HealthEC LLC is a health management solution provider based in New Jersey. Its population health management platform is used by more than one million healthcare providers in 18 states for data integration, analytics and care coordination. The company gave public notice on December 22, 2023, of a data breach involving the patient information of 4.5 million people. The breach was initially detected as suspicious network activity, prompting an in-depth investigation that concluded on October 24. The investigation revealed that between July 14 and July 23, unauthorized external parties had accessed internal systems and extracted sensitive files. The compromised data included patient names, addresses, birth dates, Social Security Numbers and medical record numbers, along with medical details such as diagnoses and prescriptions.
Basis of the Case
A 75-page class action suit, among others, has been filed against HealthEC since its recent data breach disclosure. The lawsuit contends that the data breach could have been prevented and attributes the incident directly to HealthEC’s inadequate cybersecurity measures. Specifically, it points to the failure to implement reasonable cybersecurity protocols, highlighting the lack of encryption for sensitive data on its network as a critical oversight. The lawsuit further notes that HealthEC took over five months after the breach to inform the public, a delay it deems unacceptable. This prolonged period before notification deprived affected individuals of the chance to take timely measures to protect themselves against identity theft and fraud. Additionally, the plaintiff points out several shortcomings in HealthEC’s disclosure, including:
- A lack of clarity regarding the initial detection time of the cyberattack.
- Absence of details about the specific vulnerabilities that were exploited by the attackers.
- Insufficient information on the steps taken by HealthEC in response to the cyberattack to prevent future breaches.
In addition, the plaintiff contends that HealthEC lacked adequate policies and procedures for the timely deletion of sensitive data when it was no longer necessary, underlining a significant gap in their data management practices.
Call to Action
Like any health-related organization, HealthEC falls under the Health Insurance Portability and Accountability Act (HIPAA). While encrypting data at rest is not mandatory under HIPAA, a covered entity must assess whether encryption is a reasonable and appropriate safeguard for electronic protected health information (ePHI). If encryption is not deemed reasonable, the entity must document the reasoning and implement an equivalent alternative measure to protect the ePHI.
The National Institute of Standards and Technology (NIST) recommends that organizations secure Protected Health Information (PHI) using the Advanced Encryption Standard (AES), OpenPGP and S/MIME for data at rest and in transit. These standards are good practice for any type of organization that needs to secure sensitive data. There are three common types of storage encryption technologies for data at rest:
- Full Disk Encryption: FDE encrypts the entire disk including the operating system, application files and user data. It is best for protecting data at rest on a device such as a laptop.
- Virtual Disk and Volume Encryption: Virtual disk encryption encrypts the entire volume or virtual disks, making it more flexible than full disk encryption. It is often used within virtualization environments where different encrypted volumes are needed.
- File/Folder Encryption: File encryption encrypts individual files or folders and lets users choose which sensitive documents to encrypt, which is useful in environments where multiple users access the same system.
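As an added example of the third option above, the following Go program (not HealthEC's or HALOCK's code, and not from the original article) shows what application-level file encryption at rest with AES looks like in practice: a record is sealed with AES-256-GCM before it touches disk, the file is written with owner-only permissions, and any tampering with the stored bytes or use of the wrong key is rejected on read. It uses only the Go standard library; the patient record, file name and key are constructed for the demonstration, and in a real deployment the key would come from a key management service or HSM, never from a file next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// SealRecord encrypts plaintext with AES-256-GCM under key (32 bytes).
// Output layout: nonce || ciphertext || GCM tag. A fresh random nonce is
// drawn per call and stored with the data; the key is never written beside it.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// UnsealRecord reverses SealRecord. Any modification of the stored bytes,
// or use of the wrong key, makes the GCM tag check fail and returns an error
// instead of garbage plaintext.
func UnsealRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// WriteSealedFile encrypts plaintext and writes it to path with owner-only
// permissions, so only ciphertext ever reaches disk.
func WriteSealedFile(path string, key, plaintext []byte) error {
	sealed, err := SealRecord(key, plaintext)
	if err != nil {
		return err
	}
	return os.WriteFile(path, sealed, 0o600)
}

// ReadSealedFile reads and decrypts a file written by WriteSealedFile.
func ReadSealedFile(path string, key []byte) ([]byte, error) {
	sealed, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return UnsealRecord(key, sealed)
}

func main() {
	// Constructed sample record for the demo; not real patient data.
	record := []byte("mrn=000000;name=Jane Sample;dob=1970-01-01;dx=example")

	key := make([]byte, 32) // AES-256 key; in production obtain from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	dir, err := os.MkdirTemp("", "sealed")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "patient.bin") // hypothetical file name

	if err := WriteSealedFile(path, key, record); err != nil {
		panic(err)
	}
	onDisk, _ := os.ReadFile(path)
	fmt.Println("plaintext visible on disk:", bytes.Contains(onDisk, []byte("Jane")))

	back, err := ReadSealedFile(path, key)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))

	// Flipping one stored byte is caught by the GCM tag check.
	onDisk[len(onDisk)-1] ^= 0x01
	_, err = UnsealRecord(key, onDisk)
	fmt.Println("tamper detected:", err != nil)
}
```

The design point is that encryption at rest only helps if the key lives somewhere the stolen files do not: an attacker who copies the directory gets ciphertext that fails the tag check under any key but the right one. It does not protect data read by an already-authorized process, which is why key management, access control and monitoring still belong alongside any of the three storage encryption options.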
For more detailed guidance on encryption options, you can refer to NIST Special Publication 800-111. Consulting with HALOCK Security Labs can provide valuable insights into the necessity and methodology of integrating an encryption plan into your organization’s cybersecurity strategy. Such a consultation is essential for effectively securing sensitive data and ensuring regulatory compliance.