Often, the public learns about breaches of personal health information (PHI) because of the number of people affected. In fact organizations are required to inform the media of breaches that affect 500 or more people, so the number of people involved is a critical component of data breach reports.
However, a recent data breach at the University of Virginia Health System is interesting for a different reason: the length of time that PHI was exposed. The breach was discovered on December 23, 2016, and reported appropriately. The hacker had first gained access to the system, and the information of 1,882 patients’ records, on May 23, 2015, meaning the PHI was exposed for 18 months.
The Fruitfly malware attack
The hacker, Phillip Durachinsky, accessed the information through a physician’s laptop. Durachinsky developed malware called Fruitfly, and when it was installed he was able to view from a remote location whatever the person with the computer was looking at. Because the physician could access patient records, Durachinsky also had access to them.
Mark Olschesky, chief data officer at Datica wrote an article addressing some of the largest data breaches of 2017. In it, he notes, “While it’s impossible to say in retrospect if any breach was 100% preventable, having policies in place to provide ‘reasonable effort’ to prevent exposure is key to minimizing the damage from the unpreventable.” Malware was the cause of multiple breaches in 2017.
Officials at UVA became aware of the breach because the FBI was investigating Durachinsky, who had used Fruitfly to access computers owned by local, state, and federal government agencies, various companies, individuals, a police department, and schools in addition to UVA. He had been using the malware since 2003.
In a press release, UVA says, “The FBI has advised us that the third party, who has been arrested, did not take, use or share patients’ information in any way.” In addition to cooperating fully with the FBI investigation UVA followed HIPAA protocol in notifying the affected patients, the media, and the Department of Health and Human Services. The organization set up a call center to handle patient questions about the breach.
In this case, it appears the hacker did not use the PHI for nefarious purposes, however, the fact that the information was exposed for so long raises some serious questions. Was there anything that UVA officials could have done to learn about the breach sooner? Would security reviews or checks have revealed the malware? Were there any abnormalities that should have alerted the physician or the IT team of the malware?
Datica can answer some of those questions. Patch management, policies on appropriate system access, and OSSEC and anti-virus intrusion detection on all systems to identify attacks that would be otherwise unknown are all methods that Datica uses in an effort to avert attacks such as the one at UVA. Datica’s open-source policies are designed to address numerous types of attacks, including malware.
Though it ended well for the 1,882 patients since there was no nefarious use or disclosure of their data, it didn’t end so well for Durachinsky. The Cavalier Daily, the independent daily news organization at the University of Virginia reports, “Durachinsky was indicted Jan. 10 in the United States District Court for the Northern District of Ohio on allegations of accessing and damaging protected computers, production of child pornography, aggravated identity theft and illegal wiretap.”