Federal Judge Rules in Favor of UMMC in Legal Battle Over Theft of Patient Data
A federal judge has ruled in favor of University of Mississippi Medical Center (UMMC) in an unauthorized access and data theft case against three former employees. UMMC took legal action against Dr. Spencer Sullivan and other former employees over the alleged theft and use of patients’ medical records. In July 2014, UMMC hired Dr. Sullivan as the medical director of its Hemophilia Treatment Center. When he joined UMMC, Dr. Sullivan signed a contract with a non-compete clause, which prevented him from using UMMC data to solicit patients for an independent practice. According to the lawsuit, in January 2016, Sullivan started making arrangements to open his own hemophilia clinic and pharmacy and conspired with other UMMC staff members – Linnea McMillan, Kathryn Sue Stevens, and Rachel Henderson Harris – to assist with setting up the new practice, which included compiling a list of UMMC patients. A patient list was created that included patient names, telephone numbers, dates of birth, diagnosis, prescription information, insurance information, and pharmacy information....
Security Breaches Reported by Lavaca Medical Center and Throckmorten County Memorial Hospital
Lavaca Medical Center, a critical access hospital in Hallettsville, TX, has started notifying 48,705 patients about a security breach in which their protected health information was exposed. Lavaca Medical Center said unusual activity was detected in its computer network on August 22, 2021, indicating a potential cyberattack. Steps were immediately taken to secure its network and a third-party computer forensics firm was engaged to assist with the investigation. The forensic investigators confirmed unauthorized individuals had access to the network between August 17 and August 21. While no evidence of data theft was uncovered, the possibility that patient data were viewed or exfiltrated could not be ruled out. Affected systems contained names, dates of birth, Social Security numbers, patient account numbers, and medical record numbers. The electronic medical record system was not accessed. Lavaca Medical Center said it has no reason to believe any patient data were removed from its systems or misused; however, as required by the HIPAA Breach Notification Rule, notification letters...
PHI of Employees Potentially Compromised in Tech Etch Ransomware Attack
Tech Etch, a Plymouth, MA-based manufacturer of precision-engineered thin metal components, flexible printed circuits, and EMI/RFI shielding, has announced it was the victim of a ransomware attack in which the personal and protected health information (PHI) of current and former employees was potentially compromised. Companies such as Tech Etch would not normally be required to comply with HIPAA; however, the company provides a health plan for its employees and, as such, is classed as a HIPAA-covered entity. Tech Etch discovered the ransomware attack on August 25, 2021, with the investigation determining the attackers gained access to its network on August 20. Tech Etch engaged an external forensic cybersecurity team to assist with the breach investigation, help secure its network, and prevent any further unauthorized access. Tech Etch had viable backups that were unaffected and was able to restore all encrypted data without paying the ransom. Multiple safeguards had been implemented to secure employees’ personal and protected health information, but despite those protections, some...
Study Reveals Healthcare Employees Have Unnecessary Access to Huge Amounts of PHI
A new study has revealed widespread security failures at healthcare organizations, including poor access controls, few restrictions on access to protected health information (PHI), and poor password practices, all of which are putting sensitive data at risk. The study, conducted by the data security and insider threat detection platform provider Varonis, involved an analysis of around 3 billion files at 58 healthcare organizations, including healthcare providers, pharmaceutical companies, and biotechnology firms. The aim of the study was to determine whether security controls had been implemented to secure sensitive data and to help organizations better understand their cybersecurity vulnerabilities in the face of increasing threats. The Health Insurance Portability and Accountability Act (HIPAA) requires access to PHI to be limited to employees who need to view PHI for work purposes. When access is granted, the HIPAA minimum necessary standard applies, and only the minimum amount of PHI should be accessible. Each user must be provided with a unique username that allows access to...
International Law Enforcement Operation Takes Down REvil Ransomware Gang’s Infrastructure
In July 2021, the notorious REvil (Sodinokibi) ransomware gang appeared to have ceased operations, with both its Tor payment site and data leak blog suddenly going offline. The DarkSide ransomware operation also went quiet, leading many security experts to believe that the operators of the ransomware-as-a-service (RaaS) operations were laying low or that there had been a law enforcement takedown of their infrastructure. Some of the servers used by the REvil gang were brought back online temporarily but were shut down again in mid-October. This temporary resurrection was thought to be an affiliate attempting to continue the operation. The apparent shutdown of the REvil operation followed two major attacks on the food production company JBS and the software management company Kaseya, with the later attack affecting around 50 managed service providers and up to 1,500 downstream businesses. Associates of the REvil gang had developed the DarkSide ransomware variant, which was used in the attack on Colonial Pipeline and caused its fuel pipeline to the Eastern seaboard of the United...



