Texas-Based Harris Health Receives FBI Clearance to Notify 5,000 Affected Patients

Harris Health has begun notifying 5,000 patients following a data breach in which a former employee accessed electronic health records (EHRs) without authorization over the course of more than ten years. The Texas-based healthcare organization reported the discovery of this breach to the FBI four years ago.
The unauthorized access spanned from January 4, 2011, to March 8, 2021, during which the employee accessed patients’ EHRs without any legitimate work-related purpose. Harris Health officially recognized the incident on February 10, 2021, promptly initiated an investigation with forensic aid, reported the breach to law enforcement, and subsequently terminated the employee.
Recently, Harris Health announced that the FBI had granted approval to inform affected patients. The organization operates several healthcare facilities, including two trauma centers and a network of 37 clinics, all serving a large population in Houston.
According to Harris Health, while cooperating with law enforcement, they discovered that some patient information had been shared with unauthorized parties. The delay in notifying patients was required to avoid hindering the ongoing investigation. Now that the FBI has issued the go-ahead, Harris Health is expeditiously informing all potentially affected individuals.
The specifics of the exposed information include names, dates of birth, addresses, contact numbers, medical record identifiers, clinical details, and in some cases, Social Security numbers. Harris Health has pledged to offer complimentary identity protection and credit monitoring services to those whose Social Security numbers may have been compromised.
Security experts have raised concerns about the unusual four-year timeframe for law enforcement to allow Harris Health to proceed with patient notifications. The delay raises questions about the complexity of the initial access and subsequent activities, and suggests that more significant criminal activity may lie behind the breach. Techniques outlined in the MITRE ATT&CK framework, such as initial access through insider threats and privilege escalation via persistent unauthorized access, may have played a role in this incident.
The urgency of strengthening access controls in healthcare environments is underscored by this breach, with experts advocating for more stringent audits, enhanced training protocols, and advanced logging technologies to monitor access to sensitive information. Implementing role-based access management and requiring reauthorization of access can help ensure that only authorized personnel access specific patient records.
The recent breach at Harris Health serves as a stark reminder of the vulnerabilities inherent in electronic health systems. It highlights the critical need for healthcare organizations to invest in robust cybersecurity measures to safeguard patient information in compliance with HIPAA regulations and to mitigate the risks associated with insider threats.