Industry-Wide Effort to Accelerate Interoperability Urged by Hospital Associations
Seven major hospital associations, including the American Hospital Association (AHA), are leading pleas for an industry-wide effort to enhance data sharing. The new report is seeking public and private stakeholder support to speed up interoperability and help remove the obstacles to data sharing. In order to achieve the full potential of the nation’s healthcare system, health data must flow without obstruction. Only then will it be...
Warning About DNS Hijacking Issued by DHS
The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has released an emergency warning regarding DNS hijacking campaigns. All government agencies have been told to review their DNS settings over the next 10 days. CISA reports that cyber criminals have been targeting government agencies and changing their Domain Name System records. DNS records are used to determine the IP address of a website...
Email Account Breach Impacts Valley Hope Association Patients
Valley Hope Association has revealed that a hacker has been able to log onto the email account of a member of staff. The organisation discovered that an account breach may have taken place, on October 10 2018, when unusual account activity was noticed. Swift action was taken to stop account access continuing and a third-party computer forensics firm was retained to determine the nature and scope of the data breach. The investigation...
Four-Month Email Account Hack Impacts 111K Individuals
Centerstone Insurance and Financial Services, which conducts its business as BenefitMall, has begun alerting more than 111,000 individuals that some of their protected health information has been illegally accessed, and possible stolen, in a recent email hacking incident. Dallas, TX-based BenefitMall is a supplier of employee benefits, payroll, HR, and employer services and has a workforce of over 20,000 advisors, brokers, and CPAs...
Ransomware Attack at Bobby Yee Podiatric Offices Affects 24,000 Patients
The Podiatric Offices of Bobby Yee have been subjected to a ransomware which led to the encryption of files that included the protected health information (PHI) of up to 24,000 patients and other clients. It was discovered that attack happened on October 29, 2018 when medical records were encrypted by the ransomware. Among the range of data which was breached are files containing information such as full name, address, contact...
Choice Rehabilitation Residents Affected by Email Breach
It has been found that an unauthorized individual hacked into a corporate email account of one of the employees of Choice Rehabilitation of Creve Coeur, MO, in order to set up a mail forwarder which shares emails with a personal email account. The breach happened on July 1, 2018 and the mail forwarder was left switched on until September 30, 2018. A complete review the email account showed that the protected health information of...
Vulnerabilities Identified in LabKey Server Community Edition
Security specialists at Tenable Research have identified a number of flaws in LabKey Server Community Edition 18.2-60106.64 which could be targeted to obtain user credentials, access medical data, and run arbitrary code via the Labkey browser. LabKey Server is an open source collaboration tool that enables scientists to integrate, analyze, and distribute biomedical research data. While the platform acts as a secure data repository,...
Ransomware Attack Hits Vendor of Dental Center of Northwest Ohio
Existing and previous at the Dental Center of Northwest Ohio in Toledo, OH, have been contacted to advise them that some of their protected health information may have been obtained illegally via a ransomware attack on one of its third party suppliers. A managed IT service provider called Arakyta got in touch with the dental center on September 1, 2018, regarding a security breach on a server hosting some dental center systems. With...
2018 Security Awareness Training Statistics
A recent survey conducted by Mimecast has produced some interesting security awareness training statistics for 2018. The survey shows many businesses are taking considerable risks by not providing adequate training to their employees on cybersecurity. Ask the IT department what is the greatest risk cybersecurity risk and many will say end users. IT teams put a considerable amount of effort into implementing and maintaining...
Cloud Tool Reduces AWS Costs by 60%
Healthcare groups are, increasingly, implementing cloud-based systems to meet their IT requirements, but while there are multiple reasons for moving applications, infrastructure and data center operations to the cloud, the high cloud costs make it an unattractive possibility. Many healthcare groups purchase AWS EC2 instances for to implement this on their servers. While this particular platform meets their requirements, the...
17,639 Capital Digestive Care Clients Impacted by Hacking Attack
Silver Spring, MD-based gastroenterology group Capital Digestive Care has announced that one of its business associates distributed files to a commercial cloud server that dd not have adequate security measures, exposing the protected health information of approximately 17,639 clients. The exposure was brought to the attention of Capital Digestive Care on February 23, 2018 and were quickly put in place to secure the files and prevent...
Manufacturer of Oxygen Equipment Reports Data Theft Incident Possibly Impacting 30,000 Individuals
Inogen, a manufacturer of portable oxygen concentrators, has found that an unauthorized individual has obtained the credentials of a employees and has used them to access to the staff member’s email account. Phishing and other credentials theft incidents are commonplace in the healthcare industry, although what makes this incident unusual is the number of people affected by the attack. The compromised email account includeed the...
Integrated Rehab Consultants Takes 16 Months to Notify Patients of PHI Breach
Illinoie-based physiatry organization Integrated Rehab Consultants is broadcasting notification correspondence to some patients alerting them to the exposure of some of their protected health information, in line with HIPAA regulations. However, the breach was not discovered within the past 60 days. Integrated Rehab Consultants (IRC) initially became aware of the exposure of PHI on December 2, 2016 – 16 months previously. The...
Des Moines Crisis Observation Center Discovers Inappropriate Dissemination of Patient Data
1,071 patients who were treated at the Des Moines Crisis Observation Center managed by Polk County Health Services Inc., have been contacted to advise them that some of their protected health information has been “accidentally and unknowingly disseminated” at some point in the last 3.5 years. The breach was first identified on February 14, 2018, although the inquiry revealed that information was first disclosed on June 1, 2014 and the...
Misconfigured Security Settings Results in63,500 Middletown Medical Patients Having PHI Exposed
A security setting that was not configured properly on a radiology system has lead to the patients’ protected health information of tens of thousands of patients of Middletown Medical, a multi-specialty physicians’ group based in Middleton, NY, The breach was first discovered on January 29, 2018. On January 30 the interface was realigned that any unauthorized individuals could no longer obtain patient information. The length of time...
Possible Abuse of Credit Card Details Affects 1,500 Baptist Health Patients
A former worker at Baptist Health’s West Kendall Baptist Hospital based in Miami, FL illegally obtained the credit card details of patients and used the information to complete fraudulent transactions. The misuse of credit cards was identified by Baptist Health on March 9, 2018 and the matter was then made known to Miami-Dade law enforcement and the employee was removed from their position. Baptist Health has not made it known...
Multiple Staff Email Accounts Accessed in UnityPoint Health Phishing Attack
It has been discovered that the email accounts of several employees of UnityPoint Health hhave been compromised and accessed by unauthorized people. Access to the staff email accounts was first obtained on November 1, 2017 and went on for a period of three months until February 7, 2018, when the phishing attack was noticed and access to the compromised email accounts was turned off. When the phishing attack was first noticed,...
Almost 14,000 Affected by SAMBA Privacy Breach
14,000 individuals are being alerted about a February 2018 breach of protected health information at the Special Agents Mutual Benefit Association (SAMBA). The data breach affects eligible family members of plan members who were covered by the Federal Employees Health Benefits Plan during 2017. It is an Internal Revenue Service (IRS) obligation for SAMBA to send a copy of Form 1095-B to all plan members every tax year. The form in...
Data Breach Notification and Information Security Laws Updated in Oregon
Data breach notification laws in Oregon have been updated to enhance security for state residents whose personal data is accessible to the public during a data breach. Kate Brown, the State governor, signed the Senate Bill (SB 1551) last month, which updates several parts of the legislation, particularly Oregon’s Breach Notification Law, O.R.S. 646A.604 and Information Security Law, O.R.S. 646A.622. The updates will become...
Arc of Erie County New York Reports 3,751 Patients’ PHI Was Exposed on Internet over 30-Month Period
A provider of person-centered services to individuals with developmental disabilities, The Arc of Erie County New York (The Arc), has reported that two spreadsheets listing the protected health information of 3,751 patients were open to the public via the Internet without the need for authentication for a time period of longer than 30 months from July 2015 to February 2018. The two spreadsheets in question could be seen through the...
Data Breach Notification Law Enacted by South Dakota
It has taken some time for South Dakota to introduce legislation to enhance protections for consumers impacted by breaches of their personal private data. Laws have already been passed in 48 states that obligate persons and companies that hold personal information to publish notifications to breach victims when that information is accessible by unauthorized individuals. Last week, South Dakota citizens were given similar security...
Cambridge Health Alliance Advised of PHI Breach by Law Enforcement
Massachusetts based Cambridge Health Alliance (CHA) have been advised, by law enforcement agencies, that the protected health information of some of its clients has been found in the possession of an unauthorized person. The breach occurred On January 31, 2018, Everett Massachusetts Police Department made CHA aware that files including the PHI of some of its clients had been found in the possession of an person unauthorized to have...
Clinical Pathology Laboratories Southeast Patients’ Have PHI Exposed Due to Theft of Unencrypted Laptop
Clinical Pathology Laboratories Southeast, Inc., (CPLSE) has revealed that an unencrypted laptop computer issued to a member of staff has been stolen, exposing the protected health information of a number of patients and their payment guarantors. CPLSE quickly activated safety actions to prevent the laptop from being used to gain access to its network and the theft was made known to law enforcement; however, it is possible that the...
35,000 Patients of ATI Physical Therapy Affect by Data Breach
The protected health information of more than 35,000 patients of ATI Physical Therapy has has potentially been compromised by a cyber attack that occurred when hackers obtained access to staff email accounts. A security violation was discovered on January 18, 2018 when ATI Physical Therapy saw that the direct deposit information of some of its staff members had been altered in its payroll platform. Quick action was taken to remove...
Finger Lakes Health Computer System Grinds to Halt After Ransomware Attack
A ransomware attack on Finger Lakes Health, based in Geneva, NY, has impacted the computer system to the extent that staff have had to work using pen and paper. In the meantime efforts to remove the malware and restore access to electronic data have been enhanced. The health system came under attack from the health system beginning at around midnight on Sunday March 18, 2018, with workers first noticing the attack when a ransom demand...
NH-ISAC Partnership with Anomali Boosts Threat Detection and Data Sharing
The National Health Information Sharing and Analysis Center (NH-ISAC) and Anomali have begun working together and will be providing threat intelligence to healthcare centers through NH-ISAC. As part of this partnership Anomali will be helping NH-ISAC with the required tools and infrastructure to allow its clients to work together and share threat intelligence with other subscribers. Anomali will be making up to date threat...
1,049 Patients of RoxSan Pharmacy Notified of 2015 Email Breach
1,049 patients of Beverly Hills, CA-based RoxSan Pharmacy have been warned that some of their protected health information has been shared with a business associate through an unencrypted email. The notification letters were sent to affected people during February, although the incident happened on January 20, 2015. Commenting in a recent press release, RoxSan stated that affected individuals are being contatced in “as timely a manner...
Primary Health Care Experiences Multiple Email Hacks
A non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, Primary Health Care Inc. has reported that hackers gained access to the email accounts of four workers and may have viewed or downloaded patients’ PHI. A press release issued by Primary Health Care and published a substitute breach notice to its website on March 16, 2018 outlining that the breach occurred on February 28, 2017. The breach was...
10,000 ShopRite Clients Have PHI Exposed to Improper Destruction of Device
A Millville, New Jersey based ShopRite pharmacy has reported that an electronic device used to save the signatures of people has been destroyed without first deleting all stored protected health information from the device. A restricted amount of protected health information was held on the computing device, including patients’ names, birth dates, contact details, zip codes, prescription numbers, medication names, signatures,...
PHI of 5,300 Individuals Disclosed to Employees of QuadMed
The protected health information of 5,305 patients of QuadMed, a Wisconsin-based provider of medical, laboratory, pharmacy, fitness, and physical therapy services, may have been impermissibly shared with some employees. In November 2013, QuadMed took over management of an onsite clinic at Hillenbrand Inc. Occupational health information of employees based at the Batesville, IN-based manufacturer was held in an electronic medical...
33,420 BJC Healthcare Patients Have PHI Exposed in 8-Months HIPAA Breach
BJC Healthcare has revealed that the protected health information of 33,420 of it’s subscribers has been open to public accessible for eight months without adequate for HIPAA compliant authentication required to view the PHI. The BJC Healthcare group is one of the largest not-for profit healthcare groups located in the United States. The healthcare organization, based in St Louis, runs two nationally recognized hospitals in...
Top Healthcare Security Threats Revealed in HIMSS Survey Results
HIMSS has released the findings of its 2017 healthcare cybersecurity survey, which gives us valuable insights into the state of cybersecurity in the healthcare sector and names the top healthcare security threats. The HIMSS 2018 cybersecurity survey was carried out on 239 respondents from the healthcare sector between December 2017 and January 2018. The findings of the survey were revealed at the HIMSS 2018 Conference & Exhibition...
Increase in W-2 Phishing Campaigns Leads to FBI Warning
The Federal Bureau of Investigation (FBI) has issued a new alert for businesses due to a major rise in phishing attacks attacking payroll worker. The target of the phishing attacks is to download copies of the W-2 forms of workers. Information on the forms is used to carry out identity theft and tax fraud. 2017 saw record numbers of phishing campaigns targeting businesses, educational institutions, and healthcare groups. In some...
Updated Common Rule Allows Research Institutions Another Six Months for Compliance
Initially scheduled due to be introduced on January 19, 2018, amendments to the Common Rule – The Federal Policy for the Protection of Human Subjects have been put back for six months, allowing research groups additional time to comply with the new provisions. July 19, 2018 is the new date for the change to be introduced,however the provision covering cooperative research still has an introduction and enforceable date of January 20,...
Triple-S Advantage Suffers Serious Data Breach with 36k Subscribers Impacted
36,000 plan members of Triple-S Advantage has experienced a privacy breach that has impacted. The breach was experience by the Puerto Rico based group when a mailing error which saw sensitive information of plan members sent to incorrect recipients. The data that was exposed, due to the mailing mistake, was limited and did not incorporate Social Security numbers or financial files; however, plan members’ ID numbers were impermissibly...
Decatur County General Hospital Malware Attack Exposes 24,000 Patient Records
It has been has that Decatur County General Hospital in Tennessee suffered a malware attack after a virus was uploaded to a server housing its electronic medical record network. It is thought that attacker could have gained access to the medical records of up to 24,000 people. The malware software installation was found on November 27, 2017 by the hospital’s medical record system vendor, who maintains the server on which the system is...
Ron’s Pharmacy Services’ Patients Receive Email Account Breach Alerts
San Diego, CA-based Ron’s Pharmacy Services has found that an employee’s email account containing limited protected health information has been logged onto by an unknown individual. Unusual activity was noticed on the employee’s email account during October 3, 2017 resulting in an investigation; however, it was not until December 21, 2017 that it was revealed that an unauthorized individual had obtained messages in the email...
May 2017 Partners HealthCare Breach May Have Affected 2,600 Clients
2,600 clients of Partners HealthCare System are being warned that some of their protected health information may have been compromised in a May 2017 breach. While HIPAA covered organizations are given a time period of up to 60 days following the discovery of a breach to file an incident report to OCR (if the breach impacts 500 or more people) and notify those affected by the violation, this incident occurred and was found in May 2017....
Online Breach Reporting Tool Launched in Massachusetts
It has been announced, by Massachusetts Attorney General Maura Healey, that a new online data breach reporting tool it to be introduced to simplify the process of submitting breach notifications to the State Attorney General’s office. Massachusetts data breach notification law (M.G.L. c. 93H) states that groups or organizations that suffer a breach of personal information must complete a notification and send it to the Massachusetts...
Online Trust Alliance Reveals 2017 was Worst Year Ever for Cyber Attacks
The Online Trust Alliance´s “Cyber Incident & Breach Trends Report” has revealed that 2017 was the “worst year ever” for cybersecurity attacks. The organization believes that, calculated using the number of reported violations, there were nearly twice as many cybersecurity incidents than in 2016. The Online Trust Alliance´s “Cyber Incident & Breach Trends Report” encompasses more than a simple review of the previous...
Allscripts Facing Class Action Lawsuit Following Ransomware Attack
Allscripts experienced a ransomware attack at centers in Raleigh and Charlotte, NC, resulting in several applications remaining offline for as many as 1,500 clients. Florida-based Surfside Non-Surgical Orthopedics. has already begun legal action by filing a class action lawsuit against the EHR vendor. A new variety SamSam ransomware infected Allscripts, a provider of EHR and e-prescription services to 2,500 hospitals and 19,000...
Breach Notification Bill Advanced by South Dakota Senate Attorney Judiciary Committee
A vote in favor of introducing data breach notification legislation has been overwhelmingly passed by the South Dakota Senate Attorney Judiciary Committee. The bill advanced after a 7-0 vote. It was originally introduced at the request of South Dakota Attorney General Marty Jackley. Presently there are only two states left in the US that have yet to implement data breach legislation to protect state residents. As it seems that South...
Unauthorized Palomar Health Nurse Viewed Medical Records of Over 1,300 Patients
A former nurse employed at Palomar Medical Center Escondido viewed, without authorization, the medical records of more than 1,300 patients who were receiving treatment at the hospital. Those affected are now being made aware of the breach. The breaches were experienced over a 15-month period from February 10, 2016 and May 7, 2017. The access that was not permitted was first seen when access logs were reviewed. The audit revealed a...
Coplin Health Systems Patients’ PHI Possibly Compromised by Laptop Theft
43,000 patients of West Virginia-based Coplin Health Systems have been warned that their PHI may have been exposed following the theft of an unencrypted laptop computer from the vehicle of an worker at the organization. Coplin Health was discovered the laptop theft on November 2, 2017. The theft was then reported to law enforcement and an investigation was initiated, although at the time of sending the warnings, the laptop computer in...
North Carolina State Medicaid Agency Found to Have Data Security Inadequacies
The Department of Health and Human Services’ Office of Inspector General (OIG) has released the results of an audit of the North Carolina State Medicaid agency. The audit uncovered the fact that the State agency did not implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility information. HHS manages the administration of...
Unauthorized Person May Have Accessed PHI of 1,128 CCHLV Patients
It has been discovered that an unauthorized individual may have viewed the protected health information of 1,128 patients of Compassionate Care Hospice Las Vegas (CCHLV). During a review on October 28, 2017, CCHLV found that its systems had been accessed without authorization. After finding the breach, CCHLV brought in a third-party forensics company to conduct a thorough investigation to look into breach and identify exactly who may...
5,000 Members of Kaiser Permanente Notified About Two Security Incidents
Two security incidents have recently been reported to the Department of Health and Human Services’ Office for Civil Rights by Kaiser Permanente. Combined, more than 5,000 people have been affected by the two breaches. Those affected were clients of the Kaiser Foundation Group Health Plan. The most potentially dangerous incident, regarding the number of individuals harmed, was an email-related breach threatening 4,389 health plan...
Employee-Related Data Breach at SSM Health Affects 29,000
It has been discovered that a former worker at the St. Louis, MO-based not-for-profit health system, SSM Health was accessing the health records of clients for 8 months despite not haveing any legitimate work reason. The individual worked in SSM Health’s customer service support call center, and due to this, did not have permission to access financial information, only demographic, health, and clinical data. The access was discovered...
Sports Medicine Practice Hit by Two Hacking Attacks in 7 Days
A hacker has gained access to its systems and encrypted files with ransomware at a family and sports medicine practice based in Colorado. Longs Peak Family Practice (LPFP) in Longmont CO, discovered suspicious activity taking place on its internal network on November 5, 2017 and took quick measures to safeguard its systems. However, before the measure were in place, the attacker ran ransomware code which encrypted files on some parts...
Cyberattack Affects Internal Access to Jones Memorial Hospital Servers
University of Rochester Medicine’s Jones Memorial Hospital, located in Wellsville, New York is currently dealing with a cyberattack that has inflicted some unexpected downtime on the organization. The attack is believed to have begun on Wednesday December 27 and has caused disruption to some of its information servers. The details of the cyberattack is unclear and it has yet to be resolved. The cyberattack has been limited to Jones...
Access to Wager Evans Dental Records Prevented for 5 Days After Ransomware Attack
Wager Evans Dental practice, based in Reno, NV, has experienced a ransomware attack that cut off access to dental records and images for five days towards the end of 2017. The ransomware attack happened on October 30, 2017. The ransomware software was installed on one computer and one server used by the Dental Clinic. Ransomware can be installed by hackers using many different methods, although most commonly attacks using email. That...
Nebraska Ransomware Attacks Compromised PHI of Almost 10,000 Patients
A ransomware attack that targeted Columbus Surgery Center, LLC and Eye Physicians, P.C., in Columbus, Nebraska has potentially exposedin the protected health information of almost 10,000 clients. The ransomware attack took place on October 7, 2017 and saw a wide variety of files on some servers being encrypted by the ransomware. A ransom demand was made by the hackers, although this was not paid. The encrypted data was restored from a...
1,750 Patients Affected by Potential Data Theft Incident at Austin Manual Therapy
1,750 patients have been notified that some of their protected health information may have been accessed and stolen by a criminal attacker who gained access to Austin Manual Therapy (AMT) systems. Following a forensic investigation, by a leading national cybersecurity team, it has been found that access was first gained on October 3, 2017 and continued until October 9, when the intrusion was found and blocked. In the the breach notice...
1,900 MidMichigan Medical Center Patients’ PHI Found After Breach
MidMichigan Medical Center (MMC) in Alpena has made contact with patients to advise them of a possible breach of their health information, which may have literally benn blown into the hands of people unauthorized to view the information. Late on November 18, a MMC cardiologist moved patient files from the Alpena cardiology office without adequate authorization. The files were placed to the cardiologist’s vehicle in a storage container...
PHI of Almost 7,000 Patients Exposed in Two Separate Breaches
A binder holding a log of presurgical insurance authorizations was accidentally recycled by a cleaning company contracted by NYU Langone Health System in October. The binder was holding records referring to around 2,000 patients. The binder had saved information including names, birth dates, dates of service, current procedural terminology code, diagnosis codes, insurer names, and insurance ID credentials. In some instances, short...
PHI Breach at UAB Medicine Leaves 652 Records Potentially Exposed
In Birmingham, Alabama, the UAB Medicine Viral Hepatitis Clinic has discovered a breach of patients’ protected health information (PHI) that could have affected up to 652 patients. The group, UAB Medicine, uses flash drives to transfer information from its Fibroscan machine to a computer. Two flash drives were identified discovered as missing on October 25, 2017. The portable storage devices were used to hold a limited amount of PHI...
Personal Information of New York Pharmacy Customers Exposed in Improper Disposal Incident
A security breach, involving the improper disposal of a device used to capture customers’ signatures, has been encountered by ShopRite Supermarkets, Inc. The device in question was used at the ShopRite, Kingston, NY location between 2005 and 2015 and stored personal and medical data. Customers who attended the pharmacy and had prescriptions supplied between 2005 and 2015 have potentially been impacted by the exposure. For those...
Extortion Attempt on Sports Medicine Provider Exposes Private Data of 7,000 Individuals
Sports Medicine & Rehabilitation Therapy (SMART), based in Massachusetts, has contacting 7,000 clients regarding a breach of their protected private health information that occurred in September 2017. Potentially, the breach impacted all clients whose data was saved during a visit to a SMART outlet prior to December 31, 2016. Hackers, in an extortion attempt, accessed SMART systems, allegedly stole private information, and asked...
Rocky Mountain Health Care Services has Second Unencrypted Laptop Stolen
An unencrypted laptop has been stolen from one of its employees of Rocky Mountain Health Care Services of Colorado Springs. This is the second such incident to be identified in just three months. The most recent incident was identified on September 28. The laptop computer was seen to store the protected health information of a small number of patients. The types of data stored on the device included first and last names, addresses,...
Medical College of Wisconsin Phishing Attack Affects 9,500 Patients
The exposure of approximately 9,500 patients’ protected health information at the Medical College of Wisconsin has been caused by a phishing attack. The attackers were able to gain access to several staff members’ email accounts, which included a variety of sensitive information of patients and some faculty employees. The types of data in the accessed email accounts included names, addresses, medical record numbers, dates of birth,...
Clinic Worker Who Stole PHI Jailed for Five Years
A staff member at a clinic who stole the protected health information of mentally ill patients and sold the data to identity thieves for profit has fail in an appeal to get a five-year jail term lessened. Jean Baptiste Alvarez, aged 43, of Aldan, PA, obtained daily census sheets from the Kirkbride Center, a 267-bed behavioral health care facility located in Philadelphia. The census sheets included all the information required to steal...
Suspected UPMC Susquehanna Phishing Attack Exposes 1,200 Patients’ PHI
A network of hospitals and medical centers in Williamsport, Wellsboro and Muncy in Pennsylvania, called UPMC Susquehannam has revealed that the protected health information of 1,200 patients has possibly been accessed by unauthorized people. Access to patient information is thought to have been obtained after an worker replied to a phishing email. While information regarding the breach date have not been published, UPMC Susquehanna...
Protenus November Breach Barometer Report Highlights Threat from Internal Breaches
Following an unusually bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October according to the November 2017 Healthcare Breach Barometer Report from Protenus. The Protenus monthly summary of healthcare data breaches collates incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents made public using media outlets and tracked...
Contacts Stolen and Spear Phishing Emails Sent by Ursnif Trojan
The financial sector banking Trojan Ursnif, one of the most commonly experienced banking Trojans, has before been used to attack banking institutions. However, it seems the individuals behind the malware have expanded their horizons, with cyberattacks now being carried out on a wide variety of groups across many different sectors, including healthcare. The new strain of the Ursnif Trojan was found by researchers at security firm...
Alex Azar Nominated for HHS Secretary by President Trump
Alex Azar, the former Deputy Secretary of the Department of Health and Human Services, is now the favorite to take over the reins from former Secretary Tom Price after receiving the presidential nomination for the role by President Trump. During the Presidential term of George W. Bush, Azar served as general counsel to the HHS and Deputy Secretary President Trump confirmed, via his Twitter account, that he believes Azar is the best...
2017 Data Breach Report Reveals 305% Annual Rise in Breached Records
The Risk Based Security (RBS) 2017 data breach report has shown there has been a 305% surge in the number of records exposed in data breaches in the last 12 months. For its latest breach report RBS, a provider of real time information and risk analysis tools, reviewed analyzed breach reports from the first three quarters of 2017. RBS explained in a recently published blog post, this year has been “yet another record breaker for data...
CyberAttack Infection Found by Catholic Charities of the Diocese of Albany
The Catholic Charities of the Diocese of Albany (CCDA) was performing an upgrade of its computer security software during August when it found malware on its systems. The software was discovered to have been placed on one of the computer servers located at its Glens Falls office, which provided treatment to based patients in Saratoga, Warren and Washington Counties in New York. They acted quickly was taken to block access to the...
NY AG Brings in Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)
Aiming to protect New Yorkers from unwelcome breaches of their personal information, The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. It is hoped that this Act with ensure that those affected will be notified when such breaches are incurred. Sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian...
New Variant of WannaCry Ransomware Detected in FirstHealth CyberAttack
A new variant of the WannaCry ransomware has been detected in a cyber attack on FirstHealth of the Carolinas, a Pinehurst, SC-based not for profit health provider. WannaCry ransomware came to global attention in cybers attacks in May 2017. In excess of 230,000 computers were infected within one day of the worldwide attacks starting. The ransomware variant had wormlike features and was capable of spreading quickly and affecting all...
Dental Offices and HIPAA Compliance: What Needs to Be Addressed?
Dr. Joseph Beck became the first ever dentist to be receive a HIPAA violation fine in 2014. This alerted dental offices to HIPAA compliance and the importance of it. Until then, dental offices had not been subjected fines for noncompliance with HIPAA Rules. The penalty was not applied by the Department of Health and Human Services’ Office for Civil Rights (OCR), but by the Office of the Indiana attorney general. The fine of $12,000...
Consolidated Inc. Data Breach Impacts 21,856 People
Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on the server. Closer inspection of that account showed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies. 21,856 people who received durable medical...
3,725 Veterans Have Their PHI Exposed Due to Missing Laptop
A laptop computer, no longer in use, owned by the Mann-Grandstaff VA Medical Center (MGVAMC) in Spokane, WA, has gone missing, potentially leading to the exposure of sensitive patient data. The laptop was linked to a hematology analyzer and held data related to hematology tests. The laptop was in operation between April 2013 and May 2016, but was put out of use when the device became unusable. The laptop, which had been purchased from...
Data Breaches Drop For Second Consecutive Month
The latest report of the Breach Barometer from Protenus/Databreaches.net Healthcare shows that data violations have dropped for the second consecutive month, according to . In August, there were 33 reported healthcare data violations, down from 36 incidents in July and 56 in June. While the drop int he number of data breaches is encouraging, that is still more than one healthcare data breach per day. While it was the second best month...
OIG: Multiple Security Weaknesses in Alabama’s Medicaid Management Information System
The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to adetermine whether the state was in compliance with federal regulations. The review included the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could...
HHS Withdraws Proposed Rule for Health Plans Certification of Compliance
A new rule for certification of compliance for health plans was proposed by the HHS In January 2014, requiring all controlling health plans (CHPs) to submit a range of documentation to HHS to demonstrate HIPAA compliance. The proposed rule ‘Administrative Simplification: Certification of Compliance for Health Plans’ was drafted to promote more consistent testing procedures for CHPs. The HHS has now dediced to withdraw the...
PHI of 10,500 Patients Found in Illinois Basement
The medical history of more than 10,000 patients have been discovered in a basement in Aurora, Illinois. The documentation was located at the house, rented from Naperville-based psychiatrist Dr. Riaz Baber, M.D., by the woman who rented it. The files had been stored in the basement for at least 4 years. The female tenant, Barbara Jarvis-Neavins, claims that she was given access to the basement by the psychiatrist’s wife when workmen...
Medical Device Cybersecurity Emphasis for New AEHIS/ MDISS Partnership
A new working relationship d between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS) will focus on helping advance medical device cybersecurity and improve patient data security. The two groups will cooperate to aid members identify, mitigate, and prevent cybersecurity...
51,000 Plan Subscribers Hit by Network Health Phishing Attack
Network Health has advised 51,232 of its plan subscribers that some of their protected health information (PHI) has possibly been accessed by unauthorized people. In August 2017, some Network Health Wisconsin-based employees received sophisticated phishing emails. Two of those staff members responded to the scam email and divulged their login credentials to the attackers, who used the details to gain access to their private email...
Internet of Things Medical Resilience Partnership Act to Provide Direction on Devices
The Internet of Medical Things Resilience Partnership Act, aimed at establishing public-private stakeholder partnership which will be tasked with developing a cybersecurity framework to prevent data breaches, has been approved by the U.S. House of Representatives. The hope is that this framework will be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more secure from...
Over Half of Cloud Storage Services are Misconfigured: Report
A recent report by cloud threat defense firm RedLock claims more than half of businesses have made errors that have exposed sensitive data to the general public vuia the cloud. The study shows many organizations are not adhering to established security best practices, such as using multi-factor authentication for all privileged account subscirbers. Worse again, many groups are failing to constantly review their cloud environments...
Hacking Group ‘The Dark Overlord’ Attacks Another Healthcare Organization
After a seemingly prolonged period of inactivity, the hacking group TheDarkOverlord has revealed another attack on a U.S. healthcare supplier, Mass-based SMART Physical Therapy (SMART PT). The hack reportedly happened on September 13, 2017, with the announcement of the data theft released by TDO on Twitter on Friday 22, 2017. No details were given as to how access to the data was gained, although it was revealed to databreaches.net...
Catholic Charities of the Diocese of Albany Discovers Long-Term Malware Infection
Catholic Charities of the Diocese of Albany (CCDA) has discovered, during a software upgrade in August 2017, that malware was installed on one of the computer servers used by its Glens Falls premise, which provides services in Saratoga, Warren and Washington Counties in New York. A quick response was taken to block access to the server and CCDA called in a computer security firm to carry out an investigation into the unauthorized...
Responding to a Cyberattack: Advice Issued by OCR
Recently, the Department of Health and Human Services’ Office for Civil Rights published new guide lines for covered organizations on the correct way to respond to a cyberattack. These guideline included a quick response checklist and accompanying infographic to explain the correct response to a cyberattack and the sequence of steps that should be taken. Preparation is key is a correct response. Covered entities must have response and...
HITRUST/AMA Begin Project to Assist Small Healthcare Firms with HIPAA Compliance
HITRUST has revealed it will be working with the American Medical Association (AMA) for a new project that will assist small healthcare companies with HIPAA compliance, cybersecurity and cyber risk management. Small healthcare providers can be more exposed to cyberattacks, as they usually lack the resources to dedicate to cybersecurity and do not tend to have the budgets at their disposal to employ skilled cybersecurity staff. This...
HHS Issues Partial HIPAA Privacy Rule Waiver in Hurricane Maria Disaster Zone
A partial waiver of HIPAA has been issued by the U.S. Department of Health and Human Services in the Hurricane Maria disaster area in Puerto Rico and the U.S. Virgin Islands, the thrid such waiver of 2017 following the has already issuing of waivers of HIPAA sanctions and penalties in areas affected by hurricanes earlier this year. The previous waivers were issued in relation to Hurricane Harvey and Hurricane Irma and, as was the...
Hospitals in Irma Disaster Area Granted Limited HIPAA Waiver
A limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Hurricane Irma has been issued by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) in the U.S. Virgin Islands, Puerto Rico, and Florida. OCR says that the HIPAA Privacy and Security Rules are still in place and covered organizations must continue to obey HIPAA Rules; however, certain parts of the Privacy Rule have...
OCR Warns Covered Entities to Prepare for Natural Disasters
Medical Centers and Hospitals in Texas and Louisiana have been stretched due to Hurricane Harvey,and are trying to provide medical services without breaching HIPAA Rules. Concern arose regarding when it is allowable to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights...
Finding ‘Big, Juicy, Egregious’ HIPAA Breaches Priority for OCR Head
The main enforcement priority for 2017 of Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR), is to find a “big, juicy, egregious” HIPAA breach to use as an example for other healthcare groups on the risks of failing to follow HIPAA Rules. When choosing which cases to pursue, OCR considers the chance to use such a case as an educational tool to warn covered groups of the need to...
Hurricane Harvey Disaster Zone: HHS Issues Partial Waiver of HIPAA Sanctions
HHS Secretary Tom Price announced that OCRis issuing a partial waiver of sanctions and financial penalties for specific Privacy Rule breaches for hospitals in Texas and Louisiana in the Hurricane Harvey emergency zone. This partial waiver is only applicable to the provisions of the HIPAA Privacy Rule as outlined below: The obligations to recieve a patient’s agreement to talk with family members or friends involved in the patient’s...
Getting Basics Correct Key to Avoiding Data Breaches
Intrusion identification systems, next generation firewalls, insider threat management software and data encryption will all help healthcare groups recognize danger, cut out security violations, and identify attacks quickly when they happen. even with all of these measures it is still vitally important to address the security basics. The Office for Civil Rights Breach portal is filled with examples of HIPAA data breaches that have...
Breach Notification Rule is Violated by Delaying Issuing of Breach Notifications
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) states that covered organizations to advise the HHS’ Office for Civil Rights of any violation of private health information and issue notification correspondence to affected people as soon as is unreasonable and no later than 60 days after the identification of the breach. July’s Breach Barometer reports from Protenus indicated that many covered organizations have had...
2017 Healthcare Data Breach Trends Highlighted in Protenus Report
Protenus, working with Databreaches.net, has released its Breach Barometer mid-year review. The report includes all healthcare data violations reported over the past six months and gives important insights into the latest data breach trends. The Breach Barometer is a detailed review of healthcare data breaches, including not only the data breaches made known to the Department of Health and Human Services’ Office for Civil Rights’...
NotPetya Attack on Nuance Communications Not Reported to OCR
The Department of Health and Human Services’ Office for Civil Rights has previously made it clear, in its ransomware guidance, if ePHI is encrypted ransomware attacks are usually HIPAA breaches and are always reportable violations. In the guidance on ransomware guidance OCR says that “Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination,” adding that the definition of a...
HIPAA Breaches Under Investigation Highlighted in OCR Data Breach Portal Update
In June 2017, the Department of Health and Human Services announced it was considering an update to its data breach portal, normally called the OCR ‘Wall of Shame’. Section 13402(e)(4) of the HITECH Act states that the OCR must maintain a public list of breaches of protected health information that have affected more than 500 individuals. All 500+ record data breaches submitted or made known to OCR since 2009 are listed on the breach...
33% of Patients Access Their Health Data via Patient Portals
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allow people to view information regarding their health stored by their providers. However, as revealed in a recent U.S. Government Accountability Office (GAO) report, few patients are actually exercising this right using the provided patient portals. The Medicare Electronic Health Record Incentive Program encouraged healthcare organizations to move from...
Hows Does HIPAA Affect Use of Google Drive?
The service G Suite – formerly known as Google Apps, of which Google Drive is a part – is compliant with HIPAA. The service does not breach HIPAA Rules, however users of the service may breach the rules themselves. G Suite includes all of the required security measures controls to make it a HIPAA-compliant service and can be used by HIPAA-covered organizations to share PHI (in accordance with HIPAA Rules), once the account is...
Study: Data Breaches by Ex Employees a Concern
A recent study carried out by OneLogin showed many groups are not doing enough to stop data violations by ex-employees. While access to computer systems and applications is a requirement during employment, many organizations are neglecting to block access to systems quickly when employees depart the company, even though ex-employees pose a significant data danger to security. Preventing access to networks and email accounts when an...
ONC Office of the Chief Privacy Officer Funding Stopping in 2018
The withdrawal of funding for the Office of the Chief Privacy Officer has resulted in ONC National Coordinator Don Rucker, M.D. confirming that the office will be closed during 2018. Deven McGraw, the Deputy Director for Health Information Privacy, has been acting as Acting Chief Privacy Officer until a permanent replacement to the role previously filled by Lucia Savage is identified, following her departure in January. It now seems...
File Sharing Tools and Cloud Computing: OCR Highlights Risks
File sharing and collaboration services offer many advantages to HIPAA-covered companies, although the services can also introduce risks to the privacy and security of electronic health information. Many groups use these services, including among those healthcare organizations, yet they can lead to the exposure or disclosure of sensitive information. The Department of Health and Human Services’ Office for Civil Rights (OCR) has...
Anthem Agrees Largest Ever Data Violation Settlement
The largest ever data violation settlement has recently been agreed by the health insurer Anthem Inc. Anthem was hit with a cyber attack in 2015 resulting in the theft of 78.8 million records of current and former health plan subscribers. The breach involved names, addresses, Social Security numbers, email addresses, birth dates and employment/income information being accessed with the necessary permission. A breach of that size...