Up to 58,000 Individuals Impacted by Healthcare Fiscal Management Ransomware Attack
Healthcare Fiscal Management Inc. (HFMI), a Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, has experienced a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by the attackers. An unauthorized individual gained access to HFMI systems on April 12, 2020 and deployed a ransomware payload the following day which encrypted data on its systems. The systems accessed by the attacker were found to contain the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020. In total, the data of approximately 58,000 patients may have been accessed and obtained by the attackers, although data access/theft could not be confirmed. The PHI stored on the compromised systems was limited to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and dates of service. HFMI had prepared for such...
30,000 Patients’ PHI Exposed in NC and TX Phishing Attacks
Claremont, NC-based Choice Health Management Services, a provider of rehabilitation services and operator of several nursing homes in North and South Carolina, has experienced an email security breach affecting employees and current and former patients. The security breach was discovered in late 2019 when suspicious activity was detected in the email accounts of some of its employees. An internal investigation was launched which determined on January 17, 2020 that the email accounts of 17 employees had been subjected to unauthorized access. Since it was not possible to determine which emails and/or email attachments had been opened by the attackers, a third-party firm was engaged to assist with the investigation. While the review concluded on March 27, 2020 that the compromised accounts contained sensitive information, it was unclear which facilities affected individuals had visited for treatment. It took until May 12, 2020 to tie those individuals to a particular facility. The compromised accounts contained a wide range of sensitive information including names, dates of birth,...
Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System
12 vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA. OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions. Brian D. Hysell has been credited with finding the vulnerabilities, 3 of which are rated critical and 6 of which are rated high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code. The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and there are public exploits for some of the flaws. The vulnerabilities have been assigned CVSS v3 base scores ranging from 5.4 to 9.8. The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b. The most serious flaws include: CVE-2020-14495...
The California Consumer Privacy Act is Now Being Enforced
On July 1, 2020, enforcement of the California Consumer Privacy Act (CCPA) of 2018 began. The CCPA took effect on January 1, 2020 and all companies covered by the Act were given a 6-month grace period before compliance with the CCPA would be enforced, although compliance with the provisions of the Act has been mandatory since January 1, 2020. The grace period has now elapsed. California Attorney General Xavier Becerra confirmed there will be no delay to enforcement, even though dozens of requests were made by companies and trade associations asking for the grace period to be extended for a further 6 months due to the 2019 Novel Coronavirus pandemic. The requests were acknowledged but no extension was given. “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” said Attorney General Becerra in a statement to Forbes. “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security...
$185,000 Settlement Proposed to Resolve Grays Harbor Community Hospital Ransomware Lawsuit
A proposed settlement has been agreed between Grays Harbor Community Hospital and Harbor Medical Group and the representative plaintiff in a proposed class action lawsuit over a June 2019 ransomware attack that resulted in the encryption of patient data. The settlement was negotiated by the plaintiff and Grays Harbor to avoid the uncertainty of a trial and the costs of further litigation. The settlement was not decided in favor of either party by the Court. The ransomware attack that prompted the lawsuit was detected in June 2019. The Washington healthcare provider powered down its systems to contain the virus that had prevented servers from being accessed, but not in time to prevent its computer systems from being encrypted. Grays Harbor had backed up its data for such an eventuality, but the backup files were also encrypted in the attack. The attack took its electronic health record system offline for around two months. The attackers demanded a ransom of $1 million for the keys to decrypt the data. Grays Harbor had an insurance policy that provided cover of up to...



