At Rendition Infosec, we've been following the recent rash of hospital disclosures surrounding PHI. Only a few years ago, it seems that most legal teams felt the disclosure standard was confirmed PII or PHI disclosure to third parties. Recently, we've seen that malware installed on machines used to enter or process PII or PHI seems to trigger a notification. This is true even when there is no confirmed loss of PHI or PII - the simple possibility of illicit disclosure seems to trigger the notification.
A notification by an Ohio hospital chain in November seems to highlight this case perfectly. They identified malware on multiple machines. They were originally notified by the FBI that they had a problem, indicating that they lacked the internal monitoring capability to detect the breach themselves. In this case, the legal decision may have been made to disclose the breach based on the lack of information available about what data the malware may have exfiltrated. In any case, it's yet another disclosure from a major health care organization (UCLA led the way with notifications earlier this year) where there was no evidence of the threat actor accessing or exfiltrating data.
To make matters worse, according to the notification the hospital was already infected with the malware when it was purchased in July 2015. This points to another common problem we see at Rendition - inadequate due diligence performed during mergers and acquisitions (M&A). During M&A, getting the valuation correct is critical. But after a breach, the valuation of a company can change drastically. Further, the acquiring company is stuck footing the bill for any incident response, credit monitoring, and other costs associated with the breach.
Many healthcare providers have chosen to disclose without direct evidence of theft or misuse. What does this mean for others in a similar situation? I am not a lawyer, but I know that legal precedent matters. Of course you should consult with your legal team when deciding whether or not to disclose. But as the infosec professional in the organization, you should also be helping them understand whether there are similar cases where organizations have already made decisions. These may be viewed as the industry standard and influence the decisions of the legal team.