Cyberattack Simulation Exercise Tests Incident Response Readiness
It is no longer a question of whether a data breach will be suffered; it is a matter of when it will occur. It is therefore essential that covered entities have a data breach response plan that can be put into action as soon as a cybersecurity incident is discovered. If cyberattack simulation exercises are conducted before a breach is suffered, the organization's ability to respond appropriately and conduct an efficient breach response will be greatly improved.
Breach Response Plan Testing Must Include Rigorous Cyberattack Simulation Exercises
It is essential that HIPAA-covered entities are able to respond quickly after discovering that a cybersecurity incident has been suffered. The first few hours after an attack are critical. Key decisions must be made, personnel mobilized, and third parties involved. Under HIPAA Rules, HIPAA-covered entities must conduct a breach investigation, which can be complex and long-winded. A full risk assessment must also be conducted, notices must be issued to victims, breach reports issued to the OCR, the media must be alerted,...
Guidance on Patient Rights Under HIPAA Due this Month
This December, OCR expects to issue a new document clarifying patients' rights under HIPAA to access their own healthcare data, as part of the White House Precision Medicine Initiative.
Clarification Due on Patient Rights Under HIPAA to Access their Own PHI
The Health Insurance Portability and Accountability Act's Privacy Rule introduced a number of new rules aimed at protecting the privacy of healthcare patients and health insurance subscribers. The Privacy Rule dictates when HIPAA-covered entities are permitted to disclose Protected Health Information (PHI) to third parties, and also makes provision for patients to access their own medical data. While most covered entities have now got to grips with the intricacies of the HIPAA Privacy Rule, not all appear to be certain about when medical records can be supplied to patients, or about the extent of the data that must be disclosed upon request. Consumers are similarly unsure about their data access rights under HIPAA. The Office for Civil Rights (OCR) intends to clarify the situation, and will be issuing new guidance on patient rights under...
Californian Health Plan Administrator Announces 35K-Record Data Breach
Californian health plan administrator Keenan & Associates has announced a breach of Protected Health Information that has impacted 35,000 health plan subscribers. An error was made by a vendor in the configuration of a web portal. The server security settings had been misconfigured, resulting in a number of confidential documents being inadvertently indexed by search engines. A search of the Internet would have resulted in the documents being displayed in the search results. Clicking on the links would have opened the documents, and a number of data fields would have been viewable. The data contained in the documents was mostly limited to personal information. Subscriber names, addresses, dates of birth, contact telephone numbers, health plan identifiers, and medical plan names were stored in the documents. Some Social Security numbers were also exposed, although Keenan & Assoc. reports that no financial information was detailed in the documents, nor any clinical or medical information. An investigation into the data breach has not uncovered any evidence to...
Santa Barbara Public Health Dept. Announces HIPAA Privacy Rule Violation
It's been a bad week for healthcare patients in Santa Barbara. First came the news that 11,000 patients of Cottage Health System had their Social Security numbers, medical data, and personal information exposed in a data breach. Now follows news that the Santa Barbara Public Health Department has suffered a privacy breach involving 260 individuals. The breach occurred when an employee accessed the Protected Health Information of 260 individuals as part of a research project without having obtained prior authorization to access the data. Consequently, the employee violated the HIPAA Privacy Rule. The research project had not been authorized by the Public Health Dept., and the accessing of patient data was therefore illegal. Credit monitoring services have been offered to a limited number of those patients as a precaution against identity theft and fraud. The member of staff in question has been disciplined, and their access to PHI has now been revoked. The Public Health Department does not believe that any of the data that were accessed were shared with any individuals from outside the...
Cottage Health System Security Audit Reveals 11K-Record Data Breach
Cottage Health System notified 11,000 of its patients on Tuesday to advise them that some of their Protected Health Information (PHI) was exposed as a result of a server incident that occurred in late October 2015. For 14 days, patients had their Social Security numbers, details of medical diagnoses and procedures, and their names and addresses exposed as a result of protections being removed from a server. A statement released by Cottage Health indicates that no financial information or driver's license numbers were exposed in the incident. The security breach was discovered on November 8 and resulted in the affected server being taken offline and secured. Upon investigation, Cottage Health determined that patient data first became accessible on October 26, 2015. An external computer forensics firm has been contracted to conduct a full audit of the security breach to determine whether any of the data were accessed during the period they were exposed. At present, no information has been released to indicate whether the security breach was caused by an external...