Ontario Provincial Police (OPP) in Canada have arrested a man believed to be responsible for an Alaska HIPAA breach in April 2018 that resulted in the possible exposure of approximately 700,000 individuals’ protected health information.

Alaska HIPAA Breach

Following a 23-month investigation, Matthew Philbert, 31, was arrested on November 30, 2020, and charged with fraud, unauthorized use of a computer, and “possession of device to obtain unauthorized use of a computer system or to commit mischief.” He remains in custody.

International Law Enforcement Aids Investigation of Alaska HIPAA Breach

Separate but parallel investigations by the Federal Bureau of Investigation in the United States, OPP’s Cyber Operations Center, the Royal Canadian Mounted Police’s National Cybercrime Coordination Unit, and Europol in the European Union uncovered evidence of “multiple ransomware attacks” and malware campaigns.

These incidents impacted an unknown number of victims in the U.S., Canada, and potentially other countries. Philbert is accused of attacks that hit “many targets, including individuals, businesses, municipalities, and their respective data and information systems and infrastructure,” said OPP Deputy Commissioner Chuck Cox at a Tuesday virtual press conference.


Alaska HIPAA Breach Triggers U.S. Indictment

The U.S. Attorney’s Office in Anchorage, Alaska also unsealed a two-count indictment, charging Philbert with computer fraud and conspiracy to commit computer fraud. If convicted on either charge, he faces forfeiture of any proceeds traceable to the violations. If that property cannot be recovered, the government will seek forfeiture of other property owned by Philbert.

Upon Philbert’s arrest by Canadian authorities, evidence was seized and held for investigation, including desktop and laptop computers, a tablet, several hard drives, cellphones, a Bitcoin seed phrase, and several blank cards with magnetic stripes.

Another Alaska HIPAA Breach

In 2012, an unencrypted USB drive was stolen from the Alaska Department of Health and Social Services. The drive was believed to hold the electronic protected health information (ePHI) of Medicaid beneficiaries.

Following an investigation by the Office for Civil Rights, the state agreed to pay $1.7 million as part of a settlement agreement. The investigation uncovered serious violations of HIPAA regulations including:

  • Failure to complete a risk analysis.
  • Failure to implement sufficient risk management measures.
  • Failure to complete security training for workforce members.
  • Failure to implement device and media controls.
  • Failure to address device and media encryption.

Incidents Like Alaska HIPAA Breach Rising

Unfortunately, cyberattacks are becoming more and more common. An October report from the non-profit Identity Theft Resource Center found that publicly reported data compromises through Sept. 30, 2021, were 17 percent higher than in all of 2020.

If you are a healthcare provider or an organization that serves providers, achieving HIPAA compliance should be a foundational part of your cybersecurity measures. An effective compliance program should include a security risk analysis to identify and remediate gaps related to PHI privacy, data security, policies and procedures, and effective training.

You need signed business associate agreements with vendors who touch PHI, and you need a plan for incident management and breach reporting. Finally, you have to be able to prove you’ve done all of the above in the event of an audit.

In the wake of Philbert’s arrest, Chris Lynam, the Director General of the National Cybercrime Coordination Unit and the Canadian Anti-Fraud Centre, had the following advice on preventing cyberattacks:

“The best thing people and organizations can do to help us combat cybercrime is learn how to protect themselves from it and always report instances to local law enforcement.”