Datica Blog

PHI Exposed for 18 Months during UVA Data Breach

Laleh Hassibi

Vice President of Marketing

March 9, 2018   Security Compliance Healthcare News

Often, the public learns about breaches of personal health information (PHI) because of the number of people affected. In fact, organizations are required to inform the media of breaches that affect 500 or more people, so the number of people involved is a critical component of data breach reports.

However, a recent data breach at the University of Virginia Health System is interesting for a different reason: the length of time that PHI was exposed. The breach was discovered on December 23, 2016, and reported appropriately. The hacker had first gained access to the system, and to the records of 1,882 patients, on May 23, 2015, meaning the PHI was exposed for 18 months.

The Fruitfly malware attack

The hacker, Phillip Durachinsky, accessed the information through a physician’s laptop. Durachinsky developed malware called Fruitfly; once it was installed, he could view from a remote location whatever the person using the computer was looking at. Because the physician could access patient records, Durachinsky also had access to them.

Mark Olschesky, chief data officer at Datica, wrote an article addressing some of the largest data breaches of 2017. In it, he notes, “While it’s impossible to say in retrospect if any breach was 100% preventable, having policies in place to provide ‘reasonable effort’ to prevent exposure is key to minimizing the damage from the unpreventable.” Malware was the cause of multiple breaches in 2017.

Officials at UVA became aware of the breach because the FBI was investigating Durachinsky, who had used Fruitfly to access computers owned by local, state, and federal government agencies, various companies, individuals, a police department, and schools in addition to UVA. He had been using the malware since 2003.

In a press release, UVA says, “The FBI has advised us that the third party, who has been arrested, did not take, use or share patients’ information in any way.” In addition to cooperating fully with the FBI investigation, UVA followed HIPAA protocol in notifying the affected patients, the media, and the Department of Health and Human Services. The organization set up a call center to handle patient questions about the breach.

In this case, it appears the hacker did not use the PHI for nefarious purposes. However, the fact that the information was exposed for so long raises some serious questions. Was there anything that UVA officials could have done to learn about the breach sooner? Would security reviews or checks have revealed the malware? Were there any abnormalities that should have alerted the physician or the IT team to the malware?

Datica can answer some of those questions. Patch management, policies on appropriate system access, and OSSEC and anti-virus intrusion detection on all systems, to identify attacks that would otherwise go unknown, are all methods that Datica uses in an effort to avert attacks such as the one at UVA. Datica’s open-source policies are designed to address numerous types of attacks, including malware.

Though it ended well for the 1,882 patients, since there was no nefarious use or disclosure of their data, it didn’t end so well for Durachinsky. The Cavalier Daily, the independent daily news organization at the University of Virginia, reports, “Durachinsky was indicted Jan. 10 in the United States District Court for the Northern District of Ohio on allegations of accessing and damaging protected computers, production of child pornography, aggravated identity theft and illegal wiretap.”
