A week went by before anyone noticed some unusual activity in the email system of a Saco, Maine-based community mental health care agency last June.
By the time email accounts were secured and a digital forensics investigation launched, the sensitive personal health information of 22,000 clients at Sweetser may have been accessed by hackers.
The patient data breach Sweetser detected June 24, 2019, was limited to information transmitted via email and did not affect the system storing electronic health records, according to the agency’s spokeswoman, Susan Pierter.
But the information may have included names, addresses, dates of birth, phone numbers, Social Security numbers, health insurance plan coverage, diagnostic codes, and information on medical conditions and treatment.
“Sweetser has no evidence that the unauthorized actor even knew the email accounts contained health or medical information,” Pierter wrote in an email in response to an inquiry from New England Psychologist.
“Rather, it appears the efforts may have been to utilize email accounts to proliferate a spam campaign. We reported the incident to law enforcement and will provide whatever cooperation is necessary to hold the perpetrators accountable.”
Patient data breaches like the one Sweetser experienced increased dramatically in the U.S. in 2019, according to a public database of cyberattacks against health care providers.
The U.S. Department of Health and Human Services (HHS) website listed 91 hacking/IT incidents reported to its Office for Civil Rights during the calendar year 2018. Between Jan. 1 and Nov. 30, 2019, the number of such breaches soared to 240.
Massachusetts was the only New England state to report a breach in 2018. But in the first 11 months of 2019, there were five breaches in Massachusetts while every other state in the region had at least one breach reported. Connecticut had five while Vermont and Maine each had two and New Hampshire and Rhode Island each had one.
Federal law requires all providers, health plans, and third-party medical claims clearinghouses covered by the Health Insurance Portability and Accountability Act (HIPAA) to give notice to patients and HHS after discovering that protected health information has been stolen or improperly accessed.
If a breach affects 500 or more individuals, the report must be filed with HHS no later than 60 days after the discovery. Breaches affecting fewer than 500 individuals can be reported on an annual basis. Reports can be filed on the HHS website.
Sweetser notified HHS on Sept. 13, three days after its own data review investigation revealed that data containing clients’ information within one or more email accounts may have been affected.
But more than 80 days had passed since the initial discovery of the breach, and the agency didn’t notify potentially affected clients until Oct. 25, which may subject the agency to civil penalties in addition to the cost of corrective action.
The notification letters provided information about steps to take to protect personal information. Sweetser also offered credit monitoring and identity protection services through Experian, a consumer credit reporting company.
“What I’m seeing are a lot of gaps between when the breach is identified and when it’s reported,” said Michael F. Arrigo, an expert witness on health care data regulations and managing partner of No World Borders, headquartered in Newport Beach, California. The firm has an office in Boston.
Arrigo said an email content filter to block phishing, viruses, and executable files could have prevented hackers from accessing Sweetser’s email system. The agency has approximately 950 employees.
“It would not be financially prohibitive for them to have done that to prevent this incident,” Arrigo added.
Data breaches cost the health care sector an average of $429 per compromised record, according to the 2019 Cost of a Data Breach Study by IBM Security and the Ponemon Institute.
HIPAA covered entities that discover a data breach have to perform a risk assessment and develop a mitigation plan that must be kept on file for six years, but these are not required to be made public, Arrigo said.
The largest health data breach in history saw hackers steal the electronic protected health information of almost 79 million people from Anthem, Inc., between early December 2014 and late January 2015.
Anthem filed a breach report with the HHS Office for Civil Rights on March 13, 2015. In October 2018, HHS announced that Anthem had agreed to pay a record $16 million and take substantial corrective action to settle potential HIPAA violations.
Government investigators found that Anthem failed to conduct a thorough risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent hackers from accessing data as early as February 2014.