Roger Severino Gives Update on OCR HIPAA Enforcement Priorities
Oct 17

Roger Severino, Director of the HHS’ Office for Civil Rights, has given an update on OCR’s HIPAA enforcement priorities at the OCR/NIST 11th Annual HIPAA Conference in Washington D.C. Severino confirmed that one of OCR’s top policy initiatives is still enforcing the rights of patients under the HIPAA Privacy Rule and ensuring they are given timely access to their health information at a reasonable cost. Under HIPAA, patients have the right to view and check their medical records and obtain a copy of their health data, yet there are still healthcare organizations that are making this difficult. OCR has already agreed to settle one case this year with a HIPAA-covered entity that failed to provide a patient with a copy of her health information. OCR had to intervene before those records were provided to the patient. The entity in question, Bayfront Health St Petersburg, paid a financial penalty of $85,000 to resolve the HIPAA violation. More financial penalties will be issued to covered entities that fail to comply with this important provision of HIPAA. Severino confirmed that...

Adoption of Standards Improves Cybersecurity of Internet of Medical Things (IoMT) Devices
Oct 17

Internet of Medical Things (IoMT) technology is helping to increase efficiency, improve the quality of healthcare, and lower healthcare costs; however, IoMT introduces risks. The failure to reduce those risks to a low and acceptable level leaves IoMT devices vulnerable to cyberattacks. Those attacks can be expensive to resolve, which drives up the cost of healthcare and can result in patients coming to harm. Not only must the devices be secured when they are deployed, cybersecurity must also be managed throughout the entire lifespan of the devices. Software and firmware must be kept up to date, patches must be applied promptly to fix vulnerabilities, and the devices need to be retired when they reach end of life and vendor support comes to an end. Without a thorough understanding of the risks, securing IoMT devices can be a major challenge. The U.S. Department of Veterans Affairs (VA) has taken steps to improve the safety and security of IoMT devices and has been seeking solutions for securing large-scale IoMT device deployments to better protect the 9 million people under its care. The VA, in conjunction with...

MITA Publishes New Medical Device Security Standard
Oct 14

The Medical Imaging & Technology Alliance (MITA) has released a new medical device security standard which provides healthcare delivery organizations (HDOs) with important information about risk management and medical device security controls to harden the devices against unauthorized access and cyberattacks. The new voluntary standard – Manufacturer Disclosure Statement for Medical Device Security (MDS2) (NEMA/MITA HN 1-2019) – was developed in conjunction with a diverse range of industry stakeholders and aligns with the U.S. Food and Drug Administration (FDA) Medical Device Cybersecurity Playbook issued in October 2018. The guidance explains that cybersecurity of medical devices is a shared responsibility. HDOs must collaborate with medical device manufacturers to ensure best practices are adopted. Device manufacturers, HDOs, government entities, and cybersecurity researchers need to work together to ensure threats to medical devices are managed and reduced to reasonable and appropriate levels. The new standard is intended to help streamline communications between...

HHS Proposes New Stark Law Safe Harbor Covering Cybersecurity Donations
Oct 11

The U.S. Department of Health and Human Services (HHS) has proposed changes to physician self-referral and federal anti-kickback regulations which would create a new anti-kickback safe harbor, and a corresponding Stark Law exception, covering hospital donations of cybersecurity software and related services to physicians. The proposed changes are detailed in two new rules issued by the HHS’ Office of Inspector General (OIG) and the Centers for Medicare & Medicaid Services (CMS), which aim to modernize and clarify the regulations that interpret the Federal Anti-Kickback Statute and the physician self-referral law known as the Stark Law. The proposed rules are part of the HHS’s Regulatory Sprint to Coordinated Care, which promotes value-based care by eliminating federal regulatory barriers that are impeding efforts to improve the coordination of care between providers. “The digitization of the healthcare delivery system and related rules designed to increase interoperability and data sharing in the delivery of healthcare create numerous targets for cyberattacks,” explained OIG. “The healthcare industry and the...

New York Legislation Prohibits First Responders from Selling Patient Data for Marketing Purposes
Oct 10

On October 7, 2019, New York Governor Andrew Cuomo signed new legislation into law – S.4119/A.230 – that prohibits first responders and ambulance service personnel from selling or disclosing patient data to third parties for marketing or fundraising purposes. The bill was originally introduced by New York Assembly Member Edward Braunstein in 2014 following reports that ambulance and first response service personnel were selling patient data such as names, addresses, phone numbers and medical histories to third parties such as pharmaceutical firms and nursing homes for marketing and fundraising purposes. Prior to the introduction of the new law, these disclosures and the sale of patient information were permitted in New York. “Patients have a right to privacy and their medical information should never be sold to pharmaceutical companies, insurers, nursing homes, or other businesses,” explained Braunstein. The legislation follows the June 25, 2019 signing of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law, which overhauled state regulations...

Pulse Connect, GlobalProtect, Fortigate VPN Vulnerabilities Being Actively Exploited by APT Actors
Oct 9

Vulnerabilities in popular VPN products from Pulse Secure, Fortinet (FortiGate), and Palo Alto Networks (GlobalProtect) are being actively exploited by advanced persistent threat (APT) actors to gain access to VPNs and internal networks. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity agencies issued security advisories about multiple vulnerabilities in VPN products over the summer of 2019; however, many organizations have been slow to take action. Weaponized exploits for the vulnerabilities have now been developed and are being used by APT actors, and exploit code is freely available online on GitHub and in the Metasploit framework. On October 1, 2019, the UK’s National Cyber Security Centre issued a warning about the vulnerabilities following several attacks on government agencies, the military, businesses, and the education and healthcare sectors. The National Security Agency (NSA) also issued a security advisory about the vulnerabilities, along with mitigations, on October 7. The vulnerabilities are present in outdated versions of the Pulse Secure VPN (CVE-2019-11508 and...

An Internal Security Operations Center Cuts Data Breach Costs by More Than Half
Oct 8

A recent survey conducted by B2B International on behalf of Kaspersky Lab has revealed the average cost of an enterprise-level data breach has risen to $1.41 million from $1.23 million in 2018. The increased risk of a data breach and the increasing remediation costs has prompted enterprises to invest more heavily in cybersecurity. When the Kaspersky Global Corporate IT Security Risks Survey was last conducted in 2018, average IT security budgets were $8.9 million. In 2019, budgets had increased to an average of $18.9 million. The biggest costs from a data breach were found to be damage to the company’s credit rating and increased insurance costs, followed by the cost of hiring external security consultants, loss of business, brand repair, additional wages for internal staff, compensation, and financial penalties and regulatory fines. While there are several things enterprises can do to cut data breach costs, the appointment of a dedicated Data Protection Officer (DPO) and deploying an internal Security Operations Center (SOC) are the two most important for reducing...

FBI Issues Updated Ransomware Guidance: Extent of U.S. Ransomware Epidemic Revealed
Oct 4

A recent report from New Zealand-based cybersecurity firm Emsisoft has revealed the extent to which ransomware is being used in cyberattacks in the United States. The first 9 months of 2019 have seen 621 ransomware attacks on government entities, healthcare organizations, and educational institutions. Ransomware attacks can have devastating consequences. This week, a healthcare provider announced that it will be permanently closing its doors as a result of a ransomware attack, due to extensive damage to its systems and the permanent loss of patient data. This is the second healthcare provider known to have been forced out of business by a ransomware attack this year. Even when recovery is possible – by paying the ransom or restoring files from backups – the attacks cause major disruption and result in substantial losses. A ransomware attack on DCH Health System forced its three hospitals to temporarily close to all but critical patients while systems were restored. Attacks on municipalities have resulted in essential services grinding to a halt, police departments have lost...

Dental Practice Fined $10,000 for PHI Disclosures on Yelp
Oct 3

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with Elite Dental Associates over the impermissible disclosure of multiple patients’ protected health information (PHI) when responding to patient reviews on the Yelp review website. Elite Dental Associates is a Dallas, TX-based privately-owned dental practice that provides general, implant and cosmetic dentistry. On June 5, 2016, OCR received a complaint from an Elite patient about a social media HIPAA violation. The patient claimed the dental practice had responded to a review she left on Yelp and publicly disclosed some of the PHI. When replying to the patient’s June 4, 2016 post, Elite disclosed the patient’s last name along with details of her health condition, treatment plan, insurance, and cost information. The investigation confirmed that to be the case, but also found it was not the first time that PHI had been disclosed without authorization on the social media platform when responding to patient reviews. Further impermissible PHI disclosures were found on the...

URGENT/11 Cybersecurity Vulnerabilities in Medical Devices Prompt FDA Warning
Oct 2

Security researchers at Armis have identified 11 vulnerabilities, collectively named URGENT/11, in the Interpeak IPnet TCP/IP stack, a third-party software component used in hospital networks and certain medical devices. The vulnerabilities were reported to the DHS Cybersecurity and Infrastructure Security Agency (CISA), prompting an ICS Medical Advisory and a Food and Drug Administration (FDA) Safety Communication warning patients, healthcare providers, facility staff and manufacturers about the flaws. The FDA alert explains that the vulnerabilities could be remotely exploited by a threat actor to take full control of a vulnerable medical device. An attacker could change the functions of the device, access sensitive information, cause logic errors, or mount a denial of service attack that stops the device from working. While there have been no reports of the flaws being exploited in the wild, the FDA warns that the software required to exploit the flaws is publicly available. The Interpeak IPnet TCP/IP stack supports network communications between computers, and while it is no longer...

Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack
Sep 30

Another healthcare provider has announced it will be permanently closing its doors as a direct result of a ransomware attack. The devastating attack occurred at Wood Ranch Medical in Simi Valley, CA, which recently announced that the practice will permanently close on December 17, 2019. The attack occurred on August 10, 2019 and resulted in its servers being infected with ransomware. The attack caused widespread file encryption and prevented medical records from being accessed. The extent of the attack was such that computer systems were permanently damaged, making file recovery impossible. The practice had created backups of patient records, but those backups were also encrypted and could not be used to restore patient data, which is why backups need to be kept offline or otherwise out of reach of the systems they protect. Ransomware attacks are usually conducted with the sole purpose of extorting money. Files are encrypted and a ransom demand is issued. If the ransom is not paid, files remain encrypted. Payment of the ransom comes with no guarantee that file recovery will be possible and encourages further attacks. For these reasons the FBI recommends ransom payments...

Sen. Rand Paul Introduces National Patient Identifier Repeal Act
Sep 27

Sen. Rand Paul, M.D., (R-Kentucky) has introduced a new bill that attempts to have the national patient identifier provision of HIPAA permanently removed due to privacy concerns over the implementation of such a system. Today, HIPAA is best known for its healthcare data privacy and security regulations, but the national patient identifier system was proposed in the original HIPAA legislation of 1996 as a measure to facilitate data sharing and help reduce waste in healthcare. The provision called for the HHS to “adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and healthcare provider for use in the health care system.” However, in 1998, former Congressman Ron Paul (R-Texas), Sen. Rand Paul’s father, introduced a proposal which called for a ban on funding the development and implementation of such a system. The ban was introduced into the Congressional budget for 1999 and has been written into every Congressional budget since. This year there was hope that the ban would finally be removed following a June amendment to...

Senate Fails to Remove Ban on Funding of National Patient Identifier System
Sep 25

The Department of Health and Human Services (HHS) is prohibited from using any of its budget to fund the development and implementation of a national patient identifier, but there was hope that the ban would finally be lifted this year. The House of Representatives added an amendment to its Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act, 2020 that removed the ban, which would have allowed the HHS to follow through on this requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It now looks likely that the ban will remain in place for at least another year, as the Senate Appropriations Subcommittee’s draft fiscal year 2020 appropriations bill, released last Wednesday, retains the text banning the HHS from acting on this HIPAA requirement. The ban has been in place since 1999 and was introduced because of concerns over patient privacy. It has been written into the appropriations bill every year since, and the proposed fiscal year 2020 bill is no different. The proposed bill includes the text, “None of...

Study Reveals Types of Protected Health Information Most Commonly Exposed in Healthcare Data Breaches
Sep 24

Researchers from Michigan State University and Johns Hopkins University have conducted a study of healthcare data breaches over the past 10 years to examine what types of information are most commonly exposed in healthcare data breaches. The study, published in the journal Annals of Internal Medicine on Monday September 23, 2019, confirms that the health information of approximately 169 million Americans was exposed, compromised, or impermissibly disclosed in 1,461 data breaches at 1,388 entities between October 2009 and July 2019. Those breaches each impacted 500 or more individuals and were reportable incidents under HIPAA and the HITECH Act. The researchers explain that information about the types of information exposed in data breaches is not widely available to the public, since it is not a requirement to share the types of data that have been compromised in the breaches. It is therefore difficult for researchers to classify the amount and types of healthcare information exposed and gain an accurate picture of the consequences of the breaches. “When the media reports...

August 2019 Healthcare Data Breach Report
Sep 23

In August, healthcare data breaches continued to be reported at a rate of more than 1.5 per day, which is around twice the monthly average in 2018 (29.5 breaches per month). This is the second successive month in which breaches have been reported at such an elevated level. While the number of breaches has not changed much since last month (49 compared to 50), there has been a substantial reduction in the number of exposed records. August saw 729,975 healthcare records breached compared to 25,375,729 records in July, 3,452,442 records in June, and 1,988,376 records in May. The exceptionally high breach total for July was mostly due to the massive data breach at American Medical Collection Agency (the full report includes an update on the AMCA breach total).

Causes of August 2019 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in August. 32 breaches were attributed to hacking/IT incidents, which is almost double the number of breaches from all other causes combined. Hacking/IT incidents breached 602,663 healthcare records – 82.56% of all records breached in...

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS
Sep 18

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability analysis firm Greenbone Networks has revealed that the records of 24.3 million patients held in medical image storage systems are freely accessible online and require no authentication to view or download. The images in those records, which include X-rays, MRI, and CT scans, are stored in picture archiving and communication systems (PACS) connected to the Internet. Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and used the RadiAnt DICOM Viewer to access the images stored on open PACS servers. Those servers were found to contain approximately 733 million medical images, of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images. PACS use the Digital Imaging and Communications in Medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required...
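The first thing a PACS administrator wants to know after reading this is whether their own archive will talk to anyone who connects. Below is an added example (written for this page from the DICOM PS3.8 upper-layer protocol PDU layouts; it is not code from Greenbone, ProPublica or any PACS vendor) that sends a bare A-ASSOCIATE-RQ proposing the Verification (C-ECHO) service from an arbitrary calling AE title and classifies the reply. An A-ASSOCIATE-AC from an unknown calling AE title means the server enforces no AE-title allow-list at the association level, which is the condition that let the researchers' DICOM viewer in. The implementation class UID and the AE titles are placeholders, and the reply bytes used in the usage note are constructed, not captured from a real server.

```python
"""Minimal DICOM association probe (PS3.8 A-ASSOCIATE-RQ / AC / RJ).
Added illustration only; run it solely against PACS you are authorised to test."""
import socket
import struct

VERIFICATION_SOP = b"1.2.840.10008.1.1"      # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"        # Implicit VR Little Endian transfer syntax
APP_CONTEXT = b"1.2.840.10008.3.1.1.1"       # DICOM application context name
IMPL_CLASS_UID = b"1.2.826.0.1.3680043.9.9999.1"  # placeholder UID for this probe (assumption)

RJ_SOURCE = {1: "service-user", 2: "ACSE", 3: "presentation"}
RJ_REASON_USER = {1: "no reason given", 2: "application context not supported",
                  3: "calling AE title not recognized", 7: "called AE title not recognized"}
PC_RESULT = {0: "accepted", 1: "user rejection", 2: "no reason", 3: "abstract syntax not supported",
             4: "transfer syntaxes not supported"}


def _item(item_type, payload):
    """One variable item or sub-item: type, reserved byte, 16-bit big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def build_associate_rq(called_ae, calling_ae):
    """A-ASSOCIATE-RQ proposing a single presentation context (C-ECHO, implicit VR LE)."""
    pres_ctx = struct.pack(">BBBB", 1, 0, 0, 0) + _item(0x30, VERIFICATION_SOP) + _item(0x40, IMPLICIT_VR_LE)
    user_info = _item(0x51, struct.pack(">I", 16384)) + _item(0x52, IMPL_CLASS_UID)
    body = (struct.pack(">HH", 1, 0)                     # protocol version 1, reserved
            + called_ae.encode("ascii").ljust(16)[:16]   # AE titles: 16 bytes, space padded
            + calling_ae.encode("ascii").ljust(16)[:16]
            + bytes(32)                                   # reserved
            + _item(0x10, APP_CONTEXT) + _item(0x20, pres_ctx) + _item(0x50, user_info))
    return struct.pack(">BBI", 0x01, 0, len(body)) + body  # PDU-length counts everything after byte 6


def parse_associate_response(data):
    """Classify the first PDU sent back in answer to an A-ASSOCIATE-RQ."""
    if len(data) < 6:
        raise ValueError("short PDU")
    pdu_type = data[0]
    if pdu_type == 0x02:                                  # A-ASSOCIATE-AC: walk the variable items
        contexts, off = {}, 74                            # 6-byte PDU header + 68 bytes of fixed fields
        while off + 4 <= len(data):
            item_type, length = data[off], struct.unpack(">H", data[off + 2:off + 4])[0]
            payload = data[off + 4:off + 4 + length]
            if item_type == 0x21 and len(payload) >= 3:   # presentation context AC: id, reserved, result
                contexts[payload[0]] = PC_RESULT.get(payload[2], payload[2])
            off += 4 + length
        return {"accepted": True, "pdu": "A-ASSOCIATE-AC", "contexts": contexts}
    if pdu_type == 0x03 and len(data) >= 10:              # A-ASSOCIATE-RJ: reserved, result, source, reason
        _, result, source, reason = struct.unpack(">BBBB", data[6:10])
        return {"accepted": False, "pdu": "A-ASSOCIATE-RJ",
                "result": "permanent" if result == 1 else "transient",
                "source": RJ_SOURCE.get(source, source),
                "reason": RJ_REASON_USER.get(reason, reason) if source == 1 else reason}
    if pdu_type == 0x07:
        return {"accepted": False, "pdu": "A-ABORT"}
    return {"accepted": False, "pdu": "unknown 0x%02x" % pdu_type}


def recv_pdu(sock):
    """Read exactly one PDU: 6-byte header, then the number of bytes the header announces."""
    buf = b""
    while len(buf) < 6:
        chunk = sock.recv(6 - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a PDU header arrived")
        buf += chunk
    length = struct.unpack(">I", buf[2:6])[0]
    while len(buf) < 6 + length:
        chunk = sock.recv(6 + length - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        buf += chunk
    return buf


def probe(host, port=104, called_ae="ANY-SCP", calling_ae="PROBE", timeout=5.0):
    """Connect, propose an association from an unregistered AE title, report the outcome, release."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        result = parse_associate_response(recv_pdu(sock))
        if result["accepted"]:
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))  # A-RELEASE-RQ, leave cleanly
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 104))
```

A correctly configured archive answers the probe with an A-ASSOCIATE-RJ from the service-user with reason "calling AE title not recognized" (or drops the TCP connection because the source address is not on the allow-list). An A-ASSOCIATE-AC with the C-ECHO context accepted is the weak configuration described above; the AE-title check is not authentication in any case, so the real fix is keeping the DICOM port off the Internet and behind a VPN or gateway.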

Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE
Sep 18

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization. The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data. Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated....

NCCoE Issues Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem
Sep 17

The National Cybersecurity Center of Excellence (NCCoE) has issued draft NIST guidelines for securing the picture archiving and communication system (PACS) ecosystem. The guidelines – NIST Cybersecurity Practice Guide, SP 1800-24 – have been written for healthcare delivery organizations (HDOs) to help them secure their PACS and reduce the probability of a data breach and data loss, protect patient privacy, and ensure the integrity of medical images while minimizing disruption to hospital systems. PACS is used by virtually all HDOs for storing, viewing, and sharing digital medical images. The systems make it easy for healthcare professionals to access and share medical images to speed up diagnosis. The system can often be accessed via desktops, laptops, and mobile devices, and a PACS may also link to electronic health records, other hospital systems, regulatory registries, and government, academic, and commercial archives. With many users and devices and interactions with multiple systems, HDOs can face challenges securing their PACS ecosystem, especially without...

Consumer Technology Association Publishes Privacy Guidelines for Handling Health and Wellness Data
Sep 17

The Consumer Technology Association (CTA) has released data privacy guidelines to help companies better protect health and wellness data. The guidelines have been developed to help CTA members address tangible privacy risks and securely collect, use, and share health and wellness data from health/wellness apps, wearable devices, and other digital tools. The guidelines – Guiding Principles for the Privacy of Personal Health and Wellness Information – were developed by the CTA to help members address privacy gaps, discover consumer preferences, and earn consumer trust. “[The] privacy guidelines, developed with consensus among industry stakeholders, will help give both individuals and companies the confidence to invest in innovative technologies which will improve health,” explained CTA president and CEO, Gary Shapiro. “The CTA Privacy Principles demonstrate that health tech companies understand they must be trusted stewards of patient data.” Consumers now have access to a plethora of apps, devices, and digital tools that let them keep track of their health metrics,...

Multi-Factor Authentication Blocks 99.9% of Automated Cyberattacks
Sep 13

The healthcare industry experiences more than its fair share of phishing attacks. Each week, several phishing attacks are reported by healthcare organizations that have resulted in the exposure or theft of protected health information. In the majority of cases, those attacks could be prevented by following basic cybersecurity best practices. Cyberattacks are becoming more sophisticated, but the majority of attacks are not. They involve the use of default and commonly used passwords in brute force attacks, or basic phishing emails. Brute force attacks can be thwarted by creating and enforcing strong password policies, backed by rate limiting and lockouts on repeated failed logins. It should not be possible for users to use dictionary words as passwords or commonly used weak passwords such as 12345678. Accounts are also commonly breached due to password re-use. Figures from Microsoft suggest 73% of users duplicate passwords on work and personal accounts. If a personal account is breached, the password can be used to access the user’s work account. Many phishing emails succeed in bypassing anti-spam defenses. A recent report from Avanan suggests as...
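The reason a second factor stops the password-reuse and brute-force attacks described above is that the attacker's stolen or guessed password is only half of what the login check demands. The following added example (written for this page; it is not code from the original article, from Microsoft or from Avanan) implements the check end to end: RFC 4226 HOTP and RFC 6238 TOTP generation, a verifier that tolerates one step of clock skew and compares in constant time, and a login routine that evaluates both factors before deciding. The user table, salt and password are constructed demo values; the TOTP secret is the RFC 6238 reference key, so the codes can be checked against the RFC's test vectors.

```python
"""Password + TOTP login check (RFC 4226 / RFC 6238). Added illustration, not
code from the page's sources. Shows that a leaked password alone does not log in."""
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 200_000
DEMO_SALT = b"demo-salt-0123456789"            # constructed; use a random per-user salt in practice
DEMO_TOTP_KEY = b"12345678901234567890"        # RFC 6238 reference secret (test vectors use it)
DEMO_USERS = {                                 # constructed demo account, not real credentials
    "clinician": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Spring2019!", DEMO_SALT, PBKDF2_ROUNDS),
        "totp_key": DEMO_TOTP_KEY,
    }
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock skew), constant-time compare."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at + drift * step, step, digits), code):
            return True
    return False


def login(username: str, password: str, code: str, at: int = None) -> bool:
    """Both factors are always evaluated so the response time does not reveal which one failed."""
    at = int(time.time()) if at is None else at
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DEMO_SALT, PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    otp_ok = verify_totp(user["totp_key"], code, at)
    return pw_ok and otp_ok
```

A brute-force or credential-stuffing bot that has the right password still has to guess a six-digit code that changes every 30 seconds, and the lockout and rate limiting mentioned above keep the number of guesses far below the one-in-a-million odds per attempt. Note that verified codes should also be recorded and refused on replay within the window; that bookkeeping is left out here.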

HSCC Publishes Guidance on Healthcare Information Sharing Organizations
Sep 12

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published guidance on cybersecurity information sharing organizations in the healthcare sector. HSCC is a public-private partnership of more than 200 companies and organizations, including health IT companies, medical device manufacturers, laboratories, pharmaceutical companies, health plans, payers and government agencies. Its role is to provide collaborative solutions to help mitigate cybersecurity threats affecting the healthcare industry. The Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) is the fourth cybersecurity resource published by HSCC in response to the Health Care Industry Cybersecurity Task Force report, which called on the industry to improve the sharing of information about threats, risks, and mitigations. Other resources previously published by HSCC cover healthcare industry cybersecurity best practices, developing a medical device joint security plan, and the development of a health industry cybersecurity workforce. “Many health organizations are beginning to...

Insurance Companies are Fueling the Ransomware Epidemic by Paying Ransoms
Sep 11

A recent ProPublica investigation has highlighted a growing problem that is fueling the current ransomware epidemic. Insurance companies are opting to pay ransom demands as it is the most cost-effective way of settling claims, even though paying ransoms encourages further attacks. A ransom demand may be high, but it is far cheaper to pay the ransom than cover the cost of rebuilding systems from scratch and restoring data from backups. Paying the ransom demand is a win-win for the insurer and breached entity. The insurer saves money and since most insurance policies only require payment of a small deductible, the breached entity does too. They are also likely to regain access to their files and systems far more quickly, which saves time and money by reducing downtime. The hackers responsible for the attack are also happy, as their demand is met. This has been clearly demonstrated in recent attacks where the breached entity has refused to pay up. The ransomware attack on the city of Atlanta saw the attackers issued a demand of $51,000 for the keys to decrypt files. The city refused...

OCR Settles First HIPAA Violation Case Under 2019 Right of Access Initiative
Sep 10

Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that one of the main areas of HIPAA enforcement in 2019 would be HIPAA right of access failures, including untimely responses to access requests and overcharging for copies of medical records. The HIPAA right of access allows patients to obtain copies of their medical records on request. HIPAA-covered entities are required to honor those requests and provide patients with access to PHI, or copies of health data contained in a ‘designated record set’, within 30 days of the request being received (one 30-day extension is permitted if the individual is given written notice of the reason for the delay). A covered entity is permitted to charge a reasonable, cost-based fee for providing a copy of the individual’s PHI, which can include the cost of certain labor, supplies and postage. HIPAA-covered entities that fail to provide copies of records in a reasonable time frame or charge excessive amounts for providing a copy of a patient’s PHI are in violation of the HIPAA Privacy Rule – see 45 CFR 164.524. Such violations can attract a sizable financial penalty. This week, OCR has announced...

Most Patients Happy to Share EHR Data for Research, But Not Entire Medical Record
Sep 6

A majority of patients are comfortable with sharing their biospecimens and EHR data for research purposes, according to a new study published in JAMA Network Open; however, most patients want to restrict the sharing of at least one part of their medical record. Patients also exhibited preferences as to the institutions with whom their data and biospecimens were shared. Certain legislation covering the use of EHR data and biospecimens allows patient data to be shared for research purposes, either in identifiable or de-identified form, unless the patient explicitly opts out of data sharing. The researchers note that this all-or-nothing approach is problematic, as many patients are concerned about sharing certain types of information due to fears about secondary uses of their data. The researchers investigated the attitudes of 1,246 adults in the United States toward a tiered consent approach to EHR record sharing. This approach splits an individual’s medical record into smaller parts, which allows patients to consent to sharing certain parts of their medical records while restricting...

Study Confirms Why Prompt Data Breach Notifications Are So Important
Sep 5

When healthcare organizations experience a data breach it is understandable that breach victims will be upset and angry. Information is provided to healthcare organizations in the understanding that safeguards have been implemented to keep that information private and confidential. When patients and health plan members learn that their sensitive, private information has been exposed or stolen, many choose to take their business elsewhere. According to a new study by the credit reporting agency Experian, if the breach response is properly managed and the breached entity is transparent and issues notifications promptly, customer churn can be kept to a minimum. The Health Insurance Portability and Accountability Act’s (HIPAA) Breach Notification Rule requires notifications to be issued to breach victims ‘without unreasonable delay’ and no later than 60 days from the discovery of the breach. However, a majority of patients expect to be notified much more quickly. The study showed 73% of patients/plan members expect to be notified about a breach within 24 hours of the...

Hurricane Dorian: Limited HIPAA Waiver Issued in Puerto Rico, Florida, Georgia, North and South Carolina
Sep 4

Alex Azar, Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency (PHE) in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, a PHE was also declared in North Carolina, retroactive to September 1, 2019. The announcement follows the presidential emergency declarations for the above areas as the states prepare for the hurricane to make landfall. The declaration was accompanied by the announcement of a limited waiver of HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule, under Section 1135 of the Social Security Act as amended by the Project Bioshield Act of 2004. The waiver only applies in the emergency areas and for the period of time covered by the PHE. The waiver applies to hospitals that have implemented their disaster protocol, and only for up to 72 hours from when the disaster protocol was implemented, unless the PHE declaration terminates before that 72-hour period has elapsed. Once the PHE comes to an end, hospitals are required to comply with all requirements of the HIPAA...

82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices
Sep03

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto. For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study. The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine. When asked about the consequences of a cyberattack on IoT devices, the biggest...

UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit
Sep02

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data. Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of PHI with third parties such as technology companies, provided patient authorization is obtained before the information is shared. Alternatively, healthcare organizations can share patient information without authorization provided it has been de-identified. HIPAA permits one of two de-identification methods: expert determination or the safe harbor method. The latter involves stripping PHI of 18 specified identifiers so that patients cannot be identified, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is...
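The safe harbor method described above, as an added worked example that is not part of the article and is not code from UCMC or Google: the function below drops the direct identifiers and generalizes ZIP codes, dates and ages over 89 the way the safe harbor rules require. The field names, the restricted-ZIP placeholder set and the sample record are assumptions made for illustration; a real implementation must take the restricted three-digit ZIP list from current Census data and must still review free-text fields, which this example passes through untouched.

```python
"""Illustrative HIPAA safe-harbor de-identification of a single patient record.

Added example only; not code from the article or from UCMC/Google.
Field names, the restricted ZIP3 set and the sample record are assumptions.
"""
import re
from datetime import date

# Identifier fields the safe-harbor method removes outright. The mapping of
# field name to identifier category is an assumption about the record schema.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county",        # names, sub-state geography
    "phone", "fax", "email", "ssn", "mrn",              # contact details, SSN, MRN
    "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo", "other_unique_id",
}

# Three-digit ZIP prefixes covering fewer than 20,000 people must become "000".
# CONSTRUCTED placeholder set: the real set must be derived from current
# Census data, not copied from this example.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Date fields that are reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}


def _as_date(value):
    """Accept a date object or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(str(value))


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' for sparsely populated areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Reduce an ISO date string or date object to its year; None if unparsable."""
    if isinstance(value, date):
        return value.year
    match = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", str(value))
    return int(match.group(1)) if match else None


def compute_age(dob, as_of):
    """Age in whole years on the as_of date."""
    born, today = _as_date(dob), _as_date(as_of)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def safe_harbor(record, as_of):
    """Return a new dict with the 18 safe-harbor identifiers removed or generalized.

    Fields not listed in DIRECT_IDENTIFIERS, DATE_FIELDS or 'zip' are passed
    through unchanged, so free-text fields still need their own review.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = generalize_date(value)
        else:
            out[key] = value
    if record.get("dob"):
        age = compute_age(record["dob"], as_of)
        if age > 89:
            out["age"] = "90+"          # ages over 89 are aggregated into one bucket
            out.pop("dob_year", None)   # the birth year alone would reveal the age
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {
        "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
        "zip": "02139", "dob": "1950-06-15", "admission_date": "2019-07-01",
        "diagnosis": "J45.20", "ip_address": "10.0.0.5",
    }
    print(safe_harbor(sample, "2019-09-01"))
```

Note that safe harbor is a minimum, not a guarantee: a record that still carries a rare diagnosis together with a year and a ZIP3 may be re-identifiable, which is exactly the risk the expert determination method is meant to quantify.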

73 Email Accounts Compromised in Major Phishing Attack on NCH Healthcare System
Sep02

The importance of security awareness training for healthcare employees has been highlighted by a recent phishing attack on Bonita Springs, FL-based NCH Healthcare System. The attack was detected on June 14, 2019 when suspicious email activity was identified in relation to its payroll system. The investigation revealed a staggering 73 employees had responded to phishing emails and disclosed their account credentials to the scammers. It is common for healthcare organizations to identify an email account breach and later discover the attack was more extensive than originally thought. Oftentimes, several email accounts are discovered to have been compromised, often as a result of lateral phishing – the use of one compromised email account to send phishing emails to other individuals in the organization. However, a breach as extensive as this is fortunately rare. NCH Healthcare System is still investigating the attack and is being assisted by a third-party computer forensics firm. The initial findings of the investigation suggest the attackers were not concerned with obtaining PHI,...

OCR Offers Advice on Managing Malicious Insider Threats
Aug30

Healthcare organizations can implement robust defenses to prevent hackers from gaining access to sensitive data, but not all threats come from outside the organization. It is also important to implement policies, procedures, and technical solutions to detect and prevent attacks from within. Healthcare employees require access to protected health information (PHI) to perform their work duties. While those individuals may be deemed trustworthy, providing access to PHI exposes the organization to risk. Workers can go rogue and access patient information without authorization and could easily abuse their access rights and steal patient data for financial gain. There will always be the occasional bad apple, but the 2019 Verizon Data Breach Investigations Report suggests the problem is far more prevalent. According to the report, 59% of the healthcare data breaches analyzed were caused by insiders. Many of those breaches were due to mistakes made by healthcare employees, but a significant percentage were caused by malicious insiders who stole patient...

Ransomware Attack Impacts More Than 400 U.S. Dental Practices
Aug30

A ransomware attack on a medical record backup service has prevented hundreds of dental practices in the United States from accessing their patients’ records. The attack occurred on August 26, 2019 and affected the DDS Safe backup solution developed by Wisconsin-based software company, Digital Dental Record (DDS). The DDS system was accessed via an attack on its cloud management provider, West Allis, WI-based PerCSoft. Ironically, the DDS website states DDS Safe helps to protect dental practices against ransomware attacks. The attack did not affect all dental practices using the DDS Safe solution. Initial reports suggest between 400 and 500 of the 900 dental practices using the solution have been affected by the REvil/Sodinokibi ransomware attack. PerCSoft, assisted by a third-party software company, has obtained a decryptor and is in the process of recovering the encrypted files. According to a statement from DDS, recovery of files is estimated to take between 30 minutes to 4 hours per client. Some dental practices have reported file loss as a result of the attack and others have...

AMCA Data Breach Total Nears 25M as Wisconsin Diagnostic Laboratories Confirms 115K Record Breach
Aug28

The victim count from the American Medical Collection Agency (AMCA) data breach has risen to almost 25 million as yet another healthcare organization has announced it has been impacted by the breach. Wisconsin Diagnostic Laboratories (WDL), a network of 13 medical testing facilities in and around Milwaukee, is notifying 114,985 patients that some of their protected health information was compromised in the AMCA data breach. On June 3, 2019, AMCA informed WDL that some of its patients’ data had been compromised as a result of the hacking of a web payment portal. The hacker gained access to the payment page on August 1, 2018. The breach was detected on March 30, 2019 and unauthorized access was terminated. The types of information in AMCA systems were limited to patients’ names, dates of birth, dates of service, names of lab or medical service providers, referring physician’s name, balances owed to WDL, and other medical information related to the services provided by WDL. No Social Security numbers or lab test results were compromised in the breach. A limited number of individuals also...

OMB Audit Confirms HHS Information Security Program is “Not Effective”
Aug27

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA). For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) to evaluate compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas. The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas. The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response. OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and...

July 2019 Healthcare Data Breach Report
Aug26

May 2019 was the worst ever month for healthcare data breaches with 46 reported breaches of more than 500 records. More breaches were reported in May than any other month since the HHS’ Office for Civil Rights started publishing breach summaries on its website in 2009. That record was broken in July. July saw 50 healthcare data breaches of more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights, which is 13 more breaches than the monthly average for 2019 and 20.5 more breaches than the monthly average for 2018. July 2019 was the second worst month in terms of the number of healthcare records exposed. 25,375,729 records are known to have been exposed in July. There are still 5 months left of 2019, yet more healthcare records have been breached this year than in all of 2016, 2017, and 2018 combined. More than 35 million individuals are known to have had their healthcare records compromised, exposed, or impermissibly disclosed this year.

Causes of July 2019 Healthcare Data Breaches

The main reason for the increase in...

HHS Proposes Rule Easing Restrictions on Substance Use Disorder Treatment Records
Aug23

The Substance Abuse and Mental Health Services Administration (SAMHSA) has proposed a new rule that loosens restrictions on substance use disorder (SUD) treatment records, aligning Part 2 regulations more closely with HIPAA. The new rule, proposed on August 22, is the first element of the HHS’s Regulatory Sprint to Coordinated Care initiative, which will also see changes made to HIPAA, the Anti-Kickback Statute, and Stark Law. SUD treatment records are covered by Confidentiality of Substance Use Disorder Patient Records regulations – 42 CFR Part 2 (Part 2). Part 2 pre-dates HIPAA by two decades and was introduced at a time when there were no broader privacy and security standards for health data. Part 2 regulations were required to protect the privacy of patients by severely restricting the allowable uses and disclosures of SUD treatment records. When Part 2 was introduced, there was a stigma associated with SUD and without privacy protections, many individuals suffering from the disorder may have avoided seeking treatment. Since 1975, further privacy and security laws have...

32% of Healthcare Employees Have Received No Cybersecurity Training
Aug21

There have been at least 200 breaches of more than 500 records reported since January and 2019 looks set to be another record-breaking year for healthcare data breaches. The continued increase in data breaches prompted Kaspersky Lab to conduct a survey to find out more about the state of cybersecurity in healthcare. Kaspersky Lab has now published the second part of its report from the survey of 1,758 healthcare professionals in the United States and Canada. The study provides valuable insights into why so many cyberattacks are succeeding. Almost a third of surveyed healthcare employees (32%) said they have never received cybersecurity training in the workplace. Security awareness training for employees is essential. Without training, employees are likely to be unaware of some of the cyber threats that they will encounter on a daily basis. Employees must be trained how to identify phishing emails and told of the correct response when a threat is discovered. The failure to provide training is a violation of HIPAA. Even when training is provided, it is often insufficient. 11% of...

FINAL CALL to Take Part in Emergency Preparedness and Security Trends in Healthcare Survey
Aug19

Each year, Rave Mobile Safety conducts a survey to identify healthcare security trends and determine the state of emergency preparedness in the healthcare industry. For the 2020 Emergency Preparedness and Security Trends in Healthcare report, insight is being sought from leaders in the healthcare community. Many HIPAA Journal readers have already participated in last year’s survey and have provided information on the measures that have been deployed to improve safety in emergency situations. Their answers will be used to gain an overview of emergency preparedness throughout the United States. If you have not already participated, you are invited to share your feedback in this anonymous survey (click here). This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next. You can participate completely anonymously. After you complete the survey, you will have the opportunity to enter into a raffle for a $200 gift card from the survey sponsor. If...

Study Reveals Widespread Noncompliance with HIPAA Right of Access
Aug16

A recent study published on the health sciences preprint server medRxiv has revealed widespread noncompliance with the HIPAA right of access. For the study, the researchers sent medical record requests to 51 healthcare providers and assessed the experience of obtaining those records. The providers were also assessed on their response versus the requirements of HIPAA. In each case, the record request was a legitimate request for access to patient data. The requests were made to populate a new consumer platform that helps patients obtain their medical records. Record requests were sent for 30 patients, an average of 2.3 requests per patient. Each of the providers was scored based on their response to the request and whether they satisfied four requirements of HIPAA – accepting a request by email/fax, sending the records in the format requested by the patient, providing records within 30 days, and only charging a reasonable fee. Providers were given a 1-star rating for simply accepting a patient record request. Providers received a second star for satisfying the request and...

Hackers Demand $1 Million Ransom from Washington Hospital
Aug15

A ransomware attack on an Aberdeen, WA hospital and its associated clinics is still causing problems two months after the attack occurred. The attackers have demanded $1 million for the keys to unlock the encryption. On June 15, 2019, Grays Harbor Community Hospital started experiencing IT problems. The attack occurred on a Saturday when staffing was limited, so initially the problem was attributed to an ordinary IT issue. On Monday it became apparent that ransomware was involved and steps were taken to isolate the infection and secure the network; however, the attackers had already moved laterally and had gained access to servers and the systems used by Harbor Medical Group clinics. The initial point of attack appears to have been a response to a phishing email by a single employee. Harbor Medical Group operates 8 clinics in the Aberdeen and Hoquiam region, and those clinics were the worst affected by the attack. Grays Harbor Community Hospital used older software, which prevented the ransomware from being installed on the hospital’s main computer system. The clinics used more recent software,...

State Attorneys General Urge Congress to Align Part 2 Regulations with HIPAA
Aug14

The National Association of Attorneys General (NAAG) has urged leaders of the House and Senate to make changes to the Confidentiality of Substance Use Disorder Patient Records regulations, known as 42 CFR Part 2. The regulations in question, which NAAG called “cumbersome [and] out-of-date,” restrict the uses and disclosures of substance use disorder treatment records. Under HIPAA, protected health information (PHI) can be shared between providers and caregivers for purposes related to treatment, payment, and healthcare operations without first obtaining consent from the patient. 42 CFR Part 2 prohibits the sharing of addiction treatment information by federally assisted treatment programs unless consent to do so has been obtained from the patient. The Part 2 regulations were created more than 40 years ago to ensure the privacy of patients was protected and to ensure that patients would not face any legal or civil consequences from seeking treatment for substance use disorder. NAAG argues that the regulations were created at a time when there was an “intense stigma” surrounding substance...

GAO Discovers Widespread Cybersecurity Risk Management Failures at Federal Agencies
Aug07

The Government Accountability Office (GAO) conducted a study of 23 federal agencies and found widespread cybersecurity risk management failures. Federal agencies are targeted by cybercriminals, so it is essential for safeguards to be implemented to protect against those threats. Federal law requires government agencies to adopt a risk-based approach to cybersecurity to identify, prioritize, and manage cybersecurity risks. The GAO was asked to conduct its review to determine whether federal agencies had established the key elements of a cybersecurity risk management program, what challenges were faced when developing those programs, and what steps had been taken by the Department of Homeland Security (DHS) and the Office of Management and Budget (OMB) to address their responsibilities with respect to the cybersecurity challenges faced by federal agencies. The study revealed all but one of the 23 federal agencies (22) had appointed a cybersecurity risk executive, but other important elements of the risk management program had not been incorporated at many of the agencies assessed for the...

Judge Approves $74 Million Premera Blue Cross Data Breach Settlement
Aug05

A Federal District Judge has given preliminary approval to a proposed $74 million settlement to resolve a consolidated class action lawsuit against Premera Blue Cross for its 2014 data breach of more than 10.6 million records. US District Judge Michael Simon determined that the proposed settlement was fair, reasonable and adequate based on the strength of the plaintiffs’ case against Premera and the likely cost of continued litigation. The settlement will see $32 million made available to victims of the breach to cover claims for damages, of which $10 million will reimburse victims for costs incurred as a result of the breach. The remaining $42 million will be used to improve Premera’s security posture over the next three years. Data security improvements are necessary. Internal and third-party audits of Premera before and after the data breach uncovered multiple vulnerabilities. Premera had been warned about the vulnerabilities prior to the breach and failed to take action. That lack of action allowed hackers to gain access to its network. Further, it took almost a year for Premera to determine that...

First Half of 2019 Sees 31.6 Million Healthcare Records Breached
Aug02

It has been a particularly bad six months for the healthcare industry. Data breaches have been reported in record numbers and the number of healthcare records exposed on a daily basis is extremely concerning. The trend of more than one healthcare data breach a day has continued throughout 2019, even reaching a rate of 2 per day in May. According to the 2019 Mid-Year Data Breach Barometer Report from Protenus and Databreaches.net, 31,611,235 healthcare records were breached between January 2019 and June 2019. To put that figure into perspective, it is double the number of records exposed in healthcare data breaches in the entirety of 2018 (14,217,811 records). One breach stands out from the 285 incidents reported in the first half of the year: The data breach at American Medical Collection Agency (AMCA). A batch of stolen payment card data offered on a dark net marketplace was traced back to AMCA, which discovered its payment web page had been compromised for months. It is not yet known exactly how many healthcare records were exposed in the incident, but 18 clients are known to have been...

DHS Issues Best Practices to Safeguard Against Ransomware Attacks
Aug01

Ransomware appeared to have gone out of fashion in 2018, but that is certainly not the case in 2019. Q1, 2019 saw a 195% increase in ransomware attacks and a further 184% increase in Q2. Judging by the number of ransomware attacks reported in the past few weeks, the Q3 figures are likely to be even worse. States, cities, and local governments have been extensively targeted as has the healthcare industry. Many victims have been forced to pay sizable ransoms to regain access to critical data. Others have been forced to permanently close their doors. In response to the growing number of attacks, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing & Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) have issued a joint statement in which recommendations are given to help improve resilience to ransomware attacks. The statement was issued primarily to state, local, territorial and tribal governments, although the...

More than 522,000 Puerto Rico Patients Impacted by Ransomware Attack
Jul30

More than half a million patients in Bayamón, Puerto Rico have been affected by a ransomware attack on a medical center and its associated hospital. Bayamón Medical Center and Puerto Rico Women and Children’s Hospital discovered on May 21, 2019 that their computer systems had been infected with ransomware. The ransomware encrypted a wide range of files and prevented hospital staff from accessing patient information ‘for a short period of time,’ according to a July 19, 2019 press release announcing the attack. Approximately 522,000 current and former patients are being notified about the ransomware attack as a precautionary measure. The internal investigation into the attack confirmed that patient information was affected, but no evidence of unauthorized data access or theft was identified. The information potentially compromised was limited to names, demographic information, clinical information, financial information, and in some cases, diagnosis information, dates of birth, and Social Security numbers. The ransomware attack only rendered data temporarily inaccessible and...

HIPAA Compliance and Cloud Computing Platforms
Jul28

Before cloud services can be used by healthcare organizations for storing or processing protected health information (PHI) or for creating web-based applications that collect, store, maintain, or transmit PHI, covered entities must ensure the services are secure. Even when a cloud computing platform provider claims HIPAA certification (there is no official HIPAA certification program), or claims its service is HIPAA-compliant or supports HIPAA compliance, the platform cannot be used in conjunction with ePHI until a risk analysis – see 45 CFR § 164.308(a)(1)(ii)(A) – has been performed. A risk analysis is an essential element of HIPAA compliance for cloud computing platforms. After performing a risk analysis, a covered entity must establish risk management policies in relation to the service – 45 CFR § 164.308(a)(1)(ii)(B). Any risks identified must be managed and reduced to a reasonable and appropriate level. It would not be possible to perform a comprehensive, HIPAA-compliant risk analysis unless the covered entity fully understands the cloud computing environment and the service being offered by the platform...

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices
Jul26

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security. Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data. The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed. Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious...

How to Choose the Right Healthcare Cloud Provider
Jul24

Healthcare organizations often turn to a HIPAA compliant cloud vendor or Managed Service Provider to help them ensure electronic patient records are secured and they are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA contains an extensive set of rules for healthcare organizations which were introduced in 1996 to improve privacy and security of patient information, eliminate waste in healthcare, and combat fraud. This legislative act introduced new and legally binding requirements for healthcare providers to secure their systems, improve privacy and security protections, and keep health data private and confidential at all times. The Act and its subsequent updates have served to strengthen privacy protections, give patients new rights, and ensure that all healthcare organizations achieve a minimum standard of data security. It may seem that HIPAA is at odds with cloud computing, but there is nothing in HIPAA legislation that prohibits use of the cloud for sharing or storing patient data. HIPAA covered entities can use cloud platforms and...

2019 Cost of A Data Breach Study Reveals Increase in U.S. Healthcare Data Breach Costs
Jul24

The Ponemon Institute/IBM Security has published its 2019 Cost of a Data Breach Report – a comprehensive analysis of data breaches reported in 2018. The report shows data breach costs have continued to rise and the costliest breaches are experienced by healthcare organizations, as has been the case for the past 9 years.

Average Data Breach Costs $3.92 Million

Over the past five years, the average cost of a data breach has increased by 12%. The global average cost of a data breach has increased to $3.92 million. The average breach size is 25,575 records and the cost per breached record is now $150, up from $148 last year. Globally, the healthcare industry has the highest breach costs with an average mitigation cost of $6.45 million. Healthcare data breaches typically cost 65% more than data breaches experienced in other industry sectors. Data breach costs are the highest in the United States, where the average cost of a data breach is $8.19 million – or $242 per record. The average cost of a healthcare data breach in the United States is $15 million.

Healthcare Data Breaches Cost...

June 2019 Healthcare Data Breach Report
Jul24

For the past two months, healthcare data breaches have been reported at a rate of 1.5 per day – well above the typical rate of one per day. In June, data breaches returned to more normal levels with 30 breaches of more than 500 healthcare records reported – 31.8% fewer than May 2019. While the number of reported data breaches fell, June saw a 73.6% increase in the number of health records exposed in data breaches. 3,452,442 healthcare records were exposed in the 30 healthcare data breaches reported in June.

Largest Healthcare Data Breaches in June 2019

The increase in exposed records is due to a major breach at the dental health plan provider Dominion Dental Services (Dominion National Insurance Company). Dominion discovered an unauthorized individual had access to its systems and patient data for 9 years. During that time, the protected health information of 2,964,778 individuals may have been stolen. That makes it the largest healthcare data breach to be reported to the Office for Civil Rights so far in 2019 – at least for a month until entities affected by...

Equifax Agrees to Pay up to $700 Million to Settle Data Breach Case
Jul23

Equifax has agreed to settle its federal data breach case for a minimum of $575 million. The settlement will potentially rise to $700 million and also requires considerable improvements to be made to enhance security and better protect consumer data. In 2017, Equifax experienced a colossal data breach in which the personal data of 147 million Americans was compromised. Names, dates of birth, addresses, and Social Security numbers were potentially stolen in the attack and the breach victims now have to face an elevated risk of suffering identity theft and fraud. Equifax announced the breach in September 2017. In the two years that followed, Equifax has been called before Congress on multiple occasions to explain how the breach occurred and how the response was being handled. Regulators also investigated Equifax to determine whether reasonable and appropriate security measures had been implemented to protect the vast amounts of consumer data that was stored on its network. The Federal Trade Commission (FTC) determined there had been security failures at Equifax that left the door...

AMCA Victim Count Swells to Almost 25 Million Records
Jul23

The number of healthcare providers confirmed to have been affected by the data breach at American Medical Collection Agency (AMCA) has grown considerably over the past few days. The victim count is now nearing 25 million and 18 healthcare providers are now known to have been affected. The AMCA breach was discovered by its parent company, Retrieval Masters Credit Bureau (RMCB), on March 21, 2019. An investigation was launched to determine the extent of the attack, which revealed the hacker had access to the AMCA payment web page for around 8 months. During that time, the hacker had access to vast quantities of sensitive patient information, including financial information and Social Security numbers. AMCA notified all entities that had been affected by the breach in May 2019; however, only limited information was released. Most of the covered entities affected by the breach were not given sufficient information to allow the affected patients to be identified. Quest Diagnostics was the first to announce that it has been impacted by the breach, closely followed by LabCorp and...

Read More
Idaho Hospitals Must Now Comply with New Idaho Patient Rights Rules
Jul19

New rules for hospitals have been implemented in Idaho that give patients new rights. The rules were implemented by the Idaho Department of Health and Welfare (IDHW) and are effective from July 1, 2019. The new rules were suggested by patient advocacy groups and “incorporate standards that parallel—but do not exactly mirror—existing law and/or Medicare conditions of participation for hospitals,” according to IDHW. The policies align with the MyHealthEData initiative, which was launched in 2018 with the aim of removing the barriers to secure access to electronic medical records. Under previous state law, critical access hospitals (CAHs) were not required to comply with many of the regulatory conditions that applied to other healthcare providers. The new rules change that, which will mean new policies and procedures will need to be implemented by CAHs. That will come with a considerable administrative burden. The new rules apply to all hospitals in Idaho as well as any provider that renders services in hospitals. All hospitals and providers have been advised to check their policies...

Read More
HHS Declares Limited Waiver of HIPAA Sanctions and Penalties in Louisiana
Jul17

The Secretary of the U.S. Department of Health and Human Services (HHS) has issued a limited waiver of HIPAA sanctions and penalties in Louisiana due to the devastation likely to be caused by Tropical Storm Barry as it made landfall on July 13 as a hurricane. The HHS announced the public health emergency in Louisiana on Friday July 12, 2019. The waiver only applies to healthcare organizations in the emergency area and only for the length of time stated in the declaration. The waiver only applies to specific provisions of the HIPAA Privacy Rule and only for a maximum period of 72 hours after the hospital has implemented its emergency protocol. Once the time period for the waiver ends, healthcare providers will be required once again to comply with all aspects of the HIPAA Privacy Rule, even for patients still under their care at the time the declaration ends, even if the 72-hour time window has not expired. While a waiver has been issued, the Privacy Rule does not prohibit the sharing of protected health information during disasters to assist patients and make sure they get the care they...

Read More
Premera Blue Cross Settles Multi-State Action for $10 Million
Jul12

Premera Blue Cross has agreed to a $10 million settlement to resolve a multi-state data breach lawsuit involving 30 state attorneys general. The settlement resolves alleged violations of state and federal laws that contributed to its 10.4 million record data breach in 2014. A hacker gained access to Premera Health’s network on May 5, 2014 and remained undetected until March 6, 2015. For almost a year the hacker had access to highly sensitive plan member information such as names, contact information, dates of birth, member ID numbers, and Social Security numbers. Alabama, Alaska, Arizona, Arkansas, California, Connecticut, Florida, Hawaii, Idaho, Indiana, Iowa, Kansas, Kentucky, Louisiana, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Jersey, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Rhode Island, Utah, Vermont and Washington all participated in the lawsuit. Washington State Attorney General Bob Ferguson led the investigation and looked at the security vulnerabilities that had been exploited by the hacker to gain access to such a large amount of...

Read More
Vulnerability Identified in GE Aestiva and Aespire Anesthesia Machines
Jul10

An improper authentication vulnerability has been identified in GE Aestiva and Aespire Anesthesia devices which are used in hospitals throughout the United States. The vulnerability – CVE-2019-10966 – could allow a remote attacker to modify the parameters of a vulnerable device and silence alarms. Possible alterations include making changes to gas composition parameters to correct flow sensor readings for gas density and altering the time on the device. The flaw is due to the exposure of certain terminal server implementations which extend GE Healthcare anesthesia device serial ports to TCP/IP networks. The vulnerability could be exploited if serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration. The vulnerability has been assigned a CVSS v3 base score of 5.3 out of 10 and affects GE Aestiva and Aespire versions 7100 and 7900. GE Healthcare has confirmed this is not a vulnerability in the GE Healthcare devices themselves. While the flaw could be exploited, GE Healthcare has determined via a formal risk investigation that “there is no...

Read More
Critical Vulnerability Identified in Burrows-Wheeler Aligner Genomics Mapping Software
Jul08

Researchers at Sandia National Laboratories have discovered a vulnerability in open source software used by genomic researchers. If exploited, an attacker could gain access to and alter sensitive genetic information. DNA screening is a two-step process. First, a patient’s DNA is sequenced and their genome is mapped. Then, the patient’s genetic information is compared with a standardized human genome. Any differences between the two are assessed to determine whether they are due to disease. A software tool is used to make the comparison. Sandia researchers discovered a stack-based buffer overflow vulnerability – CVE-2019-10269 – in the Burrows-Wheeler Aligner (BWA) program used by many researchers to perform DNA-based medical diagnostics. The vulnerability is present at the point where BWA imports the standardized human genome from government servers. Patient information is transmitted via an insecure channel and could be intercepted in a man-in-the-middle attack. An attacker could intercept the standardized human genome, combine it with malware, and then...

Read More
U.S. Cyber Command Warns of Active Exploitation of 2017 Outlook Vulnerability
Jul05

A two-year-old vulnerability in Microsoft Outlook is being exploited by hackers in targeted attacks on U.S. government networks. U.S. Cyber Command has issued a warning about vulnerability CVE-2017-1174, which is being actively exploited to install remote access Trojans and other forms of malware. U.S. Cyber Command strongly recommends patching the vulnerability immediately to prevent exploitation. The flaw is a sandbox escape vulnerability which can be exploited if the attacker has the user’s Outlook credentials, which could be obtained via a phishing attack or other means. The attacker could then change the user’s home page to a page with embedded code that downloads and executes malware when Outlook is opened. U.S. Cyber Command made no mention of the threat actors believed to be behind the attacks, although security researchers at Palo Alto Networks, FireEye, Chronicle, and others have linked the attacks to the Iran-backed cyberespionage group APT33. APT33 has been exploiting this vulnerability for at least a year, but instead of using phishing, the group conducts brute force...

Read More
Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices
Jul03

A recent study of cybersecurity best practices adopted by large and small healthcare providers has revealed there is a growing gulf between the two. Larger providers are more likely to have mature, sophisticated cybersecurity defenses, while smaller providers are struggling to follow cybersecurity best practices. For the study, KLAS and CHIME analyzed responses to the 2018 Healthcare’s Most Wanted survey given by around 600 healthcare providers and assessed each to determine whether they were adhering to healthcare cybersecurity best practices. One of the requirements of the Cybersecurity Act of 2015 was for the Department of Health and Human Services (HHS) to form a task group to develop guidance for healthcare providers to help them manage and mitigate threats to patient data. The 405(d) Task Group released the document – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) – which details 10 cybersecurity principles relevant to healthcare providers of all sizes. These principles must be addressed to ensure cybersecurity risks are...

Read More
2.9 Million Members Affected by Dominion National 9-Year PHI Breach
Jul03

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers first gained access to its servers in 2010. Following an internal alert, Dominion National launched an internal investigation and determined on April 24, 2019 that its systems had been breached. A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised along with the PHI of individuals who are members of health plans for which the company provides administration services. Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August...

Read More
HELP Committee Approves Bill Calling for HIPAA Enforcement Safe Harbor
Jun28

The Senate Health, Education, Labor and Pensions (HELP) Committee has approved the Lower Health Care Costs (LHCC) Act of 2019, which has implications for HIPAA-covered entities. One of the main aims of the bill is to improve transparency of health care costs and service quality. The bill is intended to end surprise health bills and make sure patients are kept well informed about healthcare costs. The LHCC Act includes a provision that incentivizes healthcare organizations to adopt strong cybersecurity practices by calling for the Department of Health and Human Services’ Office for Civil Rights to consider the organization’s good faith security efforts when making decisions about enforcement actions. The bipartisan bill passed the HELP committee by 20 votes to 3. The bill includes 54 different proposals from 65 senators. With the bill now passed, HELP committee chairman Lamar Alexander (R-Tenn) hopes to present the bill to the Majority and Minority Leaders for consideration by the full Senate in July. Many healthcare organizations have been calling for OCR to consider adoption of...

Read More
OCR Clarifies Allowable Uses and Disclosures of PHI for Care Coordination and Continuity of Care
Jun27

The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance for health plans on how protected health information can be shared to support care coordination and continuity of care. The guidance, which is in the form of an FAQ, answers two questions commonly asked by health plans: Can PHI be disclosed to another health plan for care coordination purposes? OCR has confirmed that the HIPAA Privacy Rule allows PHI to be used and disclosed for healthcare operations, so it is possible to share PHI with another health plan or other covered entity if doing so is necessary for the entity’s own healthcare operations. PHI can also be shared with another health plan for the recipient’s healthcare operations provided the following conditions are met: Both entities have or had a relationship with the individual, the disclosure pertains to that relationship, and the healthcare operation is one permitted by HIPAA (See 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(4)) Case management and care coordination are included in permitted ‘healthcare operations,’ so they...

Read More
DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors
Jun25

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’ The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels and a U.S. surveillance drone was shot as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory. The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets. Iranian threat actors have also been highly active. There have been...

Read More
May 2019 Healthcare Data Breach Report
Jun20

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information. On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day. From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year. It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm. May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of...

Read More
Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach
Jun20

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack. The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials. ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day. An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails. The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained...

Read More
Estes Park Health Ransomware Attack Highlights Risks of Paying Ransoms
Jun18

Estes Park Health (EPH) in Colorado has suffered a ransomware attack that resulted in widespread file encryption across the network. The attack was noticed by employees on Sunday June 2, 2019 who reported that their computers were behaving strangely. EPH contacted its on-call IT technician who logged in and experienced the same issues, as the ransomware systematically encrypted files on the network. EPH Chief Information Officer Gary Hall witnessed the ransomware locking files and taking control of programs on his computer, according to a recent report in the Estes Park Trail Gazette. IT staff responded quickly and started locking systems down, but it was not possible to prevent widespread file encryption. Software in the clinic was the first to go offline, followed by its digital imaging software, which stores all X-rays and other medical images. The attack wiped out the network and its phone service. EPH activated its incident response center and switched to emergency mode procedures while its computer system was down. EPH uses software that constantly monitors the network and...

Read More
House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development
Jun17

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently. That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data. Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier. They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for...

Read More
Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach
Jun14

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party. Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015. According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson. Deanna Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her ex-husband in the custody battle. Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website and disclosed the information to her attorney, Gary Bradshaw. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules. After discovering that her...

Read More
HHS One of Three Departments in Most Critical Need of IT Modernization
Jun13

The Government Accountability Office (GAO) has published the findings of an audit of all federal government systems that run on legacy systems. The aim of the audit was to determine the extent to which legacy software and systems are in use, and which departments are in most critical need of modernization. In total, 65 federal agency systems were assessed at 24 different agencies to produce a list of the top ten systems in need of modernization. GAO then assessed the agencies’ plans to update their systems and measured those plans against IT modernization best practices. The Department of Health and Human Services (HHS) is one of the top three departments in need of modernization, behind the Department of Education (DoE) and the Department of Defense (DoD). Only three departments were deemed to have both high system criticality and a high security risk: HHS, DoE, and the Department of Homeland Security. The level of modernization required by HHS is considerable. One legacy system is 50 years old yet is still being extensively used to support clinical and patient administrative...

Read More
AMCA Breach Sparks Flurry of Lawsuits and Investigations
Jun12

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach. The breach was officially announced by Quest Diagnostics on June 3, 2019 through an 8-K filing with the Securities and Exchange Commission (SEC), and an SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal information of up to 20 million individuals has potentially been compromised. The data breach at AMCA was identified by security researchers at Gemini Advisory who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The numbers included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months. It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been...

Read More
Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape
Jun11

A recent report from Carbon Black has revealed 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% experienced an attack in which data destruction was the main motivation behind the attack. The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry-leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving. Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights. “The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the...

Read More
AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities
Jun07

The total number of victims of the American Medical Collections Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organization has been confirmed as being affected by the breach. New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach. BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised. BioReference Laboratories confirmed the breach in an 8-K Securities and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified it had been impacted by the breach on June 3, 2019. The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had...

Read More
Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts
Jun06

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts. The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program. One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs. In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act. Both...

Read More
Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent
Jun05

Microsoft has issued a fresh warning about the recently discovered BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) following the online publication of proof-of-concept exploits for the flaw. Microsoft released fixes for the flaw on May 14, 2019. As was the case with the vulnerability that was exploited in the WannaCry ransomware attacks in 2017, patches were also released for unsupported Windows versions. The vulnerability is critical and could be exploited remotely via Remote Desktop Protocol (RDP) without any user interaction required. As one security researcher has shown, finding devices that have not been patched is far from difficult. Robert Graham of Errata Security performed a scan of the internet and found almost 1 million devices that have still not had the patch applied or been protected using Microsoft’s recommended mitigations. Graham is not the only person to have performed scans for vulnerable devices. There has been a major increase in scans in recent days. It appears that cybercriminals are preparing for attacks. The fresh warning is an unusual step for...

Read More
Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach
Jun05

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach. On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed. As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers. According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all...

Read More
$74 Million Settlement Proposed to Resolve Premera Blue Cross Class Action Lawsuit
Jun04

In March 2015, the Seattle-based health insurer Premera Blue Cross announced it had experienced a major data breach that impacted around 10.6 million plan members. The breach occurred in 2014 and resulted in the theft of a broad range of data, including Social Security numbers, bank account information, and health data. The cyberattack is thought to have been conducted by an APT group operating out of China. Shortly after the data breach was announced, several class action lawsuits were filed seeking damages for victims of the breach. More than 40 of those class action lawsuits were consolidated into a single class action lawsuit in the United States District Court in Oregon. The lawsuit alleged the cybersecurity practices at Premera Blue Cross were insufficient and vulnerabilities were exploited by threat actors to gain access to the sensitive information of its plan members. Premera Blue Cross has made the decision to settle the lawsuit and a $74 million settlement has been proposed. Under the terms of the settlement, Premera Blue Cross will pay $32 million to victims of the...

Read More
AMCA Data Breach Impacts 12 Million Quest Diagnostics Patients
Jun04

A hacker has gained access to the systems of Elmsford, NY-based billing collections company American Medical Collection Agency (AMCA) and potentially viewed and copied the protected health information of 11.9 million patients of Quest Diagnostics. Quest Diagnostics is one of the largest blood testing laboratories in the United States but is just one entity that uses AMCA services. It is possible that the breach could be much larger and impact patients of other healthcare organizations. At almost 12 million records, it is already the second largest healthcare data breach ever to be reported, behind Anthem’s 78.8 million record data breach of 2015. The data breach first came to light in May 2019 when researchers at Gemini Advisory notified databreaches.net that they had discovered the payment card details of around 200,000 patients listed for sale on a darknet marketplace. Gemini Advisory determined that the credit card details came from AMCA and appeared to have been obtained between September 2018 and March 2019. Gemini Advisory notified AMCA about the potential breach, although no...

Read More
40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months
May31

Healthcare organizations have been slow to correct the flaw in Remote Desktop Services that was patched by Microsoft on May 14, 2019, but a new report from cybersecurity firm Armis has revealed many healthcare organizations have still not patched the Windows Server Message Block (SMB) flaw that was exploited in the WannaCry ransomware and NotPetya wiper attacks in May and June 2017. The WannaCry attacks served as a clear reminder of the importance of prompt patching. Microsoft released patches for the vulnerability in March 2017. On May 12, 2017, the WannaCry ransomware attacks started. In the space of just a few days, more than 200,000 devices were infected in 150 countries. The hackers behind the attack used the NSA exploits EternalBlue and DoublePulsar to spread the malware across entire networks. The National Health Service (NHS) in the UK was hit particularly badly due to the extensive use of legacy systems and the failure to apply patches promptly. Around one third of NHS Trusts in the UK were affected, 19,000 appointments had to be cancelled at a cost of around £20 million,...

Read More
Almost 1 Million Windows Devices Still Vulnerable to Microsoft BlueKeep RDS Flaw
May30

More than two weeks after Microsoft issued a patch for a critical, wormable flaw in Remote Desktop Services, nearly 1 million devices have yet to have the patch applied and remain vulnerable. Those devices have also not had the recommended mitigations implemented to reduce the potential for exploitation of the flaw. The vulnerability – CVE-2019-0708 – can be exploited remotely with no user interaction required and could allow a threat actor to execute arbitrary code on a vulnerable device, view, change, or delete data, install programs, create admin accounts, and take full control of the device. It would also be possible to then move laterally and compromise other devices on the network. Microsoft has warned that the vulnerability could be exploited via RDP and could potentially be used in another WannaCry-style attack. Microsoft released patches for the vulnerability on May 14 and, due to the seriousness of the flaw, the decision was taken to also release patches for unsupported Windows versions. The flaw affects Windows XP, Windows 7, Windows 2003, Windows Server 2008, and...

Read More
Multi-State Action Results in $900,000 Financial Penalty for Medical Informatics Engineering
May28

Medical Informatics Engineering (MIE) is required to pay a financial penalty of $900,000 to resolve a multi-state action over HIPAA violations related to a breach of 3.9 million records in 2015. The announcement comes just a few days after the HHS’ Office for Civil Rights settled its HIPAA violation case with MIE for $100,000. MIE licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers that allow patients to access and manage their health information. By providing those services, MIE and NMC are business associates and are required to comply with HIPAA Rules. Between May 7 and May 26, 2015, hackers gained access to a server containing data related to its NMC service. Names, addresses, usernames, passwords, and sensitive health information were potentially accessed and stolen. A lawsuit was filed in December 2018 alleging MIE and NMC had violated state laws and several HIPAA provisions. 16 state attorneys general were named as plaintiffs in...

Read More
HHS Confirms When HIPAA Fines Can be Issued to Business Associates
May27

Since the Department of Health and Human Services implemented the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 in the 2013 Omnibus Final Rule, business associates of HIPAA covered entities can be directly fined for violations of HIPAA Rules. On May 24, 2019, to clear up confusion about business associate liability for HIPAA violations, the HHS’ Office for Civil Rights clarified exactly what HIPAA violations could result in a financial penalty for a business associate. Business associates of HIPAA covered entities can only be held directly liable for the requirements and prohibitions of the HIPAA Rules detailed below. OCR does not have the authority to issue financial penalties to business associates for any aspect of HIPAA noncompliance not detailed on the list. You can download the HHS Fact Sheet on direct liability of business associates on this link.

Penalties for HIPAA Violations by Business Associates

The HITECH Act called for an increase in financial penalties for noncompliance with HIPAA Rules. In 2009, the...

Read More
Medical Informatics Engineering Settles HIPAA Breach Case for $100,000
May24

Medical Informatics Engineering, Inc (MIE) has settled its HIPAA violation case with the HHS’ Office for Civil Rights for $100,000. MIE, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The hackers had access to the server for 19 days between May 7 and May 26, 2015. 239 of its healthcare clients were impacted by the breach. OCR was notified about the breach on July 23, 2015 and launched an investigation to determine whether it was the result of non-compliance with HIPAA Rules. OCR discovered MIE had failed to conduct an accurate and thorough risk analysis to identify all potential risks to the confidentiality, integrity, and availability of PHI prior to the breach – a violation of the HIPAA Security Rule 45 C.F.R. § 164.308(a)(1)(ii)(A). As a result of that failure, there was an impermissible disclosure of 3.5 million...

Read More
PHI of 1.5 Million Individuals Exposed Online by Inmediata
May22

In April, Inmediata, a provider of clearinghouse services to healthcare organizations, announced that the protected health information of certain patients had been exposed online as a result of a misconfigured setting on an internal web page. The incident has now been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 1,565,338 individuals had their PHI exposed. That makes the data breach the largest to be reported in 2019. The information had been made available to employees through an internal web page, but the failure to configure that page correctly allowed the data to be made accessible over the internet without the need for authentication. The page was indexed by Google and patient information could be found through online searches. The information had been provided by hospitals, health plans, and independent physicians and included names, addresses, dates of birth, gender, claims data and, for a small number of patients, Social Security numbers. Inmediata immediately deactivated the web page when it was discovered...

Read More
ONC Report Reveals Trends in Access and Viewing of Medical Records Online
May22

Most hospitals and physicians have now adopted electronic medical records, yet only half of patients have been offered access to their medical records online, according to a new report from the HHS’ Office of the National Coordinator for Health Information Technology (ONC). Two of the aims of the 21st Century Cures Act were to make it easier for patients to access their health information and to improve education of patients about their rights to access their health data. The ONC conducted its Health Information Trends Survey (HINTS) to determine whether patients are being offered access to their medical records online and whether they have exercised that right and have viewed medical records that have been made available. In 2018, there was no change in the number of patients being offered access to their medical records online. As was the case in 2017, 51% of patients were given that opportunity. However, the number of patients using that access to view or download their medical records increased. 30% of patients who were given the option had viewed their records at least once,...

Read More
AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan
May21

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC). In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients. The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented. The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain...

Read More
April 2019 Healthcare Data Breach Report
May20

April was the worst ever month for healthcare data breaches. More data breaches were reported than in any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – a 23.9% reduction from March. While the breaches were smaller in April, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks.

Largest Healthcare Data Breaches in April 2019

Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – a ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
New Study Uncovers Serious Holes in Healthcare Cybersecurity
May16

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured. 75 global healthcare deployments were analyzed for the study, which included more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs). The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft. The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is also commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also...

Read More
Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks
May15

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017. The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP. The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction. If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations. Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware. The vulnerability is not present in Windows 8 and Windows 10, only...

Read More
Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records
May10

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc. have been charged by the U.S. Department of Justice. 32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015. “The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.” The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer. According to the indictment, the international hacking scheme saw Wang and...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of the report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape. The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below:

C-Suite executives are 12 times more likely to be targeted in social engineering attacks than other employees
Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018
Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018
Financially motivated...

Read More
Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May06

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Read More
Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy
May06

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes. In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups. The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact...

Read More
Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat
May03

Malwarebytes has released a new report detailing the current tactics and techniques being used by cybercriminals to gain access to business networks and sensitive data. Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 was compiled using data collected by its intelligence and data science teams and telemetry from its consumer and business products between January 1 and March 31, 2019. The report reveals there has been a 235% increase in cyberattacks on corporate targets in the past 12 months. There has also been a marked decline in cryptomining and other threats on consumers, which fell by 40% in 2018. It is clear from the report that cybercriminals are concentrating their efforts on attacking businesses, and SMBs are most at risk as they typically lack the resources to significantly improve their cybersecurity defenses. The report shows that Trojans are currently the biggest malware threat. Attacks involving Trojans are up 650% from the same time last year and attacks increased by 200% in Q1, 2019. The biggest threat is Emotet, which Malwarebytes describes as the “most...

Read More
Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation
May02

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled. The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The...

Read More
HHS Changes HITECH Act Penalties for HIPAA Violations
Apr29

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations. The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated. The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules. The 3rd penalty tier applies...

Read More
Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI
Apr26

The DICOM image format, which has been in use for around 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information. The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information. DICOM images contain a section at the start of the file called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened. This design feature is part...

Read More
HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement
Apr24

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text. The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost. The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex. Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point...

Read More
HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability
Apr23

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information. Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data. The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drives were stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients
Apr23

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet. The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery. The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online. Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was...

Read More
Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments
Apr17

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members. Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals. (Update 05/03/2019: The HHS breach portal indicates 6,045 individuals have been affected.) The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions. Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further access to documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external...

Read More
Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

A recent study conducted by the consultancy firm CynergisTek has revealed many healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the...

Read More
March 2019 Healthcare Data Breach Report
Apr15

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months. The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches.

Causes of March 2019 Healthcare Data Breaches

The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Read More
MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty
Apr12

In 2018, University of Texas MD Anderson Cancer Center was issued with a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches that were experienced in 2012 and 2013. OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented. MD Anderson contested the financial penalty and the case was sent to an administrative law judge who ruled that MD Anderson must pay the financial penalty. MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas. MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is...

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks
Apr12

The Minnesota Department of Human Services (DHS) has discovered that another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018.

Three Phishing Attacks: 31,800 Records Exposed

The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 10,263 Minnesotans exposed. The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct Care and Treatment Administration. Emails were then sent from that account to co-workers requesting that wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made. During the time that the account was accessible, the attacker potentially accessed emails in the account which included...

Data Security Incident Response Analysis Published by BakerHostetler
Apr11

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018. BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches. In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR). All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered. This has led many companies to create committees to help manage data breaches,...

FDA Considers New Review Framework for AI-Based Medical Devices
Apr09

AI-based medical devices can be used to identify diseases and individuals at risk of developing medical conditions. They can perform a great deal of time-consuming work on behalf of doctors and radiologists and can help to speed up the diagnosis of diseases. Faster diagnoses mean patients can receive treatment more quickly at a time when it is most likely to be effective. They can also help to identify the most effective treatments to allow personalized medicine to be provided. Currently, the U.S. Food & Drug Administration (FDA) performs reviews of medical devices as part of its market authorization processes. Generally, in order to be granted market authorization the algorithms used by the devices need to be locked and not have the ability to learn each time they are used. These locked algorithms can be subsequently updated by developers at intervals using new data, but after those updates have been applied, the devices need to be subjected to a further manual review and the updated algorithm must be validated. The FDA authorized two AI-based medical devices in 2018: An...

Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr09

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday, April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released, so it is unclear whether this was a hacking incident or a malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Amazon Announces 6 New HIPAA Compliant Alexa Skills
Apr05

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules. The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, access their latest blood sugar reading, and check the status of their prescriptions. This is not the first time that Alexa skills have been developed for use in healthcare, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule. You can read more about the issues related to virtual assistants and HIPAA compliance here. Amazon has stated that it plans to work with many other developers through an invite-only...

Malware Alters CT Scans and Creates and Removes Tumors
Apr05

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans. The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment. In addition to adding tumors to medical images, the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office; the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotage of medical trials, and cyber terrorism. Prior to a patient being prescribed radiation therapy or chemotherapy, additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient...

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to the quantity of sensitive data they store. Individuals’ protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value to cybercriminals. The information can also be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Study Reveals Health Information the Least Likely Data Type to be Encrypted
Apr03

Health information is the least likely data type to be encrypted, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher. The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data. The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data. The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence...

Michigan Practice Forced to Close Following Ransomware Attack
Apr02

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors. The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek, which housed patient records, appointment schedules, and payment information, rendering the data inaccessible. The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required. The two owners of the practice, William Scalf, MD, and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment. Since no payment was made, the attackers deleted all files on the system, ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch. The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to...

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anesthesia drug propofol from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording, 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules
Mar28

The HHS’ Centers for Medicare and Medicaid Services (CMS) has launched a compliance review program to assess whether HIPAA covered entities are complying with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews will commence in April 2019.

The HIPAA Administrative Simplification Rules

The HIPAA Administrative Simplification Rules were introduced to improve efficiency and the effectiveness of the health system in the United States. They require healthcare organizations to adopt national standards for healthcare transactions that are conducted electronically, including the use of standard code sets and unique health identifiers, in addition to complying with the requirements of the HIPAA Privacy and Security Rules. The HHS’ Office for Civil Rights is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The CMS is responsible for administering and enforcing the rules covering transaction and code sets standards, the employer identifier standard, and the national provider identifier standard, as...

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar27

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. In July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern
Mar26

Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre. SecurityScorecard has ranked the healthcare industry 8th out of the 18 industry sectors for cybersecurity. The findings have been detailed in its 2019 Healthcare Cybersecurity Report. The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively. Without proper DNS security measures in place, attacks could take place in which DNS records are changed. Such an attack would allow cybercriminals to route web traffic to fraudulent websites where credentials could be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about this attack method in January 2019. Endpoint security is another big concern. In healthcare, employees use a wide range of different types of devices to gain access to healthcare networks, which introduces risks and...

D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

Washington D.C. Attorney General Karl A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently, laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

350,000 Affected by Oregon Department of Human Services Phishing Attack
Mar22

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals. ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted. The investigation confirmed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019. The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the accounts contained information such as clients’ first and last names, addresses, birth...

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health has settled a class action lawsuit filed on behalf of victims of a data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed or copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Potentially Massive Breach of Protected Health Information Discovered
Mar19

Sacramento, CA-based medical software provider Meditab Software Inc. and its San Juan, PR-based affiliate MedPharm Services have suffered a massive breach of protected health information. Meditab provides electronic medical record (EMR) and practice management software to hospitals, physicians’ offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. Meditab also provides a fax processing service, and one of the servers used for processing faxes has been discovered to be leaking data: it could be accessed over the internet without the need for any authentication. The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elasticsearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information. According to a recent report...

February 2019 Healthcare Data Breach Report
Mar18

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fallen by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – a 330% increase from the previous month.

Causes of Healthcare Data Breaches in February 2019

Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents, and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and four cases of theft of physical or electronic PHI. The...

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices
Mar15

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). Ericsson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices. Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices. Currently, IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is...

Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks
Mar14

The healthcare industry is being targeted by cybercriminals, and phishing is one of the most common ways that they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern. At HIMSS19, OCR highlighted email as being the main location of breached ePHI and the high risk of data breaches from phishing attacks. Could the high number of successful phishing attacks be mostly down to the industry being targeted more than other industry sectors, or are healthcare employees more susceptible to phishing attacks? A recently published study has provided some answers. Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks. For the study, Gordon and his team analyzed data from 6 healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees. The researchers analyzed data from simulated...

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
Mar08

A major case of snooping on celebrity medical records has been reported that has resulted in dozens of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for allegedly accessing the medical records of Jussie Smollett without authorization. Jussie Smollett reportedly attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019. Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt. The charges against Smollett were dropped on Tuesday, March 26. After Smollett was treated at Northwestern Memorial Hospital, curiosity got the better of some employees who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records. Accessing the medical...

HIPAA Compliance at Odds with Healthcare Cybersecurity
Mar06

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and that HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses. Russell P. Branzell, President and CEO of CHIME, and Shafiq Rab, CHCIO, Chair of the CHIME Board of Trustees, recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs. In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes. “Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.” The use of technology and data sharing are essential for improving the level of care that can be provided to...

Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack
Mar06

A new Moody’s Investors Service report has revealed that four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks. Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day-to-day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk. For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical business processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – supply chain diversity, for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk. The health insurance, pharmaceutical, and...

Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane
Mar06

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients. Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium. Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social Security numbers and other types of protected health information. Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb” and concluded that patient data had not been stolen by the attackers, “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution. The vulnerability that was exploited to gain access to the...

New Jersey Expands Definition of Personal Information Requiring Breach Notifications
Mar05

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach. New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if accompanied by a password or code that allows the account to be accessed. The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed. The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52 – was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie....

IRS Issues Warning About Tax-Related Phishing Scams
Mar05

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Nevada Senator Proposes New Federal Data Privacy Act
Mar04

Nevada Senator Catherine Cortez Masto (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices. HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place. Several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA, in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, protection is currently provided by a patchwork of state laws. Privacy protections can vary greatly depending on where a person lives. The bill – The Digital Accountability and Transparency to Advance Privacy (DATA...

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Mark Warner (D-VA) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken: the most healthcare records ever breached. 113 million...

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

New York State Departments Investigate Facebook Over Health Data Sharing Practices
Feb26

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third-party apps, even if the user has not logged in via Facebook or does not even have a Facebook account. Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics is provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the social media platform. The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users. One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The...

NHS to Phase Out Pagers by End of 2021
Feb26

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million).

Advantages and Disadvantages of Pagers in Healthcare

Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

January 2019 Healthcare Data Breach Report
Feb25

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month in which the number of individuals impacted by healthcare data breaches fell. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed.

Largest Healthcare Data Breaches in January 2019

Rank  Name of Covered Entity                                      Covered Entity Type  Individuals Affected  Type of Breach
1     Centerstone Insurance and Financial Services (BenefitMall)  Business Associate   111589                Hacking/IT Incident
2     Las Colinas Orthopedic Surgery & Sports Medicine, PA        Healthcare Provider  76000                 Theft
3     Valley Hope Association                                     Healthcare Provider  70799                 Hacking/IT Incident
4     Roper St. Francis Healthcare                                Healthcare Provider  35253                 Hacking/IT Incident
5     Managed Health Services                                     Health Plan          31300                 Hacking/IT Incident
6     EyeSouth Partners                                           Business Associate   24113                 Hacking/IT Incident
7     Dr....

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed
Feb25

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees. UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals. A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack or whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out. UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused. The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed....

NIST NCCoE Releases Mobile Device Security Guide
Feb22

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches. Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes. However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them. There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of...

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups
Feb21

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed. Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups. The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination. Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been set up on the platform specifically for that purpose....

PHI of Almost 1 Million UW Medicine Patients Exposed Online
Feb21

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication. Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name. An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures. The...

Maryland Considers Tougher Penalties for Ransomware Attacks
Feb20

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state. The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock. Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more. The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable...

March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches
Feb14

The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced. If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available. If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for...

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

ONC and CMS Propose New Rules on Patient Access and Information Blocking
Feb12

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking. The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data. One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost. One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new...

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns
Feb12

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps. 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018. This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident. In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations. The most common actors implicated in security incidents were online scam artists (28%)...

OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

EHR Vendor False Claims Act Violation Case Settled for $57.25 Million
Feb07

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million. The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers. The U.S. government provided incentives to healthcare organizations to encourage them to transition to EHRs from paper records through the Meaningful Use program. Most healthcare providers have now made the change and now rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately. In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting...

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates. Approximately 12,000 individuals were sent letters, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...
