Is it Possible to Have HIPAA Compliant Gmail?
It is possible to have HIPAA compliant Gmail if you subscribe to a Google Workspace account that supports HIPAA compliance, if the products included in the Workspace account are configured to support HIPAA compliance, and if the Gmail service is used in compliance with the Privacy Rule standards relating to permissible uses and disclosures. When an individual or organization qualifies as a HIPAA covered entity or business associate,...
Vaccine Manufacturers Targeted with Metamorphic Tardigrade Malware
The biomanufacturing sector has been warned about targeted attacks involving Tardigrade malware – a sophisticated metamorphic variant of the SmokeLoader backdoor. Tardigrade malware is known to have been used in two cyberattacks on companies in the biomanufacturing sector in 2021. In the spring of this year, a large biomanufacturing facility was targeted and a second facility was infected with the malware in October. The attacks...
$130,000 Settlement Agreed with Two New Jersey Printing Companies to Resolve Alleged HIPAA Violations
An investigation conducted by the New Jersey Division of Consumer Affairs into an unauthorized disclosure of the protected health information (PHI) of almost 56,000 New Jersey residents has been settled by New Jersey Acting Attorney General, Andrew Bruck. The two firms will pay financial penalties totaling $130,000 and have agreed to a consent order that requires them to make changes to their policies and procedures to improve data...
Personal and Health Information of 656,000 Patients of California Clinic Potentially Compromised
Community Medical Centers in California has announced it suffered a cyberattack in October in which the personal and protected health information of more than 656,000 individuals was potentially compromised. Community Medical Centers is a nonprofit network of neighborhood health centers in Northern California serving patients in San Joaquin, Solano, and Yolo counties. The healthcare provider issued a notification to the Maine Attorney...
New Jersey Fines Infertility Clinic $495,000 for Multiple Violations of the HIPAA Rules
An investigation conducted by the New Jersey Department of Law and Public Safety Division of Consumer Affairs into a HIPAA compliance data breach at an infertility clinic has been settled, with the clinic operator agreeing to pay a financial penalty of $495,000. Diamond Institute for Infertility and Menopause, LLC (Diamond) is based in Millburn, NJ, and operates two infertility clinics in the state and one in New York. The company...
Guidance on HIPAA and COVID-19 Vaccination Status Disclosures Issued by HHS
In the United States, HIPAA compliance rules restrict uses and disclosures of healthcare data, but there has been considerable confusion about HIPAA and COVID-19 vaccination status disclosures amongst the public, and even members of Congress. The U.S. Department of Health and Human Services’ Office for Civil Rights, the main enforcer of HIPAA, has now released guidance on HIPAA and COVID-19 vaccination status disclosures to help clear...
100 Million IoT Devices Affected by Zero-Day Flaw, Including Medical Devices
A high-severity zero-day vulnerability in the Internet-of-Things (IoT) open-source platform NanoMQ has put more than 100 million devices at risk of attack. NanoMQ by EMQ is a real-time IoT monitoring platform that is used to delivers alerts when abnormal activity is detected in IoT devices. The platform is used in many settings, including industrial systems, manufacturing, healthcare, automobiles, and many more. The vulnerability,...
Pediatric Care Provider Fined $80,000 for HIPAA Right of Access Violation
A pediatric hospital in Omaha, NE has agreed to settle a Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA investigation and will pay a financial penalty of $80,000 to close the case. The investigation was launched in response to a complaint from a patient who was not provided with a copy of her late daughter’s medical records in a timely manner. HIPAA gives individuals the right to obtain a copy of their...
More than 600,000 Patients Affected by DuPage Medical Group Ransomware Attack
On August 30, 2021, Downers Grove, IL-based DuPage Medical Group announced it has been affected by a ransomware attack. DuPage is the largest independent physician group in Illinois and has more than 900 physicians that provide over 19,000 appointments a day. Between July 12 and July 13, 2021, the group suffered a network outage, which was rapidly identified as a ransomware attack. The forensic investigation confirmed unauthorized...
288% Increase in Ransomware Attacks Between Q1 and Q2, 2021
There was a massive 288% surge in ransomware attacks between the first and second quarters of 2021, according to research recently published by NCC Group. The Conti ransomware gang was the biggest threat in this period, having conducted 22% of the attacks. The Avaddon ransomware gang was also particularly active and was behind 17% of the attacks. The Avaddon ransomware-as-a-service (RaaS) operation is believed to have been shut down,...
80% of Global Organizations Suffer Further Attacks After Paying Ransomware Operators
You suffer a ransomware attack and decide to pay the ransom to regain access to your data, but that may not be the end of it. Chances are that after paying you will be attacked again and will be issued with a further ransom demand. How frequently do these double attacks occur? According to a recent report by Cybereason, 80% of global organizations that paid a ransom experienced a further attack, often by the same threat group that was...
Phishing Attack Affects Up to 34,862 Lafourche Medical Group Patients
34,862 patients of Lafourche Medical Group, a Louisiana-based urgent care center operator, have been made aware that a security incident may have resulted in a portion of their of their protected health information being compromised. Lafourche Medical Group learned in March 2021 that an external accountant had replied to a phishing email that claimed to have been sent by one of the owners of Lafourche Medical Group. responding to the...
HIPAA Right of Access Case Settled for $5,000 by Diabetes, Endocrinology & Lipidology Center
According to the HHS’ Office for Civil Rights (OCR), a settlement agreement has been negotiated with The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) in relation to a possible HIPAA Right of Access breach. DELC is a West Virginia-based healthcare supplier that focuses on treating endocrine disorders. In August 2019, a complaint was submitted to OCR which claimed that DELC had breached HIPAA when it didn’t respond...
NCSC Warns UK Educational Institutions of Increased Ransomware Threat
The UK’s National Cyber Security Center (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data. Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a...
SolarWinds Hackers Conducting Spear Phishing Campaign Posing as USAID
The Russian Advanced Persistent Threat (APT) group Nobelium – aka APT29/The Dukes/Cozy Bear – that was behind the SolarWinds Orion supply chain attack has been conducting a spear phishing campaign masquerading as the U.S. Agency for International Development (USAID). The emails are used to deliver malware and gain persistent access to the internal networks of the targeted companies. The spear phishing attacks were identified by...
Apple Patches Zero-day Flaw Actively Exploited by Shlayer Malware
An actively exploited zero-day vulnerability in macOS has been patched by Apple. The vulnerability, one of the most serious flaws in macOS to be discovered, allows malware to bypass File Quarantine, Gatekeeper, and Notarization protections. The vulnerability – tracked as CVE-2021-30657 – is due to a logic flaw in the macOS policy subsystem that performs security checks on applications. The flaw was identified by security researcher...
New Jersey Plastic Surgery Practice Pays $30K to OCR Settle HIPAA Right of Access Case
The HHS’ Office for Civil Rights (OCR) has revealed a settlement has been agreed with Ridgewood, NJ-based Village Plastic Surgery to resolve a potential breach of the HIPAA Right of Access provision of the HIPAA Privacy Rule. As per the terms of the settlement, Village Plastic Surgery will pay a $30,000 fine and will implement a corrective action plan that includes the creation of policies and processes covering patient medical record...
AMCA Medical Debt Collection Agency Settles Multistate Action over 21 Million-Record Data Breach
A settlement has been reached between a coalition of 41 state Attorneys General and American Medical Collection Agency (AMCA) to resolve a case stemming from a data breach involving the protected health information of 21 million Americans. The data breach was the largest healthcare data breach to be reported in 2019. AMCA specializes in small debt collections from patients of medical testing facilities. From August 1, 2018 until March...
U.S. Healthcare Data Breach Report for January 2021
January witnessed a 48% month-over-month drop in the number of large healthcare data breaches, down from 62 breach incidents in December to 32 in January, according to an analysis by HIPAA Journal. While this is well beneath the 38 data breaches that are reported on average each month, it is still more than 1 data breach every day. There would have been a major drop in the amount of breached records were it not for a major data breach...
Harvard Eye Associates Pays Ransom to Recover Healthcare Data Stolen in Hacking Incident
In California, Laguna Hills-based Harvard Eye Associates has been affected by a cyberattack on its online storage vendor and the protected health information (PHI) of 29,982 patients could possibly have been stolen. The storage vendor made Harvard Eye Associates aware, on January 15, 2021, that cybercriminals had obtained access to its computer databases and stole data. While it was not known if files were encrypted to prevent access,...
US Healthcare Data Breach Report Shows Breaches Increased by 55% In 2020
An analysis of 2020 healthcare data breaches has been conducted by Bitglass that shows the extent to which the healthcare industry was targeted by hackers. There was a sharp increase in hacking and IT incidents in 2019 and that trend continued in 2020 when 67% of all reported healthcare data breaches were the result of hacking/IT incidents. The healthcare records of 24.1 million individuals were exposed in those breaches – 91% of all...
Florida Medicaid Applicants’ PHI Impacted in Seven-Year Breach
It has been discovered by the Tallahassee, FL-based Medicaid health plan, Florida Healthy Kids Corporation, that its web hosting provider failed to address vulnerabilities which were targeted by hackers to obtain access to its web portal and the protected health information of those applying for membership since 2013. Florida Healthy Kids had an agreement with Jelly Bean Communications Design, LLC to arrange the hosting of its...
UK Residents Warned of COVID-19 Vaccine Phishing Emails Seeking Financial Information
UK residents are being warned about a new phishing campaign that spoofs the National Health Service (NHS) and asks recipients to confirm that they want to receive the COVID-19 vaccine. The UK’s vaccination program is now well underway, with more than 6.5 million people already given the first dose of one of the approved COVID-19 vaccines, with the most vulnerable groups and NHS workers being prioritized. However, it is likely to take...
2020 Saw 560 U.S. Healthcare Facilities Affected by Ransomware
During 2020 – according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft – healthcare, education, and government entities were the main focus of ransomware threat groups with 2,354 attacks being registered. Towards the end of 2019 ransomware was being extensively used in cyberattacks on the healthcare industry. The attacks dwindled in the first half of 2020 but rose...
More Than 37 Billion Records Were Exposed in Data Breaches in 2020
A new report from Risk Based Security suggests the number of data breaches fell by 48% globally in 2020; however, the number of breached records increased by 141% to 37 billion. The data for the Risk Based Security 2020 Year End Report came from crawls of the Internet to find information on data breaches, with all cases then subject to manual review. The researchers identified 3,932 breaches that had been disclosed in 2020 and. The...
Ransomware Attacks on Healthcare Organizations Continue to Rise with Ryuk the Biggest Threat
Cyberattacks on healthcare organizations have continued to increase over the past two months, according to research conducted by cybersecurity firm Check Point, and ransomware is now the biggest malware threat. In October, a joint security advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the...
Saint Francis Healthcare Data Breach Lawsuit Settled for $350,000
In relation to September 2019 ransomware attack on Ferguson Medical Group (FMG), a $350,000 settlement has been reached between Saint Francis Healthcare System and patients impacted by the attack. FMG was purchased by Saint Francis after a cyberattack resulted in many important records being inaccessible. They tried to retrieve all impacted records via backups, though some were could no be rescued. These files included medical...
10th HIPAA Fine Under Right of Access Initiative Revealed by Office for Civil Rights
The 10th financial penalty under its HIPAA Right of Access enforcement initiative has been revealed by the U.S. Department of Health and Human Services’ Office for Civil Rights. California-based Riverside Psychiatric Medical Group has committed to paying a financial penalty of $25,000 to settle a possible HIPAA Right of Access breach and will implement a corrective action plan to see to it that compliance with this provision of the...
City of New Haven Fined €202,000 for Failure to Terminate Former Employee’s Access Rights
In Connecticut the City of New Haven has committed to paying a $203,400 financial penalty to the Department of Health and Human Services’ office for Civil Rights to compensate for a HIPAA violation case. An OCR investigation was initiated in May 2017 following a receipt of data breach notification originating in New Haven on January 24. OCR investigated if the City of New Haven was responsible for HIPAA violations. Following this...
Ireland Facebook Ordered to Stop Data Transfers to US by Irish DPO
A preliminary order has been handed down by Ireland’s Data Protection Commission (DPC) ordering Facebook to stop sending personal data transfers from Ireland to the United States. This order is a result of the European Union Court ruling in July, referred to as Schrem II, that stated it is illegal for any personal data being transferred from the EU to the US if it can be monitored by US government agencies or federal authorities. What...
TikTok Data Management Being Investigated by CNIL in France
It has been revealed that the data protection authority in France, the CNIL, is about to review the data operations of TikTok. TikTok has been trying to appoint the Data Protection Commission (DPC) in Ireland as its lead authority in Europe. It has done so by establishing a base in Ireland to manage private data for EU-based users. Due to this the group believes that the investigation in France may be deemed invalid. The DPC is...
PHI of Customers Stolen in Looting Incidents at Cub Pharmacies
A pharmacy network has revealed the protected health information of some of its customers has been illegally taken by looters in late May during the period of civil unrest. From May 27-30, 2020, 8 Cub pharmacies in the Minneapolis area were broken into and items were taken such as paperwork containing the protected health information of its customers. Items taken from the clinic included locked safes that contained credit card...
Lack of Encryption & Other HIPAA Breaches Leads to $1m HIPAA Penalty for Lifespan
The HHS’ Office for Civil Rights has sanctioned a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE)after identifying systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system located in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was submitted with OCR by Lifespan Corporation, the parent company and...
Portals Accessed Using Stolen Credentials of Health Plan Members
Independence Blue Cross, AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey have discovered hackers obtained access to pages in their member portals between March 17, 2020 and April 30, 2020 and may have seen the personal and protected health information of some of their account holders. The range of data possibly accessed included names, member identification numbers, plan type, spending account balances, user...
Saint Francis Healthcare Partners & Florida Internal Medicine Practice Hit by Ransomware Attacks
Saint Francis Healthcare Partners in Connecticut has begun making contact with 38,529 patients to make them aware that a portion of their protected health information may have been stolen by hackers as a result of a “sophisticated cybersecurity incident” that allowed an unauthorized individual to gain access to its email database. The attack took place on December 30, 2019 but it was not until March 20, 2020 that the forensic...
COVID-19 Themed Cyberattacks Have Increased by 30% in the Past Two Weeks
There has been a sharp increase in the number of COVID-19 themed cyberattacks in the past two weeks according to Check Point. Check Point has been tracking phishing attacks and other cybersecurity incidents and identified 192,000 COVID-19 themed attacks in the past two weeks. Most of the cyberattacks were phishing attacks where authorities on SARS-CoV-2 such as the World Health Organization (WHO) and the Centers for Disease Control...
HIPAA Violations in Michigan and Illinois Lead to Healthcare Workers Being Fired
A staff member at Ann & Robert H. Lurie Children’s Hospital of Chicago has been fired accessing the medical records of patients without the appropriate authorization over a period of 15 months. The privacy violations were discovered when, after reviewing access logs, the hospital found that a staff member had viewed the medical records of 4,824 patients without authorization between November 2018 and February 2020. The range of...
Malicious COVID-19 Domains Taken Down and New Blocklists Released
Cybercriminals have registered large numbers of COVID-19 themed domains which are being used for a variety of scams. Internet service providers are being ordered to take down the websites but given the sheer number of malicious websites that have been set up, that process is taking some time. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) has ordered internet service providers to take down 292 COVID-19 themed websites...
30,000 Patients Impacted by Fondren Orthopedic Group Malware Attack
Fondren Orthopedic Group, an association of private orthopedic surgery practitioners in Houston and the surrounding areas, experienced a cyberattack that affected certain parts of its IT system on November 21, 2019. In a substitute breach notice published on its website, the incident was referred to as a malware attack that damaged the medical records of specific patients. Quick action was taken to limit the infection and its systems...
16,167 Patients Hit by Hospital Sisters Health System Email Breach
Hospital Sisters Health System has recently found out that an email security breach in August 2019 led to unauthorized people obtaining access to emails and email attachments that included the protected health information of 16,167 patients. Hospital Sisters Health System is a 15-hospital health network serving patients in Illinois and Wisconsin. Between August 6, 2019 and August 9, 2019, unauthorized people obtained access to the...
Novel Coronavirus Outbreak Prompts HHS Covered Entity HIPAA Data Sharing Warning
In response to the 2019 Novel Coronavirus outbreak, the Department of Health and Human Services has released a bulletin to make HIPAA-covered entities aware of the allowable methods for sharing patient information during outbreaks of infectious disease and other emergency situations, In the news release, the HHS confirmed that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must...
False Allegations of HIPAA Violations Result in Georgia Man Being Charged
Following the discover of a complex scheme to set up an acquaintance in relation to breaches violations of the Health Insurance Portability and Accountability Act (HIPAA), a Georgia man has been charged. The man in question, 43-year-old Jeffrey Parker, claimed that he was a whistleblower reporting HIPAA breaches committed by a nurse.Mr Parker made the breaches known to the hospital where the person was employed, and official...
Survey: Cost of Healthcare Data Breaches Predicted to Reach $4 Billion in 2020
Healthcare sector data breaches are taking place at an unprecedented level. The healthcare data breach figures for 2019 have yet to be drawn up, but so far 494 data breaches of more than 500 records have been made known to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst year on record for healthcare data breaches and the second...
2019 HIPAA Enforcement
2019 was another period with stringent HIPAA compliance enforcement evident. Action taken by the Department of Health and Human Services’ Office for Civil Right (OCR) lead to has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases. 2019 witnessed two civil monetary penalties sanctioned and settlements were agreed with eight groups, one less than 2018. In 2019, the average fine...
14,591 DHS Patients have PHI Compromised in Phishing Attack on California Business Associate
Nemadji Research Corporation, an outfit working with California Reimbursement Enterprises, has revealed that an unauthorized person obtained access to the email account of a staff emmber and may have viewed or copied the protected health information (PHI). California Reimbursement Enterprises is a business associate of several healthcare centers and hospitals in California and operates to provide a patient eligibility and billing...
Amazon CloudFront & HIPAA Compliance
Amazon CloudFront is a web service that enables users to optimize the speed of their web content delivery via the Internet and for website hosting. Normally, when a website is viewed, the visitor experiences some latency loading static and dynamic content. The reason for this is viewers will not make a direct connection to the content, instead they will be directed through a path to reach the server where the content can be seen. The...
HIPAA Compliance & IBM Cloud
IBM provides a cloud platform to help groups create their mobile and web services, build native cloud apps, and host their infrastructure along with a wide variety of cloud-based services for the capture, analysis, and processing of data. The platform has already been configured by many healthcare suppliers, payers, and health plans, and applications and portals have been developed to provide patients with better access to their...
Two Maryland Healthcare Providers Affected by Potential Breach at Meditab Software
In Maryland two healthcare providers have been impacted by a possible data breach that took place at their business associate, Meditab Software Inc.Meditab supplies EMR and practice management software to healthcare providers and its systems include patient data. In March 2019, Meditab found some protected health information (PHI) had been left unsecured. Meditab had established a portal to view statistics for its Fax Cloud services....
Phishing Breach Notifications Sent to 645,000 Clients of Oregon Department of Human Services
The Oregon Department of Human Services (ODHS) is making contact with 645,000 clients to advise them that a portion of their personal information was possibly impacted due to a phishing attack. The phishing attack took place beginning on January 9, 2019 and lead to nine ODHS members of staff visiting links in emails and disclosing their login details. ODHS and the Department of Administrative Services Enterprise Security Office...
Misconfigured ElasticSearch Server at University of Chicago Medicine Exposed Over 1.68M Records
It has been revealed that University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed due to a misconfigured server. The records were saved on a misconfigured ElasticSearch server which had mistakenly had protections removed allowing it to be accessed over the internet without the requirement for any authentication. The misconfiguration permitted a database to be accessed which included...
Healthcare Data Breach Report for April 2019
April 2019 was the worst month recorded, to date, for healthcare data breaches. More data breaches were made known to the Department of Health and Human Services’ Office for Civil Rights (OCR) during April than other other month since healthcare data breach reports were first reported in October 2009. In April, 46 healthcare data breaches were made known to OCR, which is a 48% increase from March and 67% higher than the average number...
Legal Action: Court Told Hospital Worker Shared Patient Information
A legal action has been submitted against Atchison Hospital in Kansas by a rape victim who claims an x-ray technician at the hospital got in touch with her attacker and disclosed sensitive data about the treatment she received at the hospital. According to a report in the Kansas City Star, after being raped, the woman sought treatment at the hospital. She was given a rape kit examination, and allegedly made it clear to the hospital...
DHS Cybersecurity and Infrastructure Security Agency Issues Guidelines for O365 Migrations
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a set of guidelines and best practices to help organizations migrate to Microsoft Office 365 and avoid introducing vulnerabilities that could make it easier for cybercriminals to conduct attacks and gain access to Office 365 accounts. There has been a major increase in the number of organizations that have transitioned to...
1,100 Spectrum Health Lakeland Patients Affected by Phishing Attack
Spectrum Health Lakeland has revealed that a breach, the second the group has suffered in as many months, has exposed the protected health information (PHI) of some of its clients. The previous breach took place at Wolverine Services Group and affected around 60,000 of its patients. The latest incident involved an unauthorized person obtaining access to an email account due to the response to a phishing email. As was the case with the...
Extensive HIPAA Failures Lead to $3 Million Fine for Touchstone Medical Imaging
The Department of Health and Human Services’ Office for Civil Rights (OCR) has revealed that a settlement has been agreed between with the Franklin, TN-based diagnostic medical imaging services firm, Touchstone Medical Imaging. The settlement resolves many breaches of HIPAA Rules identified by OCR during the review of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 in relation to the violations...
American Baptist Homes of the Midwest Reports Ransomware Attack
American Baptist Homes of the Midwest (ABHM), a supplier of assisted living and assisted care centers around the U.S Midwest, has reported a security breach involving the use of ransomware on its systems. The attack began on or around March 10, 2019. The attack was detected quickly, but only after the encryption routine had kicked off. The attack was disabled and affected accounts were secured, but not in time to prevent widespread...
Delayed Breach Response Costs Tennessee Medical Imaging Firm $3 Million
It is not possible to prevent all healthcare data breaches, but when a breach is experienced it must be investigated and mitigated promptly. Delaying the breach response and notifications can prove extremely costly, as the Tennessee medical imaging firm Touchstone Medical imaging discovered. On May 9, 2014, Touchstone Medical Imaging was notified by the FBI that an FTP server had been left unsecured. At the same time, the HHS’ Office...
Sharecare Health Data Services Issues Alert 8 Months After Breach Discovery
Sharecare Health Data Services (SHDS), a San Diego firm that provides secure electronic exchange and medical records management services for healthcare groups, has contacted some of its clients to advise them that hackers gained access to parts of its systems that contained sensitive patient data. SHDS discovered abnormal network activity on June 26, 2018, leading to an in-depth investigation. The investigation showed cyber criminals...
16,440 Patients Affect by Breach at Kentucky Counseling Center
Kentucky Counseling Center (KCC) has uncovered a list of 16,440 clients has been illegally taken and shared with another person. A current member of staff is thought to have accessed and copied patient information without authorization, uploading the data to an anonymous file sharing service, and then sending a hyperlink to the list to a former staff member of KCC. The former staff member was sent the link to the patient list on...
PHI Incident at Rush University Medical Center Impacts up to 45,000 Patients
Rush University Medical Center is contacting around 45,000 patients to advise them that their PHI has been exposed due to a data incident at a financial services vendor. Rush discovered the incident on January 22, 2019. A member of staff of the financial services vendor was found to have shared a file containing patients’ PHI to an unauthorized third party in May 2018. The sort of information in the file varied from patient to patient...
Pawnee County Memorial Hospital Malware Attack Impacts 7,000 Patients
Pawnee County Memorial Hospital in Pawnee City, Nebraska, is contacting 7,038 clients that some of their protected health information has possibly been accessed by a cyber criminal. On November 29, 2018, the hospital were advised that malware had been downloaded which allowed an unauthorized person to obtain access to its email system. Malware was placed into the hospital’s email system when a staff member opened a malicious email...
Georgia Eye Associates Email Breach Impacts 24,000 Patients
EyeSouth Partners has revealed that a cyber criminal has obtained access to a staff member’s email account and may have viewed/obtained the electronic protected health information (ePHI) of up to 24,000 clients. EyeSouth Partners is a registered business associate of Georgia Eye Associates, South Georgia Eye Partners, Cobb Eye Center, and Georgia Ophthalmology Associates. EyeSouth Partners became aware, on October 25 last year,...
$3m HIPAA Settlement Agreed Between Cottage Health and OCR
A HIPAA penalty settlement of $3,000,000 has been agreed between the Department of Health and Human Services’ Office for Civil Rights (OCRand the Santa Barbara, CA-based healthcare provider Cottage Health in relation to a HIPAA compliance breach. Cottage Health runs four different hospitals in California, including Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation...
6,092 Patients of FABEN Obstetrics and Gynecology Alerted about Ransomware Attack
FABEN Obstetrics and Gynecology has been hit by a ransomware hacking attack on a server that stored patients’ protected health information (PHI). The ransomware was discovered on November 21, 2018 and lead to widespread file encryption. A review was initiated to determine the extent of the attack and whether any patients’ PHI was obtained or downloaded by the hackers. A review of the files stored on the server showed that files...
Criminal HIPAA Violation Leads to Probation for Physician
Following pleading guilty to a criminal violation of HIPAA Rules, a physician has received 6 months’ probation as an alternative to a jail term and financial penalty for the wrongful disclosure of patients’ PHI to a pharmaceutical company. The Department of Justice in Massachusetts heard the legal case in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary...
Around 1,000 Lebanon VA Medical Center Patients have their PHI Impermissibly Disclosed
It has been discovered the protected health information of hundreds of elderly patients of Lebanon VA Medical Center in Pennsylvania has been impermissibly disclosed to a family member of a veteran. The data breach, which took place in November 2018, involved a member of staff at Lebanon VA Medical Center emailed a document to a family member of a veteran who was seeking nursing home facilities. The list should have included nursing...
AJMC Study: Following a Data Breach Hospitals’ Advertising Expenditure Rises 64%
In a recent study published in the American Journal of Managed Care Sung J. Choi, PhD and M. Eric Johnson, PhD looked into how advertising expenditures at hospitals changed in the aftermath of a data breach. The study, showed that hospitals invest an average o f64% more on advertising spending in the year after a data breach. Advertising expenditures were discovered 79% higher over the two-year period after a data breach. The authors...
Q3 2018 Healthcare Data Breach Report Published
A Q3 2018 healthcare data breach report from Protenus shows there has been a significant reduction in healthcare data breaches compared to the previous quarter. In Q2, 142 healthcare organizations reported data breaches compared to 117 in Q3. However, due to some large breaches in Q3, the total number of exposed records was substantially higher. Between July and September, the health records of 4,390,512 patients were exposed,...
Anthem Data Breach Settlement of $16 Million Agreed with OCR
The largest ever healthcare data breach in the United States has attracted the largest ever fine for noncompliance with HIPAA Rules. The Anthem data breach settlement of $16 million eclipses the previous highest HIPAA fine of $5.55 million and reflects not only the severity of the Anthem Inc data breach, which saw the protected health information of 78.8 million plan members stolen, but also the extent of noncompliance with HIPAA...
Failure to Encrypt ePHI Costs Cancer Treatment and Research Center $4.34 Million
The Department of Health and Human Services’ Office for Civil Rights has announced its third HIPAA financial penalty of 2018. The $4.34 million civil monetary penalty is the fourth largest HIPAA penalty ever issued to resolve HIPAA violations. While most covered entities and business associates agree to settle HIPAA violations and pay the penalty, on rare occasions the penalties are contested, and the case goes before an...
582,000 Patients Warned of Potential PHI Compromise by California Dept. of Developmental Services
A recent survey carried out with hackers, incident responders, and penetration testers has showed that most can gain access to a targeted system in around 15 hours, but 54% of hackers take under five hours to gain access to a system, and identify and obtain sensitive data. The data comes from the second yearly Nuix Black Report and its survey of 112 hackers and penetration testers, 79% of which were located in the United States. Those...
Email Account Breach Impacts 4,000 Patients of Texas Health Resources
Texas Health Resources is sending notifications to ‘fewer than 4,000 patients’ that some of their Private Health Information may have been seen by an unauthorized persons. The Arlington-based health care provider, a supplier to over 1.7 million patients in North Texas, says that the data breach may have happened as early as October 2017, although they did not identify it until January 17, 2018, when law enforcement alerted the the...
Missing Hard Drives from Chesapeake Regional Healthcare Contained PHI of 2,100 Patients
Chesapeake, Virginia based Chesapeake Regional Healthcare has reported that two hard drives containing the protected health information (PHI) of approximately 2,100 patients are missing from their Chesapeake Regional Medical Center campus at that location. The private health information stored on the devices in question relates to patients who participated in research at its Sleep Center between April 2015 and February 2018. it is...
Improper Disposal of PHI is Common According to JAMA Study
A recently completed study (published in JAMA) has emphasized just how often hospitals are disposing of PHI in an unsafe fashion. While the study was completed in Canada, which is not subject to HIPAA, the results emphasize a critical area of PHI security that is often neglected. Incorrect Destruction of PHI is More Commonplace than Previously Thought Researchers at St. Michael’s Hospital in Toronto reviewed recycled paperwork at...
Breach Notification Act Passed by Alabama State Senate
The Alabama Data Breach Notification Act (Senate Bill 318) has been sent for consideration to the House of Representatives after the Alabama Senate last week unanimously passed it. Alabama is one of the two remaining states still yet to introduce legislation that requires companies to send notifications to people whose personal information is accessed in data breaches. South Dakota, the other state yet to introduce legislation, is...
NY Attorney General Fines EmblemHealth €575,000 for HIPAA Breach
A mailing mistake by EmblemHealth in 2016 that resulted in the Health Insurance Claim Numbers of 81,122 plan subscribers printed on the exterior of envelopes has resulted in the New York Attorney General applying a $575,000 settlement fine. Despite that all mailings have a unique patient identifier on the envelope, in this case the potential for damage was high as Health Insurance Claim numbers are formed using the Social Security...
New York Surgery & Endoscopy Suffers Record Data Breach Affected 135,000 Patients
A malware infection has potentially allowed hackers to gain access to the medical records of as many as 135,000 patients at St. Peter’s Surgery & Endoscopy Center, located in New York So far in 2018, this is the second largest healthcare data breach reported and the most serious seen in New York state since the 3,466,120-record data breach at Newkirk Products, Inc. in August 2016. The St. Peter’s Surgery & Endoscopy...
Kansas Department for Aging and Disability Services Experiences 11,000-Record Breach
It has been discovered that an employee at Kansas Department for Aging and Disability Services (KDADS) sent an unauthorized email to a group of KDADS business associates that included the protected health information of almost 11,000 individuals. The email was issued to individuals who had already signed a business associate agreement with KDADS which disallows them from disclosing or using inappropriately any emailed protected health...
5,123 Individuals Impacted by Flexible Benefit Service Corporation Breach
Chicago-Il-based general agency and benefit administrator Flexible Benefit Service Corporation (Flex) has revealed that a phishing attack resulted in an unauthorized person gaining access to a corporate email account. The security breach was first noticed on December 6, 2017 when an email account of a company worker was found to be sending phishing emails. The email account was compromised after a single worker replied to a phishing...
HHS’ Office for Civil Rights Offers Anti-Phishing Advice for Healthcare Organizations
The Department of Health and Human Services’ Office for Civil Rights has issued anti-phishing advice for healthcare organizations. The warning and advice comes after several major phishing attacks in healthcare. The risk from phishing is greater than ever before and healthcare organizations are being extensively targeted. If technical controls are not implemented and the workforce is not trained to recognize phishing attacks, data...
Phishing Attack on Sutter Health Business Associate Impacts Patients
Sutter Health is contacting certain patients to advise them that their protected health information may have been exposed in a phishing attack on the legal firm Salem and Green, one of its business associates. It is thought that the attack took place on or around October 11, 2017, a phishing email was received by a worker at Salem and Green. The worker responded and, in doing so, allowed the attackers access to their email account....
HIPAA Compliance and Citrix ShareFile
ShareFile was purchased by Citrix Systems during 2011 and the service is offered as a suitable data sync, file sharing, and collaboration service for the healthcare sector. it is vitally important for anyone considering using it to consider HIPAA compliance and Citrix Fileshare. It is a safe file sharing, data storage and collaboration service that permits large files to be easily sent within a company, with remote workers, and with...
HIPAA Compliance and Amazon CloudFront
Amazon CloudFront is a web tool that permits users to quicken web content delivery across the Internet. In most case, when a website is visited, the visitor encounters some latency accessing static and dynamic pieces of content. This is due to the fact that web visitors will not make a direct connection to the content, instead they will be taken through a path to log onto the server where the content can be obtained. The path can...
HIPAA $100,000 Fine Applied After Illinois Business Closes
HIPAA covered organization and their business associates must continue to adhere to Rules even when they close down. The HHS’ Office for Civil Rights (OCR) has reinforced this point with a $100,000 fine for FileFax Inc., for violations that happened after the business had ceased operating. FileFax is a Northbrook, IL-based firm that supplies medical record storage, maintenance, and delivery facilities for HIPAA covered organizations....
Western Washington Medical Group Patients Impacted by HIPAA Breach
842 patients of Western Washington Medical Group have had their protected health information exposed when files including sensitive health information were disposed of with regular trash in November 2017. The breach occurred when the janitorial service used by the medical group removed the contents from shredding bins along with regular trash. Instead of sensitive documents being permanently terminated in adherence with HIPAA Rules,...
CarePlus Health Warns 11,200 Subscribers of PHI Breach
A privacy incident has been suffered by Miami, FL-based CarePlus Health Plans where certain plan subscribers’ protected health information were mistakenly shared with other plan subscribers. Benefits statement explanations were sent to its plan subscribers on January 9 and January 16, 2018, although on January 17, CarePlus noticed that some of the statements had been sent to the wrong recipients. The EoB statements included details...
Lost Device Means PHI of 660 Eastern Maine Medical Center Patients Could Be at Risk
A portable hard drive that has gone missing from the State Street facility, in Bangor, ME of Eastern Maine Medical Center. The group is now notifying 660 clients that some of their protected health information could have been exposed. The missing device did not have encryption and data on the device could be accessed without no password requirement. While it has not been confirmed if it was stolen, but the device could not be located...
Forrest General Hospital Phishing Attack Exposes Patients’ PHI
The PHI has of patients of Forrest Health’s Forrest General Hospital has potentially been obtained by a third party after access was gained to the email account of one of the employees of a business associate, Horne LLP. HORNE LLP is a provider of certain Medicare reimbursement procedures to Forrest General Hospital and due to this needs requires access to patients’ private health information. HORNE found email account breach on...
DC Assisted Living Facility Hit by Malware Breach Exposing 5,200 PHI Records
A malware attack experienced at Westminster Ingleside King Farm Presbyterian Retirement Communities may have allowed the hackers to obtain the protected health information of thousands of its clients. The Washington D.C., located assisted living center had adapted a wide range of security solutions to stop unauthorized access to its systems, although on this occasion they were unable to prevent the attack. The malware was identified...
53,000 Pharmacy Patients Have PHI Exposed in Email Hack
Patients of Onco360 and CareMed Specialty Pharmacy have been notified that the PHI of 53,173 patients has been compromised due to a phishing attack. A security breach was discovered on November 14, 2017, when suspicious activity involving an member of staff’s email account was uncovered. Following the discovery third party computer forensics experts conducted an investigation to determine the manner and extent of the breach. It...
Hancock Health Hit by Ransomware Attack
Following a ransomware attack on Indiana-based organization Hancock Health last Thursday, staff at the hospital had no choice but to move to using pen and paper to detail patient health information, while IT staff made efforts to obstruct the attack and regain access to encrypted files. The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run...
Registered Nurses ‘Happy’ With PHI Security According to University of Phoenix Survey
The results of a recent survey completed by the University of Phoenix College of Health Professions indicates registered nurses (RNs) are of the belief that their organization’s ability to prevent data breaches is of an acceptable level. The survey was transmitted to 504 permanent RNs and administrative workers across the USA. Respondents had held their position for a minimum of two years. Just under half of RNs (48%) and 57% of...
Unencrypted Hard Drive Results in the PHI of 9387 Patients’ Being Exposed
In late November, the Framingham, MA-based Charles River Medical Associates based practice discovered one of its external hard drives was missing from its usual location. The missing device contained x-ray images, names, patient ID numbers, and birth details. All patients who had visited the Framingham radiology lab for a bone density scan since 2010 had their x-ray images obtained – almost 9,400 individuals. The hard drive was...
PHI Breach at Oklahoma State University Center for Health Sciences
An unauthorized individual has gained access to parts of the Oklahoma State University Center for Health Sciences (OSUCHS) network and may have accessed files containing billing details of Medicaid patients. The security breach was uncovered on November 7, 2017 with access to the network terminated the next day. Third party computer forensics experts were employed to carry out a comprehensive investigation to determine which areas of...
Florida Agency for Health Care Administration Hit by Phishing Attack
An unauthorized individual has gained access to a single email account of a staff member at the Agency for Health Care Administration in Florida using a phishing scam. The staff member was sent, and responded to, a malicious phishing email on November 15, 2017 and shared login details that permitted the attacker to remotely access his/her email account and, potentially, the protected health information of up to 30,000 Medicaid...
Compassion Care Hospice Cyber Attack Affects 1,128 Clients
The protected health information of 1,128 clients of Compassionate Care Hospice Las Vegas (CCHLV) may have been accessed by an unauthorized individual person. The person in question obtained gained access to the company’s may have viewed the content of the servers. CCHLV discovered the violation on Mits network on October 28, 2017. The server was accessed by an unauthorized individual. CCHLV hired a firm specializing in...
24,000 Patients Impacted by Emory Healthcare Data Breach
It has been discovered that a former worker at Emory Healthcare (EHC) has obtained the protected health information of 24,000 EHC patients and uploaded the data to a Microsoft Office 365 OneDrive account, from where it was accessible by other people. The former worker was a physician at Emory Healthcare, who is now a staff member at the University of Arizona (UA) College of Medicine. EHC says client information was taken covertly and...
5,000 Patients’ PHI Exposed in Two Separate Breaches
Separate breaches of patients’ protected health information have been exposed at Midland Memorial Hospital in Midland, TX, and Washington Health System Greene in Waynesburg, PA. The Washington Health System Greene organization is contacting 4,145 patients to advise them that some of their protected health information has been exposed after a hard drive could not be found at their premises. An external hard drive used with a bone...
UNC Health Care Breach Potentially Impacts 24,000 Patients
A computer device belonging to UNC Dermatology & Skin Cancer Center in Chapel Hill, NC, has been stolen in a burglary, possibly exposing the protected health information of up to 24,000 patients of the clinic. Thieves removed the computer from the premised on October 8, 2017. UNC Health Care said the stolen computer contained a database on that gathered the protected health information of patients who had previously been treated...
18,500 Patients’ PHI Exposed After Multiple Email Accounts Were Compromised
The Detroit-based Henry Ford Health System has issued notifications to almost 18,500 patients that some of their PHI has potentially been seen by an unauthorized person. The PHI breach was discovered on October 3, 2017 when unauthorized access to the email accounts of several members of staff was detected. While protected health information was possible accessed or stolen, the health system’s EHR system was not accessed at any point....