VA Reports Fall in Privacy Breach Victims in December
The Department of Veterans Affairs has released its monthly report to Congress summarizing the information security incidents suffered by VA hospitals and clinics in December 2015.

December 2015 VA Information Security Report

September 2015 was a bad month for the Department of Veterans Affairs (VA), with 1,135 veterans affected by privacy breaches. The total fell substantially in October 2015, with 648 affected veterans, although that figure rose to 693 in November. The figures for December 2015 show a marked improvement month on month, with only 394 veterans affected. That makes December the best month for the VA since March 2015, and the fourth best month of the year for privacy violations in terms of the number of individuals affected. While the victim count improved last month, the number of privacy and security incidents suffered actually increased.

Fewer Lost PIV Cards but More Mishandled and Mis-mailed Incidents

The number of lost and stolen device incidents was unchanged month on month, with 47 incidents reported in both November and December. December saw the number of lost...
MaineGeneral Discovers Additional PHI Was Exposed in November Data Breach
Last month, MaineGeneral announced it had suffered a cyberattack in which a limited amount of patient data had been exfiltrated and placed on an external website by an unknown individual. The data was not accessible to the public, but had been viewed by an unauthorized party. In accordance with HIPAA Rules, MaineGeneral immediately started an investigation and shortly thereafter issued breach notification letters to affected patients to alert them to the exposure of their PHI. An external security firm was also brought in to assist with a forensic investigation. The FBI was also investigating the data breach, and advised MaineGeneral about the data it had discovered on the third-party website. The FBI determined that only patients’ dates of birth, emergency contact numbers, telephone numbers, addresses, and referring physician names had been copied. This was confirmed by MaineGeneral’s initial investigation findings. The investigation has been ongoing and is now almost at an end; however, it has since come to light that other Protected Health Information was exposed in the data...
25K Affected by New West Health Services Data Breach
New West Health Services has started notifying 25,000 patients about the loss of an unencrypted, password-protected laptop containing extensive Protected Health Information.

New West Health Services Data Breach Affects 25,000 Patients

New West Health Services, a Helena, MT-based not-for-profit provider of sponsored health plans, including Medicare Advantage and Medicare Supplement plans, has reported the theft of one of its laptop computers. New West, doing business as New West Medicare, announced on January 15, 2016, that the laptop computer contained the records of approximately 25,000 plan members. The device was password protected, but this is not sufficient protection to prevent PHI from being accessed, as passwords can all too easily be cracked. Had the laptop computer been encrypted, no patient health information would have been exposed and it would not have been necessary for breach notices to have been issued. However, since there is a possibility that the PHI of patients could be accessed and used inappropriately, HIPAA requires a breach notice to be issued to all...
How Secure are Mobile Health Apps?
How secure are mobile health apps? It may not come as a surprise to find out that many mobile health apps have security vulnerabilities, but what about the health apps that have been tested and approved by the Food and Drug Administration (FDA)? Apparently, even mobile health apps that have gained FDA approval are insecure. A recent study conducted by Arxan Technologies indicates that 84% of FDA-approved health apps have at least two security vulnerabilities that pose a significant risk of exposing data or that could lead to the devices being compromised. For the study, Arxan assessed 71 of the top health apps used in the United States, United Kingdom, Japan, and Germany, and tested each using tools developed by Mi3, a leading application security company. Mi3 has developed tools that assess potential for data leaks, susceptibility to malware, and privacy risks. Each app was tested for susceptibility to Open Web Application Security Project’s (OWASP) top ten critical security risks. Overall, 86% of the apps were discovered to be vulnerable to at...
Telephone Phishing Scam Impacts 21K Blue Shield of California Subscribers
Blue Shield of California has reported a breach of PHI caused by an employee of a business associate who fell for a telephone phishing scam. Almost 21,000 individuals have been affected by the security breach. Healthcare providers and insurers should conduct staff training to ensure employees are aware of the risk of phishing campaigns delivered by email, but the latest Californian healthcare data breach shows that email is not the only medium phishers are using to obtain the login credentials of healthcare workers. Telephone phishing scams can be just as effective as email phishing campaigns. The latest healthcare security breach occurred at the call center of a business associate of Blue Shield of California. In a breach of HIPAA telephone rules, a member of staff was asked for login details and provided these over the telephone. It is unclear how the caller convinced the individual to disclose this information. The incident affected individuals and Blue Shield Family Plan (IFP) members who took out health insurance coverage between October 2013 and December 2015. After login...



