HHS Information Blocking and Interoperability Regulations Now in Effect
Apr09

HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and now the benefits of the information blocking and interoperability provisions can now be realized. The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing. The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the US Core Data for Interoperability (v1). Core EHI includes clinical notes,...

Read More
Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups
Apr08

Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities. Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system. Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others...

Read More
PHI from Multiple Covered Entities Published on GitHub
Apr05

PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals. The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some data of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice. An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020. The files contained names, addresses, dates of birth, Social...

Read More
Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals
Apr02

Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information. Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries. The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individual’s protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware. An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information, including check...

Read More
New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case
Mar29

New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years. OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records. OCR investigators determined that the delay in providing the records, which exceeded the 30 allowed days for acting...

Read More
SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach
Mar26

SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrated its entire database to an Amazon AWS storage account. The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets. Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data.  SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is...

Read More
Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000
Mar25

Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Action investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty. OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months. When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay. OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right...

Read More
February 2021 Healthcare Data Breach Report
Mar19

February 2021 Healthcare Data Breach Report

There was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents. After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches. Largest Healthcare Data Breaches Reported in February 2021 Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware Gore Medical Management, LLC GA Healthcare Provider...

Read More
CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware
Mar18

CISA/FBI Issue Joint Alert About Spear Phishing Attacks Delivering TrickBot Malware

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security alert about TrickBot malware. TrickBot was first identified in 2016 and started out as a banking Trojan; but the malware has since had a host of new capabilities added and is now extensively used as a malware loader for delivering other malware variants, including ransomware such as Ryuk and Conti. “TrickBot has evolved into a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities,” explained CISA/FBI in the alert. In late 2019, TrickBot survived an attempt by Microsoft and its partners to disrupt its infrastructure and spam campaigns distributing the malware soon recommenced, with TrickBot activity surging in recent weeks. Earlier this month, Check Point researchers warned about an increase in TrickBot infections following the takedown of the Emotet botnet. TrickBot was the 4th most prevalent malware variant in 2020 and rose to third in January 2021; however, since...

Read More
2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches
Mar16

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks. The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net. The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised. Healthcare Hacking Incidents Increased...

Read More
What is a HIPAA Violation?
Mar14

What is a HIPAA Violation?

Barely a day goes by without a news report of a hospital, health plan, or healthcare professional violating HIPAA, but what is a HIPAA violation and what happens when a violation occurs? What is a HIPAA Violation? The Health Insurance Portability and Accountability Act of 1996 is a landmark piece of legislation that was introduced to simplify the administration of healthcare, eliminate wastage, prevent healthcare fraud, and ensure that employees could maintain healthcare coverage when between jobs. There have been notable updates to HIPAA to improve privacy protections for patients and health plan members over the years which help to ensure healthcare data is safeguarded and the privacy of patients is protected. Those updates include the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Omnibus Rule, and the HIPAA Breach Notification Rule. A HIPAA violation is a failure to comply with any aspect of HIPAA standards and provisions detailed in detailed in 45 CFR Parts 160, 162, and 164. The combined text of all HIPAA regulations published by the Department of Health and Human Services...

Read More
Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras
Mar12

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and viewed live feeds and archived footage from cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals. As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information. Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes. Till Kottmann, one of the...

Read More
HIPAA Social Media Rules
Mar12

HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations. There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules? HIPAA and Social Media The first rule of using social media in healthcare is to never disclose...

Read More
Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation
Mar12

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of at least 21 million Americans. Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities. From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019. AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for...

Read More
Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion
Mar11

Cost of 2020 US Healthcare Ransomware Attacks Estimated at $21 Billion

Ransomware attacks on the healthcare industry skyrocketed in 2020. In 2020, at least 91 US healthcare organizations suffered ransomware attacks, up from 50 the previous year. 2020 also saw a major ransomware attack on the cloud software provider Blackbaud, with that attack known to have affected at least 100 US healthcare organizations. The first known ransomware attack occurred in 1989 but early forms of ransomware were not particularly sophisticated and attacks were easy to mitigate. The landscape changed in 2016 when a new breed of ransomware started to be used in attacks. These new ransomware variants use powerful encryption and delete or encrypt backup files to ensure data cannot be easily recovered without paying the ransom. Over the past 5 years ransomware has been a constant threat to the healthcare industry, with healthcare providers being increasingly targeted in recent years. Attacks now see sensitive data stolen prior to file encryption, so even if files can be recovered from backups, payment is still required to prevent the exposure or sale of stolen data. Healthcare...

Read More
Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days
Mar10

Comment Period on Proposed HIPAA Privacy Rule Changes Extended by 45 Days

Changes to the HIPAA Rules are infrequent, so when updates are proposed they tend to include a slew of new requirements and updates to existing provisions. Before any updates are made, a request for information (RFI) is issued to allow the HHS to obtain feedback on aspects of the HIPAA Rules that are causing problems, and areas where improvements could be made. Following the RFI, a notice of proposed rulemaking is issued by the HHS followed by a comment period. The comment period is the last chance for industry stakeholder, including patients and their families, to voice their opinions about the proposed changes before they are signed into law. After issuing an RFI, the HHS’ Office for Civil Rights published a Notice of Proposed Rulemaking on December 10, 2020, along with the standard 60-day comment period from the date of publication in the Federal Register (January 21, 2021). The comment period was due to expire on March 22, 2021. Since the proposed changes include updates to the HIPAA Privacy Rule that will impact virtually everyone in the healthcare industry, the HHS has taken...

Read More
The HIPAA Password Requirements and the Best Way to Comply With Them
Mar09

The HIPAA Password Requirements and the Best Way to Comply With Them

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication. The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”. Experts Disagree on Best HIPAA Compliance Password Policy Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them. Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every...

Read More
FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent
Mar09

FTC Urged to Enforce Breach Notification Rule When Fertility Tracking Apps Share User Data Without Consent

On March 4, 2021, Senator Robert Menendez (D-New Jersey), and Reps. Bonnie Watson Coleman (D-New Jersey) and Mikie Sherrill (D-New Jersey) wrote a letter urging the Federal Trade Commission (FTC) to start enforcing the Health Breach Notification Rule. The Federal Trade Commission (FTC) has a mandate to protect Americans from bad actors that betray consumer trust and misuse consumers’ healthcare data and has the authority to take enforcement action but is not enforcing compliance with the Health Breach Notification Rule. The Health Breach Notification Rule was introduced as part of the American Recovery and Reinvestment Act of 2009 and requires vendors of personal health records, PHR related entities, and third-party service providers to inform consumers about unauthorized disclosures of personal health information. The Health Breach Notification Rule applies to entities not covered by the Health Insurance Portability and Accountability Act (HIPAA), and has similar provisions to the HIPAA Breach Notification Rule. While the HHS’ Office for Civil Rights has enforced compliance with...

Read More
Virginia Consumer Data Protection Act Signed into Law
Mar08

Virginia Consumer Data Protection Act Signed into Law

The Virginia Consumer Data Protection Act (CDPA) has been signed into law by Governor Ralph Northam. CDPA requires persons conducting business in the Commonwealth of Virginia to comply with new data privacy and security requirements. The CDPA takes effect on January 1, 2023. The CDPA mirrors some of the privacy and security provisions of the EUs General Data Protection Regulation (GDPR) that took effect on March 25, 2018, and the California Consumer Privacy Act (CCPA) that took effect on January 1, 2020. While there are similarities with the GDPR and the CCPA, there are some differences, so compliance with either the CCPA or the GDPR does not guarantee compliance with the CDPA. Like the CCPA, the CDPA only applies to organizations that control or process significant amounts of consumer data, with the data threshold twice as high as the CCPA, although there is no minimum revenue threshold in the CDPA. The CDPA applies to any person or business that: Controls or processes the personal data of 100,000 or more Virginia residents in a calendar year; or Controls or processes the data of...

Read More
Two Employees Fired for Impermissible PHI Disclosures to Third Parties
Mar08

Two Employees Fired for Impermissible PHI Disclosures to Third Parties

Humana has discovered an employee of a subcontractor of a business associate impermissibly disclosed the protected health information of 62,950 of its members to a third-party for training purposes. Cotiviti was contracted by Humana to provide assistance requesting medical records and used a subcontractor to review the requested medical records. Under HIPAA, subcontractors used by business associates are also required to comply with HIPAA. The privacy violations occurred between October 12, 2020 and December 16, 2020 and Cotiviti notified Humana about the HIPAA violation on December 22, 2020. Cotiviti has worked with Humana to ensure that safeguards are implemented to prevent similar privacy breaches in the future, and that those safeguards are put in place at any subcontractors it uses. The individual who disclosed the data is no longer employed by the subcontractor. The types of data disclosed includes member names’, addresses, phone numbers, email addresses, dates of birth, full or partial Social Security Numbers, insurance identification numbers, provider names, dates of...

Read More
IBM X-Force: Healthcare Cyberattacks Doubled in 2020
Mar03

IBM X-Force: Healthcare Cyberattacks Doubled in 2020

A new report from IBM X-Force shows healthcare cyberattacks doubled in 2020 with 28% of attacks involving ransomware. The massive increase in healthcare industry cyberattacks saw the sector rise from last place to 7th, with the finance and insurance industry the most heavily targeted, followed by manufacturing, energy, retail, professional services, and government. Healthcare accounted for 6.6% of cyberattacks across all industry sectors in 2020. The 2021 X-Force Threat Intelligence Index report was compiled from monitoring data from over 130 countries and included data from more than 150 billion security events a day, with the data gathered from multiple sources including IBM Security X-Force Threat Intelligence and Incident Response, X-Force Red, IBM Managed Security Services, and external sources such as Intezer and Quad9. The most common way networks were breached was the exploitation of vulnerabilities in operating systems, software, and hardware, which accounted for 35% of all attacks up from 30% in 2019. This was closely followed by phishing attacks, which were the initial...

Read More
NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity
Mar02

NSA Releases Guidance on Adopting a Zero Trust Approach to Cybersecurity

The National Security Agency (NSA) has recently released new guidance to help organizations adopt a Zero Trust approach to cybersecurity to better defend against increasingly sophisticated cyber threats. Zero Trust is a security strategy which assumes that breaches are inevitable or have happened and an intruder is already inside the network. This approach assumes that any device or connection may have been compromised so it cannot be implicitly trusted. Continuous verification is required in real time from multiple sources before access is granted and for system responses. Adopting a Zero Trust approach to security means adhering to the concept of least-privileged access for every access decision and constantly limiting access to what is needed, with anomalous and potentially malicious activity constantly examined. “Zero Trust is a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries,” explained the NSA in the guidance....

Read More
March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches
Feb25

March 1, 2021: Deadline for Reporting 2020 Small Healthcare Data Breaches

The deadline for reporting healthcare data breaches of fewer than 500 records that were discovered in 2020 is fast approaching. HIPAA covered entities and business associates have until March 1, 2021 to submit breach reports to the Department of Health and Human Services’ Office for Civil Rights (OCR)that were discovered between January 1, 2020 and December 31, 2020. HIPAA defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” A risk assessment should be conducted to determine the probability that PHI has been compromised, that must include the nature and extent of PHI involved, the probability of identification of individuals; the person who used/disclosed the PHI; whether PHI was viewed or acquired by an unauthorized...

Read More
Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months
Feb24

Whistleblower Who Falsely Claimed Nurse Violated HIPAA Jailed for 6 Months

A Georgia man who falsely claimed a former acquaintance had violated patient privacy and breached the HIPAA Rules has been sentenced to 6 months in jail and fined $1,200. In October 2019, Jeffrey Parker, 44, of Rincon, GA, claimed to be a HIPAA whistleblower and alerted the authorities about serious privacy violations by a nurse at a Savannah, GA hospital, including emailing graphic pictures of traumatic injuries of hospital patients internally and externally. According to court documents, Parker “engaged in an intricate scheme” to frame a former acquaintance for violations of the Federal Health Insurance Portability and Accountability Act’s Privacy Rule. To back up the fake claims, Parker created multiple email accounts in the names of real patients and used those accounts to send false accusations of privacy violations. Emails were sent to the hospital where the nurse worked, the Federal Bureau of Investigation (FBI), and the Department of Justice (DOJ). Parker also alleged that he had been threatened for his actions as a whistleblower and law enforcement took steps to ensure his...

Read More
Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity
Feb23

Insights into Healthcare Industry Cyber Threats and the Supply Chain Supporting Criminal Activity

Throughout the pandemic, cybercriminals have taken advantage of new opportunities and have been attacking hospitals, clinics and other businesses and organizations on the front line in the fight against COVID-19. Ransomware attacks on the healthcare industry soared in 2020, especially in the fall when a coordinated campaign claimed many healthcare victims. Ransomware remains a major threat to the healthcare sector and the high numbers of attacks have continued into 2021. A recent report from the CTI League provides further information on these attacks and some of the other ways the healthcare industry was targeted in 2020. The report highlights the work conducted by the CTIL Dark team, which monitors the darknet and deep web for signs of data breaches and cybercriminal activity that has potential to impact the healthcare industry or general public health. This is the first report to be released that highlights the discoveries and achievements of the CTIL Dark team, and delves into realm of healthcare ransomware attacks and the dark markets where access to healthcare networks are...

Read More
January 2021 Healthcare Data Breach Report
Feb19

January 2021 Healthcare Data Breach Report

January saw a 48% month-over-month reduction in the number of healthcare data breaches of 500 or more records, falling from 62 incidents in December to just 32 in January. While this is well below the average number of data breaches reported each month over the past 12 months (38), it is still more than 1 data breach per day. There would have been a significant decline in the number of breached records were it not for a major data breach discovered by Florida Healthy Kids Corporation that affected 3.5 million individuals. With that breach included, 4,467,098 records were reported as breached in January, which exceeded December’s total by more than 225,000 records. Largest Healthcare Data Breaches Reported in January 2021 The breach reported by Florida Healthy Kids Corporation was one of the largest healthcare data breaches of all time. The breach was reported by the health plan, but actually occurred at one of its business associates. The health plan used an IT company for hosting its website and an application for applications for insurance coverage. The company failed to apply...

Read More
100% of Tested mHealth Apps Vulnerable to API Attacks
Feb16

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of millions of individuals is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) applications, according to a recent study published by cybersecurity firm Approov. Ethical hacker and researcher Allissa Knight conducted the study to determine how secure popular mHealth apps are and whether it is possible to gain access to users’ sensitive health data. One of the provisos of the study was she would not be permitted to name any of the apps if vulnerabilities were identified. She assessed 30 of the leading mHealth apps and discovered all were vulnerable to API attacks which could allow unauthorized individuals to gain access to full patient records, including personally identifiable information (PII) and protected health information (PHI), indicating security issues are systemic. mHealth apps have proven to be invaluable during the COVID-19 pandemic and are now increasingly relied on by hospitals and healthcare providers. According to Pew Research, mHealth apps are now generating more user...

Read More
Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation
Feb15

Sharp HealthCare Pays $70,000 to Resolve HIPAA Right of Access Violation

The HHS’ Office for Civil Rights (OCR) has fined Sharp HealthCare $70,000 for failing to provide a patient with timely access to his medical records. This is the sixteenth financial penalty to be agreed with OCR under the HIPAA Right of Access enforcement initiative that was launched in late 2019. OCR received a complaint from a patient on June 11, 2019 that alleged Sharp Healthcare, doing business as Sharp Rees-Stealy Medical Centers (SRMC), failed to provide him with a copy of his medical records within 30 days, as is required by the HIPAA Privacy Rule. The patient claimed to have made a request in writing on April 2, 2019 but had not been provided with the requested records after waiting more than 2 months. OCR investigated and provided technical assistance to SRMC on the HIPAA Right of Access provision of the HIPAA Privacy Rule and the requirement to send medical records to a third party if requested by a patient. OCR closed the complaint on June 25, 2019. The same patient filed a second complaint with OCR on August 19, 2019 when the requested medical records had still not been...

Read More
Renown Health Pays $75,000 to Settle HIPAA Right of Access Case
Feb11

Renown Health Pays $75,000 to Settle HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing to crackdown on noncompliance with the HIPAA Right of Access. This week, OCR announced its fifteenth settlement to resolve a HIPAA Right of Access enforcement action. Renown Health, a not-for-profit healthcare network in Northern Nevada, agreed to settle its HIPAA case with OCR to resolve potential violations of the HIPAA Right of Access and has agreed to pay a financial penalty of $75,000. OCR launched an investigation after receiving a complaint from a Renown Health patient who had not been provided with an electronic copy of her protected health information. In January 2019, the patient submitted a request to Renown Health and asked for her medical and billing records to be sent to her attorney. After waiting more than a month for the records to be provided, the patient filed a complaint with OCR. It took Renown Health until December 27, 2019 to provide the requested records, almost a year after the initial request was made. The HIPAA Privacy Rule (45 C.F.R. § 164.524) requires medical...

Read More
Feds Release Ransomware Fact Sheet
Feb09

Feds Release Ransomware Fact Sheet

A ransomware factsheet has been released by the National Cyber Investigative Joint Task Force (NCIJTF) to raise awareness of the threat of ransomware attacks and provide insights that can be leveraged to prevent and mitigate attacks. The fact sheet was developed by an interagency group of more than 15 government agencies and is primarily intended for use by police and fire departments, state, local, tribal and territorial governments, and critical infrastructure entities. The factsheet was released as part of the “Reduce the Risk of Ransomware Campaign” launched by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) in January 2021. The fact sheet explains the impact ransomware attacks have had on the public sector, provides information on U.S. government efforts to combat ransomware threats, and details the most common methods used by threat actors to gain access to networks to deploy ransomware payloads: Phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and software vulnerabilities. Phishing emails contain either a malicious link or file attachment. If...

Read More
Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data
Feb03

Public Health Emergency Privacy Act Introduced to Ensure Privacy and Security of COVID-19 Data

On January 28, 2021, Democratic senators introduced the Public Health Emergency Privacy Act to protect the privacy of Americans and ensure data security measures are applied to safeguard COVID-19 related health data collected for public health purposes. The Public Health Emergency Privacy Act was introduced by Sens. Mark Warner, D-Va., Richard Blumenthal, D-Conn. and U.S. representatives Anna Eshoo, D-CA., Jan Schakowsky, D-IL., and Suzan DelBene, D-WA and requires strong and enforceable privacy and data security rights for health information to be set. “Technologies like contact tracing, home testing, and online appointment booking are absolutely essential to stop the spread of this disease, but Americans are rightly skeptical that their sensitive health data will be kept safe and secure,” said Sen. Blumenthal. “Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19.” The Public Health Emergency Privacy Act will ensure strict privacy protections are implemented to ensure any health data collected...

Read More
OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project
Feb02

OIG: Two VA Employees Concealed Privacy and Security Risks of a Big Data Project

Two members of the Department of Veteran Affairs’ (VA) information technology staff are alleged to have made false representations about the privacy and security risks of a big data AI project between the VA and a private company that would have seen the private and confidential health data of tens of millions of veterans fed into the AI system. An administrative investigation was conducted by the VA Office of Inspector General (OIG) into a potential conflict of interest related to a cooperative research and development agreement (CRADA) between the VA and a private company in 2016. The purpose of the collaboration was to improve the health and wellness of veterans using AI and deep learning technology developed by Flow Health. The project aimed to identify common elements that make people susceptible to disease, identify potential treatments and possible side effects to inform care decisions and to improve the accuracy of diagnoses. The CRADA would have resulted in the private and confidential health data, including genomic data, of all veterans who had received medical treatment...

Read More
Multinational Law Enforcement Operation Takes Down the Emotet Botnet
Jan28

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world. The Emotet botnet was one of the most prolific malware botnets of the last decade and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. The Emotet operators ran one of the most professional and long-lasting cybercrime services and was one of the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet. The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous....

Read More
Ransomware Attacks Account for Almost Half of Healthcare Data Breaches
Jan28

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable. According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches. Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and the government (12.5%). Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry...

Read More
FBI Issues Warning Following Spike in Vishing Attacks
Jan25

FBI Issues Warning Following Spike in Vishing Attacks

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges. Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents to steal credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected. The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking...

Read More
At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020
Jan20

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft. The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year. In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities. These attacks have caused significant financial harm and in some cases the disruption has had life threatening...

Read More
OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments
Jan20

OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination Appointments

The Department of Health and Human Services’ Office for Civil Rights has announced it will be exercising enforcement discretion and will not impose financial penalties on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling individual appointments for COVID-19 vaccinations. The notice of enforcement discretion applies to the use of WBSAs for the limited purpose of scheduling individual appointments for COVID-19 vaccinations during the COVID-19 public health emergency. The notification is effectively immediately, is retroactive to December 11, 2020, and will remain in effect for the duration of the COVID-19 nationwide public health emergency. A WBSA is a non-public facing online or web-based application that allows individual appointments to be scheduled in connection with large scale COVID-19 vaccination. The purpose of a WBSA is to allow covered healthcare providers to rapidly schedule large numbers of appointments for COVID-19 vaccinations....

Read More
2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020
Jan19

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website. In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year. More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010. Key Takeaways 25% year-over-year increase in healthcare data breaches. Healthcare data breaches have doubled since 2014. 642 healthcare data breaches of 500 or more records were reported in 2020. 1.76 data breaches of 500 or more healthcare records were reported each day in 2020. 2020 saw more than 29 million healthcare records breached. One breach involved more than 10...

Read More
December 2020 Healthcare Data Breach Report
Jan18

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average. There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 642 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.   December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached. Largest Healthcare Data Breaches Reported in December 2020 Name of...

Read More
Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty
Jan18

Excellus Health Plan Settles HIPAA Violation Case and Pays $5.1 Million Penalty

The Department of Health and Human Services’ Office for Civil Rights has announced the health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case stemming from a 2015 data breach that affected 9.3 million individuals. The breach in question was discovered by Excellus Health Plan in 2015, the same year that massive data breaches were discovered by the health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records). All three entities have now settled breach investigations with OCR and have paid substantial financial penalties. Excellus Health Plan, doing business as Excellus BlueCross BlueShield and Univera Healthcare, serves individuals in upstate and western New York. In August 2015, the health insurer discovered hackers had gained access to its computer systems. The breach investigation revealed access to its systems was first gained around December 23, 2013 and continued until May 11, 2015. The breach was reported to OCR on September 9, 2015. The hackers installed malware on its systems,...

Read More
M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal
Jan15

M.D. Anderson Cancer Center Has $4.3 Million OCR HIPAA Fine Overturned on Appeal

The U.S. Court of Appeals for the Fifth Circuit has overturned a $4,348,000 HIPAA violation penalty imposed on University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The Civil Monetary Penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches that were reported to the Office for Civil Rights between 2013 and 2014 that involved the loss/theft of unencrypted devices between 2012 and 2013. Two unencrypted flash drives containing the ePHI of 2,264 and 3,598 patients were lost, and an unencrypted laptop computer containing the ePHI of 29,021 patients was stolen. The Office for Civil Rights investigation concluded that M.D. Anderson was in violation of two provisions of the HIPAA Rules. The first violation was the failure to implement encryption or adopt an alternative and equivalent method to limit access to ePHI stored on electronic devices, and the second prohibits unauthorized disclosures of ePHI. HIPAA penalties are tiered and are based on the level of culpability, with the Office...

Read More
2020 HIPAA Violation Cases and Penalties
Jan13

2020 HIPAA Violation Cases and Penalties

The Department of Health and Human Services’ Office for Civil Rights (OCR) settled 19 HIPAA violation cases in 2020. More financial penalties were issued in 2020 than in any other year since the Department of Health and Human Services was given the authority to enforce HIPAA compliance. $13,554,900 was paid to OCR to settle the HIPAA violation cases. Penalties for Noncompliance with the HIPAA Right of Access In late 2019, the OCR announced a new HIPAA enforcement initiative to tackle noncompliance with the Right of Access standard of the HIPAA Privacy Rule. Since then, OCR has been highly active and has imposed 14 financial penalties for noncompliance, 11 of which were announced in 2020. The HIPAA Right of Access standard – 45 C.F.R. § 164.524(a) – gives patients the right to access, inspect, and obtain a copy of their own protected health information in a designated record set.  When a request is received from an individual or their personal representative, the records must be provided within 30 days. A reasonable, cost-based fee may be charged for providing a copy of...

Read More
OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine
Jan13

OCR Continues HIPAA Right of Access Crackdown with $200,000 Fine

The HHS’ Office for Civil Rights (OCR) is continuing to crackdown on healthcare providers that are not providing patients with timely access to their medical records. Yesterday, OCR announced a settlement had been agreed with Banner Health to resolve a HIPAA Right of Access investigation. Banner Health agreed to pay $200,000 to settle the case. The HIPAA Privacy Rule gives individuals the right to access, inspect, and obtain a copy of their own protected health information. When a request is received, HIPAA-covered entities are required to provide a copy of the requested records within 30 days. In late 2019, OCR announced it was cracking down on noncompliance with this important provision of HIPAA. Since then, 14 financial penalties have been imposed on covered entities that have failed to provide patients with timely access to their medical records. Phoenix, AZ-based Banner Health is one of the largest health care systems in the United States. The non-profit health system operates 30 hospitals and many primary care, urgent care, and specialty care facilities. OCR received two...

Read More
HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law
Jan12

HITECH Act Amendment Creating Cybersecurity Safe Harbor Signed into Law

On January 5, 2020, President Trump added his signature to a bill (HR 7898) that amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and creates a safe harbor for companies that have implemented recognized security best practices prior to experiencing a data breach. While the bill does not go as far as preventing the Department of Health and Human Services’ Office for Civil Rights from imposing financial penalties for HIPAA compliance issues that contributed to a data breach, the amendment requires OCR to take into consideration the security measures that were in place to reduce cybersecurity risk in the 12 months prior to a data breach. The main aim of the bill is to incentivize healthcare organizations to adopt an established, formalized, and recognized cybersecurity framework and adhere to industry security best practices, as doing so will provide a degree of insulation against regulatory enforcement actions. The bill requires the HHS to consider an entity’s use of recognized security best practices when investigating reported data breaches...

Read More
FBI Issues Warning About Increasing Egregor Ransomware Activity
Jan11

FBI Issues Warning About Increasing Egregor Ransomware Activity

The Federal Bureau of Investigation (FBI) has issued a Private Industry Alert about the growing threat of Egregor ransomware attacks. Egregor ransomware is a ransomware-as-a-service operation that was first identified in September 2020. The threat actors behind the operation recruit affiliates to distribute their ransomware and give them a cut of any ransoms they generate. The affiliates have been highly active over the past three months and have conducted attacks on many large enterprises. High-profile victims include Barnes & Noble, Ubisoft, Kmart, Crytek, and the Canadian transportation agency TransLink. The threat group claims to have gained access to more than 150 corporate networks and deployed their ransomware, with the ransom demands exceeding $4 million. Many affiliates have been recruited by the Egregor ransomware gang and each has their preferred method of distributing the ransomware. With a wide range of tactics, techniques, and procedures used to deliver the ransomware, defending against attacks can be a challenge for network defenders. Initial access to corporate...

Read More
Jail Terms for HIPAA Violations by Employees
Jan10

Jail Terms for HIPAA Violations by Employees

The penalties for HIPAA violations by employees can be severe, especially those involving the theft of protected health information. HIPAA violations by employees can attract a fine of up to $250,000 with a maximum jail term of 10 years and a 2-year jail term for aggravated identity theft. Jail terms for HIPAA violations are relatively rare, but there have been several cases where HIPAA violations by employees have been referred to the Department of Justice and have resulted in financial penalties and jail time. Some cases that have resulted in jail terms for HIPAA violations by employees are listed below, along with cases where jail terms have only narrowly been avoided. Jail Term for Former Transformations Autism Treatment Center Employee In February 2017, a former behavioral analyst at the Transformations Autism Treatment Center (TACT) was discovered to have stolen the protected health information of patients following termination. Jeffrey Luke, 29, of Collierville, TN gained access to a TACT Google Drive account containing the PHI of patients following termination and...

Read More
How Should You Respond to an Accidental HIPAA Violation?
Jan06

How Should You Respond to an Accidental HIPAA Violation?

The majority of HIPAA covered entities, business associates, and healthcare employees take great care to ensure HIPAA Rules are followed, but what happens when there is accidental HIPAA violation? How should healthcare employees, covered entities, and business associates respond? How Should Employees Report an Accidental HIPAA Violation? Accidents happen. If a healthcare employee accidentally views the records of a patient, if a fax is sent to an incorrect recipient, an email containing PHI is sent to the wrong person, or any other accidental disclosure of PHI has occurred, it is essential that the incident is reported to your Privacy Officer. Your Privacy Officer will need to determine what actions need to be taken to mitigate risk and reduce the potential for harm. The incident will need to be investigated, a risk assessment may need to be performed, and a report of the breach may need to be sent to the Department of Health and Human Services’ Office for Civil Rights (OCR). You should explain that a mistake was made and what has happened. You will need to explain which patient’s...

Read More
Healthcare Industry Cyberattacks Increase by 45%
Jan06

Healthcare Industry Cyberattacks Increase by 45%

In the fall of 2020, a warning was issued to the healthcare and public health sector following a spike in ransomware activity. The joint CISA, FBI, and HHS cybersecurity advisory explained that the healthcare industry was being actively targeted by threat actors with the aim of infecting systems with ransomware. Several ransomware gangs had stepped up attacks on the healthcare and public health sector, with the Ryuk and Conti operations the most active. A new report from Check Point shows attacks continued to increase in November and December 2020, when there was a 45% increase in cyber-attacks on healthcare organizations globally. The increase was more than double the percentage rise in attacks on all industry sectors worldwide over the same period. Globally, there was an average of 626 cyberattacks on healthcare organizations each week in November and December, compared to 430 attacks in October. The vectors used in the attacks have been varied, with Check Point researchers identifying an increase in ransomware, botnet, remote code execution, and DDoS attacks in November and...

Read More
Largest Healthcare Data Breaches in 2020
Jan01

Largest Healthcare Data Breaches in 2020

2020 was the worst ever year for healthcare industry data breaches. 616 data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights. 28,756,445 healthcare records were exposed, compromised, or impermissibly disclosed in those breaches, which makes 2020 the third worst year in terms of the number of breached healthcare records. The chart below clearly shows how healthcare industry data breaches have steadily increased over the past decade and the sharp rise in breaches in the past two years. The Largest Healthcare Data Breaches in 2020 When a breach occurs at a business associate of a HIPAA-covered entity, it is often the covered entity that reports the breach rather than the business associate. In 2020, a massive data breach was experienced by the cloud service provider Blackbaud Inc. Hackers gained access to its systems and stole customer fundraising databases before deploying ransomware. Blackbaud was issued with a ransom demand and a threat that the stolen data would be released publicly if the ransom was not paid. Blackbaud decided to pay the ransom...

Read More
CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool
Dec30

CISA Launches SolarWinds Supply Chain Compromise Website and Free Malicious Activity Detection Tool

The DHS’ Cybersecurity and Infrastructure Security Agency has launched a website providing resources related to the ongoing cyber activities of the advanced persistent threat (APT) group responsible for compromising the SolarWinds Orion software supply chain. The threat actors behind the attack gained access to the networks of federal, state, and local governments, critical infrastructure entities, and private sector organizations around the world. In addition to compromising the software update mechanism of SolarWinds Orion, the hackers also exploited vulnerabilities in commonly used authentication mechanisms to gain persistent access to networks. According to Microsoft, the main goal of the attackers appears to be to gain persistent local access to networks by delivering the Sunburst/Solarigate backdoor, then pivot to victims’ cloud assets. Recently it has become clear that more than one threat group is conducting cyber espionage after the discovery of a different malware variant that was introduced through the SolarWinds Orion software update feature. Microsoft and Palo Alto...

Read More
OCR Announces its 19th HIPAA Penalty of 2020
Dec23

OCR Announces its 19th HIPAA Penalty of 2020

The Department of Health and Human Services’ Office for Civil Rights (OCR) has settled a HIPAA Right of Access compliance case with Peter Wrobel, M.D., P.C., doing business as Elite Primary Care. Elite Primary Care is a provider of primary health services in Georgia. OCR launched a compliance investigation following receipt of a complaint from an Elite Primary Care patient on April 22, 2019 who alleged he had been denied access to his health records. OCR contacted the practice and provided technical assistance on the HIPAA Right of Access on May 2, 2019. OCR advised the practice to review the facts of the request and provide access to the requested records if the request met the requirements of the HIPAA Privacy Rule. The patient subsequently submitted a request for access in writing which was received by the practice on June 5, 2019. The patient filed a second complaint with OCR on October 9, 2019, as the practice continued to deny him access to his requested records. Elite Primary Care sent the patient’s medical records to his new healthcare provider on November 21, 2019 and...

Read More
November 2020 Healthcare Data Breach Report
Dec22

November 2020 Healthcare Data Breach Report

For the second successive month, the number of reported healthcare data breaches has fallen; however, it should be noted that the number of breaches reported in October 2020 was almost three times the average monthly number due, in a large part, to the ransomware attack on the cloud service provider Blackbaud. November saw 47 data breaches of 500 or more healthcare records reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and business associates, 25.39% fewer than October. Even with that reduction, breaches are still well above the 12-month average of 41 data breaches a month (Median = 38 breaches).   The number of healthcare records exposed in healthcare data breaches similarly fell for the second successive month. In November, 1,139,151 healthcare records were exposed or impermissibly disclosed, a 54.73% fall from October. The average number of monthly breached healthcare records over the past 12 months is 1,885,959 records and the median is 1,101,902 records. Largest Healthcare Data Breaches Reported in November 2020 Name of Covered Entity State Covered...

Read More
NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem
Dec22

NIST Releases Final Guidance on Securing the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem. PACS is a medical imaging technology that is used to securely store and digitally transmit medical images such as MRIs, CT scans, and X-rays and associated clinical reports and is ubiquitous in healthcare. These systems eliminate the need to store, send, and receive medical images manually, and assist healthcare delivery organizations by allowing the images to be securely and cheaply stored offsite in the cloud. PACS allows medical images to be easily retrieved using PACS software from any location. PACS is a system that by design cannot operate in isolation. In healthcare delivery organizations, PACS is usually integrated into highly complex environments and interfaces with many interconnected systems. The complexity of those environments means securing the PACS ecosystem can be a major challenge and it is easy for...

Read More
OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA
Dec21

OCR Issues Guidance on Disclosures of PHI to Health Information Exchanges under HIPAA

The Department of Health and Human Services’ Office for Civil Rights has published new guidance on the Health Insurance Portability and Accountability Act (HIPAA) Rules covering disclosures of protected health information (PHI) to health information exchanges (HIEs) for the public health activities of a public health authority (PHA). An HIE is an organization that enables the sharing of electronic PHI (ePHI) between more than two unaffiliated entities such as healthcare providers, health plans, and their business associates. HIEs’ share ePHI for treatment, payment, or healthcare operations, for public health reporting to PHAs, and for providing other functions and services such as patient record location and data aggregation and analysis. HIPAA supports the use of HIEs and the sharing of health data to improve public health, which has been especially important during the COVID-19 public health emergency. The HIPAA Privacy Rule permits HIPAA-covered entities and their business associates to disclose protected health information to an HIE for reporting to a PHA that is engaged in...

Read More
OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules
Dec18

OCR HIPAA Audits Industry Report Identifies Common Areas of Noncompliance with the HIPAA Rules

The Department of Health and Human Services’ Office for Civil Rights has published its 2016-2017 HIPAA Audits Industry Report, highlighting areas where HIPAA-covered entities and their business associates are complying or failing to comply with the requirements of the Health Insurance Portability and Accountability Act. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the HHS to conduct periodic audits of HIPAA covered entities and business associates to assess compliance with the HIPAA Rules. Between 2016 and 2017, the HHS conducted its second phase of compliance audits on 166 covered entities and 41 business associates to assess compliance with certain provisions of the HIPAA Privacy, Security, and Breach Notification Rules. The 2016/2017 HIPAA compliance audits were conducted on a geographically representative, broad cross-section of covered entities and business associates and consisted of desk audits – remote reviews of HIPAA documentation – rather than on-site audits. All entities have since been notified of the findings of their...

Read More
FTC Settles 2019 Consumer Data Breach Case with SkyMed
Dec18

FTC Settles 2019 Consumer Data Breach Case with SkyMed

The Nevada-based emergency services provider SkyMed has reached a settlement with the Federal Trade Commission (FTC) following an audit of its information security practices in the wake of a 2019 data breach that exposed consumers’ personal information. SkyMed was notified by security researcher Jeremiah Fowler in 2019 that it had a misconfigured Elasticsearch database that was leaking patient information. The lack of protection meant the records of 136,995 patients could be accessed over the internet without the need for any authentication. The database could be accessed using any Internet browser and personal information in the database could be downloaded, edited, or even deleted. The database contained information such as patient names, addresses, email addresses, dates of birth, membership account numbers, and health information, according to Fowler. Fowler also identified artifacts related to ransomware in the database. When notified about the exposed database, SkyMed launched an investigation but found no evidence to indicate any information in the database had been misused....

Read More
House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices
Dec16

House Passes Bill Calling for HHS to Recognize Adoption of Cybersecurity Best Practices

A new bill (HR 7898) has been passed by the House Energy and Commerce Committee which seeks to amend the HITECH Act to require the Department of Health and Human Services to recognize whether cybersecurity best practices have been adopted by HIPAA-covered entities and business associates when making certain determinations, such as financial penalties following security breaches or for other regulatory purposes. The HIPAA Safe Harbor Bill, if signed into law, would reward covered entities and business associates that have met cybersecurity practices through reduced financial penalties and shorter compliance audits. The legislation calls for the HHS Secretary to consider whether the entity has adequately demonstrated recognized security practices have been in place for no less than 12 months, which may mitigate financial penalties, result in an early, favorable termination of an audit, or mitigate other remedies which may otherwise have been agreed with respect to resolving potential HIPAA Security Rule violations. The bill defines ‘Recognized Security Practices’ as “standards,...

Read More
CISA: SolarWinds Orion Software Under Active Attack
Dec15

CISA: SolarWinds Orion Software Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting SolarWinds Orion IT monitoring and management software. The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated, evasive, nation state hacking group who created a Trojanized version of Orion software that has been used to deploy a backdoor into customers’ systems dubbed SUNBURST. The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and the SUNBURST backdoor. SolarWinds Orion is used by large public and private organizations and government agencies. SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign...

Read More
HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights
Dec10

HIPAA Privacy Rule Changes Proposed to Improve Care Coordination and Patient Rights

The Department of Health and Human Services has issued a notice of proposed rulemaking detailing multiple HIPAA Privacy Rule changes that are intended to remove regulatory burdens, improve care coordination, and give patients better access to their protected health information (PHI). OCR issued a request for public input on potential HIPAA Privacy Rule changes in December 2018 under the HHS’ Regulatory Sprint to Coordinated Care. The regulatory sprint was intended to accelerate transformation of the healthcare system and remove some of the barriers that have hampered the coordination of care, were making it difficult for healthcare providers to share patient information and placed an unnecessary burden on patients and their families who were trying to get their health information exchanged. In response to the request for information, the HHS received around 1,300 comments spanning 4,000 pages. The HHS has had to strike a balance between providing more flexibility to allow health information to be shared easily and ensuring the privacy and security of healthcare data. “Our proposed...

Read More
Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces
Dec10

Russian State-Sponsored Hackers Exploiting Vulnerability in VMWare Virtual Workspaces

The U.S. National Security Agency (NSA) has issued a cybersecurity advisory warning Russian state-sponsored hacking groups are targeting a vulnerability in VMWare virtual workspaces used to support remote working. The flaw, tracked as CVE-2020-4006, is present in certain versions of VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector products and is being exploited to gain access to enterprise networks and protected data on the affected systems. The flaw is a command-injection vulnerability in the administrative configurator component of the affected products. The vulnerability can be exploited remotely by an attacker with valid credentials and access to the administrative configurator on port 8443. If successfully exploited, an attacker would be able to execute commands with unrestricted privileges on the operating system and access sensitive data. VMWare released a patch to correct the vulnerability on December 3, 2020 and also published information to help network defenders identify networks that have already been compromised, along...

Read More
Six More Healthcare Providers Impacted by Ransomware Attacks
Dec10

Six More Healthcare Providers Impacted by Ransomware Attacks

GBMC HealthCare in Maryland, Golden Gate Regional Center in California, and Dyras Dental in Michigan have recently suffered ransomware attacks and Allegheny Health Network, AMITA Health, and Bayhealth have announced they have been affected by the ransomware attack on Blackbaud Inc. GBMC HealthCare Towson, MD-based GBMC HealthCare has announced it suffered a ransomware attack on December 6, 2020 that forced its computer systems offline and the healthcare provider is now operating under EHR downtime procedures while the attack is mitigated.  GBMC HealthCare had planned for such an attack and had processes in place to ensure care could continue to be provided to patients while keeping disruption to a minimum. Safe and effective care continues to be provided to patients and its emergency department did not stop receiving patients; however, some elective procedures scheduled for Monday 7, December were postponed. Efforts are underway to bring systems back online and restore the encrypted data and law enforcement has been notified and is investigating the attack. The Egregor ransomware...

Read More
Xavier Becerra Named Secretary of the Department of Health and Human Services
Dec07

Xavier Becerra Named Secretary of the Department of Health and Human Services

President-elect Joe Biden has named California Attorney General Xavier Becerra as Secretary of the Department of Health and Human Services. While the decision has been made according to The New York Times, the appointment has yet to be announced by his transition team. Biden is committed to building the most diverse administration in history and while progress has been made so far, Biden has faced criticism over the number of Latinos appointed to date. If the appointment of Becerra is confirmed by the senate, he will become the first ever Latino Secretary of the Department of Health and Human Services. The news of his selection has drawn praise from the Congressional Hispanic Caucus. Becerra has a long record of supporting the Affordable Care Act and helped steer the legislation through Congress in 2009 and 2010. The former Los Angeles area congressman also led the coalition of Democratic states that defended the Affordable Care Act and resisted attempts by the Trump Administration to overturn it. Becerra will be responsible for expanding the Affordable Care Act and is likely to...

Read More
COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign
Dec04

COVID-19 Vaccine Cold Chain Organizations Targeted in Global Phishing Campaign

The Cybersecurity Infrastructure and Security Agency has issued a warning about a global spear phishing campaign targeting organizations in the cold storage and supply chain that are involved with the distribution of COVID-19 vaccines. Two of the first vaccines to be produced must be kept and low temperatures during storage and transit prior to being administered. The Pfizer/BioNTech vaccine must be kept at -94°F (-70°C) and the Moderna vaccine at -4°F (-20°C), so cold chain organizations are a key element of the supply chain. At the start of the pandemic, IBM X-Force established a cyber threat task force to track threats targeting organizations involved in the fight against COVID-19. The task force recently published a report about an ongoing spear phishing campaign that started in September 2020 which is targeting organizations supporting the Cold Chain Equipment Optimization Platform program. The program was launched in 2015 by the United Nations Children’s Fund and partner organizations to distribute vaccines worldwide. Phishing emails have been sent to executives in sales,...

Read More
Researchers Describe Possible Synthetic DNA Supply Chain Attack
Dec02

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel have described a possible bioterrorist attack scenario in which the supply chain of synthetic DNA could be compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences and delivering them to unsuspecting customers. Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers. There are safety controls in place to prevent DNA being synthesized that could be harmful, but the Ben-Gurion University researchers point out that those safety checks are insufficient. Hackers could potentially exploit security weaknesses and inject rogue genetic information into the synthesis process, unbeknown to the customers or DNA synthesis providers. For example, rogue genetic material could be inserted that encodes for a harmful protein or a toxin. The researchers describe an attack scenario where...

Read More
FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity
Nov26

FBI Issues Warning About Increasing Ragnar Locker Ransomware Activity

Threat actors using Ragnar Locker ransomware have stepped up their attacks and have been targeting businesses and organizations in many sectors, according to a recent private industry alert from the Federal Bureau of Investigation (FBI). Ragnar Locker ransomware was first identified by security researchers in April 2019, with the first known attack targeting a large corporation that was issued with an $11 ransom demand for the keys to decrypt files and ensure the secure deletion of the 10 terabytes of sensitive data stolen in the attack. While not named in the FBI alert, the attack appears to have been on the multinational energy company, Energias de Portugal. The gang was also behind the ransomware attacks on the Italian drinks giant Campari and the Japanese gaming firm Capcom. Since that attack, the number of Ragnar Locker victims has been steadily growing. Attacks have been successfully conducted on cloud service providers, and companies in communication, construction, travel, enterprise software, and other industries. As with other human-operated ransomware attacks, the threat...

Read More
Free Google Services Abused in Phishing Campaigns
Nov26

Free Google Services Abused in Phishing Campaigns

Several phishing campaigns have been identified that are using free Google services to bypass email security gateways and ensure malicious messages are delivered to inboxes. Phishing emails often include hyperlinks that direct users to websites hosting phishing forms that harvest credentials. Email security gateways use a variety of methods to detect these malicious hyperlinks, including blacklists of known malicious websites, scoring of domains, and visiting the links to analyze the content on the destination website. If the links are determined to be suspicious or malicious, the emails are quarantined or rejected. However, by using links to legitimate Google services, phishers are managing to bypass these security measures and ensure their messages are delivered. The use of Google services by phishers is nothing new; however, security researchers at Arborblox have identified an uptick in this activity that has coincided with increased adoption of remote working. The researchers identified 5 campaigns abusing free Google services such as Google Forms, Google Drive, Google Sites,...

Read More
HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations
Nov25

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices. The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements. Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and...

Read More
October 2020 Healthcare Data Breach Report
Nov23

October 2020 Healthcare Data Breach Report

October saw well above average numbers of data breaches reported the HHS’ Office for Civil Rights. There were 63 reported breaches of 500 or more records, which is a 33.68% reduction from September but still 41.82% more breaches than the monthly average over the last 12 months. The elevated numbers of breaches can be partly explained by continued reports from healthcare organizations that were impacted by the ransomware attack on the cloud software firm Blackbaud. The protected health information of more than 2.5 million individuals were exposed or compromised in those 63 breaches, which is 74.08% fewer records than September, but still 26.81% more than the monthly average number of breached records over the past 12 months. Largest Healthcare Data Breaches Reported in October 2020 Name of Covered Entity Covered Entity Type Type of Breach Individuals Affected Breach Cause Luxottica of America Inc. Business Associate Hacking/IT Incident 829,454 Ransomware Attack AdventHealth Orlando Healthcare Provider Hacking/IT Incident 315,811 Blackbaud Ransomware Presbyterian Healthcare Services...

Read More
HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center
Nov20

HIPAA Right of Access Failure Results in $65,000 Fine for University of Cincinnati Medical Center

The HHS’ Office for Civil Rights has announced its 18th HIPAA financial penalty of the year with the 12th fine under its HIPAA Right of Access enforcement initiative. In 2019, OCR announced a new drive to ensure individuals are given timely access to their health records, at a reasonable cost, as mandated by the HIPAA Privacy Rule. It had become clear to OCR that healthcare providers were not always fully complying with this important HIPAA Privacy Rule provision and some patients were having trouble obtaining a copy of their medical records. The latest financial penalty of $65,000 was imposed on the University of Cincinnati Medical Center, LLC (UCMC) and stemmed from a complaint received by OCR on May 30, 2019 from a patient who had sent a request to UCMC on February 22, 2019 asking for an electronic copy of the medical records maintained in UCMC’s electronic health record system to be sent to her lawyer. The HIPAA Right of Access requires copies of medical records to be provided, on request, no later than 30 days after receipt of the request. 45 C.F.R. § 164.524 also states that...

Read More
Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users
Nov19

Microsoft Warns of Ongoing Sophisticated Phishing Campaign Targeting Office 365 Users

Microsoft has issued a warning to Office 365 about an ongoing phishing campaign targeting user credentials. The campaign uses sophisticated techniques to bypass email security gateways and social engineering tactics to fool company employees into visiting websites where credentials are harvested. A variety of lures are used in the phishing emails which target remote workers, such as fake password update requests, information on teleconferencing, SharePoint notifications, and helpdesk tickets. The lures are plausible and the websites to which Office 365 users are directed are realistic and convincing, complete with replicated logos and color schemes. The threat actors have used a range of techniques to bypass secure email gateways to ensure the messages are delivered to inboxes. These include redirector URLs that can detect sandbox environments and will direct real users to the phishing websites and security solutions to benign websites, to prevent analysis. The emails also incorporate heavy obfuscation in the HTML code. Microsoft notes that the redirector sites have a unique...

Read More
ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector
Nov18

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, saying, “At this time, we consider the threat to be credible, ongoing, and persistent.” In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020. Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a...

Read More
Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development
Nov16

Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data. The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29). The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently...

Read More
Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure
Nov13

Private Practitioner Pays $15,000 Penalty for HIPAA Right of Access Failure

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 11th financial penalty under its HIPAA Right of Access enforcement initiative. Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology has agreed to pay a financial penalty of $15,000 to settle the case and adopt a corrective action plan to address areas of noncompliance discovered by OCR during the investigation. OCR launched an investigation after a complaint was received from a patient in September 2018 alleging Dr. Bhayani had failed to provider her with a copy of her medical records. The patient had sent a request to the otolaryngologist in July 2018, but two months later and the records had still not been provided. OCR contacted Dr. Bhayani and provided technical assistance on the HIPAA Right of Access and closed the complaint; however, a second complaint was received from the patient a year after the first in July 2019 claiming she had still not been provided with her medical records. OCR intervened again and the records were eventually...

Read More
FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices
Nov11

FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices

The U.S. Federal Trade Commission has reached a settlement with Zoom to resolve allegations that the teleconferencing platform provider misled its customers about the level encryption and had failed to implement appropriate cybersecurity protections for its users. During the pandemic, use of the Zoom platform skyrocketed, with business users and consumers adopting the platform in the millions. The platform was used by consumers to maintain contact with friends and family, while remote workers used the platform to communicate with the office and collaborate while working from home. The platform proved to be extremely popular in healthcare for providing telehealth services and in education for communicating with students. Zoom reported in its second quarter earnings call that it has seen 400% growth of corporate clients with more than 10 employees and around 300 million meetings were taking place each day. The massive increase in popularity attracted the attention of security researchers, who discovered multiple security vulnerabilities in the platform. One of the main issues...

Read More
Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals
Nov11

Ransomware Attack on Medicaid Billing Service Provider Impacts 116,000 Individuals

Timberline Billing Service, LLC, a Des Moines, IA-based Medicaid billing company, has suffered a ransomware attack that resulted in the encryption and theft of data. An investigation into the attack revealed an unknown individual gained access to its systems between February 12, 2020 and March 4, 2020 and deployed ransomware. Prior to the encryption of files, some information was exfiltrated from its systems. Timberline’s clients include around 190 schools in Iowa. School districts in the state that have been impacted by the breach have now been notified. It is currently unclear exactly how many schools were affected and if the breach was limited to schools in Iowa. Timberline also has offices in Kansas and Illinois. The types of data potentially obtained by the attacker included names, dates of birth, Medicaid ID numbers, and billing information. A limited number of Social Security numbers were also potentially compromised. While data theft occurred, no reports have been received to indicate any data have been misused. The breach has been reported to the Department of Health and...

Read More
Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative
Nov06

Office for Civil Rights Announces 10th HIPAA Fine Under Right of Access Initiative

The U.S. Department of Health and Human Services’ Office for Civil Rights has announced its 10th financial penalty under its HIPAA Right of Access enforcement initiative. California-based Riverside Psychiatric Medical Group has agreed to pay a financial penalty of $25,000 to resolve a potential HIPAA Right of Access violation and will adopt a corrective action plan to ensure compliance with this important provision of the HIPAA Privacy Rule. The HHS will monitor Riverside Psychiatric Medical Group for 2 years to ensure continued compliance. OCR launched an investigation following receipt of a complaint from a patient in March 2019 alleging Riverside Psychiatric Medical Group failed to provide a copy of her medical records after she had made several requests, with the first request made in February 2019. OCR contacted Riverside Psychiatric Medical Group and provided technical assistance on how the practice could comply with the HIPAA Right of Access and the case was closed. A month later, in April 2019, a second complaint was received from the patient saying she had still not been...

Read More
Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000
Nov04

Wakefern Food Corporation Settles HIPAA Breach Case with NJ Attorney General for $235,000

Wakefern Food Corporation has agreed to pay $235,000 in civil financial penalties to resolve allegations of violations of federal and state laws related to a data breach involving the protected health information of 9,700 customers of two ShopRite supermarkets in Millville, New Jersey and Kingston, New York. In addition to the financial penalties, the settlement requires improvements to be made to data security practices. Wakefern Food Corporation is the parent company of Union Lake Supermarket, LLC, which owns the ShopRite store in Millville and ShopRite Supermarkets, Inc., which owns the ShopRite store in Kingston, NY. In 2016, Wakefern replaced electronic devices that were used to collect customer signatures and purchase information at the two locations. The old devices were disposed of in regular dumpsters without first destroying the devices or purging/clearing the stored data to ensure sensitive information could not be recovered. The devices contained the protected health information of 9,700 customers of the two stores including names, contact information, zip codes,...

Read More
ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule
Nov03

ONC Extends Deadline for Compliance with its Information Blocking and Interoperability Rule

The deadline for compliance with the information blocking and health IT certification requirements of the 21st Century Cures Act have been extended due to the ongoing COVID-19 pandemic. On October 29, 2020, the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) announced the release of an interim final rule with comment period that extended the compliance dates and timeframes for meeting certain information blocking and Conditions and Maintenance of Certification (CoC/MoC) requirements. The ONC’s Cures Act Final Rule, released on March 9, 2020, defined exceptions to the information blocking provision of the 21st Century Cures Act and adopted new Health IT certification requirements which, through the use of application programming interfaces (APIs), would enhance patients’ access to their own health data through their smartphones at no cost. Compliance deadlines were set for 2020, but health IT stakeholders expressed concern about meeting the deadlines due to the COVID-19 pandemic. On April 21, 2020, ONC announced that it would...

Read More
Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT
Nov02

Failure to Terminate Former Employee’s Access Rights Results in $202,400 HIPAA Fine for New Haven, CT

The City of New Haven, Connecticut has agreed to pay a $202,400 financial penalty to the Department of Health and Human Services’ Office for Civil Rights to resolve a HIPAA violation case. An OCR investigation was launched in May 2017 following receipt of a data breach notification from New Haven on January 24, 2017. OCR investigated whether the data breach was linked to potential violations of HIPAA Rules. During the investigation, OCR discovered the New Haven Health Department had terminated an employee on July 27, 2016 during her probationary period. The former employee returned to the New Haven Heath Department on July 27, 2016 with her union representative and used her work key to access her old office, where she locked herself inside with her union representative. While in her office, the former employee logged into her old computer using her username and password and copied information from her computer onto a USB drive. She also removed personal items and documents from the office, and then exited the premises. A file on the computer contained the protected health...

Read More
TigerConnect Survey Confirms Widespread Support for Telehealth Among Providers and Patients
Oct30

TigerConnect Survey Confirms Widespread Support for Telehealth Among Providers and Patients

The coronavirus pandemic has resulted in a major increase in healthcare providers offering telehealth services to patients. Virtual visits are being offered to reduce the number of patients visiting hospitals and physician offices to limit transmission of the virus to ensure patient safety. The increase in use is out of necessity, but new research confirms telehealth services are popular with providers and patients alike. TigerConnect, the provider of the most widely adopted communication platform in healthcare, recently commissioned a comprehensive Harris Poll survey to explore attitudes to telehealth among patients and healthcare providers. The survey was conducted on 2,039 U.S. adults aged 18 or older between July 23-27, 2020 and 500 healthcare clinicians between June and July 2020. 88% of healthcare providers who were already offering telehealth services to patients saw an increase in the use of telehealth services due to the coronavirus pandemic, with 71% of providers saying there was a large increase in use. It is understandable that so many providers and patients have...

Read More
Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector
Oct29

Advisory Warns of Targeted Ryuk Ransomware Attacks on the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued an advisory warning about increased Ryuk ransomware activity targeting the healthcare and public health sector. Credible evidence has been obtained indicating an increased and imminent threat to hospitals and healthcare providers in the United States. The advisory details some of the tactics, techniques, and procedures (TTPs) used by the operators of Ryuk ransomware and other cybercriminal groups who are assisting with the distribution of the ransomware to help the healthcare sector manage risk and protect their networks from attacks. The advisory explains that Ryuk ransomware is commonly delivered as a secondary payload by the TrickBot Trojan. TrickBot is a banking Trojan that was first identified in 2016 that has since been updated with a host of new functions. In addition to stealing banking credentials, TrickBot is capable of mail exfiltration, cryptomining, data exfiltration from point of sale systems, and acts as...

Read More
Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches
Oct29

Aetna Hit with $1 Million HIPAA Fine for Three Data Breaches

Aetna Life Insurance Company and the affiliated covered entity (Aetna) has agreed to settle multiple potential HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR) that were discovered during the investigation of three data breaches that occurred in 2017. The first of those data breaches was reported to OCR in June 2017 and concerned the exposure of the protected health information (PHI) of health plan members over the Internet. Two web services were used to display health plan-related documents to its members, but those documents could be accessed over the Internet without the need for any login credentials. The lack of authentication allowed the documents to be indexed by search engines and displayed in search results. Aetna’s investigation revealed the PHI of 5,002 individuals had been exposed, which included names, insurance identification numbers, claim payment amounts, procedures service codes, and dates of service. The second two HIPAA breaches involved the exposure and impermissible disclosure of highly sensitive information in...

Read More
FDA Approves Tool for Scoring Medical Device Vulnerabilities
Oct23

FDA Approves Tool for Scoring Medical Device Vulnerabilities

The FDA has approved a new rubric designed by the MITRE Corporation for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities. The CVSS was designed for assigning scores to vulnerabilities in IT systems according to their severity, and while the system works well for many IT systems, it is less well suited to scoring vulnerabilities in medical devices. When vulnerabilities are discovered in medical devices, device manufacturers use the CVSS as a consistent and standardized way of communicating the severity of a vulnerability to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other agencies. The scores are used by IT teams in hospitals and clinics for prioritizing patching and software updates. If a vulnerability has a score of 9.0, it naturally takes priority over a vulnerability with a CVSS score of 3.0, for instance. However, CVSS base scores do not adequately reflect the clinical environment and potential patient safety impacts. To address this issue, the FDA contracted the...

Read More
September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised
Oct22

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020. Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records. Causes of September 2020 Healthcare Data Breaches The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers. Blackbaud was able to contain the breach; however, prior...

Read More
6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks
Oct21

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries. The six individuals are suspected members of the GRU: Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years. Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability. Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck,...

Read More
Active Threat Warning Issued About SharePoint RCE Vulnerability
Oct20

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and infrastructure Security Agency is also urging organizations to patch the flaw promptly to prevent exploitation. The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges. To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques. The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases: Microsoft SharePoint Foundation 2013 Service Pack 1 Microsoft SharePoint Enterprise...

Read More
Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data
Oct19

Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers. The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the Shodan.io search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed. The voicemails included caller names, phone numbers, voicemail box identifiers, internal identifiers, and the transcripts included personal information such as full names, phone...

Read More
Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA
Oct16

Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Flaw Now, Warns CISA

On October 2020 Patch Tuesday, Microsoft released a patch to correct a critical remove code execution vulnerability in the Microsoft Windows Transmission Control Protocol (TCP)/IP stack. The flaw concerns how the TCP/IP stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets. The flaw was assigned a CVSS v3 score of 9.8 out of 10. While all patches should be applied promptly to prevent exploitation, there is usually a delay between patches being released and exploits being developed and used offensively against organizations; however, due to the severity of the flaw and the ease at which it can be exploited, patching this vulnerability is especially important. So much so that the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) took to Twitter to urge all organizations to apply the patch immediately. An attacker could exploit the flaw remotely in a Denial of Service attack, resulting in a ‘blue screen of death’ system crash; however, exploitation could also allow the remote execution of arbitrary code on...

Read More
Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack
Oct14

Sen. Warner Seeks Answers about Suspected Universal Health Services Ransomware Attack

Universal Health Services has confirmed that all 250 of its hospitals in the United States are back up and running after a suspected ransomware attack that knocked out its systems for 3 weeks. The attack started on or around September 27, 2020. All systems were brought back online by October 12. An update was posted on the UHS website this week saying, “With back-loading of data substantially complete at this point, hospitals are resuming normal operations.” While systems were down, clinicians were forced to work with pen and paper in order to continue providing care for patients and, at some locations, patients had to be diverted to alternate facilities to receive treatment. The health system reported the security breach as a malware attack which forced it to shut down its network; however, several insiders took to Reddit to voice their concerns and explain that this was a ransomware attack. Based on the data posted by those insiders, the attack appeared to have involved Ryuk ransomware. The operators of Ryuk ransomware are known to exfiltrate data prior to the...

Read More
CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw
Oct13

CISA/FBI: APT Groups Chaining Legacy Vulnerabilities with Netlogon Flaw

A joint advisory has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warning about sophisticated advanced persistent threat actors chaining exploits for multiple vulnerabilities in cyberattacks against federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure, and election support systems. While there have been successful attacks on the latter, no evidence has been found to suggest any election data have been compromised to date. Several legacy vulnerabilities are being targeted along with more recently discovered vulnerabilities, such as the Windows Server Netlogon remote protocol vulnerability – CVE-2020-1472 – also known as Zerologon. A patch for the flaw was issued by Microsoft on August 2020 Patch Tuesday but patching has been slow. Chaining vulnerabilities in a single cyberattack is nothing new. It is a common tactic used by sophisticated threat groups to compromise networks and applications, elevate privileges, and achieve persistent access to victims’...

Read More
OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative
Oct12

OCR Announces 9th Financial Penalty under its HIPAA Right of Access Initiative

The HHS’ Office for Civil Rights (OCR) is continuing its crackdown on healthcare providers that are not fully complying with the HIPAA right of access. Last week, OCR announced its ninth enforcement action against a HIPAA-covered entity for the failure to provide patients with timely access to their medical records at a reasonable cost. HIPAA gives patients the right to view or receive a copy of their medical records. When a request is made for access to medical records, HIPAA-covered entities must provide access or supply a copy of the requested medical records as soon as possible, but no later than 30 days after the request is received. By obtaining a copy of their medical records, patients can share those records with other providers, research organizations, or individuals of their choosing. Patients can check their medical records for errors and submit requests to correct any mistakes. In the event of a ransomware attack that renders medical records inaccessible, patients who have a copy of their records ensure that their health histories are never lost. Under the OCR HIPAA...

Read More
Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation
Oct09

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million. A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information. The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during...

Read More
OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure
Oct08

OCR Imposes $160,000 Penalty on Healthcare Provider for HIPAA Right of Access Failure

The Department of Health and Human Services’ Office for Civil Rights has announced its 12th HIPAA penalty of 2020 and its 8th under the HIPAA Right of Access enforcement initiative that was launched in 2019. The $160,000 settlement is the largest HIPAA penalty to date for a failure to provide an individual with timely access to their requested medical records. On January 24, 2018, Dignity Health, doing business as St. Joseph’s Hospital and Medical Center (SJHMC), received a request from the mother of a patient who wanted a copy of her son’s medical records. The mother was acting as the personal representative of her son. After not receiving all of the requested records by April 25, 2018, the mother lodged a complaint with the Office for Civil Rights. OCR investigated the potential HIPAA violation and determined the complainant had requested four specific sets of medical records from SJHMC. The first request was sent on January 24, 2018, and the same records were requested on March 22, April 3, and May 2, 2018. SJHMC did respond to the requests and provided some, but not all, of the...

Read More
What are the HIPAA Breach Notification Requirements?
Oct04

What are the HIPAA Breach Notification Requirements?

All HIPAA covered entities must familiarize themselves with the HIPAA breach notification requirements and develop a breach response plan that can be implemented as soon as a breach of unsecured protected health information is discovered. While most HIPAA covered entities should understand the HIPAA breach notification requirements, organizations that have yet to experience a data breach may not have a good working knowledge of the requirements of the Breach Notification Rule. Vendors that have only just started serving healthcare clients may similarly be unsure of the reporting requirements and actions that must be taken following a breach. The issuing of notifications following a breach of unencrypted protected health information is an important element of HIPAA compliance. The failure to comply with HIPAA breach notification requirements can result in a significant financial penalty. With this in mind, we have compiled a summary of the HIPAA breach notification requirements for covered entities and their business associates. Summary of the HIPAA Breach Notification Requirements...

Read More
Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment
Oct02

Treasury Department Warns of Sanctions Risks if Facilitating or Paying a Ransomware Payment

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has warned that companies that facilitate ransom payments to cybercriminals on behalf of victims of the attacks could face sanctions risks for violating OFAC regulations. Victims of ransomware attacks that pay ransoms to cyber actors could similarly face steep fines from the federal government if it is discovered that the criminals behind the attacks are already under economic sanctions. “Demand for ransomware payments has increased during the COVID-19 pandemic as cyber actors target online systems that U.S. persons rely on to continue conducting business,” explained OFAC in its advisory on potential sanctions risks for facilitating ransomware payments. “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Several individuals involved in ransomware attacks...

Read More
Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack
Oct02

Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provided further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers. Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided. Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data...

Read More
Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties
Oct01

Anthem Inc. Settles State Attorneys General Data Breach Investigations and Pays $48.2 Million in Penalties

The Indianapolis, IN-based health insurer Anthem Inc. has settled a multi-state investigation by state attorneys general over its 78.8 million record data breach in 2014. One settlement was agreed with Attorneys General in 43 states and Washington D.C for $39.5 million and a separate settlement was reached with the California Attorney General for $8.7 million.  The settlements resolve violations of Federal and state laws that contributed to the data breach – the largest ever breach of healthcare data in the United States. The cyberattack on Anthem occurred in 2014. Hackers targeted the health insurer with phishing emails, the responses to which gave them the foothold in the network they needed. From there, the hackers spent months exploring Anthem’s network and exfiltrating data from its customer databases. Data stolen in the attack included the names, contact information, dates of birth, health insurance ID numbers, and Social Security numbers of current and former health plan members and employees. And was announced by Anthem in February 2015. A Chinese national and an unnamed...

Read More
Universal Health Services Ransomware Attack Cripples IT Systems Across United States
Sep29

Universal Health Services Ransomware Attack Cripples IT Systems Across United States

Universal Health Services (UHS), a King of Prussia, PA-based health system with more than 400 healthcare facilities in the United States and UK, has suffered a major security breach that has seen its IT systems crippled. The Fortune 500 healthcare provider has more than 90,000 employees and serves around 3.5 million patients each year. According to a statement published on its website, the company “experienced an information technology security incident in the early morning hours of September 27, 2020.” Upon discovery of the breach, UHS “suspended user access to its information technology applications related to operations located in the United States.” UHS has implemented information security and emergency protocols and is working closely with its security partners to mitigate the attack and restore its IT operations as quickly as possible. The cyberattack crippled its IT systems, leaving affected hospitals without access to their computer and phone systems. UK facilities were unaffected by the attack. The attack forced UHS to redirect ambulances to other healthcare providers and...

Read More
OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross
Sep28

OCR Imposes 2nd Largest Ever HIPAA Penalty of $6.85 Million on Premera Blue Cross

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during the investigation of a 2014 data breach involving the electronic protected health information of 10.4 million individuals. Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest and serves more than 2 million individuals in Washington and Alaska. In May 2014, an advanced persistent threat group gained access to Premera’s computer system where they remained undetected for almost 9 months. The hackers targeted the health plan with a spear phishing email that installed malware. The malware gave the APT group access to ePHI such as names, addresses, dates of birth, email addresses, Social Security numbers, bank account information, and health plan clinical information. The breach was discovered by Premera Blue Cross in January 2015 and OCR was notified about the breach in March 2015. OCR launched an investigation into the breach and discovered “systemic...

Read More
Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures
Sep23

Business Associate Fined $2.3 Million for Breach of 6 Million Records and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation fine of 2020. This is the 7th financial penalty to resolve HIPAA violations that has been announced in as many days. The latest financial penalty is the largest to be imposed in 2020 at $2.3 million and resolves a case involving 5 potential violations of the HIPAA Rules, including a breach of the electronic protected health information (ePHI) of 6,121,158 individuals. CHSPSC LLC is Tennessee-based management company that provides services to many subsidiary hospital operator companies and other affiliates of Community Health Systems, including legal, compliance, accounting, operations, human resources, IT, and health information management services. The provision of those services requires access to ePHI, so CHSPSC is classed as a business associate and is required to comply with the HIPAA Security Rule. On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. Using compromised admin credentials, the hackers remotely accessed...

Read More
Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic
Sep21

Noncompliance with HIPAA Results in $1.5 Million Financial Penalty for Athens Orthopedic Clinic

The HHS’ Office for Civil Rights has announced a $1.5 million settlement has been reached with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules. OCR conducted an investigation into a data breach reported by the Athens, GA-based healthcare provider on July 29, 2016.  Athens Orthopedic Clinic had been notified by Dissent of Databreaches.net on June 26, 2016 that a database containing the electronic protected health information (ePHI) of Athens Orthopedic Clinic patients had been listed for sale online by a hacking group known as The Dark Overlord. The hackers are known for infiltrating systems, stealing data, and issuing ransom demands, payment of which are required to prevent the publication/sale of data. Athens Orthopedic Clinic investigated the breach and determined that the hackers gained access to its systems on June 14, 2016 using vendor credentials and exfiltrated data from its EHR system. The records of 208,557 patients were stolen in the attack, including names, dates of birth, Social Security...

Read More
Hospital Ransomware Attack Results in Patient Death
Sep18

Hospital Ransomware Attack Results in Patient Death

Ransomware attacks on hospitals pose a risk to patient safety. File encryption results in essential systems crashing, communication systems are often taken out of action, and clinicians can be prevented from accessing patients’ medical records. Highly disruptive attacks may force hospitals to redirect patients to alternate facilities, which recently happened in a ransomware attack on the University Clinic in Düsseldorf, Germany. One patient who required emergency medical treatment for a life threatening condition had to be rerouted to an alternate facility in Wuppertal, approximately 21 miles away. The redirection resulted in a one-hour delay in receiving treatment and the patient later died. The death could have been prevented had treatment been provided sooner. The attack occurred on September 10, 2020 and completely crippled the clinic’s systems. Investigators determined that the attackers exploited a vulnerability in “widely used commercial add-on software” to gain access to the network. As the encryption process ran, hospital systems started to crash and medical records could...

Read More
CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability
Sep18

CISA Warns of Public Exploit for Windows Netlogon Remote Protocol Vulnerability

CISA has published information on a critical vulnerability in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) now that a public exploit for the flaw has been released. If exploited, an attacker could gain access to a domain controller with administrator privileges. MS-NRPC is a core component of Active Directory that provides authentication for users and accounts. “The Netlogon Remote Protocol (MS-NRPC) is an RPC interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel,” explained Microsoft. The vulnerability, tracked as CVE-2020-1472, is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller. MS-NRPC reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which would allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and gain domain administrator privileges. Microsoft is addressing the...

Read More
HHS Releases Updated Security Risk Assessment Tool
Sep16

HHS Releases Updated Security Risk Assessment Tool

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a new version of its Security Risk Assessment (SRA) Tool has now been released. The SRA tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with OCR to help small- to medium-sized healthcare providers comply with the security risk assessment requirements of the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. A security risk assessment is conducted to identify all risks to the confidentiality, integrity, and availability of protected health information (PHI). The risk assessment should identify any unaddressed risks, which can then be addressed by implementing appropriate physical, technical, and organizational safeguards. HIPAA compliance audits and investigations of data breaches have revealed healthcare providers often struggle with the risk assessment. Risk assessment failures are one of the most common reasons why HIPAA penalties are issued....

Read More
HIPAA Right of Access Failures Result in Five OCR HIPAA Fines
Sep16

HIPAA Right of Access Failures Result in Five OCR HIPAA Fines

The Department of Health and Human Services’ Office for Civil Rights has announced five settlements have been reached to resolve HIPAA violations discovered during the investigation of complaints from patients who had experienced problems obtaining a copy of their health records. The HIPAA Privacy Rule gives individuals the right to have timely access to their health records at a reasonable cost. If an individual chooses to exercise their rights under HIPAA and submit a request for a copy of their health records, a healthcare provider must provide those records without reasonable delay and within 30 days of receiving the request. After receiving multiple complaints from individuals who had been prevented from obtaining a copy of their health records, OCR launched its HIPAA right of access initiative in 2019 and made compliance with the HIPAA right of access one of its enforcement priorities. Two settlements were reached with HIPAA covered entities in 2019 over HIPAA right of access failures. Bayfront Health St Petersburg and Korunda Medical, LLC were each ordered to pay a financial...

Read More
CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws
Sep15

CISA Warns of Ongoing Attacks by Chinese Hacking Groups Targeting F5, Citrix, Pulse Secure, and MS Exchange Flaws

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory warning hackers affiliated with China’s Ministry of State Security (MSS) are conducting targeted cyberattacks on U.S. government agencies and private sector companies. The attacks have been ongoing for more than a year and often target vulnerabilities in popular networking devices such as Citrix and Pulse Secure VPN appliances, F5 Big-IP load balancers, and Microsoft Exchange email servers. The hacking groups use publicly available information and open source exploit tools in the attacks such as China Chopper, Mimikatz, and Cobalt Strike. The hacking groups, which have varying levels of skill, attempt to gain access to federal computer networks and sensitive corporate data and several attacks have been successful. The software vulnerabilities exploited by the hackers are all well-known and patches have been released to correct the flaws, but there are many potential targets that have yet to apply the patches and are vulnerable to attack. Some of the most...

Read More
Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge
Sep09

Privacy Lawsuit Against UChicago and Google Dismissed by Federal Judge

A potential class action lawsuit filed against the University of Chicago, UChicago Medicine, and Google over an alleged privacy and HIPAA breach has been dismissed by a Federal judge. The lawsuit was filed in June 2019 in response to an alleged violation of HIPAA Rules related to a data sharing partnership between the University of Chicago Medicine and Google. In 2017, the University of Chicago Medicine sent the de-identified data of patients to Google as part of an initiative to use medical records to improve predictive analysis of hospitalizations, and by doing so, improve the quality of patient care. The aim of the partnership was to use machine learning techniques to identify when a patient’s health is declining, to allow timely interventions to prevent hospitalization. The University of Chicago Medicine sent hundreds of thousands of patient records dating from 2009 to 2016 to Google. The data shared with Google was deidentified but contained physicians’ notes and time stamps of dates of service. The lawsuit was filed by Edelson PC on behalf of lead plaintiff, Matt Dinerstein,...

Read More
Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA
Sep08

Feedback Sought on Draft Consumer Privacy Framework for Health Data Not Covered by HIPAA

The eHealth Initiative & Foundation (eHI) and the Center for Democracy and Technology (CDT) recently released a draft consumer privacy framework for health data to address gaps in legal protections for the health data of consumers that falls outside the protection of the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Rules require healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities to implement safeguards to ensure the confidentiality, integrity, and availability of health data. There are restrictions on uses and disclosures of healthcare data and Americans are also given rights over how their protected health information is used, to whom that information may be disclosed, and they have the right to access their health data. Many organizations collect, use, store, and transmit many of the data elements within the category of ‘protected health information’, yet if they are not HIPAA-covered entities or business associates of HIPAA-covered entities, HIPAA Rules will not apply. The eHI/CDT...

Read More
CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity
Sep07

CISA Issues Technical Guidance on Uncovering and Remediating Malicious Network Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued guidance for network defenders and incident response teams on identifying malicious activity and mitigating cyberattacks.  The guidance details best practices for detecting malicious activity and step by step instructions for investigating potential security incidents and securing compromised systems. The purpose of the guidance is “to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.” The guidance will help incident response teams collect the data necessary to investigate suspicious activity within the network, such host-based artifacts, conduct a host analysis review and analysis of network activity, and take the right actions to mitigate a cyberattack. The guidance document was created in collaboration with cybersecurity authorities in the United States, United Kingdom, Australia, New Zealand and Canada and includes technical help for security teams to help them identify malicious attacks in progress and mitigate attacks...

Read More
OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers
Sep04

OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal. The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs). The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate. “Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.” The portal provides access to...

Read More
Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million
Sep04

Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days. Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation. Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach. The total number of healthcare organizations affected by the breach is still not known, nor the total number of individuals...

Read More
Assured Imaging Ransomware Attack Affects Almost 245,000 Patients
Sep04

Assured Imaging Ransomware Attack Affects Almost 245,000 Patients

Tucson, AZ-based Assured Imaging, a subsidiary of Rezolut Medical Imaging and provider of Health Screening and Diagnostic Services, has announced it has suffered a ransomware attack that resulted in the encryption of its medical record system. Assured Imaging discovered the attack on May 19, 2020 and worked quickly to stop any further unauthorized access and restore the encrypted data. Assisted by a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the scope of the breach. The investigation revealed an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated “limited data” prior to the deployment of ransomware. The forensic investigation confirmed data had been stolen but it was not possible to determine exactly what information was exfiltrated by the attackers. A review was conducted to identify all types of information that could potentially have been accessed. The compromised system was found to contain full names, addresses, dates of birth, patient IDs, facility used, treating...

Read More
Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE
Sep01

Agent Tesla Trojan Distributed in COVID-19 Phishing Campaign Offering PPE

A sophisticated COVID-19 themed phishing campaign has been detected that spoofs chemical manufacturers and importers and exporters offering the recipient personal protective equipment (PPE) such as disposable face masks, forehead temperature thermometers, and other medical supplies to help in the fight against COVID-19. The campaign was detected by researchers at Area 1 Security, who say the campaign has been active since at least May 2020 and has so far targeted thousands of inboxes. The threat actors behind the campaign regularly change their tactics, techniques, and procedures (TTPs) to evade detection by security tools, typically every 10 days. The threat actors regularly rotate IP addresses for each new wave of phishing emails, frequently change the companies they impersonate, and revise their phishing lures. In several of the intercepted emails, in addition to spoofing a legitimate company, the names of real employees along with their email addresses and contact information are used to add legitimacy. The emails use the logos of the spoofed companies and the correct URL of...

Read More
Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations
Aug28

Radiology Groups Issue Warning About PHI Exposure in Online Medical Presentations

The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations. Healthcare professionals often create presentations that include medical images for educational purposes; however, care must be taken to ensure that protected health information is not accidentally exposed or disclosed. Medical images contain embedded patient identifiers to ensure the images can be easily matched with the right patient but advances in web crawling technology is now allowing that information to be extracted, which places patient privacy at risk. The web crawling technology used by search engines such as Google and Bing have enabled the large-scale extraction of information from previously stored files. Advances in the technology now allow information in slide presentations that was previously considered to be de-identified to be indexed, which can include patient identifiers. Source images can be extracted...

Read More
HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires
Aug28

HHS Announces Limited HIPAA Privacy Rule Waivers Due to Hurricane Laura and the Californian Wildfires

The Secretary of the HHS, Alex Azar, has declared a public health emergency exists in the states of Louisiana and Texas as a result of the consequences of Hurricane Laura, and in California due to ongoing wildfires. During public health emergencies the HIPAA Rules are not suspended; however, the HHS Secretary may choose to waive certain provisions of the HIPAA Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. In addition to the declaration of public health emergencies, the HHS Secretary has declared that sanctions and penalties against hospitals will be waived for the following provisions of the HIPAA Privacy Rule. The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b). The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a). The requirement to distribute a notice of privacy practices. See 45 CFR 164.520. The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)....

Read More
OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory
Aug27

OCR Highlights the Importance of Creating and Maintaining a Comprehensive IT Asset Inventory

The risk analysis is one of the most important requirements of the HIPAA Security Rule, yet it is one of the most common areas of noncompliance discovered during Office for Civil Rights data breach investigations, compliance reviews, and audits. While there have been examples of HIPAA-covered entities ignoring this requirement entirely, in many cases noncompliance is due to the failure to perform a comprehensive risk analysis across the entire organization. In order to perform a comprehensive risk analysis to identity all threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI), you must first know how ePHI arrives in your organization, where it flows, where all ePHI is stored, and the systems that can be used to access that information. One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization. In its Summer 2020 Cybersecurity Newsletter, OCR highlighted the importance of maintaining a comprehensive IT asset inventory and explains how it can assist with the...

Read More
Study Reveals Increase in Credential Theft via Spoofed Login Pages
Aug26

Study Reveals Increase in Credential Theft via Spoofed Login Pages

A new study conducted by IRONSCALES shows there has been a major increase in credential theft via spoofed websites. IRONSCALES researchers spent the first half of 2020 identifying and analyzing fake login pages that imitated major brands. More than 50,000 fake login pages were identified with over 200 brands spoofed. The login pages are added to compromised websites and other attacker-controlled domains and closely resemble the genuine login pages used by those brands. In some cases, the fake login is embedded within the body of the email. The emails used to direct unsuspecting recipients to the fake login pages use social engineering techniques to convince recipients to disclose their usernames and passwords, which are captured and used to login to the real accounts for a range of nefarious purposes such as fraudulent wire transfers, credit card fraud, identity theft, data extraction, and more. IRONSCALES researchers found the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. The brand with the most fake login pages – 11,000...

Read More
FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers
Aug24

FBI and CISA Issue Joint Warning About Vishing Campaign Targeting Teleworkers

An ongoing voice phishing (vishing) campaign is being conducted targeting remote workers from multiple industry sectors. The threat actors impersonate a trusted entity and use social engineering techniques get targets to disclose their corporate Virtual Private Network (VPN) credentials. The Federal Bureau of Investigation (FBI) and the DHS Cybersecurity and infrastructure Security Agency (CISA) have issued a joint advisory about the campaign, which has been running since mid-July. The COVID-19 pandemic forced many employers to allow their entire workforce to work from home and connect to the corporate network using VPNs. If those credentials are obtained by cybercriminals, they can be used to access the corporate network. The threat group first purchases and registers domains that are used to host phishing pages that spoof the targeted company’s internal VPN login page and SSL certificates are obtained for the domains to make them appear authentic. Several naming schemes are used for the domains to make them appear legitimate, such as [company]-support, support-[company], and...

Read More
New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers
Aug21

New FritzFrog P2P Botnet Targets SSH Servers of Banks, Educational Institutions, and Medical Centers

A new peer-to-peer (P2P) botnet has been discovered that is targeting SSH servers found in IoT devices and routers which accept connections from remote computers. The botnet, named FritzFrog, spreads like a computer worm by brute forcing credentials. The botnet was analyzed by security researchers at Guardicore Labs and was found to have successfully breached more than 500 servers, with that number growing rapidly. FritzFrog is modular, multi-threaded, and fileless, and leaves no trace on the machines it infects. FritzFrog assembles and executes malicious payloads entirely in the memory, making infections hard to detect. When a machine is infected, a backdoor is created in the form of an SSH public key, which provides the attackers with persistent access to the device. Additional payloads can then be downloaded, such as a cryptocurrency miner. Once a machine is compromised, the self-replicating process starts to execute the malware throughout the host server. The machine is added to the P2P network, can receive and execute commands sent from the P2P network, and is used to...

Read More
July 2020 Healthcare Data Breach Report
Aug19

July 2020 Healthcare Data Breach Report

July saw a major fall in the number of reported data breaches of 500 or more healthcare records, dropping below the 12-month average of 39.83 breaches per month. There was a 30.8% month-over-month fall in reported data breaches, dropping from 52 incidents in June to 36 in July; however, the number of breached records increased 26.3%, indicating the severity of some of the month’s data breaches.   1,322,211 healthcare records were exposed, stolen, or impermissibly disclosed in July’s reported breaches. The average breach size was 36,728 records and the median breach size was 6,537 records. Largest Healthcare Data Breaches Reported in July 2020 14 healthcare data breaches of 10,000 or more records were reported in July, with two of those breaches involving the records of more than 100,000 individuals, the largest of which was the ransomware attack on Florida Orthopaedic Institute which resulted in the exposure and potential theft of the records of 640,000 individuals. The other 100,000+ record breach was suffered by Behavioral Health Network in Maine. The breach was reported as...

Read More
Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed
Aug17

Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories. Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community. Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data. Exposed PII and PHI in Public GitHub Repositories Jelle Ursem is an ethical security...

Read More
Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online
Aug17

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot. Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot. The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then make contact with the data owners to try to get the data secured. The role of the Meow bot is search and destroy. When exposed...

Read More
NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses
Aug14

NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses

NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture. Zero trust is a concept that involves changing defenses from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or asset ownership. Under the zero trust approach, authentication and authorization are discreet functions that occur with subjects and devices before a session is established with an enterprise resource. The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks. All too often, credentials are stolen and are used by threat actors to gain access to...

Read More
OCR Warns of Postal Scam Targeting HIPAA Compliance Officers
Aug10

OCR Warns of Postal Scam Targeting HIPAA Compliance Officers

The Department of Health and Human Services’ Office for Civil Rights is warning healthcare organizations about a potential phishing scam being conducted by mail that has been designed to scare compliance officers into visiting a website or taking other immediate action with respect to a mandatory HIPAA risk assessment. Postcards have been sent to several healthcare organizations that masquerade as an official communication from the Office for Civil Rights. The postcards are addressed to the HIPAA compliance officer and state a mandatory HIPAA compliance risk assessment must be performed. The postcards warn that “HIPAA violations cost your practice. The federal fines for noncompliance are based on perceived negligence found within your organization at the time of the HIPAA violation.” The postcards remind the recipient that “fines can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation.” The postcards claim to have been sent by the Secretary of Compliance of the HIPAA Compliance Division – a position that does...

Read More
House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System
Aug07

House of Representatives Votes to Remove Ban on HHS Funding a National Patient Identifier System

The House of Representatives has voted to lift the ban on the Department of Health and Human Services using federal funds to develop a national patient identifier system. The Health Insurance Portability and Accountability Act (HIPAA) called for the development of a national patient identifier system. As the name suggests, a national patient identifier system would see each person in the united States issued with a permanent, unique identification number, similar to a Social Security number, that would allow each patient to be identified across the entire healthcare system in the United States. If a patient from California visited an emergency room in New York, the patient identifier could be used to instantly identify the patient, allowing the healthcare provider to access their medical history. Currently, the lack of such an identifier makes matching patients with their medical records complicated, which increases the potential for misidentification of a patient. The extent to which records are mismatched has been shown in multiple studies. For instance, in 2012, a study...

Read More
FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System
Aug06

FBI Urges Enterprises to Upgrade Windows 7 Devices to a Supported Operating System

The FBI Cyber Division has issued a Private Industry Notification advising enterprises still using Windows 7 within their infrastructure to upgrade to a supported operating system due to the risk of security vulnerabilities in the Windows 7 operating system being exploited. The FBI has observed an increase in cyberattacks on unsupported operating systems once they reach end-of-life status. Any organization that is still using Windows 7 on devices faces an increased risk of cybercriminals exploiting vulnerabilities in the operating system to remotely gain network access. “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered,” warned the FBI. The Windows 7 operating system reached end-of-life on January 14, 2020 and Microsoft stopped releasing free patches to correct known vulnerabilities. Microsoft is only providing security updates for Windows 7 Professional, Windows 7 Enterprise, and Windows 7 Ultimate if users sign up for the Extended Security Update (ESU) program. The ESU program will only run...

Read More
CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT
Aug05

CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns. Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government. CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation. Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two...

Read More
President Trump Signs Executive Order Calling for Expansion of Telehealth Services
Aug04

President Trump Signs Executive Order Calling for Expansion of Telehealth Services

On Monday, August 3, 2020, President Trump signed an executive order to expand access to telehealth services for the 57 million Americans living in under-served rural areas.  The Executive Order on Improving Rural and Telehealth Access will ensure that the expansion of telehealth services due to the COVID-19 pandemic will continue after the nationwide public health emergency is declared over. In 2019, Medicare started paying for virtual check-ins with doctors to determine whether an in-person visit was required, but the pandemic saw access to virtual visits expanded significantly in an effort to help prevent the spread of COVID-19. Geographic restrictions were lifted, and telehealth services were made available to Medicare beneficiaries across the country. The Centers for Medicare and Medicaid Services (CMS) also added a further 135 medical services to the list of services that are covered by Medicare if provided virtually. Figures from the CMS show that virtual visits via phone or video increased to nearly 1.7 million in the last week in April, compared to just 14,000 visits...

Read More
FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks
Jul30

FBI Issues Flash Alert Warning of Increasing Netwalker Ransomware Attacks

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving Netwalker ransomware. Netwalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services. The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research. The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities...

Read More
IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs
Jul29

IBM Security 2020 Cost of Data Breach Report Shows 10% Annual Increase in Healthcare Data Breach Costs

The 2020 Cost of Data Breach Report from IBM Security has been released and reveals there has been a slight reduction in global data breach costs, falling to $3.86 million per breach from $3.92 million in 2019 – A reduction of 1.5%. There was considerable variation in data breach costs in different regions and industries. Organizations in the United States faced the highest data breach costs, with a typical breach costing $8.64 million, up 5.5% from 2019. COVID-19 Expected to Increase Data Breach Costs This is the 15th year that IBM Security has conducted the study. The research was conducted by the Ponemon Institute, and included data from 524 breached organizations, and 3,200 individuals were interviewed across 17 countries and regions and 17 industry sectors. Research for the report was conducted between August 2019 and April 2020. The research was mostly conducted before the COVID-19 pandemic, which is likely to have an impact on data breach costs. To explore how COVID-19 is likely to affect the cost of a data breaches, the Ponemon Institute re-contacted study participants to...

Read More
OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures
Jul28

OCR Imposes $1 Million HIPAA Penalty on Lifespan for Lack of Encryption and Other HIPAA Failures

The HHS’ Office for Civil Rights has imposed a $1,040,000 HIPAA penalty on Lifespan Health System Affiliated Covered Entity (Lifespan ACE) following the discovery of systemic noncompliance with the HIPAA Rules. Lifespan is a not-for-profit health system based in Rhode Island that has many healthcare provider affiliates in the state. On April 21, 2017, a breach report was filed with OCR by Lifespan Corporation, the parent company and business associate of Lifespan ACE, about the theft of an unencrypted laptop computer on February 25, 2017. The laptop had been left in the vehicle of an employee in a public parking lot and was broken into. A laptop was stolen that contained information such as patient names, medical record numbers, medication information, and demographic data of 20,431 patients of its healthcare provider affiliates. OCR investigated the breach and discovered systemic noncompliance with the HIPAA Rules. Lifespan ACE uses a variety of mobile devices and had conducted a risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI....

Read More
June 2020 Healthcare Data Breach Report
Jul24

June 2020 Healthcare Data Breach Report

The sharp drop in healthcare data breaches seen in May proved to be short lived, with June seeing a major increase in data breaches. In June, 52 breaches were reported by HIPAA covered entities and business associates. That represents an 85.71% month-over-month increase in reported breaches. The number of individuals impacted by healthcare data breaches changed little despite the large increase in breaches, with a month-over-month fall of 1.65% to 1,047,015 records, which is well above the 2020 monthly average of 896,374 breached records. Largest Healthcare Data Breaches in June 2020 The largest healthcare data breach reported by a single entity in June affected the Texas billing and collections agency, Benefit Recovery Specialists, Inc. (BRS) Malware was detected on its systems that potentially gave unauthorized individuals access to the protected health information of more than a quarter of a million people. There was, however, a much larger data breach reported in June that affected more than 365,000 individuals but was reported individually by each entity affected by the...

Read More
Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance
Jul24

Small North Carolina Healthcare Provider Fined $25,000 for HIPAA Security Rule Noncompliance

The HHS’ Office for Civil Rights (OCR) has announced a $25,000 settlement has been reached with Metropolitan Community Health Services to resolve violations of the HIPAA Security Rule. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center that provides integrated medical, dental, behavioral health & pharmacy services for adults and children. Operating as Agape Health Services, Metro provides discounted medical services to the underserved population in rural North Carolina. Metropolitan Community Health Services has around 43 employees and serves 3,100 patients each year. On June 9, 2011, Metropolitan Community Health Services filed a report with OCR over a breach of the protected health information of 1,263 patients. OCR conducted a compliance review to establish whether the breach was the direct result of noncompliance with the HIPAA Rules. The OCR investigation uncovered longstanding, systemic noncompliance with the HIPAA Security Rule. Prior to the breach, Metropolitan Community Health Service had failed to implement HIPAA...

Read More
Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks
Jul23

Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data. Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services. An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to...

Read More
Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies
Jul22

Two Chinese Nationals Indicted for 10-Year Hacking Campaign on U.S. Organizations and Government Agencies

Two Chinese nationals have been indicted by the U.S. Department of Justice (DOJ) for targeting and hacking US companies, government agencies, and others to steal sensitive information, including COVID-19 research data. The hackers are alleged to have been working under the direction of the Chinese government and also hacking organizations for personal financial gain. LI Xiaoyu, 34, and Dong Jiazhi, 33, were trained in computer application technologies and have been operating as state-backed hackers for more than 10 years. The DOJ said the hackers were operating on behalf of the China’s Ministry of State Security, the Guangdong State Security Department (GSSD), and other government agencies, as well as conducting their own attacks. The hackers have been accused of stealing more than a terabyte of intellectual property estimated to be worth hundreds of millions of dollars. The hackers were prolific and conducted sophisticated hacks on companies and organizations in the United States, Australia, Belgium, Germany, Japan, Lithuania, Spain, the Netherlands, South Korea, Sweden, and the...

Read More
Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails
Jul21

Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom. The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan. Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet. The emails being used in the campaign are similar to previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often only...

Read More
Russian APT Group is Targeting Organizations Involved in COVID-19 Research
Jul17

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development. On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat. APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved COVID-19 research and vaccine development. The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has...

Read More
At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020
Jul15

At Least 41 Healthcare Providers Experienced Ransomware Attacks in the First Half of 2020

The New Zealand-based cybersecurity firm Emsisoft has released ransomware statistics for 2020 that show there have been at least 41 successful ransomware attacks on hospitals and other healthcare providers in the first half of the year. There were 128 successful ransomware attacks on federal and state entities, healthcare providers, and educational institutions in the first 6 months of 2020, with the healthcare industry accounting for 32% of those attacks. The large number of ransomware attacks in 2020 follows on from a spike in attacks in late 2019. 2019 saw more than double the number of ransomware attacks as 2018, attacks on healthcare providers increased by 350% in the final quarter of 2019. 966 entities were successfully attacked with ransomware across all industry sectors in 2019 and those attacks are estimated to have cost $7.5 billion. 2020 started badly for the healthcare industry with 10 successful ransomware attacks on healthcare providers in January, followed by a further 16 successful ransomware attacks in February. There was a marked decrease in attacks in March as...

Read More
HHS Adopts Changes to 42 CFR Part 2 Regulations to Improve Care Coordination
Jul14

HHS Adopts Changes to 42 CFR Part 2 Regulations to Improve Care Coordination

The Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2) have been revised by the Department of Health and Human Services’ Substance Abuse and Mental Health Services (SAMHSA). The 42 CFR Part 2 regulations, first promulgated in 1975, were written at a time when there was great concern that information relating to substance use disorder could be used against an individual. The main purpose of 42 CFR Part 2 was to ensure that a person who seeks help and receives treatment for substance use disorder is not placed at any greater risk or is made more vulnerable than a person who does not seek treatment. Under the 42 CFR Part 2 regulations, before information relating to a substance use disorder treatment program can be shared, consent must be obtained from the patient in writing, except in limited circumstances. 42 CFR Part 2 was important at the time and remains so, but a lot has changed since 42 CFR Part 2 took effect. Many healthcare providers find the regulations burdensome, they can hamper care coordination, and can put a patient’s safety at risk....

Read More
States Start to Make Temporary COVID-19 Telehealth Changes Permanent
Jul10

States Start to Make Temporary COVID-19 Telehealth Changes Permanent

Following the decision of the HHS’ Centers for Medicare and Medicaid Services (CMS) to expand access to telehealth services and increase coverage in response to the COVID-19 pandemic, states introduced temporary emergency waivers to their telehealth laws. There have been increasing calls for the changes to telehealth regulations to be made permanent and several states, including Massachusetts, Colorado, and Idaho, and recently taken steps to see the recent changes to telehealth laws continue after the COVID-19 public health emergency is declared over. Massachusetts Makes COVID-19 Telehealth Policy Changes Permanent On March 16, 2020, the Massachusetts Board of Registration in Medicine (BORIM) approved a new policy that states the same standard of care applies to in-person and telehealth visits and a face-to-face encounter is not a pre-requisite for a telehealth visit. The policy was introduced on a temporary basis in response to COVID-19, but on June 26, 2020, BORIM made the policy change permanent. This is the first telehealth-specific policy to be adopted by BORIM and...

Read More
FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor
Jul09

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks. Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and a user is passed through a series of nodes in a random path to a destination server. When a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, rather than their own IP address being recorded, the IP address of the exit node is recorded. Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, and deploy malware, ransomware, and conduct...

Read More
Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps
Jul09

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft.  The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll. Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links. When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The...

Read More
NSA Issues Guidance on Securing IPsec Virtual Private Networks
Jul07

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working. While IPsec VPNs can ensure sensitive data in traffic is protected against unauthorized access through the use of cryptography, if IPsec VPNs are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware. The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent...

Read More
Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software
Jul06

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in the remote access system, Apache Guacamole.  Apache Guacamole has been adopted by many companies to allow administrators and employees to access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded into many network accessibility and security products such as Fortress, Quali, and Fortigate and is one of the most prominent tools on the market with more than 10 million Docker downloads. Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two. Check Point Research...

Read More
Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected
Jul01

Extent of Magellan Health Ransomware Becomes Clear: More Than 364,000 Individuals Affected

HIPAA Journal previously reported on an April 2020 ransomware attack on Magellan Health. Further information on the attack has now been released that shows the scale of the attack. The incident has now been listed on the HHS’ Office for Civil Rights breach portal as affecting 6 Magellan entities, each of which has reported the incident separately. Several other entities have also submitted breach reports confirming their patients and subscribers have also been affected. It is too early to tell exactly how many individuals have been affected by the ransomware attack, but the total as of July 1, 2020 exceeds 364,000, making the attack the third largest healthcare data breach to be reported in 2020. There may still be some entities that have yet to report the breach. Entities known to have been impacted by the breach are listed in the table below. Affected Entity Entity Type Individuals Affected Magellan Healthcare, Maryland Business Associate 50,410 Magellan Complete Care of Florida Health Plan 76,236 Magellan Rx Pharmacy Healthcare Provider 33,040 Magellan Complete Care of Virginia...

Read More
Is Google Voice HIPAA Compliant?
Jun30

Is Google Voice HIPAA Compliant?

Google Voice is a popular telephony service, but is Google Voice HIPAA compliant or can it be used in a HIPAA compliant way? Is it possible for healthcare organizations – or healthcare employees – to use the service without violating HIPAA Rules? Is Google Voice HIPAA Compliant? Google Voice is a popular and convenient telephony service that includes voicemail, voicemail transcription to text, the ability to send text messages free of charge, and many other useful features. It is therefore unsurprising that many healthcare professionals would like to use the service at work, as well as for personal use. In order for a service to be used in healthcare in conjunction with any protected health information (PHI) it must be possible to use it in a HIPAA compliant way. That means the service must be covered by the conduit exemption rule – which was introduced when the HIPAA Omnibus Final Rule came into effect – or it must incorporate a range of controls and safeguards to meet the requirements of the HIPAA Security Rule. As with SMS, faxing, and email, Google Voice is not...

Read More
UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit
Jun30

UnityPoint Health Proposes $2.8 Million+ Settlement to Resolve Class Action Data Breach Lawsuit

Des Moines, Iowa-based UnityPoint Health has agreed to settle a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that saw the protected health information of 1.4 million patients exposed. The first phishing attack occurred in November 2017 and was discovered on February 15, 2018. The attackers had access to the email accounts of certain employees of its Madison campus for more than 3 months and potentially obtained the protected health information of approximately 16,429 patients. Patients were notified about the breach in April 2018. The second phishing attach was much more extensive. The campaign saw a UnityPoint executive impersonated in March 2018, and several employees responded to the message and disclosed their login credentials. The breach was detected in May 2018 and the investigation revealed the compromised email accounts contained the protected health information of 1.4 million patients, making it the second largest healthcare data breach to be reported in 2018.  The attackers had access to the email accounts for almost a month...

Read More
May 2020 Healthcare Data Breach Report
Jun23

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.   Several cybersecurity companies have reported an increase in COVID-19-related breaches, such as phishing attacks that use COVID-19-themed lures. While there is strong evidence to suggest that these types of attacks have increased since the start of the pandemic, the number of cyberattacks appears to have broadly remained the same or increased slightly. Microsoft has reported that its data shows a slight increase in attacks, but says it only represents a blip and the number of threats and cyberattacks has...

Read More
Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches
Jun23

Lack of Visibility and Poor Access Management are Major Contributors to Cloud Data Breaches

More companies are now completing their digital transformations and are taking advantage of the flexibility, scalability, and cost savings provided by public cloud environments, but securing public clouds can be a major challenge. One of the main factors that has stopped companies from taking advantage of the public cloud has been security. Security teams often feel protecting an on-premise data center is much easier than protecting data in public clouds, although many are now being won over and understand that public clouds can be protected just as easily. Public cloud providers now offer a range of security tools that can help companies secure their cloud environments. While these offerings can certainly make cloud security more straightforward, organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all of their cloud workloads. Cloud security vendor Ermetic recently commissioned IDC to conduct a survey of CISOs to explore the challenges associated with cloud...

Read More
Senate HELP Committee Considers Permanent Changes to Telehealth Policies
Jun18

Senate HELP Committee Considers Permanent Changes to Telehealth Policies

The Senate Health, Education, Labor, and Pensions (HELP) Committee is considering which of the 31 recent changes to telehealth policies should be kept in place when the COVID-19 national public health emergency comes to an end. The temporary changes to policies on telehealth have served to expand access during the COVID-19 public health emergency. These changes were necessary to help prevent the spread of COVID-19 and ensure that Americans are given easy access to medical services. During the COVID-19 crisis, patients have embraced the new approach and many have taken advantage of virtual visits and are using remote monitoring tools. The June 17, 2020 Senate HELP Committee meeting was convened to explore which of the recent changes should be made permanent or at least be extended once the COVID-19 crisis comes to an end. All members of the committee supported making at least some of the recent changes permanent, with HELP Committee Chairman Sen. Lamar Alexander (R-Tenn.) advocating two permanent changes: The elimination of limitations on originating sites and the expansion of the...

Read More