Cyber Security Breach update

This provides a bit more detail to our leadership team that can help them understand the breach and how we at Texas Children’s are mitigating the risk to our best ability. The overall risk is the impact to the Texas Children’s reputation as well as financial impact due to government regulations to protect personal and patient information.

1. Children’s Hospital of Philadelphia (CHOP) – Phishing

  • Overview:
    On October 23, Children’s Hospital of Philadelphia (CHOP) issued a press release regarding two phishing attacks involving patient health information. The first incident occurred when an unauthorized user gained access to a CHOP physician’s email account on August 23, 2018. A second incident identified unauthorized access to an additional CHOP email account on August 29, 2018. The investigation determined the compromised email accounts contained patient health information, which may have included patient name, date of birth, and clinical information related to neonatal and/or fetal care provided at CHOP or, in some instances, at the Hospital of the University of Pennsylvania (HUP). Per the breach report with the Department of Health and Human Services’ Office for Civil Rights (DHHS/OCR), this incident affected over 5,300 mothers/babies.
  • Texas Children’s Risk Profile:
    Threat actors that leverage phishing as an attack vector can be very successful due to the Human Factor. Mitigation requires user behavior change and a heighten level of security vigilance. At Texas Children’s, our exposure can be slightly reduced due to existing controls and security technologies in place. Our next generation email security can help protect against sophisticated spear-phishing and impersonation attacks, unknown malware and spam. We conduct regular simulated phishing to our Texas Children’s workforce and require targeted security training. We also rolled out multi-factor authentication which greatly reduces the risk of leveraging compromised user credentials to gain remote access to our network.

2. Atrium Health – Cyber-attack @ 3rd party provider

  • Overview:
    On November 27, Charlotte-based hospital network Atrium Health informed over 2.65 million patients and guarantors that their personal information was compromised following a breach at one of their third-party provider’s environment – AccuDoc Solutions. This breach is the largest seen by a health care organization in 2018. AccuDoc provides billing services to Atrium Health. The breach was noticed by AccuDoc on October 1, which detected unauthorized access to its databases that stored information related to payments made at several Atrium Health locations. The compromised databases stored personal information on patients and guarantors, including name, date of birth, address, insurance policy details, medical record number, invoice number, account balance, date of service and, in some cases, social security number.
  • Texas Children’s Risk Profile:
    Specifically to the attack vector for this cyber breach of leveraging security weaknesses of a third-party provider, Texas Children’s has a robust process to review and assess the security posture of our third party providers – especially providers that process and manage Texas Children’s restricted data (i.e., PHI, PII, PCI, etc.). Due to the nature of our industry, our risk tolerance is quite low. As a result, all third-party providers that do not meet our security standards are vetted by our executive vendor risk management steering committee to better understand the risk, mitigating controls, and legal ramifications in order to make a risk-balanced decision for the organization.

3. Baylor Scott & White Medical Center – Cyber-attack @ 3rd party provider

  • Overview:
    On December 11, Baylor Scott & White Medical Center disclosed that over 47,000 patients’ or guarantors’ personal and credit card information were compromised following a breach. The exposed information includes names, mailing addresses, telephone numbers, dates of birth, medical record numbers, dates of service, insurance provider information, account numbers, last four digits of the credit card used for payment, the credit card CVV number, type of credit card, dates of recurring payment, account balance, invoice numbers and transaction statuses. Baylor Scott & White and Memorial Hermann Health System announced on October 1, 2018 that they are to merge into a combined system. Investigation is still underway but preliminary reports indicate that the cyber breach may have occurred at one of Baylor Scott & White’s third party credit card processing vendors.
  • Texas Children’s Risk Profile:
    If the attack vector for this cyber breach leveraged security weaknesses of a third-party provider, Texas Children’s has a robust process to review and assess the security posture of our third party providers – especially providers that process and manage Texas Children’s restricted data (i.e., PHI, PII, PCI, etc.). Due to the nature of our industry, our risk tolerance is quite low. As a result, all third-party providers that do not meet our security standards are vetted by our executive vendor risk management steering committee to better understand the risk, mitigating controls, and legal ramifications in order to make a risk-balanced decision for the organization.