Medical data is subject to some of the strictest data privacy regulations second to financial data. So what happens when private medical data is shared with third parties for financial reasons?
Nemadji Research is a Minnesota-based firm that advertises their ability to “find lost revenue for hospitals and healthcare facilities.” To that end, medical facilities share their patient data with Nemadji so that patients with insufficient insurance aren’t given medical treatment that the facilities wouldn’t be fully compensated for.
The privatization of healthcare in the United States makes the work of firms like Nemadji necessary to the continued operation and financial viability of hospitals and medical clinics. But how safe is the practice of allowing personal medical information outside the confines of the hospital network?
According to their website, Nemadji says “we work with you every step of the way, integrating with (never disrupting) your existing revenue infrastructure and delivering exceptional client services, all while keeping data security a top priority. Nemadji is a SOC II, HIPAA, and HITECH-compliant organization.”
I could acquire their SOC II report, but I would have to specifically request it via email as the content of the report isn’t on their website. So how SOC II compliant are Nemadji, really, and what do these abbreviations stand for?
The biggest difference between HIPAA and HITECH is HIPAA applies to all medical data, whether it’s digital or written on a pad with a ballpoint pen. HITECH applies to the digital medical data, but not the doctor’s handwritten notes and the like. HITECH is higher tech.
However regulatory-compliant Nemadji is, at least one of their employees appears to have been susceptible to phishing. As per Nemadji’s recent press release:
“On March 28, 2019, Nemadji identified unusual activity in an employee’s email account. We immediately launched an investigation to determine what may have happened and what information may have been affected.
Our investigation determined that an unknown individual had access to the employee’s email account for several hours on March 28, 2019 due to the employee falling victim to a phishing email. On June 5, 2019, we identified the first instance of personal information that may have been accessible as a result of this incident.”
Nemadji isn’t subject to the European Union’s General Data Protection Regulation (GDPR), assuming that none of their medical data pertains to EU citizens. But if Nemadji was subject to the GDPR, they would have been obligated to report the breach within 72 hours of discovery, so by March 31 at the latest. According to Article 33 of the GDPR:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55.”
If the reasons given for delaying the report aren’t considered to be satisfactory, then they could have been given a hefty fine. Article 83 states:
“Non-compliance with an order by the supervisory authority as referred to in Article 58 shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
All of this may be irrelevant because the GDPR doesn’t apply to Nemadji. Nemadji is based in Minnesota. But the breached data is from one of Nemadji’s clients, the Los Angeles County Department of Health Services.
According to George Hulme, a cyber attacker accessed data from about 15,000 patients. Most of those patients are likely to be California residents. How does the law apply to the medical data of California residents? According to State of California Attorney General Xavier Becerra:
“California law requires a business or state agency to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a copy of that security breach notification to the Attorney General.”
Nemadji says that most of the breached data was encrypted, but the decryption keys were linked to the phished email account. That’s a bit of a technicality, but if the breached data was ciphertext, even if the attacker acquired the keys, that legal requirement may not be applicable either.
Frankly, I believe states like California need data privacy regulations with a lot more teeth. The GDPR could be a good model for that.
If that were the case, maybe Nemadji would have invested more time and money into training their employees to identify and avoid phishing attempts.
The lesson learned from all of this is that it would be wise for organizations across all industries to better security harden against email phishing, as it’s a rapidly growing threat. According to Agari’s Email Fraud & Identity Deception Trends Q1 report:
“Over the past year, business email compromise scams have jumped 60 percent. More than 90 percent of organizations report being hit by targeted email attacks, with 23 percent suffering financial damage that can average $1.6 million and up. Ninety six percent of successful data breaches now begin with an email, wreaking an average $7.9 million in costs per incident.”
Training employees to avoid getting phished is time consuming, I get it. In the fast-paced world of modern digital communication, even smart and savvy employees could be fooled. But employee training is well worth the effort, since phishing emails by their very nature of delivery often circumvent internal security software and firewalls.
And I really wish Nemadji would have reported the breach in March, then maybe their “healthcare facility business partners” could have acted much more effectively to contain the damage done by the breach, before it was too late.