HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires
The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires. During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)....
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases, noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identify all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explained how it can assist with the...
Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals
Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen. The security breach occurred on May 16, 2020 and prevented employees from accessing computer systems. In a letter to the Iowa Attorney General, a lawyer representing Dynasplint explained that the company had suffered “an encryption attack” which prevented employees from accessing computer systems. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information may have been accessed and acquired by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by...
Study Reveals Increase in Credential Theft via Spoofed Login Pages
A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. This is particularly important for healthcare records that are subject to HIPAA compliance rules. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the...
Personal and COVID-19 Status Data Stolen from South Dakota Fusion Center in “BlueLeaks” Hacking Incident
The Houston, TX-based web developer Netsential had its web servers hacked and almost 270 gigabytes of data were stolen and was published online on June 19, 2020 by hacktivists and the data stolen was published by Distributed Denial of Secrets (DDoSecrets). The hack and data leak incident was termed “BlueLeaks” and included 10 years of law enforcement data from around 200 police departments and fusion centers. Fusion centers gather and analyze threat information and share the data with states, government organizations, and private sector firms. The leaked data contained more than 1 million lines and included scanned documents, video and audio files, and emails. The South Dakota Department of Public Safety’s State Fusion Center has recently announced that it has also been impacted by the data breach. The South Dakota Fusion Center developed a secure online portal in the spring of 2020 using Netsential’s services. The portal was developed to allow first responders to identify COVID-19 positive individuals so they would be able to take extra precautions to avoid being infected...



