Is there such a thing as bad luck breaches? Most of us don’t expect luck to rule our world although I will always take good luck if I can get it. But when bad things happen sometimes we say it is due to a string of bad luck. Can data breaches be due to one of those strings of bad luck?
Growing up on a farm in the 70s and 80s means you probably spent some time watching an episode or two of Hee Haw. One of the many regular skits included stories of bad luck with an intermittent song that included the chorus:
In my family any time there was even a hint of whining or claim of bad luck someone within earshot would wail out those lyrics. But I digress. If bad luck doesn’t exist then what explains cases where things just keep going horribly wrong like data breaches occurring two years in a row and the second one may have created a third one?
Bad luck breaches: What happened first?
The first breach that happened with Alive Hospice was announced in July 2018 with this long story of an investigation into one problem that wasn’t a breach turned up another problem that WAS a breach. The statement they gave began as follows:
“On or around December 20, 2017, and April 5, 2018, Alive Hospice experienced email phishing events that affected an employee’s email account.”
Isn’t that how it always happens when you have a phishing failure in December and April you check them out and find nothing wrong.
Alive Hospice did investigations and found no problems in either of those phishing attacks and even included the phrase saying that they “took steps to change the user’s password on both occasions, in an abundance of caution”. One must always include the abundance of caution on your data breach announcements because you need to show that you didn’t do the minimum. (Maybe we can tie that statement into a later discussion about doing the minimums.)
OK, so I do have lots of questions like was it the same user that fell for it twice and you just changed their password or was it two different users? What about your investigation into each incident how did you determine nothing happened was it because there was no PHI in those accounts or you think you caught it in time or what? They knew they were hit by two phishing attacks and they thought everything was ok and changed the user passwords is basically what they are telling us.
As we read through their July 13, 2018 announcement the plot thickens when they say that although they didn’t think anything went wrong in those two previous incidents but in May they were doing a “review of their email system” and found a problem.
They brought in a forensics team that determined that activity by an unauthorized actor was found on two accounts one began Dec 20, 2017, and the other on April 5, 2018. Wait a minute doesn’t that coincide with the two phishing incidents where they changed the passwords and everything was ok? Not only that but the email accounts that were impacted included PHI on 1,868 patients that were notified in July 2018 about the unauthorized activity in the email accounts that contained their information.
It is hard not to have doubts that they originally brought in any appropriate technical staff that understood phishing attacks like this under HIPAA, if they brought in anyone at all, when the original attacks occurred or the forensics would have taken place then not several months later. When you have a breach like this one is when you tighten up your program and make sure you never have another breach plus get prepared for your OCR investigation. This breach is listed on the OCR Breach Portal as being under investigation as right now so they have to be in the paperwork back and forth stage of the investigation that goes on for years.
I don’t even attempt to call this data breach the result of just bad luck for a couple of reasons including the fact that we don’t know what happened for sure just yet and you expect that first one to put the gas under your a$$ to get the program moving. But, not so fast there buckaroo gloom, despair, and agony is yet to arrive.
Bad luck breaches: What happened next?
Now we jump to 2019 where you assume they are still dealing with the fall out from the notification done in 2018 and responding to OCR requests for information in that investigation. Alive Hospice does a press release on July 3, 2019, that starts with words the words you know where you are heading down a sad path the words were: “On or around May 6, 2019”. Right away we are told they aren’t even certain what day they became aware of something which isn’t a good sign based on the exercises they went through just months earlier.
I do respect the choice of making the announcement just before a holiday at the very end of the day since it hit the news wire site at 10pm on July 3rd, which means you can’t get too much further under the radar and stay within their 60-day time frame. I would have recommended they do the exact same thing, especially since it wasn’t their first rodeo involving data breach announcements and their fallout. Just in case you were wondering, the 2018 announcement was showing up on the news site on a Friday night at 10 pm also.
This data breach is also on the OCR breach portal showing that 608 patients were involved in this new breach and it is also under investigation. An employee’s email account was accessed by an unauthorized individual from May 4 until May 6, 2019, that contained the patient information in the same way that the two other employee accounts had PHI in them the previous year.
It appears from the outside looking in that there was no action taken to prevent the problem between the first two accounts and one a year later. I know for certain that I would have advised them to implement 2FA/MFA on those email accounts after the first phishing attack and insisted on it after the second phishing attack and made one more passionate plea to implement it after the 2018 data breach was found. I have no idea how they could have the same thing happen again when 2FA is the most logical response to business email compromise cases where PHI was exposed. We work with offices who have been through this and I don’t understand why that wouldn’t have been the immediate response unless their email has so little security controls that they can’t implement 2FA on their accounts. If the email lacks that kind of security controls there is no way PHI should be up in there!
Bad luck breaches: Is that it?
This is the bad luck point that got my attention on this specific case because how could this really happen after the other two releases happen without something just being “snake bit” as we call it. Alive Hospice made a new press release that hit the site on Sept 6, 2019, at 11pm which shows that someone is paying attention to how to stay under the radar for sure because that is the Friday of Labor Day weekend. Just like we expect the criminals to act on the holidays because no one is paying attention we should really be watching for the data breach announcements over the holidays. Note to self: holiday season coming up soon so pay attention in Nov and Dec.
While the others were announcements that we had seen before this new one is completely different than anything I have ever seen and made me take note of the other two announcements that I didn’t pay much attention to for obvious reasons just like everyone else. This one made me just stare and read it two or three times when it says that they were mailing their July notifications and “on or about July 9” they discovered something.
Bad luck is what they have or there are layers of issues involved in dealing with privacy and security requirements with this many issues one after another and you put an exclamation point on it when no one is checking the mailing information. There is also a question here about their idea that no PHI was exposed because they only mailed a letter telling someone else that your PHI had been disclosed. Who knows what was really mailed out and who were they really mailed to without PHI? I don’t know how they can claim they sent the wrong ones out and had to do a corrected mailing but it didn’t contain PHI so it isn’t yet another breach on our part.
Personally, I want to get in the car and run up to Nashville to protect these patients and families in hospice care which is not the time to deal with this kind of stress and confusion. There are so many things that aren’t happening here that I have an overwhelming need to help someone so that I can help the people being impacted by these issues. I will be watching closely for more announcements from or about them but clearly you have to pay close attention to late-night press releases about the negative issues that seem to be haunting them.
Just like all of my family who poo-pooed my claims of bad luck and made sure I understood the value of preparation and focus on the job at hand, I would have to do the same in this case should someone claim it was just a string of bad luck. We help too many people handle these issues with recurrence of the exact same problem and certainly no notifications will be sent from one of our clients without them being reminded to spot check the entire list for matching names and addresses.