Alliance Health Reports 30-Month Health Data Exposure
Alliance Health has discovered one of its patient databases had been misconfigured and left accessible via the Internet, resulting in the protected health information of 40,000 patients being exposed for a period of 30 months. A database configuration error was discovered on December 17, 2015, which had left it unsecured and potentially accessible by the public, although an investigation did not uncover any evidence to suggest that patient data were accessed during the time the database was unsecured. Upon discovery of the error the database was taken offline and secured, and unauthorized access is no longer possible. The investigation revealed that patient data were accessible between July 2013 and December 17, 2015. No Social Security numbers or financial data were stored in the database, although patient names, telephone numbers, addresses, and email addresses could potentially have been accessed. A limited amount of clinical information, including the medications that had been prescribed to patients, was also stored in the database. The only patients affected are those who...
Cyberattack Detection: Confidence High Even If Detection is Often Slow
Detecting a cyberattack promptly is critical in order to minimize the damage caused, but how quickly are cyberattacks actually detected? Tripwire, a leading provider of advanced security and compliance solutions, set out to find out whether IT professionals believed they had the technology and policies in place to enable them to identify a cyberattack rapidly. For the study, 763 IT security professionals from public sector organizations and the energy, financial services and retail industries were asked about the efficacy of seven key security controls that should be implemented to detect a cyberattack while it is taking place: accurate hardware inventory, accurate software inventory, continuous configuration management and hardening, comprehensive vulnerability management, patch management, log management, and identity and access management. The results of the study have been published in the Tripwire 2016 Breach Detection Study.
Confidence High in Ability to Detect a Cyberattack…
The majority of respondents were confident that the measures they had put in place to detect a cyberattack...
HHS Proposes Rule Change to Facilitate Sharing of Substance Abuse Data
On Friday February 9, 2016, a proposed rule change was published in the Federal Register by the Department of Health and Human Services. The proposed rule change aims to improve the sharing of health information of patients diagnosed with or seeking treatment for alcohol and drug dependency. The proposed rule change applies to 42 CFR Part 2: The Confidentiality of Alcohol and Drug Abuse Patient Records regulations. New integrated health care models will incentivize healthcare providers who put patients at the center of their care; however, current restrictions on the sharing of health data of patients seeking treatment for drug and alcohol abuse do not fit in with the new models. The rules covering the privacy of patients suffering from drug and alcohol abuse were first promulgated in 1975, and while they were updated in 1987, little has changed since. Patients covered by “Part 2” rules receive stronger privacy protections than are stipulated in HIPAA. When the regulations were introduced there was concern that the sharing of drug and alcohol abuse data could potentially...
Magnolia Health Victim of Spoofed Email Scam
Magnolia Health Corporation is the latest healthcare provider to report a data breach caused by an employee responding to a spoofed email, which appeared to have been sent by the CEO. The data breach affects employees of Magnolia Health Corporation as well as those employed at facilities managed by MHC subsidiaries Kaweah Manor, Inc., Merritt Manor, Inc., Porterville Convalescent Inc., Twin Oaks Assisted Living, Inc., and Twin Oaks Rehabilitation and Nursing Center Inc. No patients have reportedly been affected, although all active employees have had their personal information compromised. The exposed data include the full names of employees, their address, employee number, date of birth, gender, hire date, seniority date, Social Security number, salary and hourly rate, job title, department, and last worked date.
Employee Falls for Email Request for Employee Data
An employee responded to an email that appeared to have been sent by Magnolia Health CEO Kenny Moyle and included a spreadsheet containing the details of active employees on February 3, 2015, as requested. However, a...
Cyberattackers Demand $3.6M Ransom from Hollywood Hospital
Hollywood Presbyterian Medical Center has declared an internal emergency and is suffering significant IT issues after ransomware was installed on its computer system.
$3.6 Million Ransom Demanded to Unlock Hollywood Presbyterian Medical Center Computers
Hollywood Presbyterian Medical Center (HPMC) has suffered a ransomware attack that has forced it to take part of its computer network offline as a precaution to prevent the lateral spread of the infection. The ransomware attack took place on February 5, and many of the hospital’s computers have now been out of action for over a week. No healthcare data have been encrypted, although the ransomware infection is affecting day-to-day healthcare operations. HPMC claims that healthcare patients have not been put at risk although the emergency room has been impacted. Some of the computers essential for CT scans, laboratory work, and pharmacy operations to take place have been taken out of action, reducing the efficiency of the provision of healthcare services. One physician reportedly told CBS News that the hospital’s email system is...



