OCR Director Encourages HIPAA-Regulated Entities to Strengthen Their Cybersecurity Posture
In a recent blog post, Director of the HHS’ Office for Civil Rights, Lisa J. Pino, urged HIPAA-regulated entities to take steps to strengthen their cybersecurity posture in 2022 in light of the increase in cyberattacks on the healthcare industry. 2021 was a particularly bad year for healthcare organizations, with the number of reported healthcare data breaches reaching record levels. 714 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and more than 45 million records were breached. The breach reports were dominated by hacking and other IT incidents that resulted in the exposure or theft of the healthcare data of more than 43 million individuals. In 2021, hackers took advantage of healthcare organizations dealing with the COVID-19 pandemic and conducted several attacks that had a direct impact on patient care and resulted in canceled surgeries, medical examinations, and other services as a result of IT systems being taken offline and network access being disabled. Pino also drew attention to the critical vulnerability...
PHI of 10,000 Individuals Exposed Due to Houston Health Department Portal Glitch
The Houston Health Department has recently announced that the personal information and COVID-19 test results of 10,291 individuals have been exposed online as a result of a technical issue with its portal. The issue allowed approximately 3,500 portal users to access the data of other individuals. The Houston Health Department said it detected the issue on January 6, 2022, and the portal was deactivated within 48 hours. Notification letters had to be delayed for several weeks while the portal issue was investigated to determine the full nature and scope of the incident. The health department confirmed that this was not a hacking incident, and it does not appear that any exposed information has been misused. The types of data that could have been viewed included names, addresses, dates of birth, email addresses, testing dates, and test results. While no Social Security numbers were compromised, affected individuals have been offered a complimentary 12-month membership to an identity theft protection service. Priority Health Confirms Breach of Member Portal Accounts The Michigan...
Four Healthcare Providers Hit with Ransomware Attacks
Ransomware attacks have recently been reported by four healthcare providers across the country, which have collectively resulted in the exposure and potential theft of the protected health information of more than 49,000 individuals. Jax Spine & Pain Centers Jax Spine and Pain Centers in Jacksonville, FL has recently announced it was the victim of a ransomware attack that occurred on January 24, 2022. The attack was conducted on an inactive server that contained records of patients who had visited either its Jacksonville or St. Augustine locations prior to May 2018. Jacksonville Spine Center said the attackers claimed to have stolen files from the server and threatened to publish the stolen data if the ransom was not paid but did not say whether a payment was made to prevent the publication of the data. Monitoring software had been installed on the server which allowed the attack to be rapidly detected, and due to the prompt action taken in response to the breach, it was possible to prevent the encryption of data. As soon as the breach was detected the server was shut down, but...
NIST Requests Comments on How to Improve its Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is seeking feedback on the usefulness of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and suggestions on any improvements that can be made. The NIST Cybersecurity Framework was released in 2014 to help public and private sector organizations implement cybersecurity standards and best practices to improve their cybersecurity posture, better defend against cyber threats, and quickly identify and respond to cyberattacks in progress to limit the harm that can be caused. The NIST Cybersecurity Framework is considered the gold standard for cyber threat management; however, that does not mean improvements could not be made. The last update to the Cybersecurity Framework occurred in April 2018 and the past four years have seen considerable changes to the cybersecurity threat landscape. New threats have emerged, the tactics, techniques, and procedures used by cyber threat actors have changed, there are new technologies and security capabilities, and more resources are available to...
Notifications Recently Sent to Alert Individuals About September 2020 and February 2021 Cyberattacks
Two HIPAA-regulated entities have recently started notifying individuals whose protected health information was potentially compromised in cyberattacks that occurred more than 12 months ago, including one where it took 18 months to notify affected individuals that their protected health information had been accessed and potentially acquired. Comprehensive Health Services Notifies 106,752 Patients About September 2020 Cyberattack Comprehensive Health Services, a Cape Canaveral, FL-based provider of workforce medical services and subsidiary of Acuity International, has recently announced it was the victim of a cyberattack that was detected on September 30, 2020. The security incident came to light after multiple fraudulent wire transfers had been made from its accounts. Third-party forensics experts were engaged to determine the extent of the security incident, secure its digital environment, identify how the attacker gained access to its systems, and whether any sensitive data had been exfiltrated from those systems. Comprehensive Health Services explained in its breach notification...



