2 Calif. Medical Groups Split Citing Cyberattack Dispute
Breakup Spotlights How Some Relationships Can Crumble After Attack, Investigation

Cyberattacks and major health data breaches in the healthcare sector often end up in court in class action disputes filed by patients. But sometimes such incidents lead to other fallout: irrevocably damaged business relationships.
Graybill Medical Group, a physicians' practice in southern California, is splitting from its affiliate practice, Palomar Medical Group, which has provided management services to Graybill for nearly five years. Graybill says it is separating because Palomar allegedly provided an "inadequate" response to a cyberattack detected in May.
Graybill claims that Palomar still has not restored "critical functions," hindering Graybill's ability to deliver essential medical services to patients, the San Diego Union-Tribune reported on Wednesday.
Palomar, in a July 18 update posted on Graybill's website, said electronic medical records, appointment scheduling and phone systems have been restored.
Graybill also alleges that, in response to the breakup it initiated, Palomar is "evicting" nearly 100 Graybill Medical Group doctors and related employees whose practices operate in Palomar office buildings, with a deadline of Nov. 11.
Palomar in a statement provided to Information Security Media Group disputes Graybill's claims regarding the cyber incident.
"Graybill attempts to distance itself from the consequences of the data security incident, despite one of Graybill's key leaders serving as the chief medical information officer of PHMG prior to and during the incident," Palomar said.
"While PHMG has continually employed its best efforts to promote Graybill's success and integration, Graybill is now using the data security incident to exit from a partnership this group has been uncooperative with since its acquisition in December 2020."
The affiliation between Graybill, which was established in 1932 as a primary care practice, and Palomar Medical Group dates back to 2020. Palomar operates nearly two dozen clinics and medical offices in southern California, serving about 200,000 patients. Graybill has approximately 45,000 patients.
Palomar reported the hacking incident to the U.S. Department of Health and Human Services on July 3 as a HIPAA breach affecting 501 individuals. That figure is a placeholder commonly used when an entity must report within the 60-day window but does not yet know how many people are affected; the actual count is typically updated once the investigation concludes.
Graybill, in a breach notice on its website pertaining to the Palomar attack, said that on or around May 5, PHMG identified suspicious activity on certain computer systems within its network.
"PHMG immediately launched an investigation to determine the nature and scope of the activity." The investigation found that an unauthorized actor gained access to certain files within PHMG's network from April 23 to May 5 and may have copied those files.
"Additionally, this incident may have caused certain files to become unrecoverable. However, PHMG is continuing its efforts to restore all files and identify the specific individuals and information that may have been impacted so it can provide individualized notice with additional information when its investigation is complete," the notice said.
Potentially compromised information includes patient name, address, date of birth, Social Security number, medical history information, disability information, diagnostic information, treatment information, prescription information, physician information and medical record number.
Health insurance information, subscriber number, health insurance group/plan number, credit/debit card number, security code/PIN number, expiration date, email address and password, and username and password were also potentially compromised, the notice said.
Graybill did not immediately respond to ISMG's request for comment.
Strained Relationships
The California breakup is an example of how cyberattacks and major health data breaches can strain business relationships and other partnerships, especially when multiple organizations are affected by a single incident, some experts said.
"Given our collective focus on third-party risk management, businesses are all considering what actions to take in the event of an incident with a supplier," said Mike Hamilton, founder and CISO of security firm Critical Insight.
"If the incident results in a cascading compromise of the customer, activation of third-party coverage is straightforward," he said.
"However, if the incident results in a disruption of business operations because of the inability to deliver a supply or service, and/or the handling of the incident was less than adequate and transparent, a company or covered entity may have no choice but to seek other options and this should not be surprising," he said.
Security incidents usually take a significant amount of time to investigate and determine root cause, said Keith Fricke, partner and principal consultant at tw-Security. "Consequently, knowing where the responsibility lies for the root cause can lead to finger pointing," he said.
"Another side effect of lengthy investigations is how long one party waits to notify other parties in the behind-the-scenes relationships. Delays in notification may violate contractual agreements regarding the window of notification," Fricke said.
Healthcare sector entities must carefully vet partners before entering any business relationship that could potentially put critical data such as patient information at risk, he said.
"Request information about the partner's information security and privacy programs, including recent risk analysis results. Ask for insights into the partner's capabilities to monitor, detect and alert on suspicious activities on networks and computer systems," he said.
Entities should also ask potential partners for evidence of tabletop exercises and incident response and disaster recovery plans, he said.
"Also, understand the nature and extent of connectivity between the organizations. Healthcare practices need to have their own disaster recovery and business continuity plans - it is not solely the responsibility of the other partner to have DR and incident response plans in place," he said.
In the event of an IT outage, the affected organization should have adequate redundancy for business continuity, Hamilton said.
"This is an issue to evaluate during procurement, so that suppliers can, in part, be evaluated based on their ability to maintain operations under duress," he said.
"A prolonged failure may be cause for terminating the relationship, or be cause for formal problem management that results in a corrective action plan that is satisfactory to the customer," Hamilton said.
But even in extreme cases, such as the Graybill and Palomar situation, it's not always easy to break up business relationships in the aftermath of a major cyber incident.
"Undoing the relationship has a lot of complications and takes time," Fricke said. "Much of the decision to part ways is based on how the parties responded, communicated and took ownership for their part of the incident."