Utah Valley Eye Center in Provo, UT reported on Oct 31, 2019, that their scheduling system was compromised. The compromise occurred on June 18, 2018.
The attacker used the information they were able to gather to send phishing emails to the patients. The attacker sent emails disguises as PayPal emails to compromise PayPal accounts.
According to the Utah Valley Eye Center, the attacker was able to obtain 5764 email addresses and other PII (Personally Identifiable Information) such as a home address, phone numbers, birth dates, and names. It is reported that PHI (Protected Health Information) was not accessed by the attacker.
Utah Valley Eye Center did report the breach to the required authorities and did send a notification to all 20,418 patients alerting them to the attack as a precaution. The patients were advised to place a fraud alert on their credit files.
What Could Have Been Done Differently?
There are two things that could have been handled differently in this case.
- MFA was likely not set up on the scheduling system. It’s not clear if that was an option with the scheduling system but it should be. If it was the eye doctor should have enabled and used it accordingly. This would have most likely prevented the breach.MFA is short for multi-factor authentication. Essentially, it’s a second form of authentication and can be a pin sent via SMS (not recommended), soft token or biometric, or any combination of these. Some portals can also be configured to only allow login from specific locations.
- There is a big gap in time from the compromise to the notification. The breach occurred on June 18, 2018, but was not reported until October 31, 2019. That’s more than 16 months.It’s not clear when the eye doctor became aware of the compromise but if the attacker was in the system for 16 months, they would have probably gotten a lot more than 5764 email addresses.
It’s important to understand that notification of breaches need to be reported in a reasonable amount of time. Since it appears PHI was not accessed the 60-day rule is not relevant, but most states have a law that data breaches are to be reported within a few months.
I was unable to find anything that states how long a business must notify the appropriate parties of a breach. In Connecticut, it’s 90 days.
Utah can also fine $2500 per consumer up to $100,000. In this case, Utah Valley Eye Center is looking at the maximum penalty.
Because the records include more than one personally identifiable piece of information Utah Valley Eye Center is subject to the rules of notification and fines.
The Potential Cost
It looks like Utah Valley Eye Center can be fined $100,000. Since the breach was just reported a fine has not been levied yet.
They could potentially be fined for delayed notification as well if Utah has laws regarding the time frame for notification of a breach.
It’s not clear if PHI was impacted. According to most sources, it was not but this breach is on the HIPAA Wall of Shame which means the OCR is investigating. If PHI is included in the breach the fines can be much more significant.
While not likely to be this high when all is said and done, and if it is determined that PHI was accessed, Utah Valley Eye Center can be looking at over $8,000,000 in fines and costs to mitigate.
The attack looks to be somewhat amateurish based on the information available. A weak password, a little social engineering, and lack of MFA and anyone can easily compromise an online portal.
From there it’s easy to grab email addresses and other PII. There are freely available tools on the internet to create phishing emails disguised as PayPal. They even help you clone the PayPal site.
To avoid all this the following should have been in place:
- Use Complex Passwords/Passphrase (Upper, lower, numbers, special characters)
- Educate Your Staff on Social Engineering
- Enable MFA – Avoid SMS if possible
- Enable Logins from Specific Location/IP Address
If the scheduling portal does not have these options, it’s time to move on to another scheduling portal. While it would be hard to believe
While there is no evidence that PHI was involved in this breach the OCR is still investigating. Even if they determine that no PHI was breached, they will likely scrutinize Utah Valley Eye Center’s HIPAA compliance program. Other healthcare providers have been fined by the OCR for lax compliance programs in the past. Utah Valley Eye Center could be on the hook for more than the $100,000 fine for having PII breached.