We all live in a world that revolves around communication tools today. Messaging failures are often the reason privacy breaches occur. In fact, we have three to share with you today. Messaging failures can occur in ways you never dreamed of until it happens to someone you know – not you, of course.
Today’s episode covers 3 different stories about messaging failures.


In this episode:

Messaging Failures Times 3

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Next HIPAA Boot Camp

Live in Tucker, GA

July 19 and 20th

www.HelpMeWithHIPAA.com/bootcamp

Want to be part of Help Me With HIPAA? Donate to the cause at www.HelpMeWithHIPAA.com/give

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

[3:20]

Some notes from listeners:

On a survey a listener said

HIPAA Pasta Moose

© Slosman Communications Enterprises “HIPAA Pasta Moose”

I would access the notes and transcripts, but I can’t seem to find them.

Email from Alex:

Seriously, you are going to push Donna over the edge if you use the HIPAA-Pasta-Moose. It is actually pretty funny!

Messaging Failures Times 3 [8:44]

The security news is filled with stories of email and messaging failures that resulted in data breaches.  Some of them have to do with people doing the wrong things.  But, most of them are the result of people feeling too comfortable that they know what they are doing or there is nothing to worry about since they have encrypted their messages.

These 3 stories may open your eyes to some pretty interesting cases where no one in these offices thought it would happen to them either.  The last one is worth hanging out with us just to hear how odd it is.

Story #1  Black River Medical Center in MO phishing attack was successful.  [10:50]

In this one, a single employee fell for a phishing scam.  In its statement, the center said that on April 23 it discovered a staffer had fallen for a phishing email and had their email account compromised. From there, the attacker could use those credentials to access sensitive patient information.

The investigation determined that an unknown, unauthorized third party gained access to the employee’s email account and could have viewed or accessed the information contained therein, which included patients’ names, addresses and phone numbers, and in certain instances, limited treatment information.

So, it isn’t clear from the notice which case this is: either there was PHI sitting in the email account itself, or the account was tied to some sort of single sign-on that gave the attacker the mailbox plus much more.  Either way, there is a potential that PHI was accessed, and it was clearly exposed to someone who had no business with it.

This case makes us think twice about the convenience of the single sign-on approach.  It also shows that just having encryption does not mean the PHI in your email account is protected: encryption protects a message in transit and on disk, but an attacker who logs in with stolen credentials reads it exactly the way the mailbox owner does.  There are layers we have to worry about today, and one of those layers is people falling for phishing scams that give away their usernames and passwords.  A second factor on the login is what turns a stolen password into a non-event, which is why phishing is as much an account-security problem as an awareness problem.

Story #2 AFLAC Agents have breach of their Office 365 Accounts.  [17:58]

The details here are a bit different. In this case, it wasn’t Aflac itself that had the issue; it was some of their agents.  Apparently, someone had unauthorized access to agent accounts on O365 for almost three months.  Of course, we don’t get all of the details, but some information was included:

American Family Life Assurance Company of Columbus and Continental American Insurance Company (collectively, “Aflac”) have discovered that potential unauthorized access to certain Office 365 email accounts occurred between Jan. 17, 2018, and April 2, 2018. These accounts were on a business email system hosted by a third party. The incident was discovered through Aflac’s data security detection systems.

Based on our review, Aflac email accounts of a small number of our independent contractor insurance agents appear to have been accessed by an unauthorized third party. These agents are not employed by Aflac; they are independent contractors who help us provide services to you. As our HIPAA Business Associates, these agents have also agreed to safeguard and protect your information. These agents’ email accounts were hosted by Microsoft Office 365, which is also a third-party vendor to Aflac.

Data analysis, which was completed April 25, 2018, showed that some of the email accounts may have included HIPAA protected health information (PHI) and other personally identifiable information (PII). We immediately instituted multiple robust controls to mitigate and remediate the activity, including resetting passwords, isolating the specific email accounts and contacting the affected insurance agents. We also continue to work with our independent contractor agents and vendors to implement strong security measures.

The independent contractor agents may have been required to use O365, based on the fact that the notice calls Microsoft an Aflac vendor.  What apparently nobody did was enforce strong security requirements on those accounts.  You can bet they have since required 2FA or something similar to address whatever caused the “unauthorized access”.

The failures here remind us that third parties are still in the mix with these messaging systems.  Plus, just outsourcing email to Microsoft or Google with a BAA in place does not mean you don’t have to lock things down using the security tools available to you.  The BAA covers the vendor’s side of the service; the account settings, multi-factor authentication and access policies on your tenant are still your job.

Story #3 Unsecured pager messages just floating around in the air.  [26:50]

This one is a surprise for a couple of reasons.  First, there are still folks out there using pagers.  In many cases the theory that the old way of doing things worked just fine without these security issues holds up.  This is not one of them.  Second, the way it was discovered is just nerdy cool.

An “IT worker” for one of the county governments in Missouri decided to hook an old-school antenna up to his laptop to pick up TV broadcast channels.  Nerdy, but cool.  I remember turning the antenna outside while my dad yelled out the window how “well” I was doing.  That antenna was on a pole that ran up above the roof of the house to get a good signal.  That, connected to a laptop, was my vision.

The IT worker was reviewing the traffic the laptop picked up, looking for the channels he wanted.  Along with those signals came information that was clear-text PHI.  After some digging, it turned out the PHI was coming from unsecured pagers at seven different hospitals in Missouri and Kansas: the University of Kansas Hospital in Kansas City, Cass County Regional in Harrisonville, Liberty Hospital in Liberty, Children’s Mercy Hospital in Kansas City, St. Mary’s Medical Center in Blue Springs, Missouri Baptist Medical Center in St. Louis, and Wesley Medical Center in Wichita, Kansas.  Wow, that’s a lot of messaging failures in one air pattern!
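To make concrete what “open text” means here, an added example (editor’s code, not the show’s and not any hospital’s or vendor’s paging software): a minimal POCSAG alphanumeric encoder and decoder in Python.  The codeword layout it assumes is the standard POCSAG one as I read the spec: 32-bit codewords, a flag bit that is 1 for message and 0 for address codewords, 20 payload bits, 10 BCH(31,21) check bits from the generator x^10+x^9+x^8+x^6+x^5+x^3+1 (0x769), one even-parity bit, and text carried as 7-bit ASCII packed LSB-first across codewords.  The pager address, the message text and the “patient” in it are constructed for the example, not taken from the story.

```python
# Added example (not from the podcast or any paging vendor): a minimal POCSAG
# alphanumeric encoder/decoder showing what an over-the-air pager message is.
# Assumed layout, per the POCSAG spec as the editor reads it: 32-bit codewords;
# bit 31 = 1 for message codewords, 0 for address codewords; 20 payload bits;
# 10 BCH(31,21) check bits with generator x^10+x^9+x^8+x^6+x^5+x^3+1 (0x769);
# 1 even-parity bit.  Text is 7-bit ASCII packed LSB-first across codewords.
# Error *detection* is built into the format; confidentiality is not.

BCH_GEN = 0x769          # generator polynomial, degree 10
SAMPLE_RIC = 1234567     # constructed pager address (21-bit RIC), not a real one
# Constructed sample page; the patient and room are invented for the example.
SAMPLE_MSG = "PT J DOE RM 412 ADMIT CHEST PAIN CALL 5551"


def bch_check_bits(data21: int) -> int:
    """10 check bits: remainder of data21 * x^10 divided by BCH_GEN (mod 2)."""
    reg = data21 << 10
    for shift in range(20, -1, -1):            # clear bits 30 down to 10
        if reg & (1 << (shift + 10)):
            reg ^= BCH_GEN << shift
    return reg & 0x3FF


def make_codeword(data21: int) -> int:
    """Append BCH check bits and an even-parity bit to 21 data bits."""
    cw31 = (data21 << 10) | bch_check_bits(data21)
    parity = bin(cw31).count("1") & 1
    return (cw31 << 1) | parity


def codeword_ok(cw: int) -> bool:
    """True if parity is even and the BCH remainder is zero (no bit error seen)."""
    if bin(cw).count("1") & 1:
        return False
    cw31 = cw >> 1
    return bch_check_bits(cw31 >> 10) == (cw31 & 0x3FF)


def address_codeword(ric: int, function: int) -> int:
    """Address codeword: flag 0, upper 18 bits of the RIC, then 2 function bits."""
    return make_codeword((((ric >> 3) & 0x3FFFF) << 2) | (function & 0x3))


def encode_alpha(text: str) -> list[int]:
    """Pack 7-bit ASCII LSB-first into the 20-bit payloads of message codewords."""
    bits = []
    for ch in text:
        code = ord(ch) & 0x7F
        bits.extend((code >> i) & 1 for i in range(7))
    bits.extend([0] * (-len(bits) % 20))       # zero-pad the final codeword
    words = []
    for j in range(0, len(bits), 20):
        payload = 0
        for b in bits[j:j + 20]:               # first bit on air = MSB of field
            payload = (payload << 1) | b
        words.append(make_codeword((1 << 20) | payload))
    return words


def decode_alpha(codewords: list[int]) -> str:
    """Inverse of encode_alpha; raises on any codeword that fails its checks."""
    bits = []
    for cw in codewords:
        if not codeword_ok(cw):
            raise ValueError(f"corrupt codeword 0x{cw:08X}")
        if not cw >> 31:
            continue                           # address codeword carries no text
        payload = (cw >> 11) & 0xFFFFF
        bits.extend((payload >> (19 - i)) & 1 for i in range(20))
    text = ""
    for j in range(0, len(bits) - len(bits) % 7, 7):
        text += chr(sum(b << k for k, b in enumerate(bits[j:j + 7])))
    return text.rstrip("\x00")                 # drop the zero padding


def sample_page() -> list[int]:
    """A constructed page: one address codeword followed by the message codewords."""
    return [address_codeword(SAMPLE_RIC, 3)] + encode_alpha(SAMPLE_MSG)


if __name__ == "__main__":
    page = sample_page()
    print("on air :", " ".join(f"{cw:08X}" for cw in page))
    print("decoded:", decode_alpha(page))      # the PHI, in the clear
    damaged = page[:]
    damaged[1] ^= 1 << 17                      # a single flipped bit is detected...
    print("bit error detected:", not codeword_ok(damaged[1]))
    # ...but nothing in the format hides the content from any receiver in range.
```

The thing to notice is that the only math in the format is error detection.  Any receiver that demodulates the signal runs exactly this decode and gets the text, which is why “specialized equipment” is an overstatement.  The practitioner’s check is to ask the paging vendor which protocol they transmit and whether it carries any encryption; if the answer is plain POCSAG and none, then PHI on the pager is PHI on the air.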

This IT worker could recognize healthcare information but did not know how to proceed, so it appears he did not work in a part of the county that requires HIPAA knowledge.  He notified the Kansas City Star newspaper about his findings, not the hospitals.  The quote in the article I read was telling about the lack of HIPAA knowledge:

The worker said that he wanted to bring attention to the fact that these hospitals were not encrypting their pager data and that cybercriminals could easily intercept the information and use it for identity theft. He thought it also may be a HIPAA violation.

The other interesting thing was that one of the hospitals tried to blow it off by saying:

the pager data was only available to local hackers with specialized scanning and decoding equipment and that intercepting the data was illegal under the Electronic Communications Protection Act.

What a crock of ….  The “specialized scanning and decoding equipment” in question is a consumer radio receiver, a laptop and free decoding software, which is exactly what a hobbyist who is “into radio signals” owns.  The response from the apparently still anonymous IT worker was what I expected.

I am not a hacker, I am into radio signals!  I was not trying to find your traffic it just showed up on my screen!

To make things worse, the paper had to contact some of the patients included in the messages to confirm the story.  They did indeed confirm that those were actual patients.  However, the patients were not very happy about the calls from the paper.

One woman from St. Charles, Missouri, confirmed that she had been hospitalized at Missouri Baptist Medical in St. Louis on May 28.

“You’re sitting there telling me exactly what happened to me, so what the hell?” she told the newspaper.

A woman from Kansas City whose son’s visit to Children’s Mercy was included in the pager transmissions picked up by the IT worker said she felt violated.

“I think something needs to be changed,” she told the newspaper. “Who knows what else is going on, if it’s that easy for that information to get out there? There’s a big security breach there and it needs to be stopped.”

I think those two quotes make the point very clear.  Messaging failures are not about you and your coworkers; they are about patients and their privacy.

As these stories demonstrate, it is very easy to feel too comfortable with our messaging tools.  The two women interviewed for the Kansas City story were rightfully upset that their information was out there for others to see, even if it was only locally.  In fact, that may have made it even worse for some folks.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care. TM
