Dedicated to providing the latest
HIPAA compliance news

Hacking Group Attempts to Extort Funds from Cancer Services Provider
Jan20

TheDarkOverlord has struck again; this time the victim was a small Indiana cancer charity. The attack occurred on January 11 and was accompanied by a 50 Bitcoin ($43,000) ransom demand. Little Red Door Cancer Services of East Central Indiana was threatened with the publication of confidential data if the ransom was not paid. The charitable organization provides a range of services to help victims of cancer live normal lives during...

Protenus Releases 2016 Healthcare Data Breach Report
Jan20

Protenus, in conjunction with Databreaches.net, has published its 2016 healthcare data breach report, summarizing the hacks and mishaps that have resulted in patient and health plan members’ protected health information being exposed or stolen. Fortunately, 2016 has not seen the mega data breaches of 2015, although it has been far from a good year. More than 27 million healthcare records were stolen in 2016 across 450 reported data...

Final Rule Updating Common Rule Regulations Issued by HHS
Jan20

The Department of Health and Human Services has published its Final Common Rule (45 CFR part 46). The Final Rule makes considerable changes to the Common Rule, although some of the most controversial elements that were included in the September 2015 proposed rule have been dropped. One of the proposed changes would have made it much harder for research organizations to use biomedical samples for research. Rather than allowing a general...

No HIPAA Violation Fine for Virginia State Senator
Jan19

While campaigning to become Republican state senator for Virginia in 2015, Henrico County physician Siobhan Dunnavant, M.D., used patients’ contact information – classed as protected health information under HIPAA Rules – to solicit donations from patients to help fund her campaign. Contact information – names and addresses – was shared with her campaign team and was used to communicate with patients. The same information...

HHS Issues Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations
Jan19

In February 2016, the Department of Health and Human Services published a proposed change to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR Part 2) to facilitate health integration and information exchange. HHS has now finalized the Part 2 changes following an extensive evaluation of public comments, according to a recent press release from the Substance Abuse and Mental Health Services...

OCR HIPAA Enforcement: Summary of 2016 HIPAA Settlements
Jan12

The Department of Health and Human Services’ Office for Civil Rights has stepped up its enforcement activities in recent years, and 2016 HIPAA settlements were at record levels. In total, payments of $22,855,300 were made to OCR in 2016 to resolve alleged HIPAA violations. Seven settlements were in excess of $1,500,000. In 2016, OCR settled alleged HIPAA violations with 12 healthcare organizations. Last year also saw an Administrative...

Warning for Healthcare Organizations that use MongoDB Databases
Jan11

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing. Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted....

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked
Jan10

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals. The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the...

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach
Jan08

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance. Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered....

Fetal Tissue Firms Guilty of Systemic HIPAA Violations
Jan06

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses. An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden. In 2015,...

Patients Holding Back Health Information Over Data Privacy Fears
Jan05

A fully interoperable health system is coming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers. However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial...

11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor
Jan05

A security researcher has discovered that the sensitive data of psychologists, doctors and other health workers employed by the United States Special Operations Command (SOCOM) have been exposed on the Internet by Woodbridge, VA-based Potomac Healthcare, a subcontractor for the Department of Defense. Potomac Healthcare supplies health workers to government organizations through Booz Allen Hamilton. Chris Vickery of MacKeeper...

Massachusetts Data Breach Notification Archive Now Available Online
Jan05

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation...

Largest Healthcare Data Breaches of 2016
Jan04

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 16,586,112 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’...

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted
Jan03

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation...

Regular PHI Access Log Audits Can Prevent Major PHI Breaches
Dec30

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet data access rights were abused. The employee worked in the Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe...

New Report Published on Privacy Risks of Personal Health Wearable Devices
Dec29

Wearable technology is now ubiquitous. Consumers have embraced the wide range of trackers and health apps that have come to market in recent years and manufacturers have responded to demand and have created an even broader range of wearable devices that track and monitor health metrics. Wearable devices have expanded from trackers that monitor heart rates, exercise levels, and sleep quality, to devices that collect a far greater range...

Patient Posts PHI of New Hampshire State Psychiatric Hospital Patients Online
Dec28

New Hampshire Department of Health and Human Services has alerted approximately 15,000 patients to a breach of some of their personal and highly sensitive information. Patient data were accessed by a former patient in October 2015 and were posted on a social media website. The data accessed and posted online by the former patient included names and addresses along with Medicaid ID numbers and Social Security numbers. The patient...

Increase in Ransomware and Cyberattacks Linked to Fall in Price of Health Data
Dec23

The value of health records on the black market dropped substantially in 2016. A set of health records is now reportedly attracting a price of between $1.50 and $10, according to a recent report from TrapX. Back in 2012, the value of a complete set of health records was around $50 to $60. The fall in price is easy to explain. Last year saw more than 113 million healthcare records breached, according to figures from the Department of...

Fairbanks Hospital Alerts Patients to Potential 3-Year Internal HIPAA Breach
Dec22

Fairbanks Hospital in Indianapolis, IN., has discovered that the electronic health information of its patients could have been accessed by all of its employees for a period of at least three years. Protections had been put in place to prevent unauthorized accessing of electronic health records by staff members, but on October 18, 2016, the hospital became aware that some files had been stored on an internal network that lacked those...

Joint Commission Ban on Secure Messaging for Orders Remains in Place
Dec22

The Joint Commission on Accreditation of Healthcare’s (Joint Commission) ban on the use of secure text messaging platforms for patient care orders will remain in place, according to its December newsletter. In April 2016, the Joint Commission took the decision to allow the use of a secure texting platform for sending orders. The ban was not totally lifted, as the Joint Commission required certain components to be in place and certain...

Security Risks of Unencrypted Pages Evaluated
Dec20

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk. Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as...

TigerText Announces Record-Breaking Year for Growth
Dec16

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016. The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform...

ONC Issues Challenge to Develop a New Online Model Privacy Notice Generator
Dec15

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has challenged designers, developers, and health data privacy experts to create a new online Model Privacy Notice (MPN) generator. At present, the MPN is a voluntary resource that helps health technology developers who collect electronic health data provide information to consumers about how health data is collected,...

Hospital Employee Jailed for Credit Card Theft
Dec12

An employee of Banner Boswell Hospital in Sun City, AZ has been arrested and jailed for stealing credit card details from hospital patients. Filip Chudziak, 40, of Surprise, AZ was charged with identity theft, fraudulent schemes, and fraudulent use of credit cards by the Maricopa County Sheriff’s Office this weekend following an investigation into credit card fraud by Maricopa County detectives. The offenses were committed over a...

Healthcare Data Breaches Fell in October
Nov17

There was a fall in the number of data breaches reported by healthcare organizations in the United States in October, according to the latest Breach Barometer report from Protenus. This is the second month in a row where the number of data breaches has fallen. The number of reported breaches dropped from an annual high of 42 incidents in August to 35 breaches in October; two fewer breaches than were reported last month. However, the...

U.S. Court of Appeal Grants Stay in FTC V LabMD Case
Nov11

There has been a long-running battle between the Federal Trade Commission (FTC) and LabMD over the accidental exposure and disclosure of sensitive personal information of patients and the actions LabMD must take to mitigate risk. The accidental disclosure occurred after LabMD’s billing manager installed the file sharing program LimeWire on a work computer in 2005. The program was used for downloading and sharing music and video files...

Data Theft and Social Engineering Biggest Concerns for Healthcare CIOs
Oct28

The College of Healthcare Information Management (CHIME) has explored the deepest, darkest fears of healthcare chief information officers (CIOs) and chief information security officers (CISOs) in a recent survey, the findings of which were presented to the Department of Health and Human Services Cybersecurity Task Force this week. The survey, which was conducted on 190 CHIME and Association for Executives in Healthcare Information Security...

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers
Oct27

Many healthcare providers have now transitioned from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be shared quickly and efficiently between physicians and care team members. Those platforms incorporate the necessary security features to ensure messages cannot be intercepted and viewed by unauthorized individuals. However, pagers typically lack security controls...

Majority of Healthcare Vendors Not Ready to Comply with the HITRUST Data Security Standard
Oct12

The Department of Health and Human Services’ Office for Civil Rights has stepped up HIPAA enforcement activities in recent years and oversight of covered entities is improving. One area of HIPAA compliance that has come under increased scrutiny is the effort made by healthcare business associates to ensure protected health information is protected in accordance with HIPAA Rules. Approximately 30% of healthcare data breaches reported...
