$85,000 Penalty for Korunda Medical for HIPAA Right of Access Failures
Dec 13

The Department of Health and Human Services’ Office for Civil Rights has announced its second enforcement action under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has agreed to settle potential violations of the HIPAA Right of Access and will adopt a corrective action plan and bring its policies and procedures in line with the requirements of the HIPAA Privacy Rule. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The complainant alleged that Korunda Medical refused to send an electronic copy of her medical records to a third party and was overcharging patients for providing copies of their medical records. Under HIPAA, covered entities are only permitted to charge a reasonable, cost-based fee for providing access to patients’ protected health information. The initial complaint was filed with OCR on March 6, 2019. On March 18, 2019, OCR provided technical assistance to Korunda Medical on the HIPAA Right of Access...

Ransomware Attack on The Cancer Center of Hawaii Delayed Radiation Therapy for Patients
Dec 13

On November 5, 2019, The Cancer Center of Hawaii in Oahu was attacked with ransomware. The attack forced the Cancer Center to shut down its network servers, which meant it was temporarily prevented from providing radiation therapy to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha. While patient services experienced some disruption, no patient information is believed to have been accessed by the attackers. The forensic investigation into the breach is ongoing, but all data stored on its radiology machines has been recovered and its network is now fully operational. It is unclear for how long its network was down, and no information has been released so far on the types of patient information that may have been accessed. The Cancer Center has notified the FBI about the breach and will report the incident to the appropriate authorities if the forensic investigators confirm that patient data may have been accessed. The breach was confined to the Cancer Center’s systems. Pali Momi Medical Center and St. Francis’ hospital were unaffected by the attack as their patient...

MSPs and Healthcare Organizations Targeted with New Zeppelin Ransomware Variant
Dec 12

A new ransomware variant is being used in targeted attacks on managed service providers, technology, and healthcare firms, according to security researchers at Blackberry Cylance. Attacks are being conducted on carefully selected, high-profile targets using a new variant of VegaLocker/Buran ransomware named Zeppelin. VegaLocker has been around since early 2019, and all variants from this family have been used to attack companies in Russian-speaking countries. Those campaigns were broad and used malvertising to direct users to websites hosting the ransomware. The latest variant is being used in a distinctly different campaign that is much more targeted. Attacks have only been detected on companies in Europe, the United States, and Canada so far. If the ransomware is downloaded onto a device in the Russian Federation, Ukraine, Belorussia, or Kazakhstan, the ransomware exits and does not encrypt files. Ransomware variants from the VegaLocker family have all been offered as ransomware-as-a-service, and there are indications that the same is true of Zeppelin ransomware, although the...

Amazon Lex is Now HIPAA Compliant
Dec 12

Amazon has announced that the Amazon Lex chatbot service now supports HIPAA compliance and can be used by healthcare organizations without violating Health Insurance Portability and Accountability Act Rules. Amazon Lex is a service that allows customers to build conversational interfaces into applications using text and voice. It allows the creation of chatbots that use lifelike, natural language to engage with customers, ask questions, collect and give out information, and complete a range of different tasks such as scheduling appointments. The conversational engine that powers Amazon Lex is also used by Amazon Alexa. Until recently, there was limited potential for use of Amazon Lex in healthcare as the solution was not HIPAA-compliant and could therefore not be used in connection with electronic protected health information (ePHI). The service was also not covered by Amazon’s business associate agreement (BAA). On December 11, 2019, Amazon confirmed that Amazon Lex is now included in its AWS business associate agreement (BAA) addendum and that the service is eligible for use with...

German Telecoms Firm Slapped with $10.56 Million GDPR Penalty
Dec 12

A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers. 1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and date of birth – information that can easily be found on social media sites. If a correct name and date of birth were provided, it was possible to obtain an extensive range of sensitive information on customers. BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative...
