HIPAA Blog

[ Thursday, August 01, 2024 ]

Baim Institute for Clinical Research Suffers Ransomware Event and Data Disclosure: According to this analysis by Safety Detectives, Baim Institute for Clinical Research was the victim of a ransomware event, did not pay the ransom, and some of the data was subsequently posted on the internet.

There are many interesting aspects to this breach.  First, it's unclear whether HIPAA is implicated; Baim is not a covered entity, but it could be a business associate, depending on whom it contracts with and provides services to.  To the extent the incident was caused by Baim's lack of sufficient security, it could be a contractual breach by Baim.  The data disclosed contains little that would be PHI, and the PHI that is there is not likely to be useful for identity theft, since it only includes very limited information about adverse events, and it's unclear whether even patient names are included (age and gender are data points that can remain in de-identified PHI); however, the data could potentially be useful for blackmail, public embarrassment of the study participants, etc.  The disclosed data seems to have three value points: (i) reputational damage to Baim by exposing them as potentially bad data stewards; (ii) possible disclosure of Baim's business relationships that a competitor might exploit; and (iii) information about particular studies that could indicate whether a drug in development might be a blockbuster or a flop (and therefore potentially affect the stock price of the sponsor).

It is yet one more message to the industry: it's not a question of if, but of when, and if you are not prepared for a ransomware attack, you deserve what you get.  Good backups, good perimeter security, good testing of your systems and staff, and good mapping of your systems can go a long way toward preventing most attacks, and toward letting you recover from those lucky dogs that get through.

Good work by Safety Detectives.


Jeff [9:20 AM]