Philips Ultrasound Systems Vulnerability Discovered
An authentication bypass vulnerability affecting Philips Ultrasound Systems that could be targeted by a hacker to view or modify data has been discovered. The flaw is caused by the presence of an alternative path or channel that can be used to bypass authentication controls. The flaw is tracked as CVE-2020-14477. This is a low severity flaw which has been assigned a CVSS v3 base score of 3.6 out of 10. To target the vulnerability,...
Information on Contacting COVID-19 Patients to Request Blood & Plasma Donations
Once patients contract an infectious respiratory disease like COVID-19, the immune system creates antibodies that supply protection if the pathogen appears again. The antibodies in the blood of patients who recover from an illness like this are key to fighting it. Those antibodies could also be used to treat other patients. Through the donation of blood and plasma two preparations can be created: Convalescent plasma and hyperimmune...
Improved Compliance Revealed in Ciitizen HIPAA Right of Access Study
There has been a major improvement in compliance with the HIPAA Right of Access, according to the most recent Patient Record Scorecard Report from Ciitizen. To formulate the report, Ciitizen conducted a study of 820 healthcare suppliers to assess how well each responded to patient requests for copies of their healthcare data. A wide variety of healthcare suppliers were assessed for the study, from single physician practices to large,...
HIPAA Violations in Michigan and Illinois Lead to Healthcare Workers Being Fired
A staff member at Ann & Robert H. Lurie Children’s Hospital of Chicago has been fired for accessing the medical records of patients without the appropriate authorization over a period of 15 months. The privacy violations were discovered when, after reviewing access logs, the hospital found that a staff member had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The range of...
Three Actively Exploited Flaws Patched by Microsoft
On April 2020 Patch Tuesday, Microsoft made available updates to fix 113 flaws in its operating systems and software solutions, 19 of which have been rated critical. This month’s group of updates includes fixes for 3 zero-day flaws that are being actively exploited in real world attacks. Two of the actively exploited flaws were revealed by Microsoft in March and Microsoft suggested workarounds to limit the chance of exploitation. The...
Waiver of HIPAA Penalties for Good Faith Operation of COVID-19 Community-Based Testing Sites
The HHS has issued an additional Notice of Enforcement Discretion covering healthcare providers and business associates that manage some aspect of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement Discretion, the HHS will not issue sanctions and penalties in relation to good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is...
PHI Disclosures for Public Health and Health Oversight Activities Allowed in Notice of Enforcement Discretion for Business Associates
On April 2, 2020, the Department of Health and Human Services revealed that with immediate effect, it will be applying enforcement discretion and will not impose sanctions or fines against healthcare providers or their business associates for good faith uses and sharing of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health...
Coronavirus Pandemic Guidance on Telehealth & HIPAA Released by OCR
After the announcement made by the HHS’ Office for Civil Rights that enforcement of HIPAA compliance linked to the good faith provision of telehealth services for the duration of the COVID-19 pandemic has been relaxed, OCR has published guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications...
Google’s Response to Senators Questions About Ascension Partnership Deemed Incomplete
After it became public that a massive amount of patient data had been shared with Google by the Catholic health system Ascension, the second biggest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google asking for answers about the nature of the agreement and the data the company received. Ascension manages 150...
Manchester Ophthalmology & UnitedHealthcare Impacted by Data Breaches
Manchester Ophthalmology in Connecticut has suffered a cyberattack in which the hackers may have gained access to patient data. The eye care supplier became aware of the cyberattack on November 25, 2019 when employees identified suspicious activity on the network. Assisted by an external technology firm, it was determined later that day that hackers had gained access to its systems and tried to deploy ransomware. Access was first...
2020 Healthcare Data Breach Report
Protenus has released its 2020 healthcare data breach report which shows the past 12 months have been the worst ever in terms of the number of reported breaches. For its 2020 Breach Barometer report, Protenus, in conjunction with databreaches.net, identified more than 572 healthcare data breaches of 500 or more records in 2019, up 48.6% compared to 2018. The number of data breaches affecting the healthcare industry has increased...
Partially Completed Prescriptions of Schedule II Drugs Must be Tracked: HHS
The Department of Health and Human Services has released a final rule changing the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that obligates pharmacies to record partially completed prescriptions for Schedule II drugs. The modification is part of HHS efforts to manage opioid abuse in the United States and will supply a greater quantum of data that may help control impermissible refills...
Novel Coronavirus Outbreak Prompts HHS Covered Entity HIPAA Data Sharing Warning
In response to the 2019 Novel Coronavirus outbreak, the Department of Health and Human Services has released a bulletin to make HIPAA-covered entities aware of the allowable methods for sharing patient information during outbreaks of infectious disease and other emergency situations. In the news release, the HHS confirmed that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must...
Survey: Cost of Healthcare Data Breaches Predicted to Reach $4 Billion in 2020
Healthcare sector data breaches are taking place at an unprecedented level. The healthcare data breach figures for 2019 have yet to be drawn up, but so far 494 data breaches of more than 500 records have been made known to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst year on record for healthcare data breaches and the second...
2019 HIPAA Enforcement
2019 was another period with stringent HIPAA compliance enforcement evident. Action taken by the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 witnessed two civil monetary penalties sanctioned and settlements were agreed with eight groups, one less than 2018. In 2019, the average fine...
Rep. Jayapal Questions Google & Alphabet Ascension Partnership
Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, has written to Google and Alphabet in relation to their Ascension partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI. The partnership between Google and...
HIPAA Compliance for Amazon Lex
Amazon has revealed that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare groups without breaching Health Insurance Portability and Accountability Act Rules. Amazon Lex is a service that permits customers to create conversational interfaces into applications using text and voice. It permits the creation of chatbots that use lifelike, natural language to engage with clients, submit questions,...
Privacy Protections for Consumer Health Data to be Enhanced by Smartwatch Data Act
Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. This new legislation will ensure that health data gathered through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent. The Health Insurance Portability and Accountability Act (HIPAA) applies to health data...
Sentara Hospitals Agrees to $2.175M HIPAA Settlement for Breach Notification Rule and BAA Failures
The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its eighth HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle possible breaches of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to remedy areas of noncompliance. Sentara runs 12 acute care hospitals in Virginia and North Carolina and has more than...
Timothy Noonan Revealed as New Deputy Director for Health Information Privacy at Office for Civil Rights
The Department of Health and Human Services’ Office for Civil Rights (OCR) has appointed Timothy Noonan Deputy Director for Health Information Privacy. The position of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and police the HIPAA Privacy, Security,...
Range of HIPAA Breaches Result in $2.15 Million Civil Monetary Penalty for Jackson Health System
The Department of Health and Human Services’ Office for Civil Rights has sanctioned a $2.15 million civil monetary penalty against the Miami, FL-located nonprofit academic medical system, Jackson Health System (JHS), for a slew of breaches of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of many media reports in which the PHI of a patient was impermissibly shared. The person was a...
PHI Disclosures on Yelp Lead to $10,000 Fine for Dental Practice
The Department of Health and Human Services’ Office for Civil Rights has agreed to a HIPAA settlement for a violation case with Elite Dental Associates in relation to the impermissible disclosure of a number of patients’ protected health information (PHI) when answering patient reviews on the Yelp review website. Elite Dental Associates is a Dallas, TX-based privately-owned dental clinic that provides general, implant and cosmetic...
National Patient Identifier Repeal Act Introduced by Senator Rand Paul
Sen. Rand Paul, M.D., (R-Kentucky) has brought in a new bill that aims to have the national patient identifier provision of HIPAA permanently deleted due to privacy concerns over the configuration of such a system. At present, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the first HIPAA legislation of 1996 as a measure to facilitate data...
Flaws Discovered in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors
Two flaws have been discovered in Philips IntelliVue WLAN firmware which impact certain IntelliVue MP monitors. The flaws could be exploited by hackers to download malicious firmware which could affect data flow and lead to an inoperable condition warning at the device and Central Station. Philips was made aware of the flaws by security expert Shawn Loveric of Finite State, Inc. and proactively released a security advisory to allow...
NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices
The National Cybersecurity Center of Excellence (NCCoE) has published new draft NIST mobile device security guidance to help groups address the risks created by corporate-owned personally enabled (COPE) devices. Mobile devices permit staff members to access resources vital for their work duties, no matter where those individuals are based. As such, the devices allow groups to enhance efficiency and productivity, but the devices bring...
Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible
Following a recently completed investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability analysis company Greenbone Networks, it has been stated that 24.3 million medical images included in image storage systems are freely accessible on the Internet and require no authentication to view or download the images. Those images, which include X-rays, MRI, and CT scans, are held in picture archiving and...
Kaspersky Lab Survey: No Cybersecurity Training for 32% of Healthcare Workers
There have been a minimum of 200 breaches of greater than 500 records reported since January and 2019 looks set to be another record-breaking 12 months for healthcare data breaches. The ongoing rise in data breaches led to Kaspersky Lab completing a survey to ascertain more about the state of cybersecurity in healthcare. Kaspersky Lab has now released the second part of its report from the survey of 1,758 healthcare workers in the...
HIPAA Compliance & iCloud
We look at HIPAA compliance and iCloud because, as more and more businesses take advantage of cloud computing, an important question for Covered Entities to consider is, are cloud storage services such as iCloud HIPAA compliant? If so, Apple’s cloud storage products – iCloud and iCloud+ – could be a convenient and user-friendly option for storing and saving electronic PHI (ePHI). Apple’s iCloud and iCloud+ services are available...
Emergency Notifications Systems & Business HIPAA-Compliance
Emergency notification systems for business are software services that are often implemented to alert personnel to the risk of danger. Situations in which they are used include incoming hurricanes, chemical spills, active shooter events, and fires; and therefore it would be unusual for Protected Health Information (PHI) to be shared in the context of an emergency alert. In addition, outside of the healthcare and healthcare insurance...
Amazon CloudFront & HIPAA Compliance
Amazon CloudFront is a web service that enables users to optimize the speed of their web content delivery via the Internet and for website hosting. Normally, when a website is viewed, the visitor experiences some latency loading static and dynamic content. The reason for this is viewers will not make a direct connection to the content, instead they will be directed through a path to reach the server where the content can be seen. The...
One-Year Prison Sentence for Former Patient Care Coordinator Following HIPAA Violation
A former patient care coordinator based at University of Pittsburgh Medical Center (UPMC) has been given a one-year prison sentence for accessing the medical records of patients and using that information to cause malicious damage. Sue Kalina, 62, of Butler, PA, had previously been employed at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while a staff member with UPMC,...
HIPAA Compliance & IBM Cloud
IBM provides a cloud platform to help groups create their mobile and web services, build native cloud apps, and host their infrastructure along with a wide variety of cloud-based services for the capture, analysis, and processing of data. The platform has already been configured by many healthcare suppliers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their...
Phishing Attack Impacts PHI of 10,893 Summa Health Patients
It was discovered on May 1 that up to four employee email accounts containing patients’ protected health information (PHI) have been infiltrated at Akron, Ohio-based Summa Health after an unauthorized person obtained access. Summa Health noticed the breach and launched an investigation that found two email accounts were infiltrated during August 2018, and a further two accounts between March 11, 2019 and March 29, 2019. All...
HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill
There may be some implications for HIPAA-covered entities after the Senate Health, Education, Labor and Pensions (HELP) Committee approved the Lower Health Care Costs (LHCC) Act of 2019. One of the main targets of the bill is to enhance the transparency of healthcare expenses and service quality. The bill aims to bring a finish to surprise health bills and make sure patients are kept updated about healthcare costs. The LHCC Act...
Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care Clarified by OCR
The Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance for health plans on how protected health information can be sent to support care coordination and continuity of care. The new material, which has been published in an FAQ format, addresses two questions commonly asked by health plans: Can PHI be shared with another health plan for care coordination reasons? OCR has said that the HIPAA...
Sensitive Information of 11.9 Million Quest Diagnostics Patients Compromised
Quest Diagnostics, one of the leading medical laboratories and blood testing companies in the United States, has been affected by a data breach at one of its vendors. That breach has resulted in the exposure and potential theft of almost 12 million individuals’ personal, medical, and financial information. According to a recent U.S. Securities and Exchange Commission (SEC) filing, Quest Diagnostics was notified of a data breach at the...
Medical Informatics Engineering Settles HIPAA Violation Cases for $1 Million
The electronic medical record software company Medical Informatics Engineering (MIE) has agreed to settle its HIPAA compliance violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights for $100,000 and has agreed to pay $900,000 to resolve a multi-state action filed by state attorneys general over a 2015 data breach. MIE experienced a data breach on May 7, 2015 when hackers gained access to a server...
Healthcare Data Breach Report for April 2019
April 2019 was the worst month recorded, to date, for healthcare data breaches. More data breaches were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) during April than in any other month since healthcare data breach reports were first reported in October 2009. In April, 46 healthcare data breaches were made known to OCR, which is a 48% increase from March and 67% higher than the average number...
Legal Action: Court Told Hospital Worker Shared Patient Information
A legal action has been submitted against Atchison Hospital in Kansas by a rape victim who claims an x-ray technician at the hospital got in touch with her attacker and disclosed sensitive data about the treatment she received at the hospital. According to a report in the Kansas City Star, after being raped, the woman sought treatment at the hospital. She was given a rape kit examination, and allegedly made it clear to the hospital...
Bodybuilding.com Data Breach Impacts 3,193 Employees
The bodybuilding and personal fitness website Bodybuilding.com has revealed it has had to deal with a security incident that may have led to the information of customers and employees being accessed by unauthorized people. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, bodybuilding.com was required to report the breach of group members’ PHI to the Office...
Delayed Breach Response Costs Tennessee Medical Imaging Firm $3 Million
It is not possible to prevent all healthcare data breaches, but when a breach is experienced it must be investigated and mitigated promptly. Delaying the breach response and notifications can prove extremely costly, as the Tennessee medical imaging firm Touchstone Medical Imaging discovered. On May 9, 2014, Touchstone Medical Imaging was notified by the FBI that an FTP server had been left unsecured. At the same time, the HHS’ Office...
Court Rules that Negligence Claim Based on HIPAA Violation can Proceed in Arizona
An Arizona man who submitted a legal action against Costco in relation to a privacy violation and had the lawsuit thrown out by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence in relation to a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question took place in 2016. The man was sent a...
HHS Reforms HITECH Act Penalties for HIPAA Breaches
The Department of Health and Human Services has published a notification of enforcement discretion in relation to the civil monetary penalties that are applied when breaches of HIPAA compliance rules are identified and will be reducing the maximum financial penalty for three of the four penalty levels. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 raised the penalties for HIPAA...
Can SparkPost be Deemed HIPAA Compliant?
SparkPost is a widely-used email delivery and analytics platform that is implemented by many enterprises to send information to customers. Healthcare bodies are required to adhere to HIPAA Rules, so to determine whether SparkPost supports HIPAA compliance and whether its platform can be used in a HIPAA compliant manner we have considered the following. SparkPost is the largest global email delivery and analytics platform and is used to...
Proposal to Pay Patients to Share Their Healthcare Data Included in Oregon Health Information Property Act
The Oregon Health Information Property Act proposes that healthcare patients should be permitted to legally authorize their healthcare suppliers to sell their health data and for them to be paid if their health information is sold to a third party. At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered bodies...
$3m HIPAA Settlement Agreed Between Cottage Health and OCR
A HIPAA penalty settlement of $3,000,000 has been agreed between the Department of Health and Human Services’ Office for Civil Rights (OCR) and the Santa Barbara, CA-based healthcare provider Cottage Health in relation to a HIPAA compliance breach. Cottage Health runs four different hospitals in California, including Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation...
Industry-Wide Effort to Accelerate Interoperability Urged by Hospital Associations
Seven major hospital associations, including the American Hospital Association (AHA), are leading pleas for an industry-wide effort to enhance data sharing. The new report is seeking public and private stakeholder support to speed up interoperability and help remove the obstacles to data sharing. In order to achieve the full potential of the nation’s healthcare system, health data must flow without obstruction. Only then will it be...
Warning About DNS Hijacking Issued by DHS
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has released an emergency warning regarding DNS hijacking campaigns. All government agencies have been told to review their DNS settings over the next 10 days. CISA reports that cyber criminals have been targeting government agencies and changing their Domain Name System records. DNS records are used to determine the IP address of a website...
Criminal HIPAA Violation Leads to Probation for Physician
Following pleading guilty to a criminal violation of HIPAA Rules, a physician has received 6 months’ probation as an alternative to a jail term and financial penalty for the wrongful disclosure of patients’ PHI to a pharmaceutical company. The Department of Justice in Massachusetts heard the legal case in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary...
Vulnerabilities Identified in LabKey Server Community Edition
Security specialists at Tenable Research have identified a number of flaws in LabKey Server Community Edition 18.2-60106.64 which could be targeted to obtain user credentials, access medical data, and run arbitrary code via the LabKey browser. LabKey Server is an open source collaboration tool that enables scientists to integrate, analyze, and distribute biomedical research data. While the platform acts as a secure data repository,...
Anthem Data Breach Settlement of $16 Million Agreed with OCR
The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA...
Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million
The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations. While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an...
Cloud Tool Reduces AWS Costs by 60%
Healthcare groups are, increasingly, implementing cloud-based systems to meet their IT requirements, but while there are multiple reasons for moving applications, infrastructure and data center operations to the cloud, the high cloud costs make it an unattractive possibility. Many healthcare groups purchase AWS EC2 instances to implement this on their servers. While this particular platform meets their requirements, the...
582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services
A recent survey carried out with hackers, incident responders, and penetration testers has showed that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data. The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were located in the United States. Those...
Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacting 30,000 Individuals
Inogen, a manufacturer of portable oxygen concentrators, has found that an unauthorized individual obtained the credentials of an employee and used them to access the staff member’s email account. Phishing and other credential theft incidents are commonplace in the healthcare industry, although what makes this incident unusual is the number of people affected by the attack. The compromised email account included the...
Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Illinois-based physiatry organization Integrated Rehab Consultants is broadcasting notification correspondence to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016 – 16 months previously. The...
Des Moines Crisis Observation Center Discovers Inappropriate Dissemination of Patient Data
1,071 patients who were treated at the Des Moines Crisis Observation Center managed by Polk County Health Services Inc., have been contacted to advise them that some of their protected health information has been “accidentally and unknowingly disseminated” at some point in the last 3.5 years. The breach was first identified on February 14, 2018, although the inquiry revealed that information was first disclosed on June 1, 2014 and the...
Misconfigured Security Settings Result in 63,500 Middletown Medical Patients Having PHI Exposed
A security setting that was not configured properly on a radiology system has led to the exposure of the protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middletown, NY. The breach was first discovered on January 29, 2018. On January 30 the interface was realigned so that unauthorized individuals could no longer obtain patient information. The length of time...
Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients
A former worker at Baptist Health’s West Kendall Baptist Hospital based in Miami, FL illegally obtained the credit card details of patients and used the information to complete fraudulent transactions. The misuse of credit cards was identified by Baptist Health on March 9, 2018 and the matter was then made known to Miami-Dade law enforcement and the employee was removed from their position. Baptist Health has not made it known...
Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack
It has been discovered that the email accounts of several employees of UnityPoint Health have been compromised and accessed by unauthorized people. Access to the staff email accounts was first obtained on November 1, 2017 and went on for a period of three months until February 7, 2018, when the phishing attack was noticed and access to the compromised email accounts was turned off. When the phishing attack was first noticed,...
Almost 14,000 Affected by SAMBA Privacy Breach
14,000 individuals are being alerted about a February 2018 breach of protected health information at the Special Agents Mutual Benefit Association (SAMBA). The data breach affects eligible family members of plan members who were covered by the Federal Employees Health Benefits Plan during 2017. It is an Internal Revenue Service (IRS) obligation for SAMBA to send a copy of Form 1095-B to all plan members every tax year. The form in...
Data Breach Notification and Information Security Laws Updated in Oregon
Data breach notification laws in Oregon have been updated to enhance security for state residents whose personal data is accessible to the public during a data breach. Kate Brown, the State governor, signed the Senate Bill (SB 1551) last month, which updates several parts of the legislation, particularly Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become...
Arc of Erie County New York Reports 3,751 Patients’ PHI Was Exposed on Internet over 30-Month Period
A provider of person-centered services to individuals with developmental disabilities, The Arc of Erie County New York (The Arc), has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet without the need for authentication for a time period of longer than 30 months from July 2015 to February 2018. The two spreadsheets in question could be seen through the...
Missing Hard Drives from Chesapeake Regional Healthcare Contained PHI of 2,100 Patients
Chesapeake, Virginia-based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from its Chesapeake Regional Medical Center campus. The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018. It is...
Improper Disposal of PHI is Common According to JAMA Study
A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected.
Incorrect Destruction of PHI is More Commonplace than Previously Thought
Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at...
Data Breach Notification Law Enacted by South Dakota
It has taken some time for South Dakota to introduce legislation to enhance protections for consumers impacted by breaches of their personal private data. Laws have already been passed in 48 states that obligate persons and companies that hold personal information to publish notifications to breach victims when that information is accessible by unauthorized individuals. Last week, South Dakota citizens were given similar security...
Cambridge Health Alliance Advised of PHI Breach by Law Enforcement
Massachusetts-based Cambridge Health Alliance (CHA) has been advised, by law enforcement agencies, that the protected health information of some of its clients has been found in the possession of an unauthorized person. On January 31, 2018, the Everett, Massachusetts Police Department made CHA aware that files including the PHI of some of its clients had been found in the possession of a person unauthorized to have...
Clinical Pathology Laboratories Southeast Patients’ Have PHI Exposed Due to Theft of Unencrypted Laptop
Clinical Pathology Laboratories Southeast, Inc. (CPLSE) has revealed that an unencrypted laptop computer issued to a member of staff has been stolen, exposing the protected health information of a number of patients and their payment guarantors. CPLSE quickly activated security measures to prevent the laptop from being used to gain access to its network and the theft was reported to law enforcement; however, it is possible that the...
35,000 Patients of ATI Physical Therapy Affected by Data Breach
The protected health information of more than 35,000 patients of ATI Physical Therapy has potentially been compromised by a cyber attack in which hackers obtained access to staff email accounts. The breach was discovered on January 18, 2018 when ATI Physical Therapy saw that the direct deposit information of some of its staff members had been altered in its payroll platform. Quick action was taken to remove...
Finger Lakes Health Computer System Grinds to Halt After Ransomware Attack
A ransomware attack on Finger Lakes Health, based in Geneva, NY, has impacted the computer system to the extent that staff have had to work using pen and paper. In the meantime, efforts to remove the malware and restore access to electronic data have been stepped up. The health system came under attack beginning at around midnight on Sunday March 18, 2018, with workers first noticing the attack when a ransom demand...
NH-ISAC Partnership with Anomali Boosts Threat Detection and Data Sharing
The National Health Information Sharing and Analysis Center (NH-ISAC) and Anomali have begun working together and will be providing threat intelligence to healthcare centers through NH-ISAC. As part of this partnership Anomali will be providing NH-ISAC with the required tools and infrastructure to allow its clients to work together and share threat intelligence with other subscribers. Anomali will be making up-to-date threat...
1,049 Patients of RoxSan Pharmacy Notified of 2015 Email Breach
1,049 patients of Beverly Hills, CA-based RoxSan Pharmacy have been warned that some of their protected health information has been shared with a business associate through an unencrypted email. The notification letters were sent to affected people during February, although the incident happened on January 20, 2015. Commenting in a recent press release, RoxSan stated that affected individuals are being contacted in “as timely a manner...
Primary Health Care Experiences Multiple Email Hacks
A non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, Primary Health Care Inc. has reported that hackers gained access to the email accounts of four workers and may have viewed or downloaded patients’ PHI. Primary Health Care issued a press release and published a substitute breach notice on its website on March 16, 2018, stating that the breach occurred on February 28, 2017. The breach was...
10,000 ShopRite Clients Have PHI Exposed Due to Improper Destruction of Device
A Millville, New Jersey-based ShopRite pharmacy has reported that an electronic device used to store signatures has been destroyed without first deleting all stored protected health information from the device. A limited amount of protected health information was held on the computing device, including patients’ names, birth dates, contact details, zip codes, prescription numbers, medication names, signatures,...
PHI of 5,300 Individuals Disclosed to Employees of QuadMed
The protected health information of 5,305 patients of QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, may have been impermissibly shared with some employees. In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of employees based at the Batesville, IN-based manufacturer was held in an electronic medical...
33,420 BJC Healthcare Patients Have PHI Exposed in 8-Month HIPAA Breach
BJC Healthcare has revealed that the protected health information of 33,420 of its patients was publicly accessible for eight months without the HIPAA-compliant authentication required to view the PHI. The BJC Healthcare group is one of the largest not-for-profit healthcare groups in the United States. The healthcare organization, based in St Louis, runs two nationally recognized hospitals in...
Top Healthcare Security Threats Revealed in HIMSS Survey Results
HIMSS has released the findings of its 2017 healthcare cybersecurity survey, which gives us valuable insights into the state of cybersecurity in the healthcare sector and names the top healthcare security threats. The HIMSS 2018 cybersecurity survey was carried out on 239 respondents from the healthcare sector between December 2017 and January 2018. The findings of the survey were revealed at the HIMSS 2018 Conference & Exhibition...
New York Surgery & Endoscopy Suffers Record Data Breach Affecting 135,000 Patients
A malware infection has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients at St. Peter’s Surgery & Endoscopy Center, located in New York. So far in 2018, this is the second largest healthcare data breach reported and the most serious seen in New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016. The St. Peter’s Surgery & Endoscopy...
70,320 Tufts Health Plan Members Affected by Window Envelope Privacy Breach
Tufts Health Plan is warning 70,320 of its subscribers that their health plan ID numbers have been accessed. A mailing vendor/partner utilized by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage subscribers between December 11, 2017 and January 2, 2018. Envelopes with plastic windows were used which naturally permitted plan members’ names and addresses to be visible, but Tufts Health Plan member IDs were...
Kansas Department for Aging and Disability Services Experiences 11,000-Record Breach
It has been discovered that an employee at the Kansas Department for Aging and Disability Services (KDADS) sent an unauthorized email to a group of KDADS business associates that included the protected health information of almost 11,000 individuals. The email was sent to individuals who had already signed a business associate agreement with KDADS, which prohibits them from inappropriately disclosing or using any emailed protected health...
5,123 Individuals Impacted by Flexible Benefit Service Corporation Breach
Chicago, IL-based general agency and benefit administrator Flexible Benefit Service Corporation (Flex) has revealed that a phishing attack resulted in an unauthorized person gaining access to a corporate email account. The security breach was first noticed on December 6, 2017 when the email account of a company worker was found to be sending phishing emails. The email account was compromised after a single worker replied to a phishing...
Updated Common Rule Allows Research Institutions Another Six Months for Compliance
Initially scheduled to take effect on January 19, 2018, amendments to the Common Rule – The Federal Policy for the Protection of Human Subjects have been put back for six months, allowing research groups additional time to comply with the new provisions. July 19, 2018 is the new date for the change to be introduced; however, the provision covering cooperative research still has an effective and enforceable date of January 20,...
Phishing Attack on Sutter Health Business Associate Impacts Patients
Sutter Health is contacting certain patients to advise them that their protected health information may have been exposed in a phishing attack on the legal firm Salem and Green, one of its business associates. It is thought that the attack took place on or around October 11, 2017, when a phishing email was received by a worker at Salem and Green. The worker responded and, in doing so, allowed the attackers access to their email account....
HIPAA Compliance and Citrix ShareFile
ShareFile was purchased by Citrix Systems during 2011 and the service is offered as a suitable data sync, file sharing, and collaboration service for the healthcare sector. It is vitally important for anyone considering using it to consider HIPAA compliance and Citrix ShareFile. It is a secure file sharing, data storage and collaboration service that permits large files to be easily sent within a company, with remote workers, and with...
HIPAA Compliance and Amazon CloudFront
Amazon CloudFront is a web service that lets users speed up web content delivery across the Internet. In most cases, when a website is visited, the visitor encounters some latency accessing static and dynamic pieces of content. This is because web visitors do not make a direct connection to the content; instead their requests are routed along a path to the server where the content is hosted. The path can...
Ron’s Pharmacy Services’ Patients Receive Email Account Breach Alerts
San Diego, CA-based Ron’s Pharmacy Services has found that an employee’s email account containing limited protected health information has been accessed by an unknown individual. Unusual activity was noticed on the employee’s email account on October 3, 2017, resulting in an investigation; however, it was not until December 21, 2017 that it was revealed that an unauthorized individual had obtained messages in the email...
Online Breach Reporting Tool Launched in Massachusetts
It has been announced by Massachusetts Attorney General Maura Healey that a new online data breach reporting tool is to be introduced to simplify the process of submitting breach notifications to the State Attorney General’s office. Massachusetts data breach notification law (M.G.L. c. 93H) states that groups or organizations that suffer a breach of personal information must complete a notification and send it to the Massachusetts...
Online Trust Alliance Reveals 2017 was Worst Year Ever for Cyber Attacks
The Online Trust Alliance’s “Cyber Incident & Breach Trends Report” has revealed that 2017 was the “worst year ever” for cybersecurity attacks. The organization believes that, based on the number of reported incidents, there were nearly twice as many cybersecurity incidents as in 2016. The Online Trust Alliance’s “Cyber Incident & Breach Trends Report” encompasses more than a simple review of the previous...
Allscripts Facing Class Action Lawsuit Following Ransomware Attack
Allscripts experienced a ransomware attack at centers in Raleigh and Charlotte, NC, resulting in several applications remaining offline for as many as 1,500 clients. Florida-based Surfside Non-Surgical Orthopedics has already begun legal action by filing a class action lawsuit against the EHR vendor. A new variant of SamSam ransomware infected Allscripts, a provider of EHR and e-prescription services to 2,500 hospitals and 19,000...
Breach Notification Bill Advanced by South Dakota Senate Attorney Judiciary Committee
A vote in favor of introducing data breach notification legislation has been overwhelmingly passed by the South Dakota Senate Attorney Judiciary Committee. The bill advanced after a 7-0 vote. It was originally introduced at the request of South Dakota Attorney General Marty Jackley. Presently there are only two states left in the US that have yet to implement data breach legislation to protect state residents. As it seems that South...
DC Assisted Living Facility Hit by Malware Breach Exposing 5,200 PHI Records
A malware attack experienced at Westminster Ingleside King Farm Presbyterian Retirement Communities may have allowed the hackers to obtain the protected health information of thousands of its clients. The Washington, D.C.-based assisted living center had adopted a wide range of security solutions to stop unauthorized access to its systems, although on this occasion they were unable to prevent the attack. The malware was identified...
53,000 Pharmacy Patients Have PHI Exposed in Email Hack
Patients of Onco360 and CareMed Specialty Pharmacy have been notified that the PHI of 53,173 patients has been compromised due to a phishing attack. A security breach was discovered on November 14, 2017, when suspicious activity involving a member of staff’s email account was uncovered. Following the discovery, third-party computer forensics experts conducted an investigation to determine the manner and extent of the breach. It...
Hancock Health Hit by Ransomware Attack
Following a ransomware attack on Indiana-based organization Hancock Health last Thursday, staff at the hospital had no choice but to move to using pen and paper to record patient health information, while IT staff made efforts to contain the attack and regain access to encrypted files. The attack started around 9:30 p.m. on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run...
Registered Nurses ‘Happy’ With PHI Security According to University of Phoenix Survey
The results of a recent survey completed by the University of Phoenix College of Health Professions indicate that registered nurses (RNs) believe their organization’s ability to prevent data breaches is of an acceptable level. The survey was sent to 504 permanent RNs and administrative workers across the USA. Respondents had held their position for a minimum of two years. Just under half of RNs (48%) and 57% of...
Coplin Health Systems Patients’ PHI Possibly Compromised by Laptop Theft
43,000 patients of West Virginia-based Coplin Health Systems have been warned that their PHI may have been exposed following the theft of an unencrypted laptop computer from the vehicle of a worker at the organization. Coplin Health discovered the laptop theft on November 2, 2017. The theft was then reported to law enforcement and an investigation was initiated, although at the time of sending the warnings, the laptop computer in...
PHI Breach at Oklahoma State University Center for Health Sciences
An unauthorized individual has gained access to parts of the Oklahoma State University Center for Health Sciences (OSUCHS) network and may have accessed files containing billing details of Medicaid patients. The security breach was uncovered on November 7, 2017 with access to the network terminated the next day. Third party computer forensics experts were employed to carry out a comprehensive investigation to determine which areas of...
North Carolina State Medicaid Agency Found to Have Data Security Inadequacies
The Department of Health and Human Services’ Office of Inspector General (OIG) has released the results of an audit of the North Carolina State Medicaid agency. The audit uncovered the fact that the State agency did not implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility information. HHS manages the administration of...
Nebraska Ransomware Attacks Compromised PHI of Almost 10,000 Patients
A ransomware attack that targeted Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska has potentially exposed the protected health information of almost 10,000 clients. The ransomware attack took place on October 7, 2017 and saw a wide variety of files on some servers being encrypted by the ransomware. A ransom demand was made by the hackers, although this was not paid. The encrypted data was restored from a...
5,000 Patients’ PHI Exposed in Two Separate Breaches
Separate breaches of patients’ protected health information have occurred at Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA. The Washington Health System Greene organization is contacting 4,145 patients to advise them that some of their protected health information has been exposed after a hard drive could not be found at its premises. An external hard drive used with a bone...
Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals
Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, is contacting 7,000 clients regarding a breach of their protected private health information that occurred in September 2017. Potentially, the breach impacted all clients whose data was saved during a visit to a SMART outlet prior to December 31, 2016. Hackers, in an extortion attempt, accessed SMART systems, allegedly stole private information, and asked...