CSI Laboratories Says Recent Phishing Incident Affected 245,000 Patients
A data breach at a Georgia cancer testing laboratory affecting the information of nearly 245,000 individuals is the second time within six months the lab reported to federal regulators a hacking breach affecting hundreds of thousands of individuals.
A spokeswoman for Cytometry Specialists, which does business as CSI Laboratories, says this most recent event is unrelated to a March hacking incident that affected the data of 312,000 individuals.
Back-to-back cybersecurity incidents are likely regardless to grab the attention of federal regulators.
“When an entity has more than one breach within a short period of time, it is likely that the regulator’s investigations of these breaches will be consolidated and this will increase scrutiny on the entity,” says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
CSI says in a notification statement that its recent phishing incident, discovered in July, involved an attempt by hackers to commit payment fraud as well as the acquisition of files containing patient information.
CSI reported the phishing incident on Sept. 26 to the U.S. Department of Health and Human Services’ Office for Civil Rights as affecting 244,850 individuals.
The laboratory on March 25 reported two separate hacking incidents involving ransomware and data exfiltration affecting 312,000 individuals.
A CSI spokeswoman tells Information Security Media Group the two incidents affected separate IT systems. “There were entirely different systems involved. This [phishing] incident did not impact the network,” she says.
Additional security measures that were implemented following the earlier breach have been fully deployed and “all threats have been removed from the CSI environment,” she says.
Regulatory Red Flags
The narrow time span between CSI’s two major health data breaches will potentially raise red flags with regulators, says Greene, a former senior adviser at HHS OCR.
HHS OCR will often look at what actions the entity took in response to the first data breach and whether the multiple breaches were due to a similar systematic failure, such as a failure to conduct an enterprisewide risk analysis,” he says.
While there are definite negatives involving major breaches being reported within a short time frame, there can also be a sliver of optimism related to the subsequent incident.
“When it comes to multiple breaches, each fact pattern is unique,” Greene says. “While multiple breaches may reflect widespread information security issues, I have also seen it occur for more positive reasons, such as an entity improving already-good audit practices and, as a result, detecting more cases of users abusing their access privileges.”
CSI in its notification about the phishing breach says that on July 8 the company learned of the incident involving one employee’s email account and took steps to isolate that account.
“We believe the access to a single employee mailbox occurred not to access patient information, but rather as part of an effort to commit financial fraud on other entities by redirecting CSI customer health care provider payments to an account posing as CSI using a fictitious email address,” CSI says.
The invoices were not directly billed to patients, CSI adds. “Thus, we believe that the malicious actor was seeking to divert invoice payments.”
During its investigation, CSI determined on July 15 that the hacker acquired certain files from the affected employee inbox, including documents that may have contained patient name and patient number, and in some cases additional patient information, including date of birth and health insurance information.
“None of the files contained patient financial account information,” CSI says.
“At this time, we have no facts suggesting that any of the patient information has been used and, in most cases, it will be very difficult, if not impossible, for anyone to further use the patient information that was accessed,” the company says. “Accordingly, we do not believe that you need to take any steps at this time to protect your information.”
The company did not offer credit or identity monitoring to affected individuals because Social Security numbers or financial information was not compromised, the CSI spokeswoman says.
“As far as we know, no data has appeared on the dark web.”
The notification statement the company issued for its earlier breach indicated that the incident involved “a cyberattack partially disrupted CSI’s information systems” and also acquisition by the “intruder” of certain files and documents containing patient information (see: Big Hacks: 5 Health Data Breaches Affect 1.2 Million).
CSI’s breach notification in that earlier incident said the company would “continue to closely monitor” its network and information systems for unusual activity and further improve security across its networks to “protect from unauthorized access or similar criminal activity in the future.”
CSI’s parent company, Fulgent Genetics, does not appear to have filed any reports to the Securities and Exchange Commission involving either of the CSI incidents and their potential financial impact.
In addition to heightened regulatory scrutiny, entities that report multiple major data breaches also become attractive candidates for lawsuits.
“Class actions are often a numbers game – the more people are impacted, the higher the likelihood of a class action. If the second breach increases the number of affected individuals, this may lead to an increased risk of class action,” Greene says.
In fact, a Baltimore-based healthcare entity, LifeBridge Health, which reported to federal regulators two major health data breaches affecting a total of 540,000 people within two years, recently agreed to settle a class action lawsuit filed in the wake of those incidents (see: Health Entity Agrees to Pay $7.9 Million to Improve Security).
As part of the lawsuit’s resolution, LifeBridge agreed to spend $7.9 million to enhance and maintain its security.