Broward Health Notifies Over 1.3 Million Individuals About October 2021 Data Breach
A major data breach has been announced by Florida’s Broward Health involving the personal and protected health information of more than 1.35 million individuals. The data breach occurred on October 15, 2021, when a hacker gained access to the Broward Health network through the office of a third-party medical provider that had been granted access to the Broward Health network for providing healthcare services. Broward Health discovered and blocked the intrusion on October 19, 2021, and a password reset was performed for all employees to prevent further unauthorized access. Assisted by a third-party cybersecurity company, Broward Health conducted a comprehensive investigation to determine the nature and scope of the HIPAA compliance breach. The investigation confirmed the attacker had access to parts of the network where employee and patient information were stored, including sensitive data such as names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, financial/bank account information, health insurance information, medical histories, health...
2020-2021 HIPAA Violation Cases and Penalties
The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA compliance violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. 2021 saw a slight reduction in the number of settlements and fines for HIPAA violations, with 14 enforcement actions announced by OCR. Even so, 2021 had the second-highest number of HIPAA fines of any year since OCR started enforcing compliance with the HIPAA Rules. While the number of penalties was still high in 2021, there was a sizeable reduction in penalty amounts which totaled $5,982,150 for the year, and $5,100,000 of that total came from just one enforcement action. The reason for this is that most of the penalties were for violations of the HIPAA Right of Access, and were in response to investigations of complaints filed by patients who had not been provided with timely access to their medical records, rather than...
Saltzer Health Alerts Patients About PHI Exposure in Email Account Breach
Nampa, Idaho-based Saltzer Health has started notifying certain patients that some of their protected health information (PHI) has been exposed in an email account breach that was detected on June 1, 2021. The investigation revealed an unauthorized individual had access to an employee’s email account between May 25, 2021, and June 1, 2021. Saltzer Health was unable to find evidence indicating the attacker viewed or exfiltrated emails from the account, but it was not possible to rule the possibility of unauthorized PHI access and data theft. The investigation confirmed the breach was confined to a single email account and no other systems were affected. Assisted by third-party specialists, Saltzer Health conducted a comprehensive review of the email account to determine which patients had been affected. The review was completed on September 21, 2021, and revealed the following types of patient data were stored in the account: Names, contact information, state identification numbers, driver’s license numbers, medical record numbers, medical histories, diagnoses, treatment...
92% of IT Leaders Guilty of Password Reuse
A recent survey has revealed password reuse is rife, even amongst IT leaders who should know better. 92% of IT leaders admitted to reusing passwords for multiple accounts, even though this is a significant security risk. Password best practices include setting a strong, unique password for each account. If passwords are reused across multiple accounts, all it takes is for one of those accounts to be compromised for all other accounts that use that password to be accessed. Password reuse is exploited in credential stuffing attacks, where threat actors use lists of passwords obtained in previous data breaches to try to gain access to other accounts. These attacks are automated, often using multiple IPs to try small numbers of passwords to avoid being locked out of accounts. The survey was conducted by the password manager provider Bitwarden, which also found that other poor password practices were common. 53% of respondents stored passwords in documents on their computers, and 29% wrote their passwords down to make sure they did not forget them. 53% of IT decision-makers said they...
Avalon Healthcare Settles HIPAA Case with Oregon and Utah State AGs and Pays $200,000 Penalty
Avalon Healthcare has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws with the Oregon and Utah Attorneys General that were uncovered during an investigation of a 2019 breach of the personal and protected health information of 14,500 of its employees and patients. Avalon Healthcare is part of the Avalon Health Care Group and provides skilled nursing, therapy, senior living, assisted living, and other medical services throughout Oregon, Utah, California, Nevada, Washington, and Hawaii. In July 2019, an employee responded to a phishing email and disclosed credentials that allowed an email account to be accessed by unauthorized individuals. The account contained sensitive information such as names, addresses, Social Security numbers, dates of birth, driver’s license numbers, medical treatment information, and some financial information. It took 10 months from the date of the breach for the incident to be reported to the HHS and state attorneys general, and for affected individuals to be notified. Oregon Attorney...



