Episode 52 of HIPAA Critical welcomes back Paubox Customer Success Manager, Aja Anderson, to discuss the findings of the Paubox HIPAA Breach Report for August 2021.
Hannah Trum: I'm Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. Data breaches and HIPAA fines are everywhere in healthcare. If your organization isn’t proactive about protecting PHI, you’re only tempting fate. When it comes to a breach, everything from employee training to how long it takes an organization to notify the HHS is essential. Each month, we publish a report that analyzes HIPAA breaches affecting more than 500 people that are reported to the HHS. Under the HITECH Act, the HHS secretary is required to post these breaches to the Breach Notification Portal publicly. Or what most people in the industry call the HHS Wall of Shame. On today’s episode, I welcome back Paubox customer success manager, Aja Anderson to discuss the latest HIPAA Breach Report and trends she’s observed over the last month. Aja, could you give our listeners a quick rundown of the data found in the August 2021 HIPAA breach report?
Aja Anderson: Yeah, absolutely. Thanks for having me back. Hannah.
It's important to call out that the data that we review here monthly is only what's been reported in that previous month. So you know, it's August, but we're talking about what happened in July. And I'm mentioning this because it can take months for companies to detect a breach, even though we see these reports of breaches daily.
So looking at these numbers, I see two massive breaches on network servers in New York and Wisconsin, that affected over 3.6 million people collectively.Hannah: That's a ton of people.
Aja: Yeah. That’s a couple folks.Hannah: That's the population of Houston getting breached.
Aja: Yes, that's exactly correct. I'm glad that you bring the context in. We throw these big numbers out, but they don't really mean anything. But when you put it into context… if you can think about the city of Houston, it's fairly large.Hannah: The fourth-largest city in America. Yes.
Aja: Yep. So yes, thank you for that.
No surprise, network servers lead again as the primary source of breaches. They love being number one.
And over 500,000 people were affected by email breaches, specifically.Hannah: Which is not a small number of people. I think that the two large breaches by a network server can really overshadow or make people think that email isn't as much of a threat as it really is. Because when you're looking at the grand scheme of things, yes 500,000 people, it's not the same as almost 4 million. But it is still a lot of people.
Aja: It's a lot of people. It's more than the size of most companies that the people out there are working in. I don't know that anybody knows what it feels like to be in a group of 500,000; several football stadiums. It's a lot of folks.Hannah: It is a lot. And it's email. It's clicking on a link. We could go on and on about that because you and I work in email security. So it's like I was saying, No surprise, that email breaches and network server breaches continue to affect the most people month over month. As we know, the name of the game in cybersecurity is to be proactive. From a customer success standpoint, what do you think are some proactive measures that companies can take?
Aja: Sure, so it will ultimately save you money to have a member of your team that's actually focused on this issue. They're working on cybersecurity, and maybe they're your IT director, and they're also looking at this. But having somebody that's focused on this on your team is really important.
Small organizations and earlier stage companies might not set a budget aside for infosec. But dealing with a data breach is far more costly to your bottom line and to your reputation. You can't really undo the damage to your reputation, assuming you have the money to clean up the problem.Hannah: Even large corporations can barely get by saving their reputation and they have what seems like endless amounts of money.
Aja: Exactly. You're going to be spending many more millions and hours worked by your marketing and PR departments trying to pull you out of the dumpster fire. So having somebody on your team is really important.
MSPs manage their risk. Providers can help. We can make introductions. And if you can't afford to have somebody on the team right now, getting an encrypted solution like ours, working with an account manager like myself and my colleagues can help fill that gap.
You send us your concerns, we make it our priority to get to the bottom of them. Customer Success managers are the secret bonus here.Hannah: The secret bonus, yes. Y'all are what makes our customers happy and listen to their complaints. Earlier Hoala Greevy, our founder, put out a blog post about, you know, HIPAA compliant voicemail transcription service. We just literally launched. Two weeks ago or three weeks ago, we had a social mixer. I don't know if you were on that mixer, Aja, but someone said, “Hey, this is a pain point for me.” And Hoala and one of our engineers went head down for, I don't know, 10 days and got it launched. Because there was a problem. And we were like, “okay, we're gonna step up and fix it,” because that's who we are.
Aja: Yeah, exactly. We're really on the cutting edge of iterating on customer feedback.
I wasn't on that one. Because unfortunately, I had bronchitis. You can probably still hear it in my voice a little bit.
I can vouch for the fact that when you come to those social mixers, or when you reach out to your customer success managers, we prioritize the feedback you give us. If it's something that more than four people are interested in, we really do make it a priority to come up with a solution.
And more than that, we just appreciate people telling us what's going on with them on the ground, because we're serving the healthcare industry broadly here, right. But within the industry, there are so many micro verticals of folks who are working in much more specific niches and their needs might be totally different. A healthcare provider is different than an insurance provider.
And so we want to hear from you, we want to know what's important to you. And beyond obviously, excellent security, we'll take all the different thoughts that you have into consideration. It even goes into the way that we design the platform. Your feedback is super important to us.Hannah: Definitely, everyone's pain points are different. But cybersecurity as a whole, would you say, are the same between an individual level and a company level? I feel like things that you can do at home and at the workplace are very similar.
Aja: Yeah, I would agree with that. Maybe with the exception of hiring somebody to handle your IT, you're probably gonna have to do that at home.
But it is important to treat your home and your home network as seriously and securely as you would treat the office space. Because with this remote environment that we're in, all of our own servers and networks are at risk. You have to take it just as seriously in your own home as you do at work.
No matter how tight your budget is, this is for the individual; this is for the multinational corporation with a million-dollar budget; you should routinely assess the risk of your systems.
You should have some kind of emergency action plan in place, whether on the individual level or the larger level. And I'll get into that a little bit more with my monthly security tip.
But when we're talking about a company, you need to know who's responsible for what when the worst occurs. You have to have a plan of action. You won't have that if you don't think like an attacker.
We've seen companies who wait too long to communicate with their customers after a breach has occurred. And that leads to lawsuits.Hannah: From a marketing perspective, upfront, it is harder to admit fault. You think it looks bad, but in the long run, transparency is the name of the game, especially in health care, especially in cybersecurity. So if something happens, it actually makes you look better, in the long run, to say, “Hey, guys, we messed up. This is what we're doing. This is our star plan.” And like you said, you can't do that if you don't have a plan set in place for it.
Aja: Exactly. And, leadership that understands that getting the word out and taking it on the nose if that's what has to happen is what you have to do.
We had a situation earlier this summer, where we had a brief outage, and it taught us a lot about where our gaps were. And immediately we made some big infrastructure changes. Our CEO got on the phone. He was sending a personal email out to every single one of our customers to say, “We messed up. We take ownership of this. Here's what we're going to do to fix it.” And by the end of the weekend, we had made all the changes we had promised.Hannah: But not only did Hoala email all of our customers, but he also posted a public blog on our website to have accountability on all fronts. And while obviously, Paubox, we're a smaller company, it is easier to make those decisions. But it says a lot about our company and about our founder and how he really cares about our customers and the pain points in those problems.
Aja: Exactly. And that's because he's got us telling him every week on the product meeting, here's what's happening for the customers. That transaction loop of communication is so critical for customer success.
I know some of our customers gave us feedback that they liked his approach so much that they've actually put it into their playbooks for when they have a problem. So it feels it feels really good to have been part of that culture of accountability.Hannah: What a great compliment. Switching gears a little bit, people outside of our industry might look at the news and see a lot of major cybersecurity attacks lately. The Colonial Pipeline and LinkedIn just to name a few. But you and I work in the industry, so we know attacks happen more often than that. What is the most unusual hacking or breach incident you've seen in the last month?
Aja: Sure, I found the Forefront Dermatology breach interesting in that, to be honest, I found it a bit disappointing when I was doing my research. I read their press release, which was pretty vague. And I know that there's a reason for that.
I get that you need to take some time to investigate. You have to figure out what the heck happened. You don't want to go out guns blazing when you don't really know what's going on.
And at the same time, you have to let the customer know.Hannah: You don’t have to let them know everything, but you have to let them know something.
Aja: Exactly. We're talking about closer to 2.5 [million people], who were affected across 21 states, including Washington or not, including now 21 states plus Washington D.C. That's a lot of compromised PHI that we're talking about.
The impact is millions of patients who are going to be susceptible to identity theft and fraud for years to come. It took Forefront [Dermatology] months to talk about it. So guess what happened? There was a class-action lawsuit, of course.
And so when you're thinking, “do I have the budget to hire an infosec specialist for my company?” The answer is yes. The answer is to make room.Hannah: Or make someone on your team get trained in this. Our COO takes these courses. He is the person who takes the classes to stay compliant. And sure it could have been his dream job, but I'm not sure it's anyone's dream job to be the compliance master. But if you want your business to grow, you have to take accountability. If you want to be profitable now and into the future, you just have to be proactive like this. We're in 2021. It's a no-brainer.
Aja: There is no room for error. Because, again, when a breach happens, and it's not if, it's when, you are going to be paying a financial cost. You can't really predict the total impact because there could be lawsuits, multiple lawsuits, and then you're going to pay the reputation cost. And you may never come back from that.Hannah: I keep thinking about companies that have lost their reputation from when we were younger, and we still remember it now. But we go off on a tangent about that. So I'm going to kick us back into gear. What do you recommend for individuals to do in their personal lives to be proactive about personal data breaches?
Aja: Sure, I'm glad you asked this because this is what the monthly security tip is all about.
We spoke last month about how important it is to confirm that the emails you receive, especially anything involving money or clicking on a link, are actually coming from the person that you think they're coming from.
I'm reiterating that because I had dinner with a family friend last week. She's a little older. She's not tech-savvy. She would not describe herself as tech-savvy. And she's also a very kind and trusting Good Samaritan.Hannah: Which makes you a trap for a cybersecurity attack.
Aja: Yes. She admitted that she'd been caught in a spoofing attack and she purchased the gift cards. She spent the money because she truly believed the request came from another close friend.
So this month, we're going to take security a step further.
What happened to her happened because of a Facebook data breach where login credentials were compromised. And so the bad actor was able to send out all these requests to mutual friends posing as another person. The person whose security was compromised.
And this is common. This is very common. 67% of data breaches are related to stolen credentials phishing. We get emails and alerts from our social media platforms, from our banks, places we shop, like Target, when these things happen, and I'll speak for myself. We don't take them seriously.
If I ignore them, I don't read them. I don't change my passwords. And that's a problem. You have to change your password. You should do it right now.
And you should also download a password manager. There are so many different ones you can use without having to pay a monthly subscription fee.
I personally like LastPass. You need to set that up and set a random 16 digit password for any account, particularly with financial or health information. I would recommend every account you have because if you visit a website called “Have I been Pwned?” So it's owned, with a P.Hannah: Such a millennial thing.
Aja: Such a millennial thing. But that will actually show you all the different data breaches that your email has been involved in, and it's not pleasant to do that.
I found 18 breaches where my email had been compromised. And by accounts that I'd never even thought of. There were such throwaway accounts that I can't even name one right now.
But it wasn't my Wells Fargo or my student loans, which please hack into those. They were things like a food blog.Hannah: Your Xanga account?
Aja: Yeah, like a Xanga account. Just ridiculous.
So please, do yourself, do me a favor. I'm asking personally. Change your passwords. Do it regularly. Get yourself a password manager.Hannah: And not only that but to quote my guest from last week, Dr. Eric Cole , that two-factor authentication for everything is so annoying. It is. Do you think that I want to type in a code after I type in my password for everything? No. But I do know that a hacker is not going to do it. Add two-factor authentication to everything. And teach your children now as you're giving them phones and technology so that this is not a cybersecurity tip we have to give for the next 20 years.
And there are so many small tweaks you can make to your cyber hygiene. Yeah, they may seem annoying at the moment, but as they become habits you won't think about them as much.
And your email will stop showing up on “Have I been Pwned.”
I think that almost anybody out there listening has probably experienced some version of fraud, identity theft, lately. I had somebody buy a one-way ticket to Russia with my credit card once. And I was like, “Really? That’s so random. You're gonna just slide this right in?” But don't take your cyber hygiene for granted. Change your password.Hannah: And that's your tip of the month, folks. Okay, thank you so much for joining me today. Aja, do you have any more or last words of wisdom for our listeners?
Aja: Subscribe to our blog. I have learned basically everything I know from our blog. And we have the sources of where we get all that information too.
So if you've got a couple of unplanned hours, and you're really into healthcare and security, read our blog, I highly recommend it.Hannah: I totally agree. And actually, I'm going to add a little plugin here. If there's a topic on our blog that you don't see or if there's something you'd like Aja and me to talk about in the future, please email email@example.com and we'll add it to our podcast. Anyways, thanks again Aja for joining me and I will see you in a month.
Aja: Amazing. Have a great week. Stay safe, change your password.Hannah: For more information about the Paubox HIPAA Breach Report or to see any of the data mentioned in this episode, please visit paubox.com/blog. Looking to network within the industry? Join our next social mixer on August 26. It’s 100% and 100% virtual. If you’re interested in attending, please send an email to firstname.lastname@example.org . Due to the rapidly changing landscape of the COVID-19, we have decided to postpone Paubox SECURE. The safety of our attendees, speakers, guests, sponsors and employees is our top priority. For more information, please visit pauboxsecure.com. As a reminder, you can listen to every episode of the HIPAA Critical podcast on paubox.com or subscribe via Apple Podcasts , Spotify , iHeartRadio , Stitcher , Amazon Music or wherever you listen to podcasts. Thanks for tuning into another episode of the HIPAA Critical podcast; I’m your host, Hannah Trum, signing off.