Harris Health

Harris Health, a Texas-based healthcare system operating hospitals and clinics in Houston, suffered an insider breach that ran for roughly a decade (January 2011 to March 2021). A former employee used legitimate EHR access to view the electronic health records of about 5,000 patients without a work-related need, and the records were disclosed to unauthorized individuals. The exposed data includes names, dates of birth, addresses, medical histories, diagnoses, medications, insurance details and, for some patients, Social Security numbers. Harris Health discovered the access on February 10, 2021 and reported it to the FBI, whose investigation held up patient notification until 2025. Harris Health is offering identity and credit monitoring to affected individuals. The security-relevant point is the duration: one user with standing access read records for ten years before anyone checked, which points to audit logs that were collected but not analysed and to entitlements that were never periodically reauthorized. The FBI's prolonged involvement suggests, but the public record does not confirm, criminal activity beyond the unauthorized access itself.

Source: https://www.bankinfosecurity.com/hospital-insider-breach-lasted-10-years-led-to-fbi-inquiry-a-29668

TPRM report: https://www.rankiteo.com/company/harris-health

"id": "har3062630100825",
"linkid": "harris-health",
"type": "Breach",
"date": "6/2011",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5,000 patients',
                        'industry': 'Healthcare',
                        'location': 'Houston, Texas, USA',
                        'name': 'Harris Health System',
                        'size': 'Large (Operates 2 trauma centers, 37 clinics, '
                                'and specialty locations)',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Insider Threat (Improper Access by Former Employee)',
 'customer_advisories': ['Complimentary Identity and Credit Monitoring Offered '
                         'to Affected Patients'],
 'data_breach': {'data_exfiltration': 'Yes (Disclosed to Unauthorized '
                                      'Individuals)',
                 'file_types_exposed': ['EHR Database Records',
                                        'Potentially Printed/Exported Files'],
                 'number_of_records_exposed': '5,000 patient records',
                 'personally_identifiable_information': ['Names',
                                                         'Dates of Birth',
                                                         'Addresses',
                                                         'Email Addresses',
                                                         'Phone Numbers',
                                                         'SSNs (for some '
                                                         'patients)'],
                 'sensitivity_of_data': 'High (Comprehensive Health and PII '
                                        'Data)',
                 'type_of_data_compromised': ['Protected Health Information '
                                              '(PHI)',
                                              'Personally Identifiable '
                                              'Information (PII)',
                                              'Social Security Numbers '
                                              '(SSNs)']},
 'date_detected': '2021-02-10',
 'date_publicly_disclosed': '2024-09-27',
 'description': 'Harris Health, a Texas-based healthcare organization, is '
                'notifying 5,000 patients of an insider breach involving a '
                'former employee who improperly accessed electronic health '
                'records (EHRs) from January 4, 2011, to March 8, 2021. The '
                'breach was discovered on February 10, 2021, and reported to '
                'the FBI, which delayed patient notifications until recently. '
                'The compromised data includes names, dates of birth, '
                'addresses, email addresses, phone numbers, medical record '
                'numbers, clinical information, diagnoses, medical history, '
                'medications, immunizations, provider names, dates of service, '
                'insurance information, and Social Security numbers for some '
                'patients. Harris Health is offering identity and credit '
                'monitoring to affected patients.',
 'impact': {'brand_reputation_impact': 'High (Long-Term Breach, Delayed '
                                       'Notification, Sensitive Health Data '
                                       'Compromised)',
            'data_compromised': ['Names',
                                 'Dates of Birth',
                                 'Addresses',
                                 'Email Addresses',
                                 'Telephone Numbers',
                                 'Medical Record Numbers',
                                 'Clinical Information',
                                 'Diagnoses',
                                 'Medical History',
                                 'Medications',
                                 'Immunizations',
                                 'Provider Names',
                                 'Dates of Service',
                                 'Insurance Information',
                                 'Social Security Numbers (for some patients)'],
            'identity_theft_risk': 'High (SSNs and Comprehensive PII Exposed)',
            'legal_liabilities': ['Potential HIPAA Violations',
                                  'FBI Investigation Ongoing'],
            'operational_impact': ['FBI Investigation Delayed Patient '
                                   'Notifications for ~4 Years',
                                   'Reputation Damage',
                                   'Potential Regulatory Scrutiny'],
            'payment_information_risk': 'Low (No Explicit Mention of Payment '
                                        'Card Data)',
            'systems_affected': ['Electronic Health Records (EHR) System']},
 'initial_access_broker': {'entry_point': 'Legitimate EHR System Access '
                                          '(Abused by Insider; No External '
                                          'Broker Involved)',
                           'high_value_targets': ['Patient PHI (Including '
                                                  'SSNs, Medical Histories)'],
                           'reconnaissance_period': '2011-01-04 to 2021-03-08 '
                                                    '(~10 years of improper '
                                                    'access; no distinct '
                                                    'reconnaissance phase '
                                                    'reported)'},
 'investigation_status': 'Ongoing (FBI Investigation; No Public Updates on '
                         'Charges or Conclusions)',
 'lessons_learned': ['Importance of Role-Based Access Control (RBAC) for EHR '
                     'Systems',
                     'Need for Regular Audits of EHR Access Logs',
                     "Risks of 'Access Creep' (Accumulated Unnecessary "
                     'Permissions Over Time)',
                     'Criticality of Timely Patient Notification (Balanced '
                     'with Law Enforcement Needs)',
                     'Value of Employee Training on Permissible PHI Access'],
 'motivation': ['Unauthorized Disclosure to Third Parties',
                'Potential Criminal Activity (Under FBI Investigation)'],
 'post_incident_analysis': {'corrective_actions': ['Termination of Responsible '
                                                   'Employee',
                                                   'Forensic Investigation',
                                                   'Patient Notification '
                                                   '(Delayed by FBI)',
                                                   'Offer of Identity '
                                                   'Monitoring Services',
                                                   'Implied Review of Access '
                                                   'Controls (Not Explicitly '
                                                   'Detailed)'],
                            'root_causes': ["Lack of Enforcement for 'Minimum "
                                            "Necessary' PHI Access",
                                            'Insufficient Monitoring/Auditing '
                                            'of EHR Access',
                                            "Potential 'Access Creep' "
                                            '(Accumulated Permissions Over '
                                            'Time)',
                                            'Delayed Detection (Breach Lasted '
                                            '~10 Years)']},
 'recommendations': ['Implement Strict RBAC with Quarterly Reauthorization',
                     'Deploy Technology to Monitor and Alert on Suspicious EHR '
                     'Access (e.g., Same Last Name, Geographic Proximity, '
                     'Off-Hours Logins)',
                     'Conduct Periodic Manual Audits of EHR Access',
                     "Enforce 'Minimum Necessary' HIPAA Requirements for PHI "
                     'Access',
                     'Avoid Copying Access Profiles Between Employees',
                     'Prohibit Shared Credentials for EHR Systems',
                     'Train Employees on Permissible vs. Prohibited PHI Access',
                     'Invest in Automated Log Collection and Analysis for PHI '
                     'Systems'],
 'references': [{'date_accessed': '2024-09-27',
                 'source': 'Information Security Media Group (ISMG)',
                 'url': 'https://www.govinfosecurity.com/hospital-insider-breach-lasted-10-years-led-to-fbi-inquiry-a-24021'},
                {'date_accessed': '2024-09-27',
                 'source': 'Harris Health Privacy Breach Notice'}],
 'regulatory_compliance': {'legal_actions': ['FBI Investigation (Status '
                                             'Unknown)',
                                             'Potential HIPAA Enforcement by '
                                             'HHS OCR'],
                           'regulations_violated': ['Health Insurance '
                                                    'Portability and '
                                                    'Accountability Act '
                                                    '(HIPAA) (Potential; No '
                                                    'Enforcement Action '
                                                    'Reported)'],
                           'regulatory_notifications': ['FBI (2021)',
                                                        'Patients (2024, '
                                                        'Delayed)']},
 'response': {'communication_strategy': ['Privacy Breach Notice to Patients',
                                         'Media Statement (Limited Details Due '
                                         'to Ongoing FBI Investigation)'],
              'containment_measures': ['Termination of Employee',
                                       'Forensic Investigation'],
              'enhanced_monitoring': 'Implied (Post-Breach Recommendations for '
                                     'EHR Access Audits)',
              'incident_response_plan_activated': 'Yes (Investigation Launched '
                                                  'with Forensic Firm)',
              'law_enforcement_notified': 'Yes (FBI, Delayed Patient '
                                          'Notification per FBI Request)',
              'recovery_measures': ['Patient Notification (Delayed by FBI)',
                                    'Public Disclosure'],
              'remediation_measures': ['Offering Complimentary Identity and '
                                       'Credit Monitoring to Affected Patients',
                                       'Potential Review of Access Controls '
                                       '(Implied)'],
              'third_party_assistance': ['Forensic Investigation Firm', 'FBI']},
 'stakeholder_advisories': ['Patients Notified via Privacy Breach Notice '
                            '(Delayed by FBI)'],
 'threat_actor': 'Former Employee (Unnamed)',
 'title': 'Harris Health Insider Breach Lasted 10 Years, Led to FBI Inquiry',
 'type': ['Data Breach', 'Insider Threat', 'Unauthorized Access'],
 'vulnerability_exploited': ['Weak or Unenforced Role-Based Access Control '
                             '(RBAC) (Inferred)',
                             'Insufficient Monitoring of EHR Access',
                             'Audit Logs Not Reviewed (Access Went Undetected '
                             'for ~10 Years)',
                             "Failure to Enforce 'Minimum Necessary' HIPAA "
                             'Requirements']}
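The detection and access-review recommendations in the record above (alerting on same-last-name, off-hours and unrelated-patient access, daily-volume baselining, and stripping accumulated "access creep" at reauthorization) in working form. This is an added example, not Harris Health's or Rankiteo's code: the pipe-separated audit format, the care-team table, the role templates, the business-hours window and the per-day patient ceiling are all assumptions chosen for illustration, and the audit lines are constructed, not real data.

```python
"""Rule-based review of EHR access audit records.

Added example, not Harris Health's or Rankiteo's code. The log format, the
care-team table, the role templates and every threshold are assumptions
chosen for illustration; the audit lines are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines. Assumed pipe-separated format:
# timestamp|user_id|user_last_name|user_dept|action|mrn|patient_last_name
SAMPLE_LOG = """\
2021-02-09T09:12:00|u1001|garcia|cardiology|VIEW|MRN0001|lopez
2021-02-09T09:15:00|u1001|garcia|cardiology|VIEW|MRN0002|garcia
2021-02-09T23:40:00|u2002|smith|billing|VIEW|MRN0003|nguyen
2021-02-09T23:42:00|u2002|smith|billing|VIEW|MRN0004|patel
2021-02-09T23:45:00|u2002|smith|billing|EXPORT|MRN0005|chen
2021-02-09T10:00:00|u3003|lee|oncology|VIEW|MRN0003|nguyen
"""

# Assumed care-team assignments (user_id, mrn): the "treatment relationship"
# that justifies opening a chart under the minimum-necessary standard.
CARE_TEAM = {("u1001", "MRN0001"), ("u3003", "MRN0003")}

BUSINESS_HOURS = range(7, 19)        # 07:00-18:59, assumed
MAX_DISTINCT_PATIENTS_PER_DAY = 2    # assumed per-user baseline ceiling

# Assumed role templates used for the access-creep review.
ROLE_ENTITLEMENTS = {
    "billing": {"ehr.demographics.read", "ehr.claims.read"},
    "cardiology": {"ehr.demographics.read", "ehr.clinical.read", "ehr.clinical.write"},
}


def parse_log(text):
    """Turn the pipe-separated audit lines into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, user_last, user_dept, action, mrn, patient_last = line.split("|")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "user_last": user_last.lower(),
            "user_dept": user_dept,
            "action": action,
            "mrn": mrn,
            "patient_last": patient_last.lower(),
        })
    return records


def find_suspicious_access(records):
    """Apply per-record and per-day rules; return a list of findings.

    Per-record rules: shared last name (possible family or self lookup),
    off-hours access, access with no care-team relationship, and export of
    a record. The per-day rule flags users who touched more distinct
    patients than the assumed baseline allows.
    """
    findings = []
    distinct_per_user_day = defaultdict(set)
    for r in records:
        reasons = []
        if r["user_last"] == r["patient_last"]:
            reasons.append("same_last_name")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        if (r["user"], r["mrn"]) not in CARE_TEAM:
            reasons.append("no_treatment_relationship")
        if r["action"] == "EXPORT":
            reasons.append("export")
        if reasons:
            findings.append({"user": r["user"], "mrn": r["mrn"], "reasons": reasons})
        distinct_per_user_day[(r["user"], r["ts"].date())].add(r["mrn"])

    for (user, day), mrns in distinct_per_user_day.items():
        if len(mrns) > MAX_DISTINCT_PATIENTS_PER_DAY:
            findings.append({
                "user": user,
                "mrn": None,
                "reasons": ["distinct_patients_above_baseline:%d on %s" % (len(mrns), day)],
            })
    return findings


def excess_entitlements(role, granted):
    """Entitlements a user holds beyond the role template: the 'access creep'
    that a quarterly reauthorization review should strip."""
    return sorted(set(granted) - ROLE_ENTITLEMENTS[role])


if __name__ == "__main__":
    for f in find_suspicious_access(parse_log(SAMPLE_LOG)):
        print(f["user"], f["mrn"], ", ".join(f["reasons"]))
    print("creep:", excess_entitlements(
        "billing", {"ehr.demographics.read", "ehr.claims.read", "ehr.clinical.read"}))
```

On the sample, the cardiology user opening a chart with the same surname and no care-team link is flagged, and the billing user's three late-night reads and one export are flagged individually and again by the daily-volume rule. The care-team check is the rule that would have mattered most in a ten-year insider case: it turns "was this user allowed into the EHR at all" into "did this user have a reason to open this chart", which is what the HIPAA minimum-necessary standard actually asks.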