Buffalo Medical Group Says Alleged HIPAA Violations Are Unfounded
Last month, a breach notification letter was received by media outlets and at least one patient of the Buffalo Medical Group (BMG) warning that the protected health information (PHI) of certain patients had been impermissibly disclosed to an unauthorized individual. The letters were sent on BMG headed paper, and the letter indicated that it had been authored by three members of the BMG staff who chose to remain anonymous. The letter claims that the PHI of certain patients had been impermissibly disclosed and the privacy violations had been brought to the attention of a dermatologist at BMG, yet nothing had been done. The letter claimed that the privacy of patients was violated by a licensed practice nurse who had been disclosing patients’ PHI to a boyfriend. The offenses, which if true would have violated the Health Insurance Portability and Accountability Act (HIPAA), had allegedly taken place some years previously. According to the letter, when the nurse broke off the relationship in August 2015 the ex-boyfriend notified a dermatologist of the privacy violations. No action...
HIPAA Business Associate Notifies Patients of Data Breach
EqualizeRCM Services, an Austin, TX-based vendor of billing services, is in the process of sending breach notification letters to patients to alert them to the potential exposure of their Protected Health Information after an employee’s laptop computer was stolen. At this stage it is unclear how many individuals have been impacted as the security breach has not yet been added to the Department of Health and Human Services’ Office for Civil Rights breach portal. Patients of the following healthcare facilities have been impacted by the data breach: Central Dallas Surgery Center; Hermann Drive Surgical Hospital; Kirby Surgical Center; Microsurgery Institute (Houston, Dallas); Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas); Plano Surgical Hospital; Southwest Freeway Surgery Center; Victory Medical Center Houston. The laptop computer contained a number of unencrypted documents which could potentially be accessed by unauthorized individuals. The documents did not contain any Social Security numbers or financial account numbers, although personally identifiable information and...
Review of Medicare Administrative Contractors Shows 8pc Annual Rise in Data Security Gaps
An annual review of Medicare administrative contractors (MAC) conducted by PricewaterhouseCoopers (PwC) on behalf of the Office of Inspector General revealed 129 data security gaps existed in 2014, representing an increase of 8% from the previous year. The Social Security Act requires the information security programs of all MACs to be assessed by an independent entity on an annual basis. This year PwC was contracted to assess all nine MACs on the eight major requirements of the Federal Information Security Management Act of 2002 (FISMA) in addition to the Centers for Medicare and Medicaid Services (CMS) core security requirements. Data security gaps are defined as the incomplete implementation of FISMA or CMS core security requirements. Each data security gap is rated as high risk, medium risk, or low risk. For high and medium risk data security gaps, each MAC must develop an action plan to address the issues and the CMS is required to follow up and ensure that those data security gaps have been addressed. PwC discovered 18 high risk, 45 medium risk, and 66 low risk gaps. The...
Verizon: Human Error the Main Cause of Security Incidents
The Verizon 2016 Data Breach Investigations Report was released this week. The biggest cause of security incidents over the past 12 months has been what Verizon calls “miscellaneous errors,” a category which includes misconfigured IT systems, improper disposal of company data, lost and stolen devices and email errors. In the case of the latter, 26% of breaches were caused by individuals emailing data to incorrect individuals. Weak passwords continue to cause organizations problems. 63% of confirmed data breaches were attributed to either poor passwords, default login credentials that had not been changed, or the use of stolen login credentials. Cyberattacks are often made possible due to the failure to install patches promptly. In the majority of cases, hackers exploit vulnerabilities that have existed for months, even though patches have been made available. Verizon reports that 85% of successful exploits took advantage of the top 10 known vulnerabilities. The biggest cause of data breaches this year is web application attacks, which have increased by 33% since the 2015 report....
American Dental Association Mails Malware-Infected USB Drives to Members
A recent mailing sent to American Dental Association (ADA) members included a USB stick containing malware. The USB drive contained a file with code that directed users to a domain which could enable cybercriminals to install malware, potentially allowing them to gain control of computers. The USB stick sent by the ADA was a credit card-sized drive that can be plugged into a laptop computer or a desktop. The device was used to send an electronic copy of the 2016 CDT manual containing dental procedure codes. One recipient of the device decided to check the contents of the USB stick on a spare machine as he was wary of using the device on a machine that contained sensitive data. He discovered the drive contained an HTML launcher in a hidden iframe that contained a potentially malicious URL with a Chinese ccTLD. An autorun file was also included on the device according to his DLS Reports post. ADA was informed about the malware infection and an investigation was launched. ADA informed Krebs on Security that the infection was introduced on certain devices during production in China....



