Dedicated to providing the latest
HIPAA compliance news

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit
Sep20

The Compliancy Group Helps Imperial Valley Family Care Medical Group Pass HIPAA Audit

The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018. Only a small number of...

Read More
PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks
Sep19

PhishMe Report Shows Organizations Are Struggling to Prevent Phishing Attacks

Organizations are struggling to prevent phishing attacks, according to a recently published survey by PhishMe. The survey, conducted on 200 IT executives from a wide range of industries, revealed 90% of IT executives are most concerned about email-related threats, which is not surprising given the frequency and sophisticated nature of attacks. When attacks do occur, many organizations struggle to identify phishing emails promptly and...

Read More
Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury
Sep15

Hospital Staff Discovered to Have Taken and Shared Photographs of Patient’s Genital Injury

An investigation has been conducted into a privacy violation at the University of Pittsburgh Medical Center’s Bedford Memorial hospital, in which photographs and videos of a patient’s genitals were taken by hospital staff and in some cases, were shared with other individuals including non-hospital staff. The patient was admitted to the hospital in late December 2017, with photos/videos shared over the following few weeks. The...

Read More
OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data
Sep13

OCR Launches Information is Powerful Medicine Campaign to Encourage Patients to Access Their Health Data

The Department of Health and Human Services’ Office for Civil Rights has launched a new campaign to raise awareness of patients’ right to access their health information and the benefits of doing so. The “Information is Powerful Medicine” campaign informs patients that they have the right to obtain copies of their health data and tells them to “Get it. Check it. Use it.” The benefits to patients are clear. If they obtain copies of the...

Read More
Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone
Sep12

Limited HIPAA Waiver Granted to Hospitals in Irma Disaster Zone

A public health emergency has been declared in areas of the U.S. Virgin Islands, Puerto Rico, and Florida affected by Hurricane Irma. As was the case in Texas and Louisiana after Hurricane Harvey, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a limited waiver of HIPAA Privacy Rule sanctions and penalties for hospitals affected by Irma. OCR has stressed that the HIPAA Privacy and Security...

Read More
FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange
Sep12

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems. The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency...

Read More
Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices
Sep11

Vulnerabilities Identified in Smiths Medical Medfusion 4000 Devices

The U.S. Department of Homeland Security (DHS) has issued a warning about vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps. The vulnerabilities could potentially be exploited by hackers to alter the performance of the devices. Smiths Medical Medfusion 4000 devices are used to deliver small doses of medication and are used throughout the United States and around the world in acute care settings. Eight...

Read More
NCCoE/NIST Release Draft Guidelines for Ransomware Recovery
Sep08

NCCoE/NIST Release Draft Guidelines for Ransomware Recovery

Draft guidelines for ransomware recovery have been issued by the National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST). The guidelines – NIST Special Publication 1800-11 – apply to all forms of data integrity attacks. SP 1800-11 is a detailed, standards-based guide that can be used by organizations of all sizes to develop recovery strategies to deal with data integrity...

Read More
OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters
Sep08

OCR Stresses Need for Covered Entities to Prepare for Hurricanes and Other Natural Disasters

Hospitals in Texas and Louisiana had to ensure medical services continued to be provided during and after Hurricane Harvey, without violating HIPAA Rules. Questions were raised about when it is permitted to share health information with patients’ friends and family, the media and the emergency services and how the Privacy Rule applies in emergencies. The Department of Health and Human Services’ Office for Civil Rights responded by...

Read More
OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017
Sep06

OCR Head Expects Major HIPAA Settlement for a Big, Juicy, Egregious Breach in 2017

Roger Severino, the Director of the Department of Health and Human Services’ Office for Civil Rights (OCR) has stated his main enforcement priority for 2017 is to find a “big, juicy, egregious” HIPAA breach and to use it as an example for other healthcare organizations on the dangers of failing to follow HIPAA Rules. When deciding on which cases to pursue, OCR considers the opportunity to use the case as an educational tool to remind...

Read More
HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone
Aug31

HHS Issues Partial Waiver of Sanctions and Penalties for Privacy Rule Violations in Hurricane Harvey Disaster Zone

During emergencies such as natural disasters, complying with all HIPAA Privacy Rule provisions can be a challenge for hospitals and can potentially have a negative impact on patient care and disaster relief efforts. In emergency situations, HIPAA Rules still apply. The HIPAA Privacy Rule allows patient information to be shared to help with disaster relief efforts and ensure patients get the care they need. The Privacy Rule permits...

Read More
Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients
Aug31

Lawsuit Filed Against Aetna for Disclosure of HIV Status of Patients

A class action lawsuit has been filed against Aetna following a privacy breach that saw the HIV positive status of up to 12,000 individuals impermissibly disclosed. Details of prescribed HIV medications were visible through the clear plastic windows of envelopes, along with individuals’ names and addresses, in a recent mailing. The letters related to pharmacy benefits and information on how HIV medications could be received. As a...

Read More
FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers
Aug30

FDA Announces Voluntary Recall of St. Jude Medical Implantable Cardiac Pacemakers

The U.S. Food and Drug Administration (FDA) has recommended all patients with vulnerable St. Jude Medical implantable cardiac pacemakers visit their providers to have the firmware on their devices updated. The update will make the devices more resilient to cyberattacks. Last year, MedSec Holdings passed on the findings of a study of cybersecurity vulnerabilities in St. Jude Medical devices to the short-selling firm Muddy Waters...

Read More
Researchers Call for Updates to Guidelines for Emailing Patients
Aug30

Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of...

Read More
Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients
Aug29

Ransomware Attack on Salina Family Healthcare Impacts 77,000 Patients

In June, ransomware was installed on servers and workstations at Salina Family Healthcare in Kansas resulting in the encryption and potential disclosure of patients’ protected health information. The attack occurred on June 18, 2017. Salina Family Healthcare was able to limit the extent of the attack by taking swift action to secure its systems. It was also possible to restore the encrypted data from recent backups so no ransom...

Read More
Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture
Aug25

Security Scorecard Gives Government and Healthcare Poor Marks for Security Posture

Body: Security Scorecard has released the findings of its 2017 U.S. State and Federal Government Cybersecurity study. The study assesses the cybersecurity posture of 17 industries, ranking them based on their security scores in ten categories. This year, the U.S. Government performed poorly again for cybersecurity, registering the third lowest overall score out of any sector. Only the telecommunications and education sectors performed...

Read More
Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed
Aug25

Third-Party Mailing Error Sees Aetna Plan Members’ HIV Status Disclosed

Aetna is in the news again for the wrong reasons, having experienced another protected health information breach. The latest incident impacts approximately 12,000 Aetna plan members and resulted in highly sensitive information being disclosed to unauthorized individuals. An error was made in a recent mailing to plan members. That error resulted in the HIV positive of members being disclosed to other individuals. The letters advised...

Read More
Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware
Aug24

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws,...

Read More
NIST Updates Digital Identity Guidelines and Tweaks Password Advice
Aug22

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords. Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the...

Read More
Phillips Ships DoseWise Portal with Serious Vulnerabilities
Aug22

Phillips Ships DoseWise Portal with Serious Vulnerabilities

The Phillips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ISC-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data. Two vulnerabilities have been identified. The first...

Read More
Institute for Women’s Health Hacked: PHI Potentially Compromised
Aug21

Institute for Women’s Health Hacked: PHI Potentially Compromised

Ransomware attacks on healthcare organizations have increased, although that is far from the only malware threat. Keylogging malware can be used to obtain sensitive information such as login credentials, or in the case of the San Antonio Institute for Women’s Health (IFWH), credit and debit card information as it was entered into its system. The keylogging malware was discovered on the IFWH network on July 6, 2017, prompting a...

Read More
Healthcare Hacking Incidents Overtook Insider Breaches in July
Aug18

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports. Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents. The Protenus Breach Barometer report for July shows there were...

Read More
August Sees OCR Breach Reports Surpass 2,000 Incidents
Aug16

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame.  August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009. As of today, there have been 2,022 healthcare data breaches...

Read More
Pacific Alliance Medical Center Announces Ransomware Attack
Aug14

Pacific Alliance Medical Center Announces Ransomware Attack

A ransomware attack on the Los Angeles Pacific Alliance Medical Center has potentially resulted in the attackers gaining access to the protected health information of its patients. The attack occurred on or around June 14, 2017. Pacific Alliance Medical Center became aware that its systems had been compromised when files started to be encrypted. The incident triggered Pacific Alliance Medical Center’s emergency response procedures and...

Read More
HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs
Aug11

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization. The report shows healthcare organizations in the United States are increasingly...

Read More
$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching
Aug10

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement. Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York...

Read More
U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses
Aug09

U.S. Senate Passes Jessie’s Law to Help Prevent Drug Overdoses

West Virginia senators Joe Manchin and Shelley Moore Capito have announced that Jessie’s Law has been passed by the Senate. The legislation is intended to ensure doctors are provided with details of a patient’s previous substance abuse history if consent to share the information is provided by the patient. Jesse’s law takes its name from Michigan resident Jessica Grubb who was in recovery from opioid abuse when she underwent surgery....

Read More
Medical Device Cybersecurity Act Takes Aim at Medical Device Security
Aug08

Medical Device Cybersecurity Act Takes Aim at Medical Device Security

A new bill has been introduced in Congress that aims to ensure the confidential medical information of patients on medical devices is protected and security is improved to make the devices more resilient to hacks. The bill – The Medical Device Cybersecurity Act of 2017 – was introduced on August 1, 2017 by Senator Richard Blumenthal (D-CT) and is supported by the College of Healthcare Information Management Executives (CHIME)...

Read More
Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available
Aug07

Warning Issued Over Vulnerabilities in Siemens PET/CT Scanners: Exploits Publicly Available

Warnings have been issued about four vulnerabilities in Siemens PET/CT scanner systems. Siemens is currently developing patches to address the vulnerabilities.  Exploits for the vulnerabilities are already publicly available. The flaws affect multiple Siemens medical imaging systems including Siemens CT, PET, SPECT systems and medical imaging workflow systems (SPECT Workplaces/Symbia.net) that are based on Windows 7. The...

Read More
Protenus Provides Insight into 2017 Healthcare Data Breach Trends
Aug03

Protenus Provides Insight into 2017 Healthcare Data Breach Trends

Protenus, in conjunction with Databreaches.net, has produced its Breach Barometer mid-year review. The report covers all healthcare data breaches reported over the past 6 months and provides valuable insights into 2017 data breach trends. The Breach Barometer is a comprehensive review of healthcare data breaches, covering not only the data breaches reported through the Department of Health and Human Services’ Office for Civil Rights’...

Read More