Hacking Incidents Reported by Illinois Gastroenterology Group & the Mental Health Center of Greater Manchester
Illinois Gastroenterology Group has recently announced that unauthorized individuals gained access to its computer environment and potentially accessed and exfiltrated sensitive patient data. The cyberattack was detected on October 22, 2021, when suspicious activity was identified within its computer network. Third-party cybersecurity specialists were engaged to investigate the attack and determine the nature and scope of the incident. On November 18, 2021, Illinois Gastroenterology learned that the parts of its systems that were accessed by unauthorized individuals contained patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, passport numbers, financial account information, payment card information, employer-assigned identification numbers, medical information, and biometric data. Illinois Gastroenterology said it was not possible to rule out unauthorized viewing or theft of files containing patient data, but at the time of issuing notification letters, no reports had been received to suggest any fraudulent misuse of the...
Email Security Incidents Reported by HealthPlex and Optima Dermatology
Healthplex Inc., one of the largest providers of dental insurance in New York State, has announced that the email account of an employee was compromised in a phishing attack on November 24, 2021. Upon discovery of the breach, the email account was immediately secured to prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the breach. On April 5, 2021, Healthplex confirmed that the email account contained the personal and protected health information of 89,955 individuals who had previously enrolled in its dental plans. The exposed information varied from individual to individual and may have included first and last names in combination with one or more of the following data types: Address, group name and number, member ID number, plan affiliation, date of birth, date of service, provider name, ADA codes and their description, billed/paid amounts, prescription drug names, Social Security number, banking information, credit card number, username and password for the member portal, email address, phone number, and driver’s license...
Connecticut Passes Comprehensive Data Privacy Law
Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive new data privacy law that establishes responsibilities for businesses that collect and process the personal data of state residents and gives consumers new rights. The Connecticut Data Privacy Act (Senate Bill 6) was passed 35-0 by the Senate and 144-5 in the House of Representatives and awaits the signature of the state Governor, Ned Lamont. The new privacy law comes into effect on July 1, 2023. The new law establishes a framework for controlling and processing the personal data of state residents, sets privacy protection standards for data controllers and data processors, and gives state residents rights over the collection and use of their personal data. Consumers will be given the right to access their personal data held by a company, obtain a copy of that information, and correct any errors. Consumers will also have the right to be forgotten and have their personal data deleted. Consumers can also choose to opt out of the processing of their personal data for targeted advertising,...
New Framework for Assessing the Privacy, Security, and Safety of Digital Health Technologies
The American College of Physicians (ACP), American Telemedicine Association (ATA), and the Organization for the Review of Care and Health Applications (ORCHA) have collaborated to produce a new framework for assessing the digital health technologies used by healthcare professionals and patients. Currently, more than 86 million Americans use a health or fitness app. These digital health technologies, which include more than 365,000 individual products, can collect, store, process, and transmit personal and health information that would be classed as protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA); however, the majority of these technologies are not covered by HIPAA and fall outside of other regulations, federal laws, and government guidance. The lack of guidance in this area is hindering the adoption of digital health technologies, which have tremendous potential for improving condition management, clinical risk assessment, and decision support. The developers of digital health technologies often share user data collected by...
NIST Publishes Updated Cybersecurity Supply Chain Risk Management Guidance
On Thursday, the National Institute of Standards and Technology (NIST) published updated cybersecurity supply chain risk management (C-SCRM) guidance to help organizations develop an effective program for identifying, assessing, and responding to cybersecurity risks throughout the supply chain. Cyber threat actors are increasingly targeting the supply chain. A successful attack on a single supplier can allow the threat actor to compromise the networks of all companies that use the product or service, as was the case with the REvil ransomware attack on Kaseya in 2021. The threat actors exploited a vulnerability in Kaseya VSA software and the attack affected up to 1,500 businesses. The publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (NIST Special Publication 800-161 Revision 1), is the result of a multiyear process that included the release of two draft versions of the guidance. The updated guidance can be used to identify, assess, and respond to cybersecurity risks throughout the supply chain at all levels of an organization. While...



