Hackers have compromised the protected health information of more than 200,000 patients and staff of Multicare Health System, a not-for-profit healthcare organization serving the Pacific Northwest that traces its roots back to 1882. A vendor used by a service provider that supports Multicare experienced the data breach. This chain of entities that illustrates why both covered entities like Multicare and their business associates (BAs) must always implement cybersecurity best practices to safeguard patient data. This incident is only the latest of many data breach that Multicare has experienced in recent years.
What is Multicare Health Systems?
The nonprofit healthcare organization was the first hospital in Tacoma, Washington, founded over 140 years ago. Today, Multicare is the largest locally-owned health system in the state, with a network of ten hospitals and more than 20,000 employees, volunteers, and healthcare providers. Multicare offers inpatient care, primary care, urgent care, and virtual care, as well as specialty services and pediatric care. The company also includes MultiCare Medical Associates, which houses affiliated physicians and a wide range of community outreach programs across the state.
Where did the breach occur?
Although Multicare's name is the one in the headlines, the data breach actually occurred at Netgain Technology LLC, a Minnesota-based cloud services provider that specializes in supporting healthcare organizations. Netgain didn't work with Multicare directly. Instead, Netgain's customer was Woodcreek Provider Services, a pediatric service provider based in Puyallup, Washington. Woodcreek used to operate some of the hospitals now managed by Multicare, and it continues to partner with the larger firm in providing healthcare to residents of Washington State.
How did the attack happen?
According to a notice posted on Woodcreek's website, Netgain suffered a data breach via a ransomware attack between November 24 and December 3, 2020, although the attackers may have had access to Netgain's systems as far back as September 2020. Although Woodcreek's medical records system was not compromised, the company says an archive server was "stolen by the attackers." The server itself was not physically removed by the hackers, of course. Instead, its contents were encrypted so that Woodcreek could no longer access it. And in this case, the company relented to the attacker's demands to regain access.
SEE ALSO: To Pay or to Not Pay for Stolen Data
"The data was returned after the ransom was paid and we have no reason to believe it has been or will be further used or disclosed," the company says. "On January 18, 2021, Woodcreek received a copy of the recovered data set and has been working diligently since then to notify affected individuals."
What information was exposed?
Woodcreek's public announcement included an exhaustive list of potentially compromised patient data: "The information included names and addresses, medical record numbers, dates of birth, social security numbers, health insurance policy and identification numbers, insurance claims, explanation of benefits, statements, clinical notes, referral requests, laboratory reports, decision not to vaccinate forms, authorization requests for services, treatment approvals, records requests, immunization information, vaccine records, prescription requests, release of information forms, subpoena records requests, medical record disclosure logs, incident reports, invoices, correspondence with patients, student identification numbers, bank account numbers, employment related documents, court documents, Drug Enforcement Agency certificates, payroll withholding and insurance deduction authorizations, benefit and tax forms, employee health information and some medical records." Although the breach involved Multicare patients, Multicare stressed to local media that Woodcreek's systems are separate from theirs, and that the ransomed data relates only to "a small number of pediatric clinics in the Puget Sound region for Mary Bridge Children’s Hospital and Health Network.”
How has Multicare responded?
It appears as if Multicare is leaving most of the breach response to Woodcreek, providing no notice information on the incident available on its
own website. Woodcreek sent
formal notice of the data breach to Washington's Attorney General, as well as to the Office for Civil Rights under the federal Department of Health and Human Services (netting an entry on the "
Wall of Shame"). Woodcreek meanwhile sent letters to anyone who received care between January 2005 and November 2020, as well as a few patients from as far back as 1997. The company is offering free enrollment in credit monitoring and identity theft protection services. Finally, Woodcreek is is maintaining a call center and a
special website for this breach.
Has Multicare suffered other data breaches?
In this most recent case, Multicare was ensnared in a data breach via a service provider that was used by a partner organization. Last year, Multicare's direct business associate Blackbaud
suffered a different data breach. That breach impacted more than 3.4 million people affiliated with dozens of organizations that used its
ResearchPoint and DonorCentric applications. And in 2016, Multicare
experienced a direct breach of its systems when an outside party gained access to an employee’s email account.
What can others learn from this breach?
It's not clear exactly how Netgain's systems were compromised, although ransomware is among the most common types of
malware sent via
phishing emails to employees. Unfortunately, even if a company follows
email best practices and provides regular
cybersecurity training, its data can still be compromised through an external vendor, making the
business associate agreement an especially important legal document. Whether you're a healthcare organization or a service provider that handles information from one,
HIPAA compliant email is a must.
Paubox Email Suite Plus provides both inbound and outbound email security features, including our patented
ExectProtect solution which stops
display name spoofing emails from ever reaching the inbox.
Try Paubox Email Suite Plus for FREE today.
