CEO SUMMARY: Class action lawsuits filed by patients whose protected health information (PHI) was breached during a cyber attack may be one additional unwelcome consequence for clinical laboratories and anatomic pathology groups hit by a ransomware or cyber attack. This is what happened to ReproSource Fertility Diagnostics, a subsidiary of Quest Diagnostics. An expert offers steps that clinical laboratory and pathology leaders can take to better prepare for such attacks.
RANSOMWARE ATTACKS CONTINUE TO BE A SIGNIFICANT THREAT to clinical laboratories, pathology practices, hospitals, and physician groups. But one case shows how a new wrinkle has developed in this trend: a class action lawsuit from patients whose data was exposed during an attack last summer.
In August, a subsidiary of Quest Diagnostics was the victim of a ransomware attack on its information systems. As a result, one of the patients whose data may have been compromised filed a legal complaint against the subsidiary, ReproSource Fertility Diagnostics, a lab in Providence, R.I., that specializes in testing for reproductive health and fertility.
Class Action Lawsuit
In November, Rhode Island resident Jasmyn Bickham filed the lawsuit in U.S. District Court in Massachusetts. In the court filing, Bickham’s attorneys said they filed the lawsuit on behalf of Bickham and 350,000 other patients as “a class action for damages.”
For this lawsuit to move forward, the plaintiffs’ attorneys will need to persuade the court to certify the complaint as a class action. That decision will depend on how many patients claim to be harmed and decide to join the case. (See comments about this case and the cyber attack incident from Quest Diagnostics below.)
The ReproSource situation is a reminder to lab administrators and pathologists that an encryption attack, followed by a ransom demand, is not the only financial risk to the lab organization. There could be substantial legal costs if a lab needs to defend itself from litigious patients whose protected health information (PHI) was breached during the attack.
Labs Should Prepare
To protect themselves from ransomware attacks, all labs need to prepare in three ways. First, they should regularly upgrade their information systems to ensure that they have the latest in state-of-the-art security features and that all associated software is up to date. Second, they need to train staff in how to respond the instant anyone in the lab detects an attack. Third, all labs, pathology groups, and other healthcare providers need to follow the steps that federal and state laws require after a security breach involving PHI.
To help clinical laboratories and anatomic pathology groups prepare for cyber attacks, Emily Johnson, a lawyer in Chicago with the national law firm of McDonald Hopkins, recommended these four steps:
- Train all laboratory staff on the proper cybersecurity protection measures, and how to identify and respond to any cyber attack.
- Add language into business associate agreements whenever possible to protect the lab if a business associate (or a subcontractor of a business associate) causes a data breach.
- Obtain insurance coverage that includes cyber liability and information security provisions.
- Establish an incident-response team that will take the lead in the event of an attack.
The first recommendation is that breach-prevention measures must include more than technological assistance, Johnson said.
“In addition to implementing appropriate measures—such as firewalls, data encryption, and a requirement for multifactor authentication—all healthcare providers also need to educate and train staff on how to identify and respond to cyber attacks,” she said. “That’s the single most important step a lab can take to protect itself because every lab is only as strong as its weakest link.
“A clinical lab can have all of the recommended IT and security safeguards in place, but it still takes just one person to create an access point, whether that’s through a phishing email or some other opportunity in which the threat actors take advantage and trick somebody into giving up their credentials,” added Johnson.
The second recommendation involves how labs contract with third parties. One of the most infamous data breaches involved the retailer Target, which received a considerable amount of bad publicity following news of an incident in 2013. While the publicity damaged Target’s reputation, the breach occurred due to the missteps of a heating and air conditioning contractor that exposed Target’s information system to the attack, Johnson noted.
Review Business Contracts
“Keep this situation in mind when your lab negotiates contracts with external companies,” she stated. “When negotiating an agreement with other business partners, labs and pathology groups should try to get some sort of indemnity language into their contracts that addresses what happens if the business associate or one of its subcontractors causes a breach. In those circumstances, the lab should contractually obligate, where possible, those parties to be financially liable for any damages that result.”
Such language, however, isn’t necessarily infallible if a case goes to court. “Unfortunately, when it comes to damages, a court can decide who’s responsible for what level of damages in each case,” Johnson commented. “Another problem with such language is that insurance policies sometimes prohibit indemnity language in contracts, and the inclusion of such language could nullify the insurance policy.
Adjust Insurance Coverage
“On the subject of insurance, my third recommendation is that the legal teams at clinical labs and pathology groups should have insurance policies that address liability for cyber attacks and information security breaches,” Johnson suggested. “Keep in mind, however, that such coverage can be costly.
“Years ago, those policies were relatively inexpensive,” she continued.
“However, because of the growing number of healthcare entities suffering breaches, premiums for this coverage have been rising. Despite growing costs of such policies, it is absolutely critical that labs and pathology groups have some sort of cyber liability coverage.”
Recommendation number four is that labs also should have an incident response team in case of a cyber attack.
“With that team in place, the clinical laboratory has a trained team ready to respond to any attack immediately,” Johnson said. “The team would work together to respond to the attack, and should include the lab’s IT experts, human resources staff, legal team, and a cyber liability insurance broker.
Incident Response Team
“When any lab gets hit with a ransomware attack, it’s also important to have cybersecurity forensic investigators ready to review what happened,” she added. “Every lab needs someone with that expertise to investigate which files—if any—were viewed and whether any of the lab’s files were exfiltrated, meaning they were taken off of a server either by copying or removing and deleting the originals.
“The forensic team will review the available evidence in an attempt to identify any files that were compromised,” Johnson stated. “Having that information will be critical in determining whether the incident resulted in a breach that requires notification to impacted individuals.”
Mac McMillan, CEO and President of CynergisTek, a company in Austin, Texas, that specializes in healthcare cybersecurity, privacy, and compliance, agreed that a response team is needed after a ransomware attack or data breach.
“The investigation will involve looking at all the data in your system, including the system logs, to identify when the organization was first aware that something was wrong,” McMillan advised. “The date and time that the clinical laboratory staff knew about any breach or malware attack is always important to lawyers and government regulators.
“In the ReproSource case, the date of the incident is important because the plaintiff’s lawyers have argued that ReproSource failed to report the incident to its patients within the 60 days as required by law,” he added.
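The forensic review that Johnson and McMillan describe comes down to three questions a log review has to answer: when did staff first know something was wrong, which files holding PHI were touched, and was anything moved off the network. The script below is an added example written for this article, not code from ReproSource, Quest, CynergisTek or McDonald Hopkins. It runs over a constructed log sample (the hosts, paths, log format, PHI share names and the 100 MB transfer threshold are all assumptions) and reports the earliest intruder activity, the discovery timestamp, the 60-day notification deadline counted from discovery as the article describes, the PHI files read, and outbound transfers large enough to flag as possible exfiltration.

```python
"""Incident timeline reconstruction over a constructed log sample.

Added example for this article; not the code of any company named here.
Assumed log format: "<ISO-8601 UTC> <host> <kind> key=value ...".
"""
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+)(?P<rest>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample lines (not real ReproSource data). Dates follow the
# article's narrative: intruder activity on Aug. 8, ransomware noticed Aug. 10.
SAMPLE_LOG = """\
2021-08-10T07:55:20Z core-switch link down port=12 reason=admin
2021-08-08T02:13:40Z vpn-gw auth user=svc_backup src=198.51.100.7 result=ok
2021-08-08T02:20:11Z file-srv-1 file_read path=/shares/billing/claims_2020.csv user=svc_backup
2021-08-08T02:22:09Z file-srv-1 net_out dst=198.51.100.7 bytes=734003200
2021-08-09T23:58:30Z file-srv-1 file_read path=/shares/hr/handbook.pdf user=jdoe
2021-08-10T07:41:03Z edr-console alert name=ransomware.encrypt host=file-srv-1
"""

# Assumed: these share prefixes hold protected health information.
PHI_PREFIXES = ("/shares/billing/", "/shares/patients/")


def parse_log(text):
    """Parse lines into dicts and sort them by timestamp (logs are often
    collected out of order, so never trust file order for a timeline)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        fields = {}
        for token in m.group("rest").split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
        events.append({
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "host": m.group("host"),
            "kind": m.group("kind"),
            **fields,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def discovery_time(events):
    """Earliest event that put staff on notice. Assumption: the first
    security alert counts as the moment the organization 'knew'."""
    for event in events:
        if event["kind"] == "alert":
            return event["ts"]
    return None


def notification_deadline(discovered, days=60):
    """Notification clock counted from discovery (60 days, per the article)."""
    return discovered + timedelta(days=days)


def phi_access(events, prefixes=PHI_PREFIXES):
    """File reads against stores assumed to hold PHI."""
    return [e for e in events
            if e["kind"] == "file_read" and e.get("path", "").startswith(prefixes)]


def exfil_candidates(events, threshold_bytes=100 * 1024 * 1024):
    """Outbound transfers at or above an assumed size threshold."""
    return [e for e in events
            if e["kind"] == "net_out" and int(e.get("bytes", "0")) >= threshold_bytes]


def build_report(log_text):
    """Assemble the facts counsel and regulators ask for first."""
    events = parse_log(log_text)
    discovered = discovery_time(events)
    return {
        "first_activity": events[0]["ts"] if events else None,
        "discovered": discovered,
        "deadline": notification_deadline(discovered) if discovered else None,
        "phi_files": sorted({e["path"] for e in phi_access(events)}),
        "exfil": [(e["ts"], e["dst"], int(e["bytes"])) for e in exfil_candidates(events)],
    }


if __name__ == "__main__":
    for key, value in build_report(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

Two design points matter more than the parsing. First, the timeline is sorted before the discovery time is chosen, because the first line in a log file is rarely the first event. Second, the report separates the earliest intruder activity from the discovery time: the former scopes the breach, the latter starts the notification clock, and conflating them is exactly the kind of mistake a plaintiff's lawyer will look for.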
Patients Notified of Attack
In response to a request for comment by The Dark Report, Quest explained that it is not clear whether any PHI was stolen.
“ReproSource provided notice that it experienced a data security incident in which an unauthorized party may have accessed or acquired protected health information and personally identifiable information of ReproSource patients. Quest Diagnostics’ systems were not affected by this incident,” Quest said.
“While an investigation did not confirm that the unauthorized party acquired data in the incident, out of an abundance of caution, ReproSource notified individuals whose personal information may have been accessed,” Quest added.
On Oct. 8, ReproSource issued a notice about the data breach. In the five-page notice, the subsidiary explained the steps it took to address the issue and offered assistance to individuals whose PHI may have been compromised, including complimentary credit and identity monitoring services.
“On Aug. 8, 2021, an unauthorized party accessed the ReproSource network,” the notice says. “We discovered ransomware on the morning of Aug. 10, and in less than an hour we severed all network connection activity and contained the incident. We immediately launched a comprehensive investigation to determine the cause and scope of the incident. We retained leading cybersecurity experts to assist with our investigation, confirmed containment of the ransomware, and quickly and securely recovered operations. Additionally, we promptly notified law enforcement.”
Beyond looking at the ReproSource case, clinical lab executives will also want to keep an eye on more recent threats.
For example, on Dec. 16, Wired magazine reported that in the first week of December, hackers committed what the publication called “a seismic event.” The report noted that an open-source library called Log4J, which web servers use worldwide, was exposed to relatively simple attacks from hackers.
The Federal Trade Commission recognized this threat and posted the following statement on its website:
Log4J is a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services. Recently, a serious vulnerability in the popular Java logging package, Log4J (CVE-2021-44228) was disclosed, posing a severe risk to millions of consumer products to enterprise software and web applications. This vulnerability is being widely exploited by a growing set of attackers.
Log4J Cyber Threat
“The first wave of hacking is well underway,” Wired noted in its coverage of the Log4J hack. “But it’s what comes next that should worry you.”
McMillan warned that what’s disturbing about the Log4J attack is that in the coming weeks or months, it could lead to more ransomware and other attacks on cybersecurity infrastructure in healthcare and other industries.
It is recommended that lab administrators and pathologists elevate cybersecurity threat protection in their labs’ strategic planning and daily operations. Prevention is the best strategy, given the fact that an encryption attack can totally shut down all information system access and functions in the targeted lab.
Contact Emily Johnson at 312-642-1798 or firstname.lastname@example.org; Mac McMillan at 512-402-8550 or email@example.com.
Hackers Got Patients’ Financial Data
ON AUG. 8, 2021, HACKERS ACCESSED THE NETWORK OF REPROSOURCE FERTILITY DIAGNOSTICS, a lab company in Providence, R.I., and exposed the protected health information (PHI) of at least 350,000 individuals, according to a court filing.
The PHI included Social Security numbers, addresses, dates of birth, and health insurance billing information, which healthcare data experts have said are among the most valuable to hackers who sell that information on the dark web. (See TDR, “Ransomware Attackers Target Healthcare Providers,” May 24, 2021.)
In a lawsuit that a patient filed in November, lawyers for the plaintiff alleged that ReproSource discovered the ransomware attack on Aug. 10 and began notifying customers on Sept. 24.
The plaintiff is Jasmyn Bickham, who received care at a ReproSource clinic in Providence in 2015. ReproSource notified Bickham on Oct. 21, 2021, that her PHI had been compromised in the breach, the 53-page lawsuit said.
In the complaint, the plaintiff alleges negligence, breach of contract, breach of implied contract, and breach of fiduciary duty. Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a patient’s PHI is protected.
The complaint charges that ReproSource failed to take appropriate steps to protect patients’ data at a time when healthcare providers’ systems have come under repeated attack and after officials had warned all companies of the need to protect their data from hackers.