Email Security Breaches Reported by Arkansas Otolaryngology Center and Centerstone
Centerstone, a provider of mental health and substance use disorder treatment services in Indiana, Illinois, Tennessee, and Florida, has discovered an employee’s email account has been accessed by an unauthorized individual. Unusual activity was detected in the email account and it was immediately secured. The investigation revealed the email account had been accessed between December 12, 2019 and December 16, 2019; however, it took until August 25, 2020 for the investigation to confirm that protected health information was contained within the account. The protected health information of patients was exposed in the incident, including names, dates of birth, Social Security numbers, driver’s license numbers, state identification card numbers, medical diagnoses, treatment information, Medicaid and Medicare information, and health insurance information. The types of exposed data varied from patient to patient. Some employee information was also potentially compromised. Notification letters were sent to affected patients on Thursday, October 22, 2020 and information has been provided...
ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule
The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act have been extended due to the ongoing COVID-19 pandemic. On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements. The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost. Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would...
Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT
The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016, during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016, with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office and then exited the premises. A file on the computer contained the protected health...
Majority of Microsoft 365 Admins Have Not Enabled Multi-Factor Authentication
A new report published by CoreView has revealed the majority of Microsoft 365 admins have not enabled multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other basic security practices. According to the study, 78% of Microsoft 365 administrators have not activated multi-factor authentication and 97% of Microsoft 365 users are not using MFA. “This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” explained the researchers. The SANS Institute says 99% of data breaches can be prevented by using MFA, while Microsoft explained in an August 2020 blog post that MFA is the single most important measure to implement to prevent unauthorized account access, explaining that 99.9% of account breaches can be prevented by using MFA. The CoreView study also revealed 1% of Microsoft 365 admins do not use strong passwords, even though hackers are...
Sky Lakes Medical Center and St. Lawrence Health System Attacked with Ransomware
Two more hospitals have experienced ransomware attacks that have taken their computer systems offline and have forced clinicians to switch to pen and paper to record patient information. Both ransomware attacks occurred on Tuesday, October 27, 2020, one on Sky Lakes Medical Center in Klamath Falls, OR and the other on St. Lawrence Health System in New York. Both attacks involved Ryuk ransomware. Sky Lakes Medical Center announced on Facebook that while its computer systems had been taken out of action, care continued to be provided to patients and its emergency and urgent care departments remained open and fully operational and most scheduled elective procedures were continuing as planned. At this stage, no evidence has been found to indicate any patient data were compromised in the attack; however, the investigation is still in the early stages. The attack on St. Lawrence Health System was detected several hours after the initial compromise. St. Lawrence Health System issued a statement saying its IT department had taken systems offline in an effort to contain the attack and...



