FBI Issues Warning Following Spike in Vishing Attacks
Jan 25

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges. Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents aimed at stealing credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected. The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking...

Study Indicates Majority of EHR Vendors are Engaging in Information Blocking Practices
Jan 22

Information blocking by electronic health record (EHR) vendors is still highly prevalent, despite recent policymaking that prohibits information blocking practices, according to a recent study published in the Journal of the American Medical Informatics Association (JAMIA). To identify the extent of the problem, the researchers conducted a national survey of health information exchange organizations (HIEs). HIEs were chosen as they are directly connected to EHR vendors and health systems and are therefore in an ideal position to assess interoperability and data sharing. 86 out of the 106 HIEs that met the qualification criteria responded and answered three questions: How often do EHR vendors and health systems practice information blocking? How are these information blocking practices conducted? What is the impact of local market competitiveness on information blocking behavior? A majority of HIEs (55%) reported cases of information blocking by EHR vendors at least some of the time and 14% said all EHR vendors engaged in information blocking. 30% of respondents said information...

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS
Jan 22

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office. Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking. Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology. Tripathi has also served as manager of the strategy and management...

HIPAA Enforcement by State Attorneys General
Jan 21

The Department of Health and Human Services’ Office for Civil Rights is the main enforcer of HIPAA compliance; however, state Attorneys General also play a role in enforcing compliance with the Health Insurance Portability and Accountability Act Rules. The Health Information Technology for Clinical and Economic Health (HITECH) Act gave state attorneys general the authority to bring civil actions on behalf of state residents who have been impacted by violations of the HIPAA Privacy and Security Rules and to obtain damages on behalf of state residents. The Connecticut Attorney General was the first to exercise this right in 2010 against Health Net Inc. for the loss of an unencrypted hard drive containing the electronic protected health information of 1.5 million individuals and delayed breach notifications. The case was settled for $250,000. The Vermont Attorney General followed suit with a similar action against Health Net in 2011 that was settled for $55,000, and Indiana brought a civil action against Wellpoint Inc. in 2011 that was settled for $100,000. State Attorney HIPAA cases were...

Data Breaches Reported by Gainwell Technologies, TaylorMade Diagnostics, and Mattapan Community Health Center
Jan 21

Gainwell Technologies has discovered unauthorized individuals have potentially accessed the information of certain participants of Wisconsin’s Medicaid program, which was stored in emails and email attachments in a compromised account. Access to the email account was first gained on October 29, 2020 and continued until November 16, 2020. The account contained information such as names, member ID numbers, and billing codes for services. Approximately 1,200 Wisconsin Medicaid members have been affected. Affected individuals have been offered a 1-year complimentary membership to credit monitoring services. Gainwell provides fiscal-agent services for the Wisconsin Department of Health Services (DHS) Medicaid Program. Since the breach occurred, the DHS and Gainwell have worked together to prevent similar breaches in the future. This is the second incident to be reported as having affected Gainwell in recent weeks. Gainwell operates the Medicaid Management Information System used by the Tennessee state Medicaid health plan, TennCare. Gainwell discovered an error at a mailing vendor...
