Virus infection at University of Oklahoma exposes nearly 20,000 patients
Date Reported:
10/11/10, 9/24/10, and 7/25/10
Organization:
University of Oklahoma
Contractor/Consultant/Branch:
University of Oklahoma - Tulsa
University of Oklahoma-Tulsa, Neurology Clinic
Location:
Tulsa, Oklahoma
Victims:
Patients
Number Affected:
19,264
Types of Data:
"patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates. In some records, guarantor information was also included."
Breach Description:
The University of Oklahoma-Tulsa, Neurology Clinic recently posted a public notification of a breach that occurred through an infected clinic computer. The Office of Inadequate Security reports that the organization notified the U.S. Department of Health and Human Services ("HHS") of this (or a very similar incident) affecting 19,264 patients that was "detected on or about July 25". The letter posted online on the University of Oklahoma's web site is dated September 24th, but wasn't actually posted online until sometime in October.
Reference URL:
The Office of Inadequate Security
U.S. Department of Health and Human Services breach list
University of Oklahoma breach announcement
Report Credit:
The Office of Inadequate Security
Response:
From the online sources cited above:
The University of Oklahoma-Tulsa, Neurology Clinic recently notified HHS of an incident affecting 19,264 patients. According to HHS’s logs, the clinic reported that the incident occurred or was detected on or about July 25. In a statement dated September 24 and posted on their web site in October, the clinic states:
The University of Oklahoma's Tulsa Neurology practice recently became aware that one of its clinic computers had been compromised by a virus.
[Evan] Virus infections are still very common, and will be in the future. We (FRSecure) have helped many clients respond to these types of incidents. Hopefully, we have worked with them prior to the incident, so that we can help them develop appropriate incident response processes ahead of time. The deal is that you cannot stop all malware (virus, trojan, spyware, etc.) intrusions into your systems and still make these systems useful in your environment. For a second, let's assume that you will be infected at some point. The focus then changes to detection and incident management. Most organizations that face a virus infection are lacking in their incident response processes, and miss important parts of a good response. Most organizations are primarily concerned with identification, containment, and eradication of the virus, but miss out on the critical follow-up investigation work. Most organizations stop at eradication and fail miserably in determining whether any sensitive information was exposed. As long as service is restored, we're good. Not really! The University of Oklahoma continued its incident response and determined that sensitive information may have been exposed.
The Clinic is notifying individuals whose records were maintained on the computer of the discovery. Patients of Dr. John Cattaneo and of Neurology, LLC, a Tulsa practice where Dr. Cattaneo formerly practiced, are being notified this week by letter.
The letters advise the patients that an intensive investigation determined that a virus capable of retrieving data from documents located on the computer had been discovered.
Although it is not possible at this time to determine what documents on the computer, if any, were accessed by this virus, in an abundance of caution, the Clinic is notifying those individuals whose information and documents were stored there.
[Evan] What type of computer was this? Should this sensitive information have been stored on it? I'm guessing that this was a client computer (laptop or desktop) on which sensitive information such as this should have never been stored.
Many of these documents included some or all of the following: patient name, telephone number, address, birth date, Social Security Number, medical record and insurance numbers, procedure billing codes, diagnosis codes, lab reports, office notes, radiology reports, and service dates.
In some records, guarantor information was also included.
[Evan] In case the other information wasn't enough!
The virus was detected on or about July 28, and its properties were determined during the investigation.
[Evan] This is the fourth date mentioned with respect to this breach. According to the HHS breach logs, the "Date of Breach" is noted as July 25th; according to the breach announcement on the university's web site, the breach "was detected on or about July 28"; the breach announcement is dated September 24th; and the breach announcement was actually posted sometime in early October. I'm not sure what this all means, but I have enough trouble trying to keep track of a single date!
Neither the University nor the clinic is aware of any misuse or conversion of any information from this computer.
Neither has any indication that the information has been used for illegal or wrongful purposes.
However, patients are being advised by letter that they may want to monitor their credit reports and/or bank activity to ensure their information has not been compromised.
They are also being advised that they can obtain one free credit report annually from certain credit reporting services (see www.ftc.gov/freereports).
In addition, the patients are being assured that the Clinic will contact them if it becomes aware of additional information that might be helpful to them.
In the event of such contact, patients will not be asked for their full Social Security Number, bank number, or credit card information.
Businesses regularly face evolving electronic threats to the security of information on their systems.
[Evan] Yeah, so? What's the point being made here?
As a result of this incident, the Clinic has taken additional steps to ensure the safety and privacy of data, such as increasing the frequency of software and security updates.
[Evan] Can we assume anything from this statement? Was this system not up-to-date with patches?
The Clinic is committed to the proper handling and protection of patient information.
[Evan] Well that's good. It's not like regulators, legislators, and customers are going to go away. In fact, we expect more pressure in the future.
Individuals with questions regarding this matter may contact the Clinic directly at or by calling toll-free, .
Commentary:
We speculate that the infected computer was a client computer. If our assumption is true, it's generally a poor practice to store nearly 20,000 sensitive patient records on a client computer. We shouldn't only point out the bad, though: the university appears to have responded to the incident fairly well by identifying the potentially exposed information.
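The commentary above (and Evan's earlier note on responses that stop at eradication) argues that the follow-up step is working out what sensitive data actually lived on the infected machine. As an added example, not code from the blog post or the clinic, here is a small Python scoping scan over constructed sample documents that inventories the data types named in the clinic's notice; the MRN and diagnosis-code formats are assumptions.

```python
"""Post-eradication exposure scoping: inventory sensitive data types on a host.

Added example (not from the blog post or the clinic). Sample documents are
constructed inline; the MRN and ICD-10-CM code shapes are assumptions.
"""
import re

# Detectors for data types named in the notice. SSN uses the standard 3-2-4
# form with invalid area/group/serial ranges excluded; the others are assumed.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*([0-9]{6,8})\b"),
    "icd_code": re.compile(r"\b[A-TV-Z][0-9][0-9AB](?:\.[0-9A-Z]{1,4})?\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}

# Constructed sample files standing in for documents found on the clinic PC.
SAMPLE_DOCS = {
    "office_note_1.txt": "Patient: J. Doe MRN: 00123456 DOB 03/14/1962 SSN 123-45-6789 Dx G40.909",
    "lab_report.txt": "MRN: 00123456 CBC results within normal limits. Service date 2010-07-01",
    "radiology.txt": "Patient: A. Roe MRN: 00987654 Dx R51 SSN 321-65-4321 guarantor: B. Roe",
    "clinic_memo.txt": "Staff meeting moved to Thursday. Bring the updated phone list.",
}


def scan_documents(docs):
    """Return an exposure summary: data types per file, the union of types found,
    and how many distinct MRNs / SSNs appear (a proxy for notification scope)."""
    per_file = {}
    mrns, ssns = set(), set()
    for name, text in docs.items():
        found = {kind for kind, rx in PATTERNS.items() if rx.search(text)}
        if found:
            per_file[name] = sorted(found)
        mrns.update(m.group(1) for m in PATTERNS["mrn"].finditer(text))
        ssns.update(PATTERNS["ssn"].findall(text))  # no groups, so full matches
    return {
        "files_total": len(docs),
        "files_with_phi": len(per_file),
        "per_file": per_file,
        "data_types": sorted(set().union(*per_file.values())) if per_file else [],
        "distinct_mrns": len(mrns),
        "distinct_ssns": len(ssns),
    }


if __name__ == "__main__":
    for key, value in scan_documents(SAMPLE_DOCS).items():
        print(f"{key}: {value}")
```

On a real host the same scan would walk the user profile and mail stores; the distinct-identifier counts are what feed the "who do we notify" decision the clinic had to make.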
The Office of Inadequate Security makes a good point on HHS reporting that should be noted:
"This incident serves as a useful example of why HHS’s summary logs are not really that helpful to those who track and analyze data breaches. Their logs note the incident as a “hacking/IT incident” and their logs do not indicate the kinds of information involved in any particular breach. Hence, many of the incidents reported on their site might involve SSN, Medicare numbers, or financial info, but we simply can’t tell because their logs don’t tell us.
Perhaps all of those who track and analyze breaches should consider sending a joint letter to Congress and to HHS urging them to make more information on breaches available on their web site."
You can put my name on the joint letter.
This article was posted to The Breach Blog by Evan Francen, President at FRSecure LLC.
Past Breaches:
Unknown