Osteopathic Professional Group Reports Year-Old BreachPII of Nearly 28,000 Members Exfiltrated in June 2020 Hacking Incident
The American Osteopathic Association has just begun notifying nearly 28,000 individuals about a June 2020 data exfiltration incident involving their personal information. The medical professional organization says workforce challenges during the pandemic led to the delayed identification of people affected by the data breach.
See Also: Case Study: The Road to Zero Trust
In a breach report submitted on Wednesday to the state of Maine's attorney general office, AOA says the incident affected about 27,500 individuals, including 209 Maine residents.
The Chicago-based non-profit professional association says it represents 151,000 osteopathic physicians and medical students across the U.S.
AOA, in a sample breach notification letter provided to Maine's attorney general's office, says that on June 25, 2020, AOA became aware of "suspicious activity" relating to certain systems. AOA worked with third party forensic investigators to examine the nature and scope of the activity, and the AOA systems of interest, the letter notes.
AOA determined that certain information within its systems was exfiltrated by an unauthorized malicious actor. In response, AOA conducted "a deliberate and thorough assessment of the information affected and to whom that information pertained," the organization says.
"Like many businesses, the COVID-19 pandemic presented considerable challenges to AOA’s normal business operations," AOA says
"As a result, it has taken an extended time for AOA to identify the names and addresses of impacted individuals due to the pandemic’s impact on our staff’s working conditions, and their inability to be on location to identify all potentially impacted parties.”
AOA says that on June 1, it confirmed the total population and contact information for individuals affected by the incident.
Information that was subject to the compromise includes name, address, Social Security number, date of birth, financial account information, and email address/username and password .
AOA says it is unaware of any actual or attempted malicious use of the affected information as a result of the incident, but is offering affected individuals one year of complimentary credit and identity monitoring.
AOA did not immediately respond to Information Security Media Group's request for additional details about the data breach.
Many of AOA's members – such as osteopathic physicians – are required to comply with the HIPAA rules in the handling of their patients' protected health information, including the HIPAA breach notification rule.
However, AOA itself does not fit the definition of a covered entity - such as a health plan, healthcare clearinghouse or healthcare provider that falls under the HIPAA umbrella, says regulatory attorney Marti Arvin of the privacy and security consultancy CynergisTek.
Also, AOA "would only be a business associate [under HIPAA] if it performs services for or on behalf of its member providers. While some professional associations do business associate-type of functions, not all do," she notes.
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC notes that AOA, unlike some medical professional societies, also does not maintain patient registries that collect data containing PHI from healthcare providers.
Under the HIPAA breach notification rule, individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, according to the Department of Health and Human Services. Additionally, for breaches affecting 500 or more individuals, covered entities must notify HHS no later than 60 days following a breach.
But aside from HIPAA, all 50 states, as well as Washington D.C., and Puerto Rico, have breach notification laws with varying reporting deadlines that could potentially pertain to AOA, Arvin notes.
The laws vary regarding the types of entities and data covered, and the time periods within which to report a breach, she says.
"Many states don’t have a defined term but say something like 'without unreasonable delay.' Without guidance from the state regulatory it would be unclear what would be considered an unreasonable delay, even one year," Arvin says.
Some states require organizations to begin notifying affected consumers in as few as 15 days after discovery of the breach while others have "open-ended requirements" for communicating news about incidents, Holtzman says.
Maine's breach notification law requires entities to report breaches “no more than 30 days after becoming aware of the breach and identifying its scope," Arvin notes.
"Identity theft and medical billing fraud is always a risk when the personal information of providers is compromised and as with any data compromise, the longer it takes to notify the more that risk can be increased," she says.
The AOA is not the only medical professional organization to recently report a hacking incident affecting thousands of its members.
In April, the American College of Emergency Physicians reported that a "malware" attack detected in Sept. 7, 2020, affected more than 70,000 of the group's current and former members, as well as members of three other emergency medical professional organizations (see: ER Physician Association Hacked).
"The information compromised through the security incidents involving an organization that serves the medical community is especially sensitive because it can expose the individuals whose data was disclosed to significant financial fraud or harm to their reputation," Holtzman says.
When collecting sensitive personally identifiable information, organizations should carefully assess why the information is being collected and minimize access to the data to only those with an appropriate role in the entity, he advises.
"Do not create unnecessary or duplicative collections of sensitive PII, including information stored on backup servers, network drives or unencrypted drives or applications," he says.
"Securely delete electronic files containing sensitive PII is no longer needed and wherever it is stored."