Ransomware Attacks – Is Your Data Protected?

Safeguarding electronic Protected Health Information (ePHI) is as important for a big Fortune 1000 company as it is for independent pharmacies. The HIPAA Security Rule was designed to be flexible to accommodate providers of different sizes and with varying scopes of practice; therefore, the size of your pharmacy does not matter: the Security Rule still applies. That means administrative, technical and physical safeguards are all required to protect patient information.

A recent breach at PharMerica Corporation should serve as a reminder to reassess your pharmacy’s own safeguards to help decrease the risk of a successful malicious cyberattack. According to the PharMerica breach notification posted online in the Maine Attorney General Data Breach Notifications database, the breach affected over 5.1 million people. The attack occurred between March 12 and March 13, 2023, and was discovered on March 21, 2023. A sample of PharMerica’s breach notification letter explained that hackers gained access to patient records including “name, address, date of birth, Social Security number, medications, and health insurance information.” A ransomware gang claimed to be behind the attack, and when PharMerica did not pay the ransom to buy back its stolen data, the information was published online.

Administrative safeguards such as firewalls, anti-virus software, log-in monitoring and password management are just a few examples of methods to protect ePHI. Here are several questions to consider about your own program:

  • What array of methods does your pharmacy use to safeguard your ePHI?
  • Have you evaluated your vulnerabilities lately?
  • Have new/different threats been identified that require consideration for additional safeguards to be implemented?

PAAS Tips:

  • At least once a year, the Security Officer should perform a thorough assessment of the potential threats, vulnerabilities and the associated risks to the confidentiality, integrity and availability of ePHI
  • Develop and implement policies and procedures to safeguard ePHI
  • PAAS National® Fraud, Waste & Abuse and HIPAA Compliance Program members should review their Policy & Procedure Manual for additional guidance on safeguards (specifically, Section 11 – HIPAA Security and Other Administrative Simplifications) and should perform a Risk Analysis at least annually
Sara Hathaway, PharmD