30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport
Feb18

30,000 Patients Notified of Phishing Incident at Memorial Hospital at Gulfport

Memorial Hospital at Gulfport, MS, is notifying approximately 30,000 patients that some of their protected health information has potentially been accessed by an unauthorized individual as a result of a phishing incident. Memorial Hospital discovered a breach of an employee’s email account on December 17, 2018. The compromised account was immediately secured and an investigation was launched to determine the extent of the breach. The investigation revealed the employee responded to a phishing email on December 6, 2018, which gave the attacker access to patients’ protected health information stored in emails and email attachments. Memorial Hospital reports that the breach was limited to names, dates of birth, health insurance information, and information about medical services received at the hospital. A small number of Social Security numbers were also contained in the compromised email account. Patients affected by the incident were notified by mail on February 15, 2019. Complimentary credit monitoring services have been offered to all patients whose Social Security numbers were...

Read More
Data Access and Sharing Risks Identified at National Institutes of Health
Feb15

Data Access and Sharing Risks Identified at National Institutes of Health

The Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of the findings of an audit of the National institutes of Health (NIH). The NIH is the primary government biomedical and public health research agency in the United States and one of the foremost medical research centers in the world. The audit was conducted to determine whether adequate controls had been implemented for permitting and monitoring access to sensitive NIH data. OIG reviewed internal controls, policies, procedures, and supporting documentation, and conducted interviews with internal staff. While controls had been implemented at NIH to restrict access to sensitive data, OIG identified several areas where improvements could be made to bolster security and several recommendations were made. OIG recommended NIH should develop a security framework, conduct risk assessments, implement additional security controls to safeguard sensitive data, and should start working with an organization that has expertise and knowledge of misuse of scientific data. NIH did not concur with...

Read More
16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients
Feb15

16-Month Malware Infection at Florida Pulmonary & Sleep Medicine Center Impacts 42,000 Patients

AdventHealth Medical Group’s Pulmonary & Sleep Medicine in Tavares, FL, formerly known as Lake Pulmonary Critical Care, has discovered hackers gained access to its systems and may have viewed or obtained the protected health information of up to 42,161 patients. Hackers first gained access to the Pulmonary & Sleep Medicine center’s systems in August 2017 as a result of the installation of malware. The malware infection was not discovered until December 27, 2018. The malware was removed and its systems were secured and an investigation was launched to determine the extent of the breach and which patients had been affected. The investigation revealed the hackers gained access to parts of its system where patients’ protected health information was stored. The information that was potentially accessed included names, addresses, email addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, medical histories, and the race, gender, weight, and height of patients. It is unclear how the malware was installed and why it took 16 months to...

Read More
Healthcare Email Fraud Attacks Have Increased 473% in 2 Years
Feb14

Healthcare Email Fraud Attacks Have Increased 473% in 2 Years

A recent report from Proofpoint has revealed healthcare email fraud attacks have increased 473% in the past two years. Email fraud, also known as business email compromise (BEC), is one of the biggest cyber threats faced by businesses. Successful attacks can result in losses of hundreds of thousands or even millions of dollars. Figures from the FBI suggest that globally, $12.5 billion has been lost to these email fraud attacks since 2013. These email attacks are highly targeted and typically involve the spoofing of email addresses to make emails appear to have been sent internally or from a trusted individual. They often involve the use of a genuine email account within an organization that has previously been compromised in a phishing or spear phishing attack. The attacks are usually conducted to obtain sensitive data such as employee tax information or patient information, to obtain credentials to be used in further attacks, and for wire fraud. Wire fraud is the most common form of email fraud in healthcare. For the report, Proofpoint analyzed more than 160 billion emails sent by...

Read More
March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches
Feb14

March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced. If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available. If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for...

Read More