Dedicated to providing the latest HIPAA compliance news

Medical Device Security Testing Only Performed by One in Twenty Hospitals
May 26

The security of medical devices has attracted a lot of attention in recent months due to fears of device vulnerabilities being exploited by cybercriminals to cause harm to patients, gain access to healthcare networks and steal patient data. Cybercriminals have extensively targeted the healthcare industry due to the high value of patient data on the black market, combined with relatively poor cybersecurity defenses. While there have...

Stolen Electromyography Device Contained 836 Patients’ PHI, says SSM Health
May 25

SSM Health has started notifying patients that some of their protected health information was exposed when a portable device was stolen from DePaul Hospital St Louis in Bridgeton, MO. The device contained the protected health information of 836 patients, including names, medical record numbers, dates of birth and brief details of patients’ chief health complaint. No insurance details, financial information, Social Security numbers or...

HIPAA Enforcement Update Provided by OCR’s Iliana Peters
May 25

Office for Civil Rights Senior Advisor for HIPAA Compliance and Enforcement, Iliana Peters, has given an update on OCR’s enforcement activities in a recent Health Care Compliance Association ‘Compliance Perspectives’ podcast. OCR investigates all data breaches involving the exposure or theft of more than 500 healthcare records. OCR also investigates complaints about potential HIPAA violations. Those investigations continue to reveal...

Security Gaps Found in Virginia Medicaid Claims Processing Systems
May 24

Last week, the Department of Health and Human Services’ Office of Inspector General released a report of an audit of Virginia Medicaid’s claims processing systems. The audit uncovered several vulnerabilities that left the data of Medicaid beneficiaries exposed. OIG investigators determined that Virginia had not secured its Medicaid data to an acceptable standard in line with Federal requirements. The report does not detail the...

Healthcare Organizations Reminded of HIPAA Rules Relating to Ransomware
May 19

Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...

Rite Aid Announces Breach of Its Online Store
May 19

Pharmacy chain Rite Aid has discovered unauthorized individuals gained access to the e-commerce platform of its online store and stole sensitive information of its customers over a period of 10 weeks. The attackers gained access to, and stole, personal information and credit/debit card details. An investigation into the breach revealed that access to the platform was first gained on January 30, 2017 and continued until April 11, 2017...

Medical Device Cybersecurity Gaps Discussed at FDA Workshop
May 19

This week, the U.S. Food and Drug Administration (FDA) is hosting a two-day workshop to identify current cybersecurity gaps that could be exploited by cybercriminals to gain access to medical devices. Best practices and cybersecurity tools that can be adopted to improve defenses against cyberattacks are under discussion. This is the third time the FDA has held such a workshop on medical device security and it comes at an appropriate...

Guidance on Securing Wireless Infusion Pumps Issued by NIST
May 11

The National Institute of Standards and Technology (NIST), in collaboration with the National Cybersecurity Center of Excellence (NCCoE), has released new guidance for healthcare delivery organizations on securing wireless infusion pumps to prevent unauthorized access. Infusion pumps, and many other medical devices, used to interact only with the patient and healthcare provider; however, advances in technology have improved...

Patient-Physician Texting to Be Covered at AMA Annual Meeting
May 10

Text messages are a quick and easy method of communication, although for healthcare professionals the use of SMS messages carries considerable privacy risks. While text messages can be used to communicate quickly with members of a care team, the inclusion of any protected health information (PHI) or personally identifiable information (PII) violates HIPAA Rules. SMS texts are unencrypted, potentially allowing unauthorized individuals...

New Jersey IVF Clinic Hack Sees PHI of 14,000 Patients Potentially Compromised
May 10

A third-party server hosting the electronic health record database of the New Jersey Diamond Institute for Infertility and Menopause has been hacked and access gained by an unauthorized individual. The Diamond Institute says its database and EHR system was encrypted, so the attackers were unable to access patient health records, although many unencrypted supporting documents were also stored on the server and may have been accessed....

180,000 Patient Records Dumped Online by The Dark Overlord
May 09

It is a nightmare scenario far worse than a ransomware attack. A hacker infiltrates your network, steals patient data and then threatens to publish those data if you do not pay a ransom. That is the modus operandi of TheDarkOverlord, who conducted numerous attacks on healthcare organizations over the past few months. Sizable ransom demands were issued – which TDO referred to as ‘modest’ – with threats issued to sell or publish the...

Majority of Organizations Failing to Protect Against Mobile Device Security Breaches
May 05

A recent report published by Dimensional Research has highlighted the growing threat of mobile device security breaches and how little organizations are doing to mitigate risk. Cybercriminals may view employees as one of the weakest links in the security chain, but mobile devices are similarly viewed as an easy way of gaining access to data and corporate networks. According to the report, the threat of mobile cyberattacks is growing....

Rise in Business Email Compromise Scams Prompts IC3 Warning
May 05

There has been a massive increase in business email compromise scams over the past three years. In the past two years alone, the number of companies that have reported falling for business email compromise scams has increased by 2,370% according to new figures released by the Internet Crime Complaint Center (IC3). In the past three years, cybercriminals have used business email compromise scams to fraudulently obtain more than $5...

Bitglass Publishes 2017 Healthcare Data Security Report
May 04

Bitglass has recently published its 2017 Healthcare Data Breach Report, the third annual report on healthcare data security issued by the data protection firm. For the report, Bitglass conducted an analysis of healthcare data breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. The report confirms 2016 was a particularly bad year for healthcare industry data breaches. Last year saw record...

OCR Director Stresses Importance of Keeping Health Data Secure
Apr 28

The new director of the Department of Health and Human Services’ Office for Civil Rights, Roger Severino, has hinted that last year’s increase in settlements for non-compliance with HIPAA Rules was not a blip. OCR started the year with two settlements in January and a further two in February. While there was a break in March, April has seen three settlements announced. Financial penalties will continue to be issued when covered...

MDLive Faces Class Action Lawsuit Over Alleged Patient Privacy Violations
Apr 26

A class action lawsuit has been filed against the telemedicine company MDLive claiming the company violated the privacy of patients by disclosing sensitive medical information to a third party without informing or obtaining consent from patients. App users are required to enter a range of sensitive information into the MDLive app; however, the complainant alleges that during the first 15 minutes of use, the app takes an average of...

Unencrypted Portable Devices are a HIPAA Breach Waiting to Happen
Apr 25

This week, OCR announced a new settlement with a covered entity to resolve HIPAA violations discovered during the investigation of an impermissible disclosure of ePHI. The incident that sparked the investigation was the theft of an unencrypted laptop computer from the vehicle of a CardioNet employee. This week has also seen two data breaches reported that have similarly involved the theft of portable devices. Earlier this week,...

Wireless Health Services Provider Settles HIPAA Violations with OCR for $2.5 Million
Apr 24

2016 was a record year for HIPAA settlements, but 2017 is looking like it will see last year’s record smashed. There have already been six HIPAA settlements announced so far this year, and hot on the heels of the $31,000 settlement announced last week comes another major HIPAA fine. A $2.5 million settlement has been agreed with CardioNet to resolve potential HIPAA violations. CardioNet is a Pennsylvania-based provider of remote...

68% of Healthcare Employees Would Share Regulated Data
Apr 21

The Dell End User Security Survey has revealed that sensitive information, including data covered by HIPAA Rules, would be shared by employees without authorization under certain circumstances. The Dell End User Security Survey sought to uncover how widespread the unauthorized sharing of confidential information has become. The results show that even in heavily regulated industries such as healthcare, unauthorized data sharing is...

OIG Issues Warning About HHS Agency Phone Scams
Apr 19

This year has seen numerous email scams conducted to gain access to the tax information of employees; however, recently, criminals have started picking up the phone to conduct their scams. Phone scams have spiked in recent weeks, with criminals impersonating Department of Health and Human Services’ employees, including the Office of Inspector General (OIG). The rise in phone scams has prompted OIG to issue a warning. Scammers have...

21 Employees Found to Have Accessed PHI Without Authorization
Apr 17

A routine audit conducted by Virginia Mason Memorial has revealed employees have been accessing the protected health information of patients without authorization. Audits of PHI access logs occasionally reveal rogue employees have been improperly accessing the medical records of patients, but what makes this incident stand out is the number of employees that were discovered to have improperly viewed PHI. The audit revealed 21...

Protenus Publishes Healthcare Data Breach Report for March 2017
Apr 14

Protenus has released its Breach Barometer report for March 2017, which shows a significant increase in healthcare data breaches and a major jump in the number of individuals who have had their sensitive data exposed or stolen. In both January and February there were 31 reported healthcare data breaches, although March saw the figure jump to 39 incidents. February saw relatively few individuals affected by healthcare data breaches....

$400,000 HIPAA Penalty Agreed with Denver FQHC for Security Management Process Failures
Apr 13

The Department of Health and Human Services’ Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified...

AMIA Suggests it’s Time for a HIPAA Update
Apr 11

The American Medical Informatics Association has suggested now is the time to update the Health Insurance Portability and Accountability Act (HIPAA) to make sure the legislation fits today’s connected world. The legislation was first introduced more than 20 years ago at a time when the Internet was just in its infancy. Over the past two decades, technology has advanced in ways that could not have been predicted when the legislation...

918,000 Patients’ Sensitive Information Exposed Online
Apr 10

The data of 918,000 patients who provided their sensitive information to HealthNow Networks, a Boca Raton, FL-based telemarketing organization that used to provide medical supplies to seniors, has been exposed online for many months. The data were discovered by an individual with the Twitter handle Flash Gordon after he conducted a search for unprotected data on the search engine Shodan. The data had been stored in an unprotected root...

Large Hospitals and Teaching-Focused Hospitals Face Greater Risk of Data Breaches
Apr 06

A study recently published in JAMA Internal Medicine examined recent healthcare data breach trends to determine which types of hospitals are the most susceptible to data breaches. The researchers analyzed breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights between October 21, 2009 and December 31, 2016. During that time, 216 hospitals reported 257 breaches of more than 500 patient records....

Quarter of Healthcare Organizations Do Not Encrypt Data Stored in the Cloud
Apr 04

A recent survey by HyTrust has revealed that a quarter of healthcare organizations do not use encryption to protect data at rest in the cloud, even though the lack of encryption potentially places sensitive data – including the protected health information of patients – at risk of being exposed. Amazon Web Services (AWS) is one of the most popular choices with the healthcare industry, although many healthcare organizations are using...

Dr. Donald Rucker Named New National Coordinator for Health IT
Apr 03

Dr. Donald Rucker has been named as the new National Coordinator of the Department of Health and Human Services’ Office of the National Coordinator for Healthcare Information Technology. Neither the Department of Health and Human Services nor the Office of the National Coordinator for Healthcare Information Technology has officially announced the new appointment, although Dr. Donald Rucker’s name now appears in the HHS directory as...

FBI Warns Healthcare Industry About Anonymous FTP Server Cyberattacks
Mar 29

The Federal Bureau of Investigation has issued a warning to healthcare organizations using File Transfer Protocol (FTP) servers. Medical and dental organizations have been advised to ensure FTP servers are configured to require users to be properly authenticated before access to stored data can be gained. Many FTP servers are configured to allow anonymous access using a common username such as ‘FTP’ or ‘anonymous’. In some cases, a...

Patients’ PHI Accidentally Sent to Media Outlets by Mecklenburg County
Mar 29

A spreadsheet containing the protected health information of more than 1,200 patients has been accidentally sent to two media outlets by a worker at Mecklenburg County, NC. The spreadsheet was emailed to the media outlets in response to a freedom of information request. That request was made following the discovery that 185 female patients had not been notified of abnormal Pap smear results. The spreadsheet had been created for state...
