A Microsoft Power Apps vulnerability recently leaked COVID-19 vaccination records in Denton County, Texas. What's more, this vulnerability exposed a total of 38 million records containing personally identifiable information (PII) and protected health information (PHI).
Denton County represents just a small portion of the data breach. As a business associate to covered entities like Denton County, Microsoft (and all third-party vendors) must do its due diligence to safeguard PHI under the U.S. legislation HIPAA. And for healthcare providers, this means utilizing strong cybersecurity while ensuring their business associates are doing the same.
UpGuard, an independent cybersecurity firm, discovered the Microsoft Power Apps vulnerability on May 24. Microsoft Power Apps is a cloud-hosted suite of services that allows organizations to create business intelligence applications. After apprising Microsoft of the situation, UpGuard then notified the 47 impacted organizations. Denton County was informed July 2 and secured its data by July 7. The IT department also shut down access through the third-party app. PII/PHI exposed includes vaccine information, names, birth dates, email addresses, and phone numbers.
Originally reporting indicated that millions of records were compromised, but the subsequent investigation discovered several files were duplicates. According to the U.S. Health and Human Services (HHS) Breach Portal, the vulnerability affected 326,417 Denton County individuals. Denton County notified everyone affected of the cybersecurity incident and is now exploring additional cybersecurity measures. While the county did not collect Social Security numbers, driver's license numbers, or financial account information, officials told affected individuals to monitor their credit.
Microsoft as a business associate
Generally, the HIPAA Privacy Rule allows covered entities to disclose PHI to business associates if they receive assurance that the information is protected through a signed business associate agreement (BAA).
A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. The BAA is a key component to HIPAA compliance between a covered entity and a business associate.
Microsoft's HIPAA web page indicates that Microsoft will sign a BAA for some, but not all, of its products. For example, while Microsoft 365, Microsoft Teams, and Microsoft Azure can be HIPAA compliant, Microsoft Ads is not.
And according to the HIPAA Azure web page, Microsoft Power Apps is covered by its BAA and therefore can be HIPAA compliant.
The Microsoft Power Apps vulnerability
The Microsoft cloud platform is complex and leaves configuration up to customers. And this configuration issue is the reason for the recent problems. The Microsoft Power Apps vulnerability arose because organizations must enable table permissions on their own. This way, data that needs to be public, like COVID-19 vaccine registration pages, can be visible. And information that needs to remain private, such as PHI, can. But if the correct configurations aren’t set, anyone can gain access to private data.
After UpGuard alerted Microsoft, its Security Response Center responded by closing the case and stating that the breach was “considered to be by design.” UpGuard then notified the impacted organizations, including American Airlines, J.B. Hunt, and Ford. Government agencies informed include the Maryland Department of Health, the state of Indiana, and New York City Municipal Transportation Authority and Schools. Microsoft became concerned and made changes only when UpGuard exposed the more severe cases.
As a result, Microsoft enabled table permissions by default to avoid further confusion and improper disclosure. Moreover, Microsoft now provides its customers with a self-diagnosis tool to help detect potential data privacy issues.
Extra cybersecurity layers are vital
Even though Microsoft signs a BAA and utilizes its own cybersecurity measures, the company has seen many cyber vulnerabilities and breaches (e.g., Microsoft Exchange this year). And third-party vendor errors hurt healthcare providers (as well as their patients) who have to report and investigate breaches and possibly be subject to HIPAA violations.
RELATED: What to do after you violate HIPAA
These reasons are why healthcare providers must make sure that business associates are HIPAA compliant through a signed BAA. Moreover, they must protect themselves and their patients with a layered cybersecurity program that includes:
- Access controls
- Firewalls and antivirus software
- Employee awareness training
- Offline backups
- Up-to-date and patched devices and software
Paubox Email Suite Plus—needed strong email security
Paubox Email Suite Plus protects email from inbound and outbound threats. All outbound emails are encrypted directly from an existing email platform (e.g., Microsoft 365 and Google Workspace), requiring no change in email behavior.
And a new feature of our solution, Zero Trust Email, reviews incoming emails for potential threats, quarantining anything that raises a red flag. This feature, along with patented ExecProtect, which stops domain name spoofing, keeps all possible back doors into a system shut.
Furthermore, our solution is HITRUST CSF certified, which adds an extra layer of security. The HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
What this Microsoft incident demonstrates is the importance of using checks and balances when utilizing any third-party vendor who handles PHI. The only way to protect yourself and your patients’ PHI is by employing your own layered protections on top of what any business associate might do.