Protecting Healthcare Records These Days is Like a Game of “Whac-a-Mole”

Written by Doug Austin, Editor of eDiscovery Today

You’ve probably either played the game “Whac-a-Mole” yourself as a kid, or you watched your kid play it, at a Chuck E. Cheese or another similar arcade. It’s a simple game with five holes in which moles pop up and a soft rubber mallet to pop them on the head with – you get points for every time you pop one on the head. The game starts out slow at first, and it’s easy to keep up with the moles that pop up. But it gets faster and faster until several moles are popping up at once and it’s impossible to keep up with them all.

The job of protecting protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) is becoming more like a game of “Whac-a-Mole” where it’s been increasingly difficult to protect all the places where PHI can appear, expanding the risk of exposure of that data.

Impacts from a Recent Healthcare Cyber Attack

Here’s one example of one recent ransomware attack that impacted many healthcare organizations. On February 19, 2021, NEC Networks, dba CaptureRx, a company that provides IT services to hospitals to help manage their 340B drug discount programs, determined unauthorized individuals had accessed, acquired and encrypted files containing sensitive data earlier that month on February 6th. The investigation confirmed that files containing the protected health information of 2,400,000 or more patients were compromised in the attack. That’s scary.

CaptureRx stated that it had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, the company stated that policies and procedures were reviewed and enhanced, and additional training has been provided to the workforce to reduce the risk of any further security breaches.

Here’s something potentially even scarier: at least 32 healthcare organizations (and probably more) were affected by the ransomware attack. This attack didn’t originate within the healthcare organizations themselves, it originated within their IT provider for one specific function: 340B drug discount programs. If just one healthcare provider had been more diligent with its outside IT providers in terms of vetting its policies and procedures, this issue possibly could have been avoided for all of them.

Of course, that didn’t stop multiple class action lawsuits from being filed. Just this week, CaptureRx proposed a $4.75 million settlement to resolve claims related to the breach. That’s a significant cost for one data breach, and it’s only the latest example of data breaches involving healthcare organizations.

The interactive map of US ransomware attacks since 2018 from Comparitech shows 283 known ransomware attacks during that time, with 193 of them coming in just the last two years (several of which involve hundreds of thousands to millions of patient health records compromised).

Shadow Information Within Healthcare Organizations

The above example illustrates a significant problem of protecting PHI and other personally identifiable information (PII) within healthcare organizations – shadow information.

Healthcare organizations already invest millions in Electronic Medical Record (EMR) solutions, including the security to protect those solutions. But the problem is other solutions and systems that integrate with the EMR solution that also store PHI and PII for patients as well, such as SharePoint, shared drives and other solutions, such as the one in the example above.

Many organizations don’t even realize the extent to which PHI and PII has proliferated within their organizations as shadow information in various other systems and solutions.


Ultimately, it doesn’t matter how secure your primary EMR solution if the hackers can get the same information from a less secure solution or system that the organization uses. This leaves companies playing the game “Whac-a-Mole” to protect that information everywhere else. Why do you think hackers call it a “back door”?

The first step to protecting valuable PHI and PII is knowing where it is! How valuable is it? At least $4.75 million dollars to one IT provider of healthcare services.

Speaking of shadow information for healthcare organizations, Nick Inglis will be presenting the session Understanding and Addressing Your Shadow Information Problem at the Healthcare Law & Compliance Institute on Monday February 28 at 11:45am at The Ritz-Carlton in Sarasota, FL. For more information about the topic and his presentation, click here.

And for more educational topics from me related to eDiscovery, information governance, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!