FDA Issues Warning About Flaws in Medtronic Implantable Cardiac Device Programmers
Oct 16

The U.S. Food and Drug Administration (FDA) has issued a warning about vulnerabilities in certain Medtronic implantable cardiac device programmers that could potentially be exploited by hackers to change the functionality of the programmer during implantation or follow-up visits. Approximately 34,000 vulnerable programmers are currently in use. The programmers are used by physicians to obtain performance data, to check the status of the battery, and to reprogram the settings on Medtronic cardiac implantable electrophysiology devices (CIEDs) such as pacemakers, implantable defibrillators, cardiac resynchronization devices, and insertable cardiac monitors. The flaws are present in Medtronic CareLink 2090 and CareLink Encore 29901 programmers, specifically in how the devices connect with the Medtronic Software Distribution Network (SDN) over the internet. The connection is required to download software updates for the programmer and firmware updates for Medtronic CIEDs. While a virtual private network (VPN) is used to establish a connection between the programmers and the Medtronic SDN,...

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct 16

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Most Common Healthcare Phishing Emails Identified
Oct 16

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click. The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, and highlights how serious the threat from phishing has become and how leading companies are managing risk. The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average-sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018). Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections...

Aetna Settles HIPAA Violation Case with State AGs
Oct 15

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Email Accounts Compromised at Biomarin Pharmaceutical and Envision Healthcare Corporation
Oct 12

Novato, CA-based Biomarin Pharmaceutical has discovered two employee email accounts have been compromised as a result of a phishing attack in which a temporary employee’s login credentials were obtained by the attacker. The attack was discovered on June 21, 2018 and immediate action was taken to prevent further unauthorized account access. The investigation into the breach determined that the email accounts had been accessed by an unauthorized individual, but it was not possible to tell whether any emails were opened or copied by the attacker. An analysis of the compromised accounts suggests a document containing names, health insurance information and Social Security numbers may have been in one or both email accounts at the time of the breach. Due to the nature of the exposed data, affected individuals have been advised to place a fraud alert on their credit files as a precaution against identity theft and fraud and urged to monitor explanation of benefits statements from insurers for medical services which have not been received. Biomarin Pharmaceutical has now secured its network and...
