Maria Perez

14,795 Oncology Patients Impacted in Washington University School of Medicine Data Breach
Apr20

Washington University School of Medicine is getting in touch with 14,795 oncology patients to inform them that a portion of their protected health information may have been breached in January 2020. An unauthorized person obtained access to the email account of a research supervisor in the Division of Oncology at some point between January 12, 2020 and January 13, 2020 following a response to a phishing email. Upon identification of...

Three Actively Exploited Flaws Patched by Microsoft
Apr15

On April 2020 Patch Tuesday, Microsoft made available updates to fix 113 flaws in its operating systems and software solutions, 19 of which have been rated critical. This month’s group of updates includes fixes for 3 zero-day flaws that are being actively exploited in real-world attacks. Two of the actively exploited flaws were revealed by Microsoft in March and Microsoft suggested workarounds to limit the chance of exploitation. The...

Ransomware Attack on Andrews Braces Impacts PHI of 16,600 Patients
Apr14

The Sparks, NV orthodontics clinic, Andrews Braces, has suffered a ransomware attack that resulted in the encryption of patient data. The attack was discovered on February 14, 2020, with the subsequent investigation determining the ransomware was downloaded the previous day. The practice contracted a third-party forensic investigator to examine the range and extent of the attack and determine whether patient information had been stolen...

Brandywine Urology Consultants Ransomware Attack Potentially Impacts Over 113,000 Patients
Apr13

Delaware medical practice Brandywine Urology Consultants has revealed that a ransomware attack on January 25, 2020 led to the encryption of files on its servers and computers. The full extent of the attack was limited and the practice’s electronic medical record system was not impacted. No medical records were exposed or infiltrated in the attack. The practice moved quickly and took steps to address the attack and reduce the harm...

Waiver of HIPAA Penalties for Good Faith Operation of COVID-19 Community-Based Testing Sites
Apr11

The HHS has issued an additional Notice of Enforcement Discretion covering healthcare providers and business associates that manage some aspect of COVID-19 community-based testing sites. Under the terms of the Notice of Enforcement Discretion, the HHS will not issue sanctions and penalties in relation to good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is...

Healthcare Resource Group & Confido have PHI Exposed in Phishing Attacks
Apr10

The pharmacy benefits consulting group Confido has begun alerting 3,600 of its clients’ employees, members, and their dependents that a portion of their personal information may have been accessed by an unauthorized person who obtained access to an employee’s email account. The email account breach was discovered on December 12, 2020 and an investigation was initiated to determine the scale and extent of the breach. With the help of a...

PHI Disclosures for Public Health and Health Oversight Activities Allowed in Notice of Enforcement Discretion for Business Associates
Apr04

On April 2, 2020, the Department of Health and Human Services revealed that with immediate effect, it will be applying enforcement discretion and will not impose sanctions or fines against healthcare providers or their business associates for good faith uses and sharing of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health...

Otis R. Bowen Center for Human Services Data Breach Impacts up to 35,800 Patients

The Otis R. Bowen Center for Human Services, an Indiana-based supplier of mental health and addiction recovery healthcare services, has revealed that unauthorized actors have obtained access to the email accounts of two of its staff members. It is not yet known when the email account breaches took place and for how long unauthorized individuals had access to the email accounts. In its website substitute breach alert, The Otis R. Bowen...

Multiple Data Breaches Reported
Mar28

There have been a number of healthcare data breaches made known to the HHS’ Office for Civil Rights (OCR) during the past few weeks. AffordaCare Urgent Care Clinics in Texas was attacked with Maze Ransomware. A report on DataBreaches.net revealed that the cybercriminals obtained 40GB of data prior to encrypting files. Some of the stolen data was published online when AffordaCare refused to pay the ransom. It is not yet known how many...

Data Breaches Reported at LifeSprk & University of Utah Health
Mar25

LifeSprk is making contact with 9,000 of its account holders to inform them that a limited amount of their protected health information may have been illegally accessed or stolen due to a November 2019 phishing attack. On January 17, 2020, the Minnesota-based senior care provider became aware that an unauthorized person had illegally accessed the email account of one of its staff members. The account was quickly secured and a...

COVID19 Pandemic Leads to Massive Increase in WHO Cyberattacks
Mar24

It has been revealed that the World Health Organization has suffered a surge in the number of hacking attempts on its databases in the last month as a result of the COVID-19 Pandemic. Chief Information Security Officer for the WHO, Flavio Aggio, issued a statement that said a large number of fraudulent WHO web pages have been discovered that have been created to trick people into handing over personal information. The purpose of the...

Coronavirus Pandemic Guidance on Telehealth & HIPAA Released by OCR
Mar19

After the announcement made by the HHS’ Office for Civil Rights that enforcement of HIPAA compliance linked to the good faith provision of telehealth services for the duration of the COVID-19 pandemic has been relaxed, OCR has published guidance on telehealth and remote communications. Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications...

Email Security Breaches at Relation Insurance & Rainbow Hospice Care
Mar09

Relational Insurance Inc., an insurance brokerage company operating as Relation Insurance Services of Georgia (RISG), suffered an email security breach in August 2019. An unauthorized person was discovered to have obtained access to the email account of an employee and possibly accessed or copied emails that included protected health information (PHI). The breach was discovered on August 15, 2019 when suspicious activity was noticed...

Vulnerability in Walgreens Mobile App Secure Messaging Feature Made PHI Accessible
Mar06

Walgreens has started contacting customers to make them aware that a portion of their protected health information may have been accessed by an unauthorized individual due to an error in the personal secure messaging feature of the Walgreens mobile app. The secure messaging app includes a feature that allows registered customers to manage and receive SMS prescription refill notifications and deals and coupons. A vulnerability in the app...

Google’s Response to Senators Questions About Ascension Partnership Deemed Incomplete
Mar03

After it became public that a massive amount of patient data had been shared with Google by the Catholic health system Ascension, the second biggest health system in the United States, a bipartisan group of Senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google asking for answers about the nature of the agreement and the data the company received. Ascension manages 150...

Final Approval Given for Quest Diagnostics 2016 Data Breach Settlement
Mar03

A federal judge has given final approval to a settlement in a class action lawsuit filed against the New Jersey-based medical laboratory firm, Quest Diagnostics Inc., in relation to its 2016 data breach. The $195,000 settlement will see up to $325 compensation made available for each person impacted by the breach. On November 26, 2016 hackers obtained access to the Care360 MyQuest mobile app that is used by patients to store and share...

First HIPAA Penalty of 2020 Announced by HHS’ Office for Civil Rights
Mar02

The first HIPAA penalty of 2020 has been announced by the Department of Health and Human Services’ Office for Civil Rights (OCR) and has been sanctioned against the medical practice of Steven A. Porter, M.D. The practice has agreed to pay a fine of $100,000 to resolve possible breaches of the HIPAA Security Rule and will implement a corrective action plan to tackle all areas of noncompliance discovered during the compliance audit. Dr....

Physician Network Affiliated with Boston Children’s Hospital Impacted by Malware Attack
Feb24

On Monday, February 10, 2020, Pediatric Physicians’ Organization at Children’s (PPOC), a physician group that works with Boston Children’s Hospital, suffered a malware attack that led to a system outage which stopped its 500+ pediatricians, nurse practitioners, and physician assistants from viewing patient data and scheduling appointments. PPOC has around 200 servers, 11 of which were affected by the attack. IT teams at PPOC and...

Manchester Ophthalmology & UnitedHealthcare Impacted by Data Breaches
Feb22

Manchester Ophthalmology in Connecticut has suffered a cyberattack in which the hackers may have gained access to patient data. The eye care supplier became aware of the cyberattack on November 25, 2019 when employees identified suspicious activity on the network. Assisted by an external technology firm, it was determined later that day that hackers had gained access to its systems and tried to deploy ransomware. Access was first...

Partially Completed Prescriptions of Schedule II Drugs Must be Tracked: HHS
Feb15

The Department of Health and Human Services has released a final rule changing the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that obligates pharmacies to record partially completed prescriptions for Schedule II drugs. The modification is part of HHS efforts to manage opioid abuse in the United States and will supply a greater quantum of data that may help control impermissible refills...

Phoenix Children’s Hospital & New York Nursing Center Impacted by Phishing Incident
Feb06

A business email compromise (BEC) attack has impacted Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX). BEC attacks involve the impersonation of an executive, either using the executive’s actual email account compromised in a previous attack, or by spoofing the executive’s email address. An unauthorized person, pretending to be part of...

30,000 Patients Affected After Malware Corrupts Medical Records
Feb03

On November 21, 2019, Fondren Orthopedic Group, an association of private orthopedic surgery practitioners located in Houston and the surrounding areas, was hit by a cyberattack that impacted specific elements of its IT system. In a substitute breach notice published on its website, the incident was referred to as a malware attack that damaged the medical records of specific patients. Swift action was taken to limit the infection and...

Florida and Texas Healthcare Providers Report Ransomware Attacks
Jan20

One of the most recent developments in the world of cyber crime is the tactic of threat actors deploying ransomware not only to encrypt files to stop data access, but also to obtain data and threaten to publish or sell on the stolen data if the huge ransom demands are not met. This new tactic aims at growing the chance of victims paying the ransom. The Center for Facial Restoration in Miramar, FL, is one of the biggest healthcare...

DHS: Citrix Vulnerability Being Exploited Still
Jan16

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released an alert in relation to a recently discovered flaw in the Citrix Application Delivery Controller and Citrix Gateway web server appliances. The vulnerability, referred to as CVE-2019-19781, can be exploited via the internet and can make remote execution of arbitrary code on vulnerable appliances possible. The flaw, when exploited,...

Phishing Attack Leads to Second Lawsuit Against Kalispell Regional Healthcare
Jan13

A second lawsuit has been submitted against Kalispell Regional Healthcare in Montana in relation to a May 2019 phishing attack that resulted in the email accounts of some of its employees being accessed by hackers. Kalispell Regional Healthcare became aware of the breach on August 28, 2019. The investigation showed that the hackers gained access to staff email accounts on May 24, 2019 and potentially accessed patient data. A forensic...

Three-Year Insider Breach Discovered at North Ottawa Community Health System
Jan03

North Ottawa Community Health System (NOCH) has become aware that a staff member at North Ottawa Community Hospital in Grand Haven, MI, viewed the medical records of patients without authorization over a period of three years. This issue was brought to the attention of the health system on October 15 by another employee. A review into the alleged inappropriate access was initiated on October 17 and the employee was suspended pending...

Rep. Jayapal Questions Google & Alphabet Ascension Partnership
Dec20

Rep. Pramila Jayapal (D-Washington), a member of the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law, has written to Google and Alphabet in relation to their Ascension partnership. She has demanded answers to several questions about how protected health information has been obtained, the measures put in place to protect patient data, and how Google will be using the PHI. The partnership between Google and...

The Cancer Center of Hawaii Delayed Radiation Therapy for Patients Due to Ransomware Attack
Dec13

A ransomware attack took place on November 5, 2019, at the Cancer Center of Hawaii in Oahu. The attack forced the Cancer Center to close down its network servers, which meant it was temporarily stopped from providing radiation therapy to clients at Pali Momi Medical Center and St. Francis’ hospital in Liliha. While patient services suffered some disruption, no patient information is thought to have been accessed by the hackers....

$85,000 HIPAA Right of Access Failures Results in Financial Penalty for Korunda Medical
Dec13

The Department of Health and Human Services’ Office for Civil Rights has revealed its second enforcement action as part of its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential fines for the HIPAA Right of Access and will implement a corrective action plan and bring its policies and procedures in line with the obligations of the HIPAA Privacy Rule. In March 2019, OCR was submitted with a...

80,000 Patients of Southeastern Minnesota Oral & Maxillofacial Surgery Impacted in Ransomware Attack
Dec12

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) has made it public that a ransomware attack may have impacted the protected health information of almost 80,000 patients. The attack was first discovered on September 23, 2019. The IT team reacted quickly and secured the compromised server so as to restore the encrypted data. It is not known whether the ransom was paid or if the IT team was able to bring the server back online...

100 Dental Practices Affected by Ransomware Attack on Managed Service Provider
Dec12

Complete Technology Solutions (CTS), an Englewood, CO-based IT firm that specializes in supplying managed IT services to over 100 dentist practices, has been infiltrated as part of a ransomware attack. Indications are that the attack was initiated at the end of November. KrebsOnSecurity published a report that revealed CTS was sent a request for $700,000 in ransom money. This payment was to be made in order for the keys to unlock...

Cheyenne Regional Medical Center Experiences Phishing Attack
Dec12

Cheyenne Regional Medical Center in Wyoming has recently become aware that patient data may have been illegally obtained due to a phishing attack identified in April. The medical center was made aware of a potential security breach following the detection of suspicious activity related to staff payroll accounts on or around April 5, 2019. Around a week later, the medical center discovered that employee email accounts had been...

Sunrise Community Health and Katherine Shaw Bethea Hospital Suffer Phishing Attacks
Dec12

Evans, CO-based Sunrise Community Health has learned that the email accounts of several staff members were compromised due to employees responding to phishing emails. The email accounts were accessed by unauthorized people between September 11, 2019 and November 22, 2019. Assisted by a third-party company of computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the infiltrated email accounts included...

HIPAA Compliance for Amazon Lex
Dec09

Amazon has revealed that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare groups without breaching Health Insurance Portability and Accountability Act Rules. Amazon Lex is a service that permits customers to create conversational interfaces into applications using text and voice. It permits the creation of chatbots that use lifelike, natural language to engage with clients, submit questions,...

Privacy Protections for Consumer Health Data to be Enhanced by Smartwatch Data Act
Dec04

Sens. Bill Cassidy, M.D., (R-Louisiana) and Jacky Rosen, (D-Nevada) have introduced the Stop Marketing And Revealing The Wearables And Trackers Consumer Health (Smartwatch) Data Act. This new legislation will ensure that health data gathered through fitness trackers, smartwatches, and health apps cannot be sold or shared without consumer consent. The Health Insurance Portability and Accountability Act (HIPAA) applies to health data...

Sentara Hospitals Agrees to $2.175M HIPAA Settlement for Breach Notification Rule and BAA Failures
Dec04

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued its eighth HIPAA financial penalty of 2019. Sentara Hospitals has agreed to settle possible breaches of the HIPAA Privacy and Breach Notification Rules and will pay a penalty of $2.175 million and will adopt a corrective action plan to remedy areas of noncompliance. Sentara runs 12 acute care hospitals in Virginia and North Carolina and has more than...

Timothy Noonan Revealed as New Deputy Director for Health Information Privacy at Office for Civil Rights

The Department of Health and Human Services’ Office for Civil Rights (OCR) has appointed Timothy Noonan Deputy Director for Health Information Privacy. The position of the Deputy Director for Health Information Privacy is to lead the Health Information Privacy Division of the Office for Civil Rights, oversee OCR’s national health information privacy policy and outreach activities, and administer and police the HIPAA Privacy, Security,...

Ransomware Attack Impacts 107,000 Ferguson Medical Group Patients
Nov24

Saint Francis Healthcare System has revealed that the computer network of Ferguson Medical Group has been hit by a ransomware attack. The attack took place on September 21, 2019, before Saint Francis Medical Center purchased the Sikeston, MO-based medical group. Saint Francis Healthcare became aware of the ransomware attack on September 21. According to a notice published on the Saint Francis Healthcare website, the hackers succeeded in encrypting...

9,800 Employee Records Potentially Accessed Without Authorization at Former Aegis Medical Group
Nov23

The Florida physician network, Aegis Medical Group, has begun contacting 9,800 patients to advise them that their protected health information may have been obtained and viewed by a former employee. That individual is thought to have tried to sell patient records to third parties thought to have been participating in identity theft and fraud. Aegis Medical Group was contacted by law enforcement agencies on September 11, 2019 in...

UNC Chapel Hill School of Medicine and Starling Physicians Report Phishing Attacks
Nov20

University of North Carolina Chapel Hill School of Medicine has been hit by a phishing attack in which the protected health information of 3,716 patients has potentially been obtained by unauthorized individuals. A review by third-party forensics experts revealed that a number of employee email accounts were compromised between May 17, 2018 and June 18, 2018. It is not obvious when the security breach was first detected. The range of...

California Addiction Treatment Center Hit by Cyber Attack
Nov16

An AWS S3 storage bucket owned by Sunshine Behavioral Health, LLC, a San Juan Capistrano, CA-based organization of drug and alcohol addiction rehabilitation centers, has been misconfigured, leading to the exposure of sensitive patient information. The misconfigured AWS S3 bucket was first reported to databreaches.net in August 2019. Sunshine Behavioral Health was contacted and the bucket was secured; however, the data exposure does...

Loyola Medicine and Main Street Clinical Associates Report PHI Theft Incidents
Nov14

Main Street Clinical Associates, PA, in Durham, NC has notified certain patients that some of their protected health information was stored on devices that were illegally taken from its offices. The theft took place when the Main Street offices had been evacuated due to a bad gas explosion. Workers at the office were ordered to evacuate the building on April 10, 2019 following an explosion in a nearby building. Files and equipment...

Business Associate Phishing Attack Impacts TennCare and Florida Blue Members
Nov03

More healthcare organizations have revealed they have been impacted by a data breach at Magellan Health National Imaging Associates, a business associate of several HIPAA-covered groups that supply managed pharmacy and radiology benefits services. Danville, PA-located Geisinger Health Plan revealed last month that 5,848 of its account holders had been impacted by the breach and Albuquerque, NM-based Presbyterian Health Plan has...

Kalispell Regional Healthcare Contacts 140,209 Patients About Phishing Attack
Oct30

Kalispell Regional Healthcare, located in Montana, is currently getting in touch with around 140,000 patients to inform them that some of their protected health information (PHI) was potentially impacted in a security breach over the summer. Kalispell Regional Healthcare runs Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has impacted the majority of its patients. The breach impacted Kalispell Regional’s email...

Range of HIPAA Breaches Result in $2.15 Million Civil Monetary Penalty for Jackson Health System
Oct25

The Department of Health and Human Services’ Office for Civil Rights has sanctioned a $2.15 million civil monetary penalty against the Miami, FL-located nonprofit academic medical system, Jackson Health System (JHS), for a slew of breaches of HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. In July 2015, OCR became aware of many media reports in which the PHI of a patient was impermissibly shared. The person was a...

Millions of Patients’ Sensitive Data Found to be Accessible via the Internet
Oct23

Due to the failure of nine companies to secure their medical databases, the sensitive health information of millions of patients has been exposed over the internet. The exposed patient data was found by security experts at WizeCase. The research team, headed by Avishai Efrat, used publicly available tools to search for exposed data that could be obtained without the need for any usernames or passwords. The firm then provides...

15,982 South Texas Dermatopathology Patients Contacted in Relation to AMCA Data Breach
Oct23

South Texas Dermatopathology is the most recent victim of the data breach at American Medical Collection Agency (AMCA) to make the breach known to the Department of Health and Human Services Office for Civil Rights (OCR) and alert impacted patients. The breach was published on the OCR breach portal on October 7, 2019 and indicates 15,982 patients have been impacted. AMCA was a business associate of the San Antonio, TX-located medical...

Shared Network Drives Expose Thousands of Veterans’ Records
Oct19

An audit report published by the Department of Veteran Affairs’ Office of Inspector General (VA OIG) has revealed that internal Department of Veteran Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could possibly have been accessed by VA employees authorized to view the data. VA OIG completed an audit of the VA’s Milwaukee Regional Office following a call from a...

Healthcare Data Breach Report for September 2019 Published
Oct11

36 healthcare data breaches of more than 500 records were reported to the Department of Health and Human Services’ Office for Civil Rights, during September, a 26.53% drop in the number of breaches from August. 1,957,168 healthcare records were illegally accessed in those breaches, a rise of 168.11% from August. The massive rise in the number of breached records is largely down to four reported incidents, each of which included...

PHI Disclosures on Yelp Lead to $10,000 Fine for Dental Practice
Oct08

The Department of Health and Human Services’ Office for Civil Rights has agreed to a HIPAA settlement for a violation case with Elite Dental Associates in relation to the impermissible disclosure of a number of patients’ protected health information (PHI) when answering patient reviews on the Yelp review website. Elite Dental Associates is a Dallas, TX-based privately-owned dental clinic that provides general, implant and cosmetic...

National Patient Identifier Repeal Act Introduced by Senator Rand Paul
Oct01

Sen. Rand Paul, M.D., (R-Kentucky) has brought in a new bill that aims to have the national patient identifier provision of HIPAA permanently deleted due to privacy concerns over the configuration of such a system. At present, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the first HIPAA legislation of 1996 as a measure to facilitate data...

Major Disruption to Patient Services at Campbell County Health due to Ransomware Attack
Sep23

Campbell County Health in Gillette, WY, has experienced a ransomware attack that has shut down hospital systems and is preventing access to patient data. The attack took place in the early hours of Friday September 20, 2019 according to the Department of Health. An investigation into the attack has been initiated and attempts are ongoing to remove the ransomware, restore encrypted files, and bring systems back online; however, at the...

Flaws Discovered in WLAN Firmware Used by Philips IntelliVue Portable Patient Monitors
Sep21

Two flaws have been discovered in Philips IntelliVue WLAN firmware which impact certain IntelliVue MP monitors. The flaws could be exploited by hackers to download malicious firmware which could affect data flow and lead to an inoperable condition warning at the device and Central Station. Philips was made aware of the flaws by security expert Shawn Loveric of Finite State, Inc. and proactively released a security advisory to allow...

Read More
Phishing Attack on Ramsey County Impacts 117,905 Individuals
Sep20

Phishing Attack on Ramsey County Impacts 117,905 Individuals

Ramsey County has revealed that a phishing attack that took place in August 2018 impacted a great many more individuals than first thought. The victim count has been revised to 117,905 from 599. The original breach report stated the email accounts of 26 staff members were compromised in a phishing attack that took place around August 9, 2018. The attack was identified quickly and the affected accounts were locked down. The individuals...

Read More
NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices
Sep20

NCCoE Releases Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices

The National Cybersecurity Center of Excellence (NCCoE) has published new draft NIST mobile device security guidance to help groups address the risks created by corporate-owned personally enabled (COPE) devices. Mobile devices permit staff members to access resources vital for their work duties, no matter where those individuals are based. As such, the devices allow groups to enhance efficiency and productivity, but the devices bring...

Read More
Phishing Attacks at Magellan Health Subsidiaries Impact 56,226 Presbyterian Health Plan Subscribers
Sep18

Phishing Attacks at Magellan Health Subsidiaries Impact 56,226 Presbyterian Health Plan Subscribers

Magellan Health, based in Scottsdale, Arizona, has revealed that two of its subsidiaries have experienced phishing attacks that exposed the protected health information of members of Albuquerque, NM-based Presbyterian Health Plan. The phishing attacks were identified by National Imaging Associates and Magellan Healthcare, which both supply services to Presbyterian Health Plan. Both incidents were reported to the Department...

Read More
First HIPAA Violation Case Under 2019 Right of Access Initiative Settled by OCR
Sep16

First HIPAA Violation Case Under 2019 Right of Access Initiative Settled by OCR

Earlier in 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) revealed that one of the main focuses of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical data. The HIPAA right of access permits patients to obtain copies of their medical records on request. HIPAA-covered entities must honor those requests...

Read More
Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible
Sep11

Unsecured Online PACS Makes 400 Million Medical Images Freely Accessible

Following a recently completed investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and vulnerability and analysis company, Greenbone Networks has stated that 24.3 million medical images included in image storage systems are freely accessible on the Internet and require no authentication to view or install the images. Those images, which include X-rays, MRI, and CT scans, are held in picture archiving and...

Read More
UC Health Phishing Attack Affects Multiple Email Accounts
Sep10

UC Health Phishing Attack Affects Multiple Email Accounts

University of Cincinnati Health (UC Health) is looking into a security breach that saw the email accounts of multiple employees accessed by an unauthorized person. The attack took place between July 6 and July 12, 2019 and involved ‘a limited number’ of employee email accounts. A review of the compromised email accounts revealed they included patients’ names, birth dates, medical record numbers, and some clinical data. A deep dive...

Read More

13,905 Patients Targeted in Artesia General Hospital Phishing Attack

Artesia General Hospital, located in Artesia, New Mexico, has stated that protected health information (PHI) of 13,905 patients has been illegally accessed in a planned phishing attack. The breach was discovered when an employee’s email account was seen to have been used to send unauthorized emails. The breach was first noticed on June 18, 2019 and the forensic analysis revealed the account had been accessed by an unauthorized person...

Read More
Kaspersky Lab Survey: No Cybersecurity Training for 32% of Healthcare Workers
Aug28

Kaspersky Lab Survey: No Cybersecurity Training for 32% of Healthcare Workers

There have been a minimum of 200 breaches of greater than 500 records reported since January and 2019 looks set to be another record-breaking 12 months for healthcare data breaches. The ongoing rise in data breaches led to Kaspersky Lab completing a survey to ascertain more about the state of cybersecurity in healthcare. Kaspersky Lab has now released the second part of its report from the survey of 1,758 healthcare workers in the...

Read More
PHI of 183,000 Patients Exposed in Phishing Attack on Presbyterian Healthcare Services
Aug27

PHI of 183,000 Patients Exposed in Phishing Attack on Presbyterian Healthcare Services

The Albuquerque, NM-based not-for-profit health organization Presbyterian Healthcare Services has suffered a phishing attack that resulted in the email accounts of several workers being subjected to unauthorized access. The phishing attack was noticed by Presbyterian Healthcare Services on June 6, 2019. The breach investigation showed the email accounts were infiltrated a month earlier, on or around May 9, 2019. Upon identification of...

Read More
HIPAA Compliance & iCloud
Aug25

HIPAA Compliance & iCloud

We look at HIPAA compliance and iCloud because, as more and more businesses take advantage of cloud computing, an important question for Covered Entities to consider is, are cloud storage services such as iCloud HIPAA compliant? If so, Apple’s cloud storage products – iCloud and iCloud+ – could be a convenient and user-friendly option for storing and saving electronic PHI (ePHI). Apple’s iCloud and iCloud+ services are available...

Read More
3,000 Records Potentially Compromised in Rhode Island Healthcare Attack
Aug24

3,000 Records Potentially Compromised in Rhode Island Healthcare Attack

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is contacting 2,943 patients to make them aware that some of their health information was saved on a server which was subjected to unauthorized access on June 19, 2019 when a hacker obtained access to its databases. The breach was discovered the same day and the network was safeguarded. An external computer forensics firm was contracted to assist with the investigation and help...

Read More
10,000 Patients Have Personal Data Impacted in Massachusetts General Hospital Breach
Aug24

10,000 Patients Have Personal Data Impacted in Massachusetts General Hospital Breach

Massachusetts General Hospital (MGH) has identified that computer applications used by security experts in its Department of Neurology have been infiltrated using unauthorized access. The individual to blame would have been able to access the protected health information of around 10,000 patients. MGH discovered the breach on June 24, 2019 and quickly shut down access to the applications and databases. An investigation was initiated,...

Read More
Data Breach Exposes Medical Records of Western Connecticut Health Network Patients
Aug22

Data Breach Exposes Medical Records of Western Connecticut Health Network Patients

Nuvance Health has started getting in touch with certain Western Connecticut Health Network (WCHN) patients to make them aware that some of their protected health information has been exposed. On June 11, 2019, WCHN sent a box of medical records to the Connecticut State Department of Public Health. The package was sent using the U.S. Postal Service (USPS), but the package was harmed while on the move, exposing the contents of the...

Read More
Washington Hospital Hit with $1m Ransom Demand
Aug16

Washington Hospital Hit with $1m Ransom Demand

A ransomware attack on an Aberdeen, WA hospital and associated clinics is still wreaking havoc over two months after the initial attack took place. The cybercriminals have requested $1 million for the keys to unlock the encryption on the captured data. On June 15, 2019, Grays Harbor Community Hospital started noticing IT problems. The attack happened on a Saturday when staffing numbers were low so, at first, the problem was put down...

Read More
Lost Thumb Drive was used to Store PHI of Renown Health Patients
Aug12

Lost Thumb Drive was used to Store PHI of Renown Health Patients

Renown Health, the largest healthcare supplier in Northern Nevada, has started getting in touch with certain patients to make them aware that some of their protected health information (PHI) may have been accessible. Patient information was held in files on a portable storage device (thumb drive) identified as missing on June 30, 2019. An extensive search of the facility was conducted but the thumb drive could not be found. An...

Read More
Emergency Notifications Systems & Business HIPAA-Compliance
Aug04

Emergency Notifications Systems & Business HIPAA-Compliance

Emergency notification systems for business are software services that are often implemented to alert personnel to the risk of danger. Situations in which they are used include incoming hurricanes, chemical spills, active shooter events, and fires; and therefore it would be unusual for Protected Health Information (PHI) to be shared in the context of an emergency alert. In addition, outside of the healthcare and healthcare insurance...

Read More
AMCA Breach Impacts 2.2 Million Patients of Clinical Pathology Laboratories
Jul24

AMCA Breach Impacts 2.2 Million Patients of Clinical Pathology Laboratories

It has recently been discovered that the protected health information (PHI) of approximately 2.2 million patients of Clinical Pathology Laboratories in Texas may have been infiltrated in the data breach at American Medical Collection Agency (AMCA). AMCA supplies debt collection services to many healthcare firms, which necessitates access to the PHI of patients with outstanding bills. A cyberattack on the AMCA payment website...

Read More
25,000 Adirondack Health Patients Hit by Email Account Hack
Jul21

25,000 Adirondack Health Patients Hit by Email Account Hack

Vermont-based Adirondack Health is getting in touch with around 25,000 patients to make them aware that some of their protected health information has potentially been obtained by a cyber criminal. Information such as patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A smaller subset of patients also had their Social Security number accessible. Adirondack Health is...

Read More
Tennessee Hospice Phishing Attack may have Impacted Sensitive Data
Jul12

Tennessee Hospice Phishing Attack may have Impacted Sensitive Data

Alive Hospice, a provider of end-of-life care, palliative care, bereavement support and community education based in Nashville, Tennessee, has revealed that the email account of a staff member was infiltrated during May 2019. On May 6, 2019, suspicious activity was noticed in a staff member’s account. The password for the account was quickly amended and an investigation was launched into the cause of the violation. The...

Read More

One-Year Prison Sentence for Former Patient Care Coordinator Following HIPAA Violation

A former patient care coordinator based at University of Pittsburgh Medical Center (UPMC) has been given a one-year prison sentence for accessing the medical records of patients and using that information to cause malicious damage. Sue Kalina, 62, of Butler, PA, had previously been employed at UPMC Tri Rivers Musculoskeletal and Allegheny Health Network as a patient care coordinator. On March 30, 2016, while a staff member with UPMC,...

Read More
Unauthorized Use of PHI as Teaching Tool Leads to Legal Action by Student
Jul08

Unauthorized Use of PHI as Teaching Tool Leads to Legal Action by Student

A medical student at Marshall University is suing the institution, along with Cabell Huntington Hospital, in relation to the unauthorized sharing of some of his protected health information (PHI) to a class of students. The student, who is referred to only as J.M.A in the lawsuit, alleges that his x-rays were used as a teaching tool by a professor at Marshall University Joan C. Edwards School of Medicine, but information...

Read More
Phishing Attack Impacts PHI of 10,893 Summa Health Patients
Jul07

Phishing Attack Impacts PHI of 10,893 Summa Health Patients

It was discovered on May 1 that up to four employee email accounts containing patients’ protected health information (PHI) have been infiltrated at Akron, Ohio-based Summa Health after an unauthorized person obtained access. Summa Health noticed the breach and launched an investigation that found two email accounts were infiltrated during August 2018, and a further two accounts between March 11, 2019 and March 29, 2019. All...

Read More
HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill
Jun30

HIPAA Enforcement Safe Harbor Called for in HELP Committee Bill

There may be some implications for HIPAA-covered entities after the Senate Health, Education, Labor and Pensions (HELP) Committee approved the Lower Health Care Costs (LHCC) Act of 2019. One of the main targets of the bill is to enhance the transparency of healthcare expenses and service quality. The bill aims to bring an end to surprise health bills and make sure patients are kept updated about healthcare costs. The LHCC Act...

Read More
Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care Clarified by OCR
Jun28

Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care Clarified by OCR

The Department of Health and Human Services’ Office for Civil Rights has released new HIPAA guidance for health plans on how protected health information can be sent to support care coordination and continuity of care. The new material, which has been published in an FAQ format, addresses two questions commonly asked by health plans: Can PHI be shared with another health plan for care coordination reasons? OCR has said that the HIPAA...

Read More
California and Illinois Clinics Discover Ransomware Attacks
Jun26

California and Illinois Clinics Discover Ransomware Attacks

Quantum Vision Centers and Eye Surgery Center patients located in Illinois are being contacted to make them aware that some of their protected health information may have been illegally obtained in an April 2019 ransomware attack. An unauthorized person obtained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which included data such as names, dates of birth,...

Read More
645,000 Clients of Oregon Department of Human Services Alerted Regarding Phishing Breach
Jun22

645,000 Clients of Oregon Department of Human Services Alerted Regarding Phishing Breach

The Oregon Department of Human Services (ODHS) is making contact with 645,000 clients to advise them that some of their personal information may have been compromised due to a phishing attack. The targeted attack kicked off on January 9, 2019 and led to 9 ODHS employees clicking on links in emails and disclosing their login details. ODHS and the Department of Administrative Services Enterprise Security Office noticed the breach on...

Read More
AMCA Breach Affects Almost 7.7 Million Patients
Jun06

AMCA Breach Affects Almost 7.7 Million Patients

After reports that the data breach at American Medical Collection Agency (AMCA) impacted the records of 11.9 million Quest Diagnostics patients, comes the revelation that another healthcare company has been impacted by the breach. On June 4, 2019, LabCorp, a different nationwide group of blood testing centers, announced that 7.7 million people whose blood samples were processed by the company may have had their sensitive information...

Read More
PHI Uploaded to Unapproved and Unsecured Cloud Service Used by UMC Physicians
May21

PHI Uploaded to Unapproved and Unsecured Cloud Service Used by UMC Physicians

UMC Physicians, based in Lubbock, is contacting patients of UMC Southwest Gastroenterology to make them aware that some of their protected health information has been exposed due to errors of judgement by two of its employed providers. Those suppliers had each set up a Google shared drive which was used to track follow up jobs related to the provision of care to patients. While the shared drives were set up with good aims and were...

Read More
Verity Health’s St. Vincent Medical Center Reports Phishing Attack
May20

Verity Health’s St. Vincent Medical Center Reports Phishing Attack

St. Vincent Medical Center, a part of Verity Health System, has announced a staff email account has been hacked following a response to a phishing email. The breach took place on March 15, 2016 and involved the email account of a hospital pathologist. The account compromise was discovered on March 26 and the account was secured within hours. During the period of time that the unauthorized individual had access to the account, it...

Read More
Bodybuilding.com Data Breach Impacts 3,193 Employees
May10

Bodybuilding.com Data Breach Impacts 3,193 Employees

The bodybuilding and personal fitness website Bodybuilding.com has revealed it has had to deal with a security incident that may have led to the information of customers and employees being accessed by unauthorized people. While the breach affecting customers was not a reportable incident under HIPAA, HIPAA does cover group health plans. As such, Bodybuilding.com was required to report the breach of group members’ PHI to the Office...

Read More
Court Rules that Negligence Claim Based on HIPAA Violation can Proceed in Arizona
May04

Court Rules that Negligence Claim Based on HIPAA Violation can Proceed in Arizona

An Arizona man who submitted a legal action against Costco in relation to a privacy violation and had the lawsuit thrown out by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence in relation to a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question took place in 2016. The man was sent a...

Read More

Business Associate Phishing Attack Impacts PHI of 17,531 Patients

Women’s Health USA Inc., an Avon, CT-based business associate that supplies a range of practice management services to healthcare groups, has suffered a phishing attack that has led to the exposure of patients’ protected health data. A review was initiated following the discovery of suspicious activity within specific employee email accounts. The targeted email accounts were safeguarded, and a leading cybersecurity firm was engaged...

Read More

HHS Reforms HITECH Act Penalties for HIPAA Breaches

The Department of Health and Human Services has published a notification of enforcement discretion in relation to the civil monetary penalties that are applied when breaches of HIPAA compliance rules are identified and will be reducing the maximum financial penalty for three of the four penalty levels. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 raised the penalties for HIPAA...

Read More
Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach
Apr26

Medical Billing Service Provider Suffers Ransomware Attack 7 Months After Computer Breach

Massachusetts-based supplier of medical billing services Doctors’ Management Service Inc. noticed that malicious software had been downloaded to its network which stopped files from being accessed on December 24, 2018. A review into the security incident was initiated which found GandCrab ransomware had been deployed. Files were rescued from backups and no ransom was paid. The review also found that the individual responsible for...

Read More
EmCare Phishing Attack Exposes 60,000 Records
Apr26

EmCare Phishing Attack Exposes 60,000 Records

The Dallas, TX-based physician staffing company EmCare has revealed that it has been impacted by a data breach that has impacted around 60,000 individuals, 31,000 of whom were patients. The exposed data was detailed in emails and email attachments in employee email accounts that were accessed by an unauthorized person after several employees responded to phishing emails and disclosed their email details. It is unclear from EmCare’s...

Read More
11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack
Apr20

11,639 Individuals Impacted by Riverplace Counseling Center Malware Attack

Riverplace Counseling Center in Anoka, MN, has revealed that malware was discovered on its systems which may have allowed unauthorized individuals to obtain access to patients’ protected health information. The malware infection was first noticed on January 20, 2019. The counseling center brought in an IT firm to conduct a forensic analysis, remove the malware, and restore its systems from backups. The analysis process was completed...

Read More
Servers Compromised and Virus Deployed at Centrelake Medical Group
Apr19

Servers Compromised and Virus Deployed at Centrelake Medical Group

Centrelake Medical Group, a group of 8 medical imaging and oncology clinics in California, is notifying a number of patients that some of their protected health information has been exposed due to a computer virus. The computer virus was identified in February 2019 when it stopped the medical group from accessing its files. The virus seems to be a form of ransomware, although no mention of ransomware or a ransom demand was made in...

Read More

$4.7 Million Settlement Agreed in Washington State University Data Breach Class Action Lawsuit

In the past few days a $4.7 million settlement has been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on external hard drives which were saved in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had taken place at the storage...

Read More
Can SparkPost be Deemed HIPAA Compliant?
Mar22

Can SparkPost be Deemed HIPAA Compliant?

SparkPost is a widely-used email delivery and analytics platform that is implemented by many enterprises to send information to customers. Healthcare bodies are required to adhere to HIPAA Rules, so to determine if SparkPost supports HIPAA compliance and whether its platform can be used in a HIPAA compliant manner we have considered the following. SparkPost is the largest global email delivery and analytics platform and is used to...

Read More
UW Medicine Exposes 1m Patients’ PHI by Removing Security
Mar20

UW Medicine Exposes 1m Patients’ PHI by Removing Security

Around 974,000 patients of UW Medicine have had their PHI exposed online due to the accidental disabling of protections on a website server. The error led to sensitive internal files being indexed by search engines. Sensitive patient information was accessible using Internet searches without any need for authentication. The Seattle-based group noticed a vulnerability on a website server on December 26, 2018, following being contacted...

Read More
Milestone Family Medicine Data Breach Made Known to St. Francis Patients
Mar05

Milestone Family Medicine Data Breach Made Known to St. Francis Patients

Bon Secours St. Francis Health System is getting in touch with patients in relation to a security breach that may have led to some of their protected health information (PHI) being viewed/accessed by unauthorized actors who obtained access to the systems of Milestone Family Medicine in Greenville, SC. Milestone Family Medicine was connected with St. Francis Physicians Services (SFPS) until February 24, 2019, and had previously worked...

Read More
Rutland Regional Medical Center Email Accounts Accessed by Hackers
Mar04

Rutland Regional Medical Center Email Accounts Accessed by Hackers

Rutland City-based Rutland Regional Medical, the biggest community hospital in Vermont, has uncovered a hack of its IT systems where cybercriminals obtained access to the email accounts of nine employees and potentially viewed/obtained patients’ protected health information. The hack was discovered on December 21, 2018 when a staff member of the medical center saw that their email account had been used to transmit large quantities of...

Read More
Proposal to Pay Patients to Share Their Healthcare Data Included in Oregon Health Information Property Act
Feb13

Proposal to Pay Patients to Share Their Healthcare Data Included in Oregon Health Information Property Act

The Oregon Health Information Property Act proposes that healthcare patients should be permitted to legally authorize their healthcare suppliers to sell their health data and for them to be paid if their health information is sold to a third party. At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule restricts the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered bodies...

Read More
Facebook Data Gathering Reined in by German Facebook Ruling
Feb13

Facebook Data Gathering Reined in by German Facebook Ruling

Recently the German antitrust body, Bundeskartellamt, released a decision dictating that the way Facebook obtains, links, authors and uses data in user accounts is an unfair advantage it leverages due to its dominant market position. This ruling comes after a three-year long investigation into Facebook’s business methods by the Bundeskartellamt. Facebook account holders must, under the terms of service, give their consent to have...

Read More
Minnesota Infertility Clinic Suffers Malware Attack
Feb09

Minnesota Infertility Clinic Suffers Malware Attack

Malware has been downloaded to the network of Reproductive Medicine and Infertility Associates, an infertility clinic located in Woodbury, Minnesota. While no proof was found to imply any patient information was accessed or exfiltrated by the malware, the chance of a data breach taking place could not be eliminated. The malware attack was discovered by the infertility clinic on December 5, 2018 and an external computer forensics firm...

Read More
Roper St. Francis Healthcare Phishing Attack Sees 13 Accounts Compromised
Feb06

Roper St. Francis Healthcare Phishing Attack Sees 13 Accounts Compromised

A massive phishing campaign targeting Roper St. Francis Healthcare has seen attackers gain access to the email accounts of 13 staff members. The phishing attack was discovered on November 30, 2018 and actions were taken to block access to a corporate email account. The investigation into the breach showed further email accounts had been accessed. The affected accounts were logged onto by the hacker between November 15 and December 1,...

Read More
$935,000 Settlement Agreed Between Aetna and California AG in HIV Status Breach Case
Feb03

$935,000 Settlement Agreed Between Aetna and California AG in HIV Status Breach Case

Health insurance company Aetna has reached an agreement to pay a HIPAA penalty of $935,000 to the California Attorney General in relation to alleged violations of state laws during a 2017 privacy breach that released state residents’ HIV status. On July 28, 2017, Aetna’s mailing supplier sent letters to plan subscribers who were receiving HIV medications or pre-exposure prophylaxis to stop them from contracting HIV. The letters included...

Read More