15-Month Jail Term for Woman Who Stole Over $200,000 Using Patient Data
A woman has been sentenced to serve 15 months in federal prison for her role in a scheme to defraud patients of a Metairie, LA, medical clinic. In 2015, three individuals were arrested in connection with the scheme following an investigation by the Jefferson Parish Sheriff’s Office in New Orleans and the U.S. Postal Inspection Service. Brandon Livas, 37, and Royale Lassai, 32, of New Orleans, LA, both pled guilty to a one-count bill of information with Bank Larceny in July 2019 for their role in the scheme, and in August 2021, Ashley Green, 41, pled guilty to a one-count Bank Larceny Bill of Information. Green’s cousin, Lassai, was employed as a clerk at an unnamed Metairie, LA, medical clinic where she was provided with access to patient records to complete her work duties. Lassai accessed the medical records of patients without authorization and provided patient information such as names, dates of birth, addresses, and Social Security numbers to her cousin and her cousin’s then-boyfriend Livas. Lassai was reportedly paid with a $1,000 gift card and was provided with around $150...
JDC Healthcare Management Data Breach Affects More than 1 Million Texans
On March 17, 2022, Dallas, TX-based JDC Healthcare Management, which runs more than 70 Jefferson Dental & Orthodontics practices throughout the state of Texas, reported a security breach to the Office of the Attorney General of Texas that has affected more than 1 million Texans. As previously reported on this site, JDC Healthcare Management detected malware within its IT network on or around August 9, 2021, with the forensic investigation into the security breach confirming the malware was downloaded onto its systems on July 27, 2021. Further information on the data breach has now been obtained. JDC Healthcare Management explained that the malware gave unauthorized individuals access to its IT systems from July 27, 2021, to August 16, 2021, and its forensic investigation confirmed the attackers viewed or copied files on its systems that contained patients’ electronic protected health information (ePHI). JDC Healthcare Management explained in its March 2022 breach notification letters that the comprehensive review of the impacted files is ongoing, but it has been confirmed that...
Eastern Ozarks Regional Health Sued by Arkansas AG for Failure to Secure Patient Data
Arkansas Attorney General Leslie Rutledge announced this week that legal action is being taken against Country Medical Services Inc., the former operator of Eastern Ozarks Regional Health System in Cherokee Village, and owners Robert Becht of Hartsville, TN, and Theresa Hanson of Deland, FL, for mishandling the sensitive personal and protected information of thousands of individuals. In December 2004, Eastern Ozarks Regional Health’s 40-bed hospital was permanently closed. Country Medical Services had run the hospital for 9 years; however, an investigation by the state Department of Health identified almost 3 dozen potential violations of the Emergency Medical Treatment and Labor Act, as the hospital was unable to provide emergency services. Rather than face the financial penalties, the hospital immediately terminated its hospital license in 2004. 6 years later, the property was transferred to the state after the owners failed to pay their taxes. An inspection of the property by the office of the Attorney General identified boxes of files in the property that contained...
OCR: HIPAA Security Rule Compliance Can Prevent and Mitigate Most Cyberattacks
Healthcare hacking incidents have been steadily rising for a number of years. There was a 45% increase in hacking/IT incidents between 2019 and 2020, and in 2021, 66% of breaches of unsecured electronic protected health information were due to hacking and other IT incidents. A large percentage of those breaches could have been prevented if HIPAA-regulated entities were fully compliant with the HIPAA Security Rule. The Department of Health and Human Services’ Office for Civil Rights explained in its March 2022 cybersecurity newsletter that compliance with the HIPAA Security Rule will prevent or substantially mitigate most cyberattacks. Most cyberattacks on the healthcare industry are financially motivated and are conducted to steal electronic protected health information or encrypt patient data to prevent legitimate access. The initial access to healthcare networks is gained via tried and tested methods such as phishing attacks and the exploitation of known vulnerabilities and weak authentication protocols, rather than exploiting previously unknown vulnerabilities. Prevention of...
Russian State-Sponsored Actors are Exploiting MFA and the PrintNightmare Vulnerability
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning that Russian state-sponsored actors are exploiting default multi-factor authentication protocols and the PrintNightmare vulnerability to gain access to networks to steal sensitive data. These tactics have been used by Russian state-sponsored cyber actors from as early as May 2021, when a non-governmental organization (NGO) was attacked using these tactics. The threat actors were able to gain access to the network by exploiting default multi-factor authentication protocols (Cisco’s Duo MFA) on an account. The threat actors then exploited the PrintNightmare vulnerability to execute code with system privileges and were able to move laterally to the NGO’s cloud and email accounts and exfiltrated documents. PrintNightmare is a critical remote code execution vulnerability (CVE-2021-34527) in the print spooler service of Microsoft Windows. The attackers were able to enroll a new device in the NGO’s Duo MFA using compromised...



