April 2019 Healthcare Data Breach Report
May20

April 2019 Healthcare Data Breach Report

April was the worst ever month for healthcare data breaches. More data breaches reported than any other month since the Department of Health and Human Services’ Office for Civil Rights started publishing healthcare data breach reports in October 2009. In April, 46 healthcare data breaches were reported, which is a 48% increase from March and 67% higher than the average number of monthly breaches over the past 6 years. While breach numbers are up, the number of compromised healthcare records is down. In April 2019, 694,710 healthcare records were breached – A 23.9% reduction from March.  While the breaches were smaller in March, the increase in breaches is of great concern, especially the rise in the number of healthcare phishing attacks. Largest Healthcare Data Breaches in April 2019 Two 100,000+ record data breaches were reported in April. The largest breach of the month was reported by the business associate Doctors Management Services – A ransomware attack that exposed the records of 206,695 patients. The ransomware was deployed 7 months after the attacker had first gained...

Read More
New Study Uncovers Serious Holes in Healthcare Cybersecurity
May16

New Study Uncovers Serious Holes in Healthcare Cybersecurity

The sorry state of healthcare cybersecurity has been highlighted by a recent Forescout study. The study revealed the healthcare industry is overly reliant on legacy software, vulnerable protocols are extensively used, and medical devices are not properly secured. 75 global healthcare deployments were analyzed for the study, which included more than 1.5 million devices operating on 10,000 virtual local area networks (VLANs). The majority of those devices were running on legacy systems. While just 1% of devices used unsupported operating systems such as Windows XP, 71% had operating systems that are rapidly approaching end-of-life such as Windows 7, Windows 2008, and Windows Mobile. In January 2020, all three of those operating systems will be at end-of-life and will no longer be supported by Microsoft. The analysis revealed 85% of Windows devices had SMB running. It was a flaw in SMB that was behind the WannaCry ransomware attacks of 2017. Remote Desktop Protocol (RDP) is also commonly used. 35% of devices did not have RDP disabled. The use of File Transfer Protocol (FTP) was also...

Read More
Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks
May15

Microsoft Patches Critical Flaw That Could be Exploited in WannaCry-Style Malware Attacks

On Tuesday May 14, 2019, Microsoft released a patch to fix a ‘wormable’ flaw in Windows, similar to the vulnerability that was exploited in the WannaCry ransomware attacks in May 2017. The flaw is a remote code execution vulnerability in Remote Desktop Services – formerly Terminal Services – that can be exploited via RDP. The flaw (CVE-2019-0708) can be exploited by sending specially crafted requests via RDP to a vulnerable system. No authentication is required and the flaw can be exploited without any user interaction. If exploited, malware could propagate from one compromised computer to all other vulnerable computers on a network. If ransomware exploited the vulnerability, healthcare organizations could experience widespread file encryption and major disruption to operations. Microsoft has not received any reports to suggest the flaw is being actively exploited at present, but it is almost certain that exploits will be developed for the vulnerability and that those exploits will be incorporated into malware. The vulnerability is not present in Windows 8 and Windows 10, only...

Read More
Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records
May10

Alleged Anthem Hackers Indicted Over 2015 Cyberattack Involving the Theft of 78.8 Million Records

Two Chinese nationals who were allegedly behind the 2015 hacking of Anthem Inc., have been charged by the U.S. Department of Justice. 32-year-old Fujie Wang and an unnamed man have been charged in a 4-count indictment in relation to the Anthem cyberattack and theft of 78.8 million health insurance records, along with cyberattacks on three other U.S. businesses between 2014 and 2015. “The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” said Assistant Attorney General Brian A. Benczkowski. “These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors and violated the privacy of over 78 million people by stealing their PII.” The charges are one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer. According to the indictment, the international hacking scheme saw Wang and...

Read More
Key Findings of the 2019 Verizon Data Breach Investigations Report
May08

Key Findings of the 2019 Verizon Data Breach Investigations Report

Today sees the release of the 2019 Verizon Data Breach Investigations Report. This is the 12th edition of report, which contains a comprehensive summary of data breaches reported by public and private entities around the globe. The extensive report provides in-depth insights and perspectives on the tactics and techniques used in cyberattacks and detailed information on the current threat landscape.  The 2019 Verizon Data Breach Investigations Report is the most comprehensive report released by Verizon to date and includes information from 41,686 reported security incidents and 2,013 data breaches from 86 countries. The report was compiled using data from 73 sources. The report highlights several data breach and cyberattack trends. Some of the key findings of the report are detailed below: C-Suite executives are 12 time more likely to be targeted in social engineering attacks than other employees Cyber-espionage related data breaches increased from 13% of breaches in 2017 to 25% in 2018 Nation-state attacks increased from 12% of attacks in 2017 to 23% in 2018 Financially motivated...

Read More
Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures
May06

Touchstone Medical Imaging Fined $3 Million by OCR for Extensive HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with the Franklin, TN-based diagnostic medical imaging services company, Touchstone Medical Imaging. The settlement resolves multiple violations of HIPAA Rules discovered by OCR during the investigation of a 2014 data breach. Touchstone Medical Imaging has agreed to a settlement of $3,000,000 to resolve the violations and will adopt a corrective action plan (CAP) to address its HIPAA compliance issues. The high settlement amount reflects widespread and prolonged noncompliance with HIPAA Rules. OCR alleged 8 separate violations across 10 HIPAA provisions. The settlement resolves the HIPAA case with no admission of liability. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. The directory contained files that included the protected health information (PHI) of 307,839 individuals. As a result of the lack of access controls, files had...

Read More
Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy
May06

Facebook Makes Changes to Health Support Groups to Better Protect Users’ Privacy

Facebook is making changes to Facebook Groups used to discuss health conditions. The move comes following criticism that Facebook Groups were being promoted as private and confidential when information about participants in health groups was being made available to third parties for advertising purposes. In January, a complaint was filed with the Federal Trade Commission alleging the content of private Facebook health groups had been shared with third parties. Some members of these health support groups claimed they had been targeted by advertisers who had offered products and services related to health conditions that had only ever been discussed in closed, private Facebook health groups. The groups are used by individuals with health conditions to obtain advice and receive support. Groups have been set up to help people with a wide range of health conditions, including cancer, substance abuse disorder, and mental health issues. Information was being openly discussed by members of the groups in the belief that the groups were confidential. Not only were advertisers able to contact...

Read More
Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat
May03

Ransomware Attacks Increased by 195% in Q1, 2019 but Trojans Remain the Biggest Threat

Malwarebytes has released a new report detailing the current tactics and techniques being used by cybercriminals to gain access to business networks and sensitive data. Malwarebytes’ Cybercrime Tactics and Techniques Q1 2019 was compiled using data collected by its intelligence, and data science teams and telemetry from its consumer and business products between January 1 and March 31, 2019. The report reveals there has been a 235% increase in cyberattacks on corporate targets in the past 12 months. There has also been a marked decline in cryptomining and other threats on consumers, which fell by 40% in 2018. It is clear from the report that cybercriminals are concentrating their efforts on attacking businesses and SMBs are most at risk as they typically lack the resources to significantly improve their cybersecurity defenses. The report shows that Trojans are currently the biggest malware threat. Attacks involving Trojans are up 650% from the same time last year and attacks increased by 200% in Q1, 2019. The biggest threat is Emotet, which Malwarebytes describes as the “most...

Read More
Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation
May02

Arizona Court of Appeals Rules Patient Can Proceed with Negligence Claim Based on HIPAA Violation

An Arizona man who sued Costco over a privacy violation and had the lawsuit dismissed by the trial court has had the decision overturned by the Court of Appeals, which ruled that the patient can sue the pharmacy for negligence based on a violation of the Health Insurance Portability and Accountability Act (HIPAA). The privacy violation in question occurred in 2016. The man had received a sample of an erectile dysfunction drug in January 2016 and received a telephone call from Costco letting him know that his full prescription was ready to be collected. The man cancelled the prescription but when he contacted the pharmacy a month later about a separate prescription, he discovered the cancellation had not been processed. He then cancelled the prescription for a second time but, again, the prescription was not cancelled. The man subsequently authorized his ex-wife to collect his regular prescription. While at the pharmacy, the pharmacist joked with his ex-wife about the uncollected erectile dysfunction prescription. The man was attempting to reconcile with his ex-wife at the time. The...

Read More
HHS Changes HITECH Act Penalties for HIPAA Violations
Apr29

HHS Changes HITECH Act Penalties for HIPAA Violations

The Department of Health and Human Services has issued a notification of enforcement discretion regarding the civil monetary penalties that are applied when violations of HIPAA Rules are discovered. The HHS has reduced the maximum financial penalty for HIPAA violations in three of the four penalty tiers. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 increased the penalties for HIPAA violations. The new penalties were based on the level of knowledge a HIPAA covered entity or business associate had about the violation and whether action was voluntarily taken to correct any violations. The 1st penalty tier applies when a covered entity or business associate is unaware that HIPAA Rules were violated and, by exercising a reasonable level of due diligence, would not have known that HIPAA was being violated. The 2nd tier applies when a covered entity knew about the violation or would have known had a reasonable level of due diligence been exercised, but when the violation falls short of willful neglect of HIPAA Rules. The 3rd penalty tier applies...

Read More
Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI
Apr26

Feature of DICOM Image Format Could Be Abused to Fuse Malware with PHI

The DICOM image format, which has been in use for around for 30 years, contains a design ‘flaw’ that could be exploited by hackers to embed malware in image files. Were that to happen, the malware would become permanently fused with protected health information. The DICOM file format was developed to allow medical images to be easily stored and shared. It eliminated the need for physical films and solved hardware compatibility issues. DICOM is now the standard format used for MRI and CT images and is supported by most medical imaging systems. The file format can be read by a range of devices that are used to view patient image files and diagnostic information. DICOM images contain a section at the start of the files called a Preamble. This section is used to facilitate access to the metadata within the images and ensure compatibility with image viewers which do not support the DICOM image format. By altering the Preamble section of the file, image viewers treat DICOM images as a file type that they support, such as a jpeg, allowing the file to be opened. This design feature is part...

Read More
HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement
Apr24

HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text. The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost. The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex. Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point...

Read More
HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability
Apr23

HHS Extends Comment Period on Proposed Rules to Improve ePHI Interoperability

The Department of Health and Human Services has extended the deadline for submitting comments on its proposed rules to promote the interoperability of health information technology and electronic protected health information. Two new rules were released on February 11, 2019 by the Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS). The purpose of the new rules is to support the secure access, exchange, and use of electronic health information. The rules cover technical and healthcare industry factors that are proving to be barriers to the interoperability of health information and are limiting the ability of patients to gain access to their health data. The deadline has been extended to give the public and industry stakeholders more time to read the proposed rules and provide meaningful input that can be used to help achieve the objectives of the rules. The extension has come in response to feedback from many stakeholders who have asked for more time to review the rules, which have potential to cause a range of issues for...

Read More
Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million
Apr23

Washington State University Settles Class Action Data Breach Lawsuit for $4.7 Million

A $4.7 million settlement has recently been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017. Washington State University had backed up personal information on portable hard drives which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had occurred at the storage facility and the safe had been stolen. The hard drives contained the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted. The drives contained the types of information sought by identity thieves: Names, contact information, and Social Security numbers, in addition to health data of patients, college admissions test scores, and other information. The information dated back around 15 years and had been collected by the WSU Social and Economic Sciences Research Center for a research project. While the hard drive was stolen, Washington State University maintains there are no indications any data stored on the...

Read More
Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients
Apr23

Unsecured Database of Addiction Service Provider Potentially Contained Records of 145,000 Patients

A database containing highly sensitive information of patients who had previously sought treatment for addiction at rehabilitation centers has been discovered to be freely accessible over the internet. The database contained approximately 4.91 million records which related to an estimated 145,000 patients of the Levittown, PA-based addiction rehabilitation service provider Steps to Recovery. The unsecured database was discovered on March 24, 2019 by Justin Paine, Director of Trust and Safety at Cloudflare. Following the discovery, Paine notified Steps to Recovery and its hosting provider on March 24. No reply was received from Steps to Recovery, but its hosting company made contact and the database has now been secured and is no longer accessible online. Paine had performed a search on the Shodan search engine to identify unsecured databases and devices. According to Paine, the ElasticSearch database contained two indexes which included more than 1.45 GB of data. The information could be accessed by anyone over the internet without the need for any authentication. The database was...

Read More
Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments
Apr17

Blue Cross of Idaho Website Hacked and Attempts Made to Reroute Payments

Blue Cross of Idaho has discovered its website has been hacked and an unauthorized individual gained access to its member portal and viewed the protected health information of some of its members. Blue Cross of Idaho is one of the largest health insurers in the state and serves approximately 560,000 Idahoans. Blue Cross of Idaho’s executive vice president Paul Zurlo said the breach affected around 1% of its members – around 5,600 individuals. (Update 05/03/2019: The HHS breach portal indicates 6,045 individuals have been affected) The website security breach occurred on March 21, 2019 and was discovered the following day. During the time that portal access was possible, the hacker accessed provider remittance documents and attempted to reroute provider financial transactions. Upon discovery of the breach, Blue Cross of Idaho terminated the unauthorized access and secured its portal to prevent financial fraud and further accessing of documents. The incident was reported to the FBI and the investigation remains open. The health insurer is working with internal and external...

Read More
Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules
Apr16

Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules

A recent study conducted by the consultancy firm CynergisTek has revealed many healthcare organizations are not in conformance with NIST Cybersecurity Framework (CSF) controls and the HIPAA Privacy and Security Rules. For the study, CynergisTek analyzed the results of assessments at almost 600 healthcare organizations against NIST CSF and the HIPAA Privacy and Security Rules. The NIST CSF is a voluntary framework, but the standards and best practices help organizations manage cyber risks. Healthcare organizations that are not in conformance with CSF controls face a higher risk of experiencing a cyberattack or data breach. On average, healthcare organizations were only in conformance with 47% of NIST CSF controls. Conformance has only increased by 2% in the past year. Assisted living organizations had the highest level of conformance with NIST CSF (95%), followed by payers (86%), and accountable care organizations (73%). Business associates of HIPAA covered entities only had an average conformance level of 48%. Physician groups had the lowest level of conformance (36%). Out of the...

Read More
March 2019 Healthcare Data Breach Report
Apr15

March 2019 Healthcare Data Breach Report

In March 2019, healthcare data breaches continued to be reported at a rate of one a day. 31 healthcare data breaches were reported to the HHS’ Office for Civil Rights by HIPAA-covered entities and their business associates. The March total is almost 14% higher than the average of the past 60 months.   The number of reported breaches fell by 3.12% month over month and there was a 56.79% decrease in the number of breached healthcare records. March saw the healthcare records of 912,992 individuals exposed, impermissibly disclosed, or stolen as a result of healthcare data breaches. Causes of March 2019 Healthcare Data Breaches The HHS’ Office for Civil Rights groups together hacking and other IT incidents such as malware and ransomware attacks. This category dominated the breach reports in March with 19 incidents reported. Hacking/IT incidents accounted for 88.40% of all compromised records (807,128 records). There were 8 unauthorized access/disclosure incidents reported in March. 81,904 healthcare records were impermissibly accessed or disclosed. There were also four theft...

Read More
MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty
Apr12

MD Anderson Cancer Center Appeals Against $4,348,000 HIPAA Penalty

In 2018, University of Texas MD Anderson Cancer Center was issued with a $4,348,000 civil monetary penalty by the HHS’ Office for Civil Rights (OCR) following the discovery of multiple alleged HIPAA violations that contributed to three data breaches that were experienced in 2012 and 2013. OCR launched an investigation into the breaches and determined there had been an impermissible disclosure of the electronic protected health information (ePHI) of 34,883 patients and that HIPAA Rules had been violated as a result of the failure to use encryption. OCR reasoned that had encryption been used, the breaches could have been prevented. MD Anderson contested the financial penalty and the case was sent to an administrative law judge who ruled that the MD Anderson must pay the financial penalty. MD Anderson has now filed a complaint against the Secretary of the HHS and has launched an appeal with the U.S. Court of Appeals, Fifth Circuit in Texas. MD Anderson alleges the civil monetary penalty is unlawful, that OCR has exceeded its authority by issuing the penalty, and the penalty is...

Read More
Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks
Apr12

Minnesota DHS Suffers Another Phishing Attack: State IT Services Struggling to Cope with Barrage of Attacks

The Minnesota Department of Human Services (DHS) has discovered another employee email account has been compromised as a result of a phishing attack. The latest incident has only just been reported, although the breach occurred on or before March 26, 2018. Three Phishing Attacks: 31,800 Records Exposed The breach is in addition to two other phishing attacks that saw email accounts compromised in June and July of 2018. Those attacks were announced in October 2018 and resulted in the exposure of 20,800 Minnesotans’ PHI. The March 26 email account compromise saw the PHI of 10,263 Minnesotans exposed. The March phishing attack allowed the attacker to gain access to the email account of an employee of the Direct care and Treatment Administration. Emails were then sent from that account to co-workers requesting wire transfers be made. The email requests were flagged as suspicious and were reported to MNIT, which secured the account. No wire transfers were made. During the time that the account was accessible, the attacker potentially accessed emails in the account which included...

Read More
Data Security Incident Response Analysis Published by BakerHostetler
Apr11

Data Security Incident Response Analysis Published by BakerHostetler

BakerHostetler has released its fifth annual Data Security Incident Response Report, which contains an analysis of the 750+ data breaches the company helped manage in 2018. BakerHostetler suggests there has been a collision of data security, privacy, and compliance, and companies have been forced to change the way they respond to security breaches. In addition to federal and state regulations covering data breaches and notifications, companies in the United States must also comply with global privacy laws such as the EU’s General Data Protection Regulation (GDPR).  All of these different regulations make the breach response a complex process. The definitions of personal information and breach response and reporting requirements differ for GDPR, HIPAA, and across the 50 states. The failure to comply with any of the above-mentioned regulations can lead to severe financial penalties. It is therefore of major importance to be prepared for breaches and be able to respond as soon as a breach is discovered. This has led many companies to create committees to help manage data breaches,...

Read More
FDA Considers New Review Framework for AI-Based Medical Devices
Apr09

FDA Considers New Review Framework for AI-Based Medical Devices

AI-based medical devices can be used to identify diseases and individuals at risk of developing medical conditions. They can perform a great deal of time-consuming work on behalf of doctors and radiologists and can help to speed up the diagnosis of diseases. Faster diagnoses mean patients can receive treatment more quickly at a time when it is most likely to be effective. They can also help to identify the most effective treatments to allow personalized medicine to be provided. Currently, the U.S. Food & Drug Administration (FDA) performs reviews of medical devices as part of its market authorization processes. Generally, in order to be granted market authorization the algorithms used by the devices need to be locked and not have the ability to learn each time they are used. These locked algorithms can be subsequently updated by developers at intervals using new data, but after those updates have been applied, the devices need to be subjected to a further manual review and the updated algorithm must be validated. The FDA authorized two AI-based medical devices in 2018: An...

Read More
Hardin Memorial Health Cyberattack Results in EHR Downtime
Apr09

Hardin Memorial Health Cyberattack Results in EHR Downtime

Hardin Memorial Health in Kentucky has experienced a cyberattack which caused disruption to its IT systems and EHR downtime. The cyberattack started on the evening of Friday April 5. A statement issued by a spokesperson for the health system confirmed that IT systems were disrupted as a result of a security breach. Details of the cyberattack have not yet been released so it is unclear whether this was a hacking incident, malware or ransomware attack. The health system has been working round the clock to restore affected systems and servers. Hardin Memorial Health’s IT team has already brought most IT systems back online and has restored access to its EHR system in some units. Despite the lack of access to its EHR system, business continued as usual and the hospital did not have to cancel appointments. All 50 of its locations remained open. “At no time during this event has the quality and safety of patient care been affected,” said HMH Vice President and Chief Marketing and Development Officer, Tracee Troutt. Upon discovery of the security breach, emergency procedures were...

Read More
Amazon Announces 6 New HIPAA Compliant Alexa Skills
Apr05

Amazon Announces 6 New HIPAA Compliant Alexa Skills

Six new HIPAA compliant Alexa skills have been launched by Amazon that allow protected health information to be transmitted without violating HIPAA Rules. The new HIPAA compliant Alexa skills were developed by six different companies that have participated in the Amazon Alexa healthcare program. The new skills allow patients to schedule appointments, find urgent care centers, receive updates from their care providers, access their latest blood sugar reading, and check the status of their prescriptions. This is not the first time that Alexa skills have been developed, but a stumbling block has been the requirements of the HIPAA Privacy Rule, which limit the use of voice technology with protected health information. Now, thanks to HIPAA compliant data transfers, the voice assistant can now be used by a select group of healthcare organizations to communicate PHI without violating the HIPAA Privacy Rule.  You can read more about the issues related to virtual assistants and HIPAA compliance here. Amazon has stated that it plans to work with many other developers through an invite-only...

Read More
Malware Alters CT Scans and Creates and Removes Tumors
Apr05

Malware Alters CT Scans and Creates and Removes Tumors

There is growing concern about hackers gaining access to medical devices and conducting attacks to cause harm to patients. Now malware has been created that can add fake tumors to CT scans. The malware is not being used in real-world attacks. It has been created by researchers at the Ben Gurion University Cybersecurity Center in Israel to demonstrate just how easy it is to exploit vulnerabilities in medical imaging equipment. In addition to adding tumors to medical images the malware could be used to remove real tumors. The former could be conducted for political reasons such as preventing a candidate from running for office, the latter would prevent individuals from receiving treatment for a life-threatening illness. The technique could also be used for insurance fraud, sabotaging of medical trials, and cyber terrorism. Prior to a patient being prescribed radiation therapy or chemotherapy additional tests would be performed and the incorrect diagnosis would be identified, but patients would still be caused considerable emotional distress. The removal of tumors to make the patient...

Read More
OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits
Apr04

OCR Issues Warning on Advanced Persistent Threats and Zero-Day Exploits

The HHS’ Office for Civil Rights has raised awareness of the risk of advanced persistent threats and zero-day exploits in its spring cybersecurity newsletter. Healthcare organizations are attractive targets for hackers due to quantity of sensitive data they store. Individual’s protected health information is highly valuable as it can be used for many different purposes, including identity theft, tax fraud, and gaining access to medical services. Sensitive information about medical conditions can also be used to blackmail individuals. Healthcare organizations also store research data, genetic data, and data from experimental treatments, all of which are of great value cybercriminals. The information can be used by foreign governments to drive innovation. There are many techniques that hackers use to break through defenses and silently gain access to networks, two of the most serious threats being advanced persistent threats and zero-day exploits. An advanced persistent threat (APT) is a term used to refer to repeated cyberattacks that attempt to exploit vulnerabilities to gain...

Read More
Study Reveals Health Information the Least Likely Data Type to be Encrypted
Apr03

Study Reveals Health Information the Least Likely Data Type to be Encrypted

Health information is the least likely data type to be encrypted, according to the Global Encryption Trends Study conducted by the Ponemon Institute on behalf of cryptographic solution provider nCipher. The study was conducted on 5,856 people across several industry sectors in 14 countries, including the United States. The aim of the study was to investigate data encryption trends, the types of data most likely to be encrypted, how extensively encryption has been adopted to improve security, and the challenges faced by companies when encrypting data. The study shows the use of encryption has steadily increased over the past four years. 45% of surveyed organizations said they have an overall encryption plan or strategy that is applied across the whole organization. 42% said they have a limited encryption plan or strategy, with encryption only used on certain applications and data types. 13% of respondents said they do not use encryption at all on any type of data. The use of encryption varies considerably from country to country. Germany leads the world with the highest prevalence...

Read More
Michigan Practice Forced to Close Following Ransomware Attack
Apr02

Michigan Practice Forced to Close Following Ransomware Attack

A ransomware attack can prove costly to resolve. That cost was not deemed worth it by one Michigan practice, which has now permanently closed its doors. The ransomware encrypted the system at Brookside ENT and Hearing Center in Battle Creek which housed patient records, appointment schedules, and payment information rendering the data inaccessible. The attackers claimed to be able to provide a key to unlock the encryption, but in order to obtain the key to decrypt files, a payment of $6,500 was required. The two owners of the practice, William Scalf, MD and John Bizon, MD, decided not to pay the ransom as there was no guarantee that a valid key would be supplied and, after paying, the attackers could simply demand another payment. Since no payment was made, the attackers deleted all files on the system ensuring no information could be recovered. The partners decided to take early retirement rather than having to rebuild their practice from scratch. The FBI was alerted to the security incident and explained that this appeared to be an isolated attack. No patient data appeared to...

Read More
Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations
Apr01

Lawsuit Alleges Sharp Grossmont Hospital Secretly Recorded Patients Having Gynecology Operations

A lawsuit has been filed against Sharp HealthCare and Sharp Grossmont Hospital which alleges the hospital secretly recorded video footage of female patients undressing and having gynaecological examinations performed. According to the lawsuit, the hospital installed video cameras in three operating rooms as part of an internal investigation into the theft of the anaesthesia drug, propofol, from drug carts. The cameras were actively recording between July 17, 2012 and June 30, 2013 at its facility on Grossmont Center Drive in El Cajon, San Diego. During the time that the cameras were recording 1,800 patients were filmed undergoing procedures such as hysterectomies, Caesarean births, dilation and curettage for miscarriages, and other surgical procedures. The motion-activated cameras had been installed on drug carts and continued to record even after motion had stopped. A spokesperson for Sharp Grossmont Hospital confirmed that three cameras had been installed to ensure patient safety by determining the cause of missing drugs from the carts. The lawsuit states that, “At times,...

Read More
CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules
Mar28

CMS Launches Review Program to Assess Compliance with the HIPAA Administrative Simplification Rules

The HHS’ Centers for Medicare and Medicaid Services (CMS) has launched a compliance review program to assess whether HIPAA covered entities are complying with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews will commence in April 2019. The HIPAA Administrative Simplification Rules The HIPAA Administrative Simplification Rules were introduced to improve efficiency and the effectiveness of the health system in the United States. They require healthcare organizations to adopt national standards for healthcare transactions that are conducted electronically, including the use of standard code sets and unique health identifiers, in addition to complying with the requirements of the HIPAA Privacy and Security Rules. The HHS’ Office for Civil Rights is responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The CMS is responsible for administering and enforcing the rules covering transaction and code sets standards, the employer identifier standard, and the national provider identifier standard, as...

Read More
Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach
Mar27

Texas Department of Aging and Disability Services Agrees to $1.6 Million Settlement Over 2015 Data Breach

The Department of Health and Human Services’ Office for Civil Rights has agreed to settle a HIPAA violation case with the Texas Department of Aging and Disability Services (DADS) to resolve HIPAA violations discovered during the investigation of a 2015 data breach that exposed the protected health information of 6,617 Medicaid recipients. The breach was caused by an error in a web application which made ePHI accessible over the internet for around 8 years. DADS submitted a breach report to OCR on June 11, 2015. OCR launched an investigation into the breach to determine whether there had been any violation of HIPAA Rules. On July 2015, OCR notified DADS that the investigation had revealed there had been multiple violations of HIPAA Rules. DADS was deemed to have violated the risk analysis provision of the HIPAA Security Rule – 45 C.F.R. § 164.308(a)(1)(ii)(A) – by failing to conduct a comprehensive, organization-wide risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. There had also been a failure to implement appropriate...

Read More
Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern
Mar26

Healthcare Industry Ranks 8th for Cybersecurity but Poor DNS Health and Endpoint Security of Concern

Through compliance with HIPAA, healthcare organizations have achieved a baseline standard of security, but there is still plenty of room for improvement and healthcare cybersecurity is at best mediocre. Security Scorecard has ranked the healthcare industry 8th out of the 18 industry sectors for cybersecurity. The findings have been detailed in its 2019 Healthcare Cybersecurity Report. The worst aspects of security for the healthcare industry were DNS health and endpoint security, where the industry ranked 13th and 12th respectively. Without proper DNS security measures in place, attacks could take place in which DNS records are changed. Such an attack would allow cybercriminals to route web traffic to fraudulent websites where credentials could be harvested. The US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) issued a warning about this attack method in January 2019. Endpoint security is another big concern. In healthcare, employees use a wide range of different types of devices to gain access to healthcare networks, which introduces risks and...

Read More
D.C. Attorney General Proposes Tougher Breach Notification Laws
Mar25

D.C. Attorney General Proposes Tougher Breach Notification Laws

Washington D.C. Attorney General Karl. A. Racine is looking to strengthen data breach notification laws to provide greater protection for D.C. residents when their personal information is exposed in a data breach. On March 21, 2019, Attorney General Racine introduced the Security Breach Protection Amendment Act, which expands the definition of personal information that warrants notifications to be sent to consumers in the event of a data breach. Currently laws in the District of Columbia require breach notifications to be sent if there has been a breach of Social Security numbers, driver’s license numbers, or financial information such as credit and debit card numbers. If passed, the Security Breach Protection Amendment Act will expand the definition of personal information to include taxpayer ID numbers, genetic information including DNA profiles, biometric information, passport numbers, military Identification data, and health insurance information. Attorney General Racine said one of the main reasons why the update was required was to better protect state residents from breaches...

Read More
350,000 Affected by Oregon Department of Human Services Phishing Attack
Mar22

350,000 Affected by Oregon Department of Human Services Phishing Attack

Oregon Department of Human Services (ODHS) has experienced a phishing attack that has potentially allowed unauthorized individuals to view or obtain the protected health information of more than 350,000 individuals. ODHS learned on January 28, 2019 that unauthorized individuals had gained access to email accounts containing clients’ personal information. Third-party forensics experts from IDExperts were called in to determine the number of individuals affected, the types of data that could have been accessed, and whether clients’ personal information had been extracted. The investigation conformed that nine employees had clicked links in phishing emails and divulged their login credentials, which allowed the attackers to gain access to their email accounts. The first account was compromised on January 8, 2019. The compromised email accounts contained almost 2 million emails. Checks are still being performed to find out which individuals have been affected. ODHS has confirmed that emails in the account contained information such as clients’ first and last names, addresses, birth...

Read More
UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million
Mar22

UCLA Health Settles Class Action Data Breach Lawsuit for $7.5 Million

UCLA Health has settled a class action lawsuit filed on behalf of victims of data breach that was discovered in October 2014. UCLA Health has agreed to pay $7.5 million to settle the lawsuit. UCLA Health detected suspicious activity on its network in October 2014 and contacted the FBI to assist with the investigation. The forensic investigation confirmed that hackers had succeeded in gaining access to its network, although at the time it was thought that they did not access the parts of the network where patients’ medical information was stored. However, on May 5, 2015, UCLA confirmed that the hackers had gained access to parts of the network containing patients’ protected health information and may have viewed/copied names, addresses, dates of birth, Medicare IDs, health insurance information, and Social Security numbers. In total, 4.5 million patients were affected by the breach. The Department of Health and Human Services’ Office for Civil Rights investigated the breach and was satisfied with UCLA Health’s breach response and the technical and administrative safeguards that had...

Read More
Potentially Massive Breach of Protected Health Information Discovered
Mar19

Potentially Massive Breach of Protected Health Information Discovered

Sacramento, CA-based medical software provider Meditab Software Inc., and it’s San Juan, PR-based affiliate, MedPharm Services have suffered a massive breach of protected health information. Meditab provides electronic medical record (EMR) and practice management software to hospitals, physician’s offices, and pharmacies. According to the company website, its software is used by more than 2,200 healthcare clients. Meditab also provides a fax processing service and one of the servers used for processing faxes has been discovered to be leaking data and could be accessed over the internet without the need for any authentication. The unprotected fax server was discovered by the Dubai-based cybersecurity firm SpiderSilk. The fax server was hosted on a subdomain of MedPharm Services and housed an Elastisearch database containing fax communications. Those faxes could be accessed in real time. The database was created in March 2018 and housed more than 6 million records. It is currently unclear how many of those records contained protected health information. According to a recent report...

Read More
February 2019 Healthcare Data Breach Report
Mar18

February 2019 Healthcare Data Breach Report

Healthcare data breaches continued to be reported at a rate of more than one a day in February. February saw 32 healthcare data breaches reported, one fewer than January. The number of reported breaches may have fell by 3%, but February’s breaches were far more severe. More than 2.11 million healthcare records were compromised in February breaches – A 330% increase from the previous month. Causes of Healthcare Data Breaches in February 2019 Commonly there is a fairly even split between hacking/IT incidents and unauthorized access/disclosure incidents; however, in February, hacking and IT incidents such as malware infections and ransomware attacks dominated the healthcare data breach reports. 75% of all reported breaches in February (24 incidents) were hacking/IT incidents and those incidents resulted in the theft/exposure of 96.25% of all records that were breached. All but one of the top ten healthcare data breaches in February were due to hacks and IT incidents. There were four unauthorized access/disclosure incidents and 4 cases of theft of physical or electronic PHI. The...

Read More
Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices
Mar15

Internet of Things Improvement Act Requires Minimum Security Standards for IoT Devices

U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices. Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices. Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is...

Read More
Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks
Mar14

Study Confirms Healthcare Employees Are Susceptible to Phishing Attacks

The healthcare industry is being targeted by cybercriminals and phishing is one of the most common ways that they gain access to healthcare networks and sensitive data. The number of successful phishing attacks on healthcare institutions is a serious concern. At HIMSS19, OCR highlighted email as being the main location of breached ePHI and the high risk of data breaches from phishing attacks. Could the high number of successful phishing attacks be mostly down to the industry being targeted more than other industry sectors, or are healthcare employees more susceptible to phishing attacks? A recently published study has provided some answers. Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team conducted a study to determine the susceptibility of healthcare employees to phishing attacks. For the study, Gordon and his team analysed data from 6 healthcare institutions in the United States that used custom-developed tools or vendor solutions to send simulated phishing emails to their employees. The researchers analyzed data from simulated...

Read More
25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months
Mar11

25% of Healthcare Organizations Have Experienced a Mobile Security Breach in Past 12 Months

The Verizon Mobile Security Index 2019 report indicates 25% of healthcare organizations have experienced a security breach involving a mobile device in the past 12 months. All businesses face similar risks from mobile devices, but healthcare organizations appear to be addressing risks better than most other industry sectors. Out of the eight industry sectors surveyed, healthcare experienced the second lowest number of mobile security incidents behind manufacturing/transportation. Healthcare mobile security breaches have fallen considerably since 2017 when 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the past 12 months. While the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon suggests that may not necessarily be the case. Healthcare organizations may simply be struggling to identify security incidents involving mobile devices. 85% of surveyed healthcare organizations were confident that their security defenses were effective and 83% said they believed they would be able to...

Read More
‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records
Mar08

‘Dozens’ of Northwestern Memorial Hospital Employees Fired for Accessing Jussie Smollett’s Medical Records

A major case of snooping on celebrity medical records has been reported that has resulted in dozens of healthcare workers being fired from Chicago’s Northwestern Memorial Hospital for allegedly accessing the medical records of Jussie Smollett without authorization. Jussie Smollett reportedly attended the hospital’s emergency room for treatment for injuries sustained in an alleged racially motivated attack by two men on January 29, 2019. Following a police investigation into the alleged attack, Chicago Police Superintendent Eddie Johnson announced that the Empire actor had been arrested on February 21 and charged with disorderly conduct and filing a false police report. The police allege that the attack was a hoax and that it had been staged by Smollett as a publicity stunt. The charges against Smollett were dropped on Tuesday 26, March. After Smollett was treated at Northwestern Memorial Hospital, curiosity got the better of some employees who searched for Smollett on the hospital’s system, some of whom accessed his chart and viewed his medical records. Accessing the medical...

Read More
HIPAA Compliance at Odds with Healthcare Cybersecurity
Mar06

HIPAA Compliance at Odds with Healthcare Cybersecurity

The College of Healthcare Information Management Executives (CHIME) has told Congress that complying with HIPAA Rules is not enough to prevent data breaches and HIPAA compliance can, in some cases, result in a lessening of healthcare cybersecurity defenses. Russell P. Branzell, President and CEO of CHIME and Shafiq Rab, CHCIO Chair of the CHIME Board of Trustees recently responded to a request for information (RFI) by Congress on ways to address rising healthcare costs. In a March 1, 2019 letter to Lamar Alexander, Chairman of the Committee on Health, Education, Labor, and Pensions (HELP), they explained that the use of technology in healthcare helps to reduce costs and can, if harnessed correctly, improve efficiency as well as outcomes. “Significant advancements in healthcare technology have been made possible through policy, however, often overly stringent prescriptive mandates have added to healthcare costs, impeded innovation and increased burdens on clinicians.” The use of technology and data sharing are essential for improving the level of care that can be provided to...

Read More
Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack
Mar06

Moody’s: Hospitals at High Risk of Suffering Devastating Cyberattack

A new Moody’s Investors Service Report has revealed four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks. Those four sectors were determined to have high risk exposure to cyberattacks. All four sectors are heavily reliant on technology for day to day operations, distribution of content, or customer engagement. Increasing digitalization and interconnectedness within each sector and across different sectors is increasing cyber risk. For the report, Moody’s assessed vulnerability to a cyberattack and the impact such an attack could have on critical businesses processes, disclosure of data, and reputation damage. Cybersecurity measures that had been deployed to protect against attacks were not considered for the report, unless mitigants had been applied uniformly across each sector – Supply chain diversity for instance. In total, 35 broad industry sectors were assessed and were given a rating of low-risk, medium-risk, or high-risk. The health insurance, pharmaceutical, and...

Read More
Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane
Mar06

Ransomware Attack Impacts up to 400,000 Patients of Columbia Surgical Specialists of Spokane

A ransomware attack on Columbia Surgical Specialists of Spokane in Washington has potentially allowed unauthorized individuals to access the protected health information of up to 400,000 patients. Columbia Surgical Specialists learned of the ransomware attack on January 9, 2019. The security breach was immediately investigated and assistance was provided by IT security provider Intrinium. Files encrypted by the ransomware were found to contain patient information, which included names, driver’s license numbers, Social security numbers and other types of protected health information. Columbia Surgical Specialists told HIPAA Journal that the data security firm “went through our systems with a fine-tooth comb,” and concluded that patient data had not been stolen by the attackers. “but due to the nature of the ransomware and how the infection first began, there cannot be a guarantee.” Columbia Surgical Specialists believes the risk to patients is very low, and notifications were sent to patients out of an abundance of caution. The vulnerability that was exploited to gain access to the...

Read More
New Jersey Expands Definition of Personal Information Requiring Breach Notifications
Mar05

New Jersey Expands Definition of Personal Information Requiring Breach Notifications

The New Jersey Assembly has unanimously passed a bill that expands the types of personal information that require notifications to be sent to consumers in the event of a data breach. New Jersey breach notification laws require businesses and public entities to send notifications to consumers if there has been a breach of their Social Security number, driver’s license number, or bank account number or credit/debit card information if they are accompanied with a password or code that allows the account to be accessed. The amendment to the New Jersey data breach notification requirements of the Consumer Fraud Act expands the definition of personal information to include email addresses and usernames along with a password or answers to security questions that would allow accounts to be accessed. The bill – A-3245 – was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An identical bill – S-52- was passed by the Senate and Assembly in 2018, but it was not signed by then state governor Chris Christie....

Read More
IRS Issues Warning About Tax-Related Phishing Scams
Mar05

IRS Issues Warning About Tax-Related Phishing Scams

The IRS has launched its 2019 ‘Dirty Dozen’ campaign warning taxpayers about the most common tax-related phishing scams that lead to tax fraud and identity theft. Each year the IRS provides taxpayers, businesses, and tax professionals with information on the 12 most common phishing and tax scams to raise awareness of the most prevalent threats. During tax season, cybercriminals are highly active and seek tax information to commit identity theft and submit fraudulent tax returns. Each year, many consumers are fooled into disclosing their personal information and scores of organizations fall victim to these scams and disclose the tax information of employees to scammers. The scams are conducted over the phone, via text messages, on social media platforms, websites, and via email. On March 4, 2019, the IRS launched this year’s Dirty Dozen campaign with a warning about the most serious threat during tax season – phishing. On each of the following 11 weekdays, the IRS will highlight a different scam. Tax-related phishing scams are often cleverly disguised. Emails are sent that appear to...

Read More
Nevada Senator Proposes New Federal Data Privacy Act
Mar04

Nevada Senator Proposes New Federal Data Privacy Act

Nevada Senator Catherine Cortex Masto, (D-NV) has introduced a bill – the Data Privacy Act – which calls for greater accountability and transparency for data collection practices, improved privacy protections for consumers, and the prohibition of discriminatory data practices. HIPAA-covered entities are required to obtain consent from patients prior to using or disclosing their health information for reasons other than the provision of healthcare, payment for healthcare, or for healthcare operations. However, companies not bound by HIPAA Rules do not have the same restrictions in place. Several states have introduced or are considering introducing laws covering health and other sensitive data collected by entities that are not covered by HIPAA in the absence of a federal law that provides such protections. While Congress is assessing privacy protections for consumers, currently protection is provided by patchwork of state laws. Privacy protections can vary greatly depending on where a person lives. The bill – The Digital Accountability and Transparency to Advance Privacy (DATA...

Read More
Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity
Feb28

Senator Demands Answers from Government Agencies and Healthcare Associations on Healthcare Cybersecurity

Senator Mark Warner (D-Va) has written letters to leaders of the Department of Health and Human Services (HHS), the Food and Drug Administration (FDA), the Centers for Medicare and Medicaid Services (CMS), the National Institute of Standards and Technology (NIST), and 12 healthcare associations requesting answers to a list of healthcare cybersecurity questions. Warner, a member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, is deeply concerned about the state of cybersecurity in healthcare and is calling for a collaborative effort “to develop a short- and long-term strategy [for] reducing cybersecurity vulnerabilities in the health care sector” and “develop a national strategy that improves the safety, resilience, and security of our healthcare industry.” The healthcare industry is being targeted by cybercriminals and those attacks are succeeding far too frequently. 2014 was the sixth successive year to see an annual increase in healthcare data breaches. In 2015, another record was broken. The most healthcare records ever breached. 113 million...

Read More
Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices
Feb27

Healthcare Associations Call for Safe Harbor for Breached Entities That Have Adopted Cybersecurity Best Practices

Several healthcare associations have requested a safe harbor for healthcare organizations that would prevent OCR and state attorneys general from issuing financial penalties for breaches of protected health information if the breached entity has met certain standards for safeguarding protected health information (PHI). The suggestions were made in response to the Department of Health and Human Services’ request for information (RFI) on potential changes to HIPAA to reduce the burden on healthcare organizations and improve data sharing for the coordination of patient care. The HHS received more than 1,300 comments on possible changes prior to the February 12, 2019 deadline. The safe harbor was suggested by the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), the Association for Executives in Healthcare Information Security (AEHIS), the American Medical Association (AMA), and the American Hospital Association (AHA). Healthcare organizations can adopt cybersecurity frameworks, create layered...

Read More
New York State Departments Investigate Facebook Over Health Data Sharing Practices
Feb26

New York State Departments Investigate Facebook Over Health Data Sharing Practices

A recent analysis of Facebook’s data collection practices has revealed sensitive health data is obtained by Facebook from third party apps, even if the user has not logged in via Facebook or does not even have a Facebook account. Private information including blood pressure measurements, heart rate data, menstrual cycle data, and other health metrics are provided to Facebook, often without the user’s knowledge or any specific disclosure that data provided by users or collected directly by the apps are shared with the ocial media platform. The investigation was conducted by the Wall Street Journal, which conducted tests on various health-related apps. While it was known that some of those apps send data to Facebook about when they are used, the extent of data sharing was not well understood. The report revealed that 11 popular smartphone apps have been passing sensitive data to Facebook without apparently obtaining consent from users. One app, Flo Period & Ovulation Tracker, shares dates of a user’s last period with Facebook and the predicted date when the user is ovulating. The...

Read More
NHS to Phase Out Pagers by End of 2021
Feb26

NHS to Phase Out Pagers by End of 2021

The National Health Service (NHS) has commissioned a report on the costs of pagers and the extent of their use in NHS Trusts in the UK. The study revealed around 130,000 pagers are used in NHS Trusts – Approximately 10% of the world’s pagers – and the annual cost is around £6.6 million ($8.73 million). Advantages and Disadvantages of Pagers in Healthcare Pagers have served the healthcare industry well for several decades and they are still useful devices. Pagers are easy to use, they are small, easy to carry, and batteries can last months between charges. The pager system uses its own transmitters and frequencies and the signals can pass through structures. Consequently, coverage is excellent, and communication is fast and reliable. Pagers have one function and they perform that task very well. However, there are many drawbacks to pagers in healthcare. Most of the pagers used by NHS Trusts do not support two-way communication. When a message is received, a doctor must find a phone and call a number to receive the message. When an immediate response is not possible, messages are...

Read More
January 2019 Healthcare Data Breach Report
Feb25

January 2019 Healthcare Data Breach Report

After a relatively quiet month for healthcare data breaches, breach numbers rose to more typical levels and were reported at a rate of more than one per day in January. There were 33 healthcare data breaches reported in January 2019. January was the second successive month where there was a fall in the number of individuals impacted by healthcare data breaches. January’s healthcare data breaches saw 490,937 healthcare records exposed, stolen or impermissibly disclosed. Largest Healthcare Data Breaches in January 2019   Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Centerstone Insurance and Financial Services (BenefitMall) Business Associate 111589 Hacking/IT Incident 2 Las Colinas Orthopedic Surgery & Sports Medicine, PA Healthcare Provider 76000 Theft 3 Valley Hope Association Healthcare Provider 70799 Hacking/IT Incident 4 Roper St. Francis Healthcare Healthcare Provider 35253 Hacking/IT Incident 5 Managed Health Services Health Plan 31300 Hacking/IT Incident 6 EyeSouth Partners Business Associate 24113 Hacking/IT Incident 7 Dr....

Read More
UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed
Feb25

UConn Health Phishing Attack Sees PHI of 326,000 Patients Exposed

UConn Health is notifying approximately 326,000 patients that some of their personal information has been exposed as a result of a phishing attack on some of its employees. UConn Health learned about the phishing attack on December 24, 2018. All email accounts were secured, and an internal investigation was launched. The investigation confirmed that multiple email accounts had been accessed by unauthorized individuals. A third-party computer forensics company was retained to investigate the attack and search for protected health information in emails and email attachments in the compromised accounts. While it was not possible to determine who was responsible for the attack nor whether emails and email attachments in the compromised accounts had been viewed by the attacker(s), PHI access could not be ruled out. UConn Health explained in its substitute breach notice that no reports have been received to indicate any patient information has been misused. The majority of individuals affected by the attack were patients. Some employees have also had personal information exposed....

Read More
NIST NCCoE Releases Mobile Device Security Guide
Feb22

NIST NCCoE Releases Mobile Device Security Guide

The National Cybersecurity Center of Excellence (NCCoE) has released final guidance on mobile device security to help organizations secure mobile devices and prevent data breaches. Mobile devices offer convenience and allow data to be accessed from any location. Not only do they allow healthcare organizations to make cost savings, they are vital for remote workers who need access to patients’ health information. Mobile devices allow onsite and offsite workers to communicate information quickly and they can help to improve patient care and outcomes. However, mobile devices introduce security risks. Stolen devices can be used to gain access to corporate email accounts, contacts, calendars, and other sensitive information stored on the devices or accessible through them. There have been many cases where mobile healthcare devices have been lost or stolen causing the exposure of patients’ protected health information. Mobile device security failures have resulted in several financial penalties for HIPAA covered entities, including a $4,348,000 civil monetary penalty for University of...

Read More
Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups
Feb21

Facebook Accused of Privacy Violations and Exposure of Sensitive Health Information Disclosed in Private Groups

A complaint has been filed with the FTC over misleading practices by Facebook. The complaint alleges health information disclosed in closed, supposedly anonymous and private Facebook groups has been exposed. Congress is calling for Facebook to provide answers about the alleged privacy violations involving the Facebook PHR (Groups) platform. Leaders from the House Committee on Energy & Commerce have written to Facebook CEO Mark Zuckerberg requesting an urgent response to the privacy complaint filed with the FTC by users of Facebook Groups. The complaint was sent to the FTC in December and was made public this week. In the complaint letter, security researcher Fred Trotter and members of a Facebook health group allege that personal health information disclosed by users of closed Facebook groups has been exposed. As a result, members of the groups are at risk of harassment and discrimination. Closed Facebook groups are used by sufferers of health and mental health conditions to get support. Many support groups have been sent up on the platform specifically for that purpose....

Read More
PHI of Almost 1 Million UW Medicine Patients Exposed Online
Feb21

PHI of Almost 1 Million UW Medicine Patients Exposed Online

Approximately 974,000 patients of UW Medicine have had their protected health information exposed online due to the accidental removal of protections on a website server. The error resulted in sensitive internal files being indexed by search engines. Internet searches allowed sensitive patient information to be accessed by unauthorized individuals without any need for authentication. Seattle-based UW Medicine discovered a vulnerability on a website server on December 26, 2018, following a tip-off from a patient who was performing a Google search of their own name. An investigation was launched to determine how information was exposed, for how long, and how many patients had potentially been affected. UW Medicine determined that an error had been made in the configuration of a database which resulted in internal files being temporarily available over the Internet. The server misconfiguration occurred on December 4, 2019. The incident was attributed to human error. Ironically, the exposed database was used by UW Medicine to keep track of patient health information disclosures. The...

Read More
Maryland Considers Tougher Penalties for Ransomware Attacks
Feb20

Maryland Considers Tougher Penalties for Ransomware Attacks

Following a spate of ransomware attacks on businesses and hospitals in Maryland, a new bill (Senate Bill 151) has been introduced which seeks to increase the penalties for ransomware attacks. It is hoped that tougher penalties for ransomware attacks would discourage individuals from conducting attacks in the state. The bill defines ransomware as a computer or data contaminant, encryption, or lock that is introduced without authorization on a computer, computer network, or computer system that restricts access to the computer, data, network, or system and is accompanied by a demand for payment to remove the contaminant, encryption or lock. Currently in Maryland, a ransomware attack is classed as a misdemeanor if the attacker causes losses of less than $10,000 and a felony if the attack results in losses of $10,000 or more. The bill seeks to reclassify a ransomware attack as a felony if it results in aggregate losses of more than $1,000. Aggregate losses include “the value of any money, property, or service lost, stolen, or rendered unrecoverable by the crime,” along with reasonable...

Read More
March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches
Feb14

March 1, 2019: Deadline for Reporting Small Healthcare Data Breaches

The deadline for reporting 2018 data breaches of fewer than 500 records is fast approaching. HIPAA covered entities and their business associates must ensure that the Department of Health and Human Services’ Office for Civil Rights (OCR) is notified of all 2018 data breaches of fewer than 500 records before March 1, 2019. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to report data breaches of 500 or more records within 60 days of discovering the breach. The deadline for reporting small healthcare data breaches is 60 days from the end of the calendar year in which the breach was experienced. If it is not possible to determine how many individuals have been affected by a data breach, or if the breach investigation has not been concluded before the 60-day deadline, an interim breach report should be submitted. The breach report can then be updated as and when further information becomes available. If a data breach is not reported within the 60-day reporting window, OCR can issue a financial penalty for noncompliance. While fines for...

Read More
2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records
Feb13

2019 Data Breach Barometer Report Shows Massive Increase in Exposed Healthcare Records

Protenus has released its 2019 Breach Barometer report: An analysis of healthcare data breaches reported in 2018. The data for the report came from Databreaches.net, which tracks data breaches reported in the media as well as breach notifications sent to the Department of Health and Human Services’ Office for Civil Rights and state attorneys general. The report shows there was a small annual increase in the number of healthcare data breaches but a tripling of the number of healthcare records exposed in data breaches. According to the report, there were 503 healthcare data breaches reported in 2018, up from 477 in 2017. 2017 was a relatively good year in terms of the number of healthcare records exposed – 5,579,438 – but the number rose to 15,085,302 exposed healthcare records in 2018. In 2017, March was the worst month of the year in terms of the number of records exposed and there was a general downward trend in exposed records throughout the rest of the year. In 2018, there was a general increase in exposed records as the year progressed. The number of exposed records increased...

Read More
ONC and CMS Propose New Rules on Patient Access and Information Blocking
Feb12

ONC and CMS Propose New Rules on Patient Access and Information Blocking

On Monday, February 11, 2019, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) released new rules covering patient data access and information blocking. The aim of the new rules is to advance interoperability and support the meaningful exchange and use of health information. The rules are intended to increase competition, encourage innovation, and give patients control over their health data. One of the main goals is to make health information accessible via application programming interfaces (APIs). Currently consumers use a wide range of smartphone apps for paying bills and accessing information. It should be just as easy to gain access to healthcare data through apps and for healthcare data to be provided electronically at no cost. One of the main requirements of the new rules is for healthcare providers and health plans to implement data sharing technologies that support the transition of care to new healthcare providers and health plans. Whenever a patient wishes to start seeing a new...

Read More
HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns
Feb12

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Grave Concerns

Each year, HIMSS conducts a survey to gather information about security experiences and cybersecurity practices at healthcare organizations. The survey provides insights into the state of cybersecurity in healthcare and identifies attack trends and common security gaps. 166 health information security professionals were surveyed for the 2019 HIMSS Cybersecurity Survey, which was conducted from November to December 2018. This year’s survey revealed security incidents are a universal phenomenon in healthcare. Almost three quarters (74%) of healthcare organizations experienced a significant security breach in the past 12 months. 22% said they had not experienced a significant security incident in the past year. The figures are in line with the 2018 HIMSS Cybersecurity Survey, when 21% of respondents said they had not experienced a significant security incident. In 2018, 82% of hospital systems reported a significant security incident, as did almost two thirds of non-acute and vendor organizations. The most common actors implicated in security incidents were online scam artists (28%)...

Read More
OCR Settles Cottage Health HIPAA Violation Case for $3 Million
Feb08

OCR Settles Cottage Health HIPAA Violation Case for $3 Million

The Department of Health and Human Services’ Office for Civil Rights (OCR) has agreed to settle a HIPAA violation case with the Santa Barbara, CA-based healthcare provider Cottage Health for $3,000,000. Cottage Health operates four hospitals in California – Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital and Cottage Rehabilitation Hospital. In 2013 and 2015, Cottage Health experienced two security incidents that resulted in the exposure of the electronic protected health information (ePHI) of 62,500 patients. In 2013, Cottage Health discovered a server containing patients’ ePHI had not been properly secured. Files containing patients’ ePHI could be accessed over the internet without the need for a username or password. Files on the server contained patient names, addresses, dates of birth, diagnoses, conditions, lab test results and other treatment information. Another server misconfiguration was discovered in 2015. After responding to a troubleshooting ticket, the IT team removed protection on a server which similarly exposed...

Read More
EHR Vendor False Claims Act Violation Case Settled for $57.25 Million
Feb07

EHR Vendor False Claims Act Violation Case Settled for $57.25 Million

The Tampa, FL-based electronic health record (EHR) software developer Greenway Health LLC has agreed to settle violations of the False Claims Act with the Department of Justice for $57.25 million. The case concerns Greenway Health’s EHR product Prime Suite. The DOJ alleged that by misrepresenting the capabilities of the product, users submitted false claims to the U.S. government. Further, Greenway Health was alleged to have provided unlawful remuneration to users to induce them to recommend the EHR product to other healthcare providers. The U.S. government provided incentives to healthcare organizations to encourage them to transition to EHRs from paper records through the Meaningful Use program. Most healthcare providers have now made the change and now rely on EHR systems to support the healthcare decision process. It is therefore essential that EHR products allow patient health information to be recorded and transmitted accurately. In order for healthcare providers to qualify for Meaningful Use payments, they must only use EHR products that have been certified as meeting...

Read More
Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case
Feb05

Settlement Reached in Community Health Systems 4.5 Million-Record Data Breach Case

Community Health Systems’ (CHS) patients whose protected health information (PHI) was stolen in a cyberattack in 2014 have been offered compensation for the theft of their PHI. Tennessee-based Community Health Systems operates over 200 hospitals, making it one of the largest healthcare systems in the U.S. In 2014, CHS discovered malware had been installed on its network. The malware allowed unauthorized individuals to gain access to patient information between April and June 2014. The cyberattack is believed to have been conducted by threat actors based in China. An advanced malware variant was used in the attack, which had the sole purpose of obtaining sensitive information. An investigation into the breach confirmed that patient data including names, addresses, phone numbers, dates of birth, and Social Security numbers had been exfiltrated. The PHI of 4.5 million patients was stolen by the attackers. At the time it was the largest healthcare data breach to be reported to the Department of Health and Human Services’ Office for Civil Rights and still ranks as one of the top six...

Read More
Aetna Settles HIV Status Breach Case with California AG for $935,000
Feb01

Aetna Settles HIV Status Breach Case with California AG for $935,000

Hartford, CT-based health insurer Aetna has agreed to pay the California Attorney General $935,000 to resolve alleged violations of state laws related to a 2017 privacy breach that exposed state residents’ HIV status. On July 28, 2017, Aetna’s mailing vendor sent letters to plan members who were receiving HIV medications or pre-exposure prophylaxis to prevent them from contracting HIV. The letters contained instructions for their HIV medications; however, information about the HIV medications was clearly visible through the window of the envelopes, resulting in the impermissible disclosure of highly sensitive information to postal workers, friends, family members, and roommates.  Approximately 12,000 individuals were sent letter, 1,991 of whom lived in California. The privacy breach was a violation of HIPAA Rules, and according to California Attorney General Xavier Becerra, also a violation of several California laws including the Unfair Competition Law, the Confidentiality of Medical Information Act, the Health and Safety Code (section 120980), and the State Constitution. In...

Read More
Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data
Jan31

Oregon Health Information Property Act Proposes Paying Patients to Share Their Healthcare Data

The Oregon Health Information Property Act proposes patients should be allowed to authorize their healthcare providers to sell their health data and for them to be financially compensated if their health information is sold to a third party. Currently, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule limits the allowable uses and disclosures of ‘Protected Health Information.’ HIPAA-covered entities are only permitted to use or disclose PHI for purposes related to the provision of treatment, payment for healthcare, or healthcare operations. While there are some exceptions, other uses and disclosures are prohibited unless consent is first obtained from patients. The HIPAA Privacy Rule covers PHI, which is identifiable patient information. If PHI is stripped of information that allow an individual to be identified, it is no longer considered PHI and is no longer subject to Privacy Rule controls. That means that if a HIPAA-covered entity de-identifies PHI, they can then sell that information on for profit. That information can be valuable to research...

Read More
New Cybersecurity Framework for Medical Devices Issued by HSCC
Jan30

New Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle. The HSCC is a coalition of private sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group comprises more than 200 healthcare industry and government organizations. Together they work on developing strategies to address current and emerging cybersecurity challenges faced by the healthcare sector. More than 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passing of the Cybersecurity Information Sharing...

Read More
Analysis of 2018 Healthcare Data Breaches
Jan28

Analysis of 2018 Healthcare Data Breaches

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR). 2018 Was a Record-Breaking Year for Healthcare Data Breaches Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States. The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year. In 2018, 365 healthcare data breaches of 500 or more records were reported, up almost 2% from the...

Read More
23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack
Jan28

23,300 Patients Affected by Critical Care, Pulmonary & Sleep Associates Email Hack

Critical Care, Pulmonary & Sleep Associates (CCPSA) in Colorado has experienced a data breach that has impacted more than 23,300 patients. An email account breach was detected by CCPSA on November 23, 2018 when suspicious activity was detected related to an employee’s email account. The account appeared to have been used to send phishing emails to individuals in the employee’s contact list. Those emails attempted to convince the recipients to make fraudulent payments. Action was promptly taken to lock the hacker out of the account and the entire email environment was secured. All users were required to set new, complex passwords. A third-party computer forensics firm was hired to investigate the attack and determine the scale of the breach. That investigation was concluded on December 14, 2018. The investigation revealed the attacker had gained access to multiple email accounts between August 14 and November 23, 2018. The breach was determined to be limited to the email system. Its medical record system was unaffected. An analysis of the compromised email accounts revealed they...

Read More
DHS Issues Emergency Warning About DNS Hijacking Attacks
Jan24

DHS Issues Emergency Warning About DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All government agencies have been instructed to audit their DNS settings in the next 10 days. CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed. This method of attack allows sensitive data to be stolen without compromising a network and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go unnoticed and web traffic could be re-routed to identical copies of legitimate sites.  Since those sites have TLS/SSL certificates, no warning would be triggered by browsers. DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be...

Read More
Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K
Jan24

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought. On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters to the additional breach victims people had started to be sent. Two days later, the number of breach victims was revised to 87,000 individuals. The malware variant used in the attack was a variant of the Zeus/Zbot Trojan – An information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices. Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and other...

Read More
New Report Reveals Spiraling Cost of Cyberattacks
Jan23

New Report Reveals Spiraling Cost of Cyberattacks

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there has been a 52% increase in the cost of cyberattacks on businesses in since 2017. For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks. The 2018 Threat Landscape 93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware. Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now...

Read More
December 2018 Healthcare Data Breach Report
Jan22

December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January. In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11. Largest Healthcare Data Breaches in December 2018 Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach 1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure 2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890...

Read More
Revised Common Rule Now Effective
Jan21

Revised Common Rule Now Effective

The updated Federal Policy for the Protection of Human Subjects (45 CFR part 46), otherwise known as the Common Rule, is now in effect. The compliance date of the revised Common Rule was January 21, 2019. The Common Rule governs federally funded research on human subjects and was introduced in 1991. The Common Rule was amended in 2015 and underwent a major revision in 2017 to improve protections for research subjects while easing the administrative burden on researchers, especially for low-risk research. The compliance date of the revised Common Rule was initially January 19, 2018; however, two days before the compliance date, an interim final rule was published which delayed the compliance date initially for six months, and subsequently for another six months. Regulated entities were required to comply with the pre-2018 version of the Common Rule until January 20, 2019, with the exception of three provisions of the revised Common Rule which aimed to reduce the administrative burden on researchers. Those three provisions, which could be adopted between July 2019 and January 20,...

Read More
State AG Proposes Tougher Data Breach Notification Laws in North Carolina
Jan21

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents. The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims. Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents. The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows...

Read More
Physician Receives Probation for Criminal HIPAA Violation
Jan18

Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation and has escaped a jail term and fine. The case concerned the wrongful disclosure of patients’ PHI to a pharmaceutical firm. The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion. In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to mis-branding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug. Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability. The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules...

Read More
New Massachusetts Data Breach Notification Law Enacted
Jan16

New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019. The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications. Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name or first initial and last name. Social Security number Driver’s license number State issued ID card number Financial account number, or credit/ debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account. As with the previous law, there is no set timescale for issuing breach...

Read More
OCR Seeks Permanent Deputy Director for Health Information Privacy
Jan15

OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019. The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018. The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices. The Deputy Director for Health...

Read More
10 Year Jail Term for Boston Children’s Hospital Hacker
Jan14

10 Year Jail Term for Boston Children’s Hospital Hacker

The hacker behind a Distributed Denial of Service (DDoS) attack on Boston Children’s Hospital in 2014 has been handed a jail term of 10 years and must pay $443,000 in restitution. Martin Gottesfeld, 34, of Somerville, MA, launched attacks on the Framingham, MA, Wayside Youth and Family Support Network and Boston Children’s Hospital in 2014 as a protest over the handling of a case of suspected child abuse. In 2013, teenager Justina Pelletier was admitted to Boston Children’s Hospital after a physician at Tufts Medical Center recommended she was transferred in order for her to see her longtime gastroenterologist. Justina suffered from mitochondrial disease; however, Boston Children’s Hospital believed Justina’s condition was psychological rather than physical. Justina’s parents tried to get their daughter transferred back to Tufts Medical Center but the hospital believed the actions of the parents and interference in their daughter’s care amounted to medical abuse. In the subsequent custody case, the parents lost custody of their daughter to the state of Massachusetts. Justina spent...

Read More
Feds Launch Campaign to Raise Awareness of Cyber Risks Faced by Private Sector Firms
Jan08

Feds Launch Campaign to Raise Awareness of Cyber Risks Faced by Private Sector Firms

A new public awareness campaign has been launched to raise awareness of cyber risks and to get businesses in all industry sectors to improve their information security practices and cyber defenses. The “Know the Risk, Raise your Shield” campaign is being run by the National Counterintelligence and Security Center (NCSC) at the Office of the Director of National Intelligence. The campaign advises businesses to strengthen passwords, protect social media accounts, implement safeguards to protect against phishing and spear phishing, establish who is calling before any sensitive information is disclosed over the telephone, and not to expect privacy when travelling overseas as electronic equipment can be subject to interference and surveillance. The aim of the campaign is to provide U.S. companies with information to help them understand the cyber threats they now face and to help them take steps to improve their defense against those threats. Well-financed nation-state backed threat actors are targeting private sector firms in the United States to gain access to sensitive information,...

Read More
Advertising Expenditures Increase 64% Following a Healthcare Data Breach
Jan07

Advertising Expenditures Increase 64% Following a Healthcare Data Breach

A recent study has explored the relationship between advertising expenditures and healthcare data breaches. The study shows hospitals significantly increase advertising spending following a data breach. Healthcare Data Breaches Are the Costliest to Mitigate Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. According to the Ponemon Institute/IBM Security’s 2018 cost of a data breach study, healthcare data breaches cost, on average, $408 per lost or stolen record. The costs are double, or in some cases almost triple, those in other industry sectors. Healthcare data breaches are the most expensive to mitigate, far higher than breaches in other industry sectors. Click To Tweet In addition to the high costs of mitigating the breaches, the same study confirmed that loss of patients to competitors is a very real threat. Data breaches cause damage to a brand and trust in an organization can be easily lost when confidential personal information is exposed or stolen. The Ponemon Institute study revealed healthcare organizations...

Read More
Summary of 2018 HIPAA Fines and Settlements
Jan03

Summary of 2018 HIPAA Fines and Settlements

This post summarizes the 2018 HIPAA fines and settlements that have resulted from the enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. Another Year of Heavy OCR HIPAA Enforcement In 2016, there was a significant increase in HIPAA files and settlements compared to the previous year. In 2016, one civil monetary penalty was issued by OCR and 12 settlements were agreed with HIPAA covered entities and their business associates. In 2015, OCR only issued 6 financial penalties. The high level of HIPAA enforcement continued in 2017 with 9 settlements agreed and one civil monetary penalty issued. While there were two settlements agreed in February 2018 to resolve HIPAA violations, there were no further settlements or penalties until June. By the end of the summer it was looking like OCR had eased up on healthcare organizations that failed to comply with HIPAA Rules. However, in September, a trio of settlements were agreed with hospitals that had allowed a film crew to record footage of patients without first...

Read More
IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity
Jan03

IT Service Providers and Customers Warned of Increase in Chinese Malicious Cyber Activity

The Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) has issued an alert about increased Chinese malicious cyber activity targeting IT service providers such as Managed Service Provider (MSPs), Managed Security Service Providers (MSSPs), Cloud Service Providers (CSPs) and their customers. The attacks take advantage of trust relationships between IT service providers and their customers. A successful cyberattack on a CSP, MSP or MSSP can give the attackers access to healthcare networks and sensitive patient data. The DHS Cybersecurity and Infrastructure Security Agency (CISA) has issued technical details on the tactics and techniques used by Chinese threat actors to gain access to services providers’ networks and the systems of their customers. The information has been shared to allow network defenders to take action to block the threats and reduce exposure to the Chinese threat actors’ activities. Guidance has been released for IT service providers and their customers on the steps that should be taken to improve security to prevent...

Read More
HHS Publishes Cybersecurity Best Practices for Healthcare Organizations
Jan02

HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients. Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed they can result in disruption to healthcare operations, costly data breaches, and harm to patients. The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches and 4 out of 5 physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organization is now $2.2 million. “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems...

Read More
Most Common Security Weaknesses in Healthcare Identified
Dec28

Most Common Security Weaknesses in Healthcare Identified

The most common security weaknesses in healthcare have been identified by Clearwater. Clearwater analyzed data from IRM analyses conducted over the past six years. Millions of risk records were assessed from hospitals, Integrated Delivery Networks, and business associates of those entities to identify the most common security vulnerabilities in healthcare. The analysis revealed almost 37% of high and critical risks were in three areas: User authentication Endpoint leakage Excessive user permissions The most common security weaknesses in healthcare were deficiencies in user authentication. These are failures to correctly authenticate users and verify the level of access that users should have to an organization’s resources. These deficiencies include the use of default passwords and generic user IDs, writing down passwords and posting them on computer monitors or hiding them under keyboards, and the transmission of user credentials via email in plain text. User authentication deficiencies were most commonly associated with servers and SaaS solutions. Clearwater also notes that more...

Read More
Largest Healthcare Data Breaches of 2018
Dec27

Largest Healthcare Data Breaches of 2018

This post summarizes the largest healthcare data breaches of 2018: Healthcare data breaches that have resulted in the loss, theft, unauthorized accessing, impermissible disclosure, or improper disposal of 100,000 or more healthcare records. 2018 has seen 18 data breaches that have exposed 100,000 or more healthcare records. 8 of those breaches saw more than half a million healthcare records exposed, and three of those breaches exposed more than 1 million healthcare records. A Bad Year for Healthcare Data Breaches As of December 27, 2018, the Department of Health and Human Services’ Office for Civil Rights (OCR) has received notifications of 351 data breaches of 500 or more healthcare records. Those breaches have resulted in the exposure of 13,020,821 healthcare records. It is likely that the year will finish on a par with 2017 in terms of the number of reported healthcare data breaches; however, more than twice as many healthcare records have been exposed in 2018 than in 2017. In 2017, there were 359 data breaches of 500 or more records reported to OCR. Those breaches resulted in...

Read More
Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack
Dec27

Data of More Than 500,000 Staff and Students Compromised in San Diego School District Phishing Attack

The San Diego School District has announced it has suffered a major phishing attack that has resulted in the exposure of the personal data, including health information, of more than 500,000 staff and students. The phishing attack was detected in October 2018; however, an investigation into the breach revealed the hacker had network access for almost a year. Access to the network was first gained in January 2018 and the attacker continued to access the network until November 2018. The decision was taken not to alert the hacker to the discovery of the breach immediately. Instead, the school district first investigated the breach to determine the nature of the attack and the extent to which its network had been compromised. Access was only terminated when the initial phase of the investigation was completed. San Diego School District conducted the investigation in conjunction with the San Diego Unified Police and has identified the hacker responsible for the attack. All compromised accounts have now been reset and unauthorized access to staff and student data is no longer possible....

Read More
Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital
Dec21

Massachusetts Attorney General Issues $75,000 HIPAA Violation Fine to McLean Hospital

Massachusetts Attorney General Maura Healey has issued a $75,000 HIPAA violation fine to McLean Hospital over a 2015 data breach that exposed the protected health information (PHI) of approximately 1,500 patients. McLean Hospital, a psychiatric hospital in Belmont, MA, allowed an employee to regularly take 8 backup tapes home. When the employee was terminated in May 2015, McLean Hospital was only able to recover four of the backup tapes. The backup tapes were unencrypted and contained the PHI of approximately 1,500 patients, employees, and deceased donors of the Harvard Brain Tissue Resource Center. The lost backup tapes included clinical and demographic information such as names, Social Security numbers, medical diagnoses, and family histories. In addition to the exposure of PHI, the state AG’s investigation revealed there had been employee training failures and McLean Hospital had not identified, assessed, and planned for security risks. The loss of the tapes was also not reported in a timely manner and the hospital had failed to encrypt PHI stored on portable devices or use an...

Read More
November 2018 Healthcare Data Breach Report
Dec20

November 2018 Healthcare Data Breach Report

For the second consecutive month there has been an increase in both the number of reported healthcare data breaches and the number of records exposed, stolen, or impermissibly disclosed. November was the worst month of the year to date for healthcare data breaches in terms of the number of exposed healthcare records. 3,230,063 records were exposed, stolen, or impermissibly disclosed in the breaches reported in November. To put that figure into perspective, that’s more records than were exposed in all 180 data breaches reported to the HHS’ Office for Civil Rights (OCR) in the first half of 2018. There were 34 healthcare data breaches reported to OCR in November, making it the second worst month of the year to date for breaches, behind June when 41 breaches were reported. Largest Healthcare Data Breaches in November 2018 The largest healthcare data breach of 2018 was reported in November by Accudoc Solutions, a business associate of Atrium Health that provides healthcare billing services. That single breach resulted in the exposure of more than 2.65 million healthcare records....

Read More
27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year
Dec19

27% of Healthcare Organizations Have Experienced a Ransomware Attack in the Past Year

According to a new report from Kaspersky Lab, 27% of healthcare employees said their organization had experienced at least one ransomware attack in the past year and 33% of those respondents said their organization had experienced multiple ransomware attacks. In its report – Cyber Pulse: The State of Cybersecurity in Healthcare – Kaspersky lab explained that up until January 1, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights has been notified of more than 110 hacking/IT-related data breaches that have affected more than 500 individuals. The impact of those breaches can be serious for the organizations concerned. Not only can breaches result in millions of dollars in costs, they can permanently damage the reputation of a healthcare organization and can result in harm being caused to patients. To investigate the state of cybersecurity in healthcare, Kaspersky Lab commissioned market research firm Opinion Matters to conduct a survey of healthcare employees in the United States and Canada to explore the perceptions of healthcare employees regarding...

Read More
Vulnerability Identified in Medtronic Encore and Carelink Programmers
Dec18

Vulnerability Identified in Medtronic Encore and Carelink Programmers

ICS-CERT has issued an advisory about a vulnerability that has been identified in certain Medtronic CareLink and Encore Programmers. Some personally identifiable information (PII) and protected health information (PHI) stored on the devices could potentially be accessed due to a lack of encryption for data at rest. The programmers are used in hospitals to program and manage Medtronic cardiac devices and may store reports containing patients’ PII/PHI. An attacker with physical access to one of the vulnerable programmers could access the reports and view patients PII/PHI. The vulnerability would require a low level of skill to exploit. The vulnerability, tracked as CVE-2018-18984 (CWE-311), was identified by security researchers Billy Rios and Jonathan Butts of Whitescope LLC who discovered encryption was either missing or stored PII/PHI was not sufficiently encrypted. The vulnerability has been assigned a CVSS V3 base score of 4.6. The vulnerability is present in all versions of CareLink 2090 Programmers, CareLink 9790 Programmers, and the 29901 Encore Programmers. Medtronic has...

Read More
Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach
Dec18

Up to 32,000 Patients Impacted by Elizabethtown Community Hospital Email Account Breach

Approximately 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital are being notified that some of their protected health information (PHI) has been exposed as a result of email account breach. On October 18, 2018, Elizabethtown Community Hospital discovered an unauthorized individual had gained access to an employee’s email account. The password for the compromised email account was immediately changed and a leading forensic security firm was retained to conduct an investigation into the breach. The investigation, which lasted 60 days, confirmed that a single email account was compromised on October 9, 2018. The hospital’s information technology systems were not accessed and medical records remained secure at all times. An analysis of the breached email account revealed it contained the PHI of around 32,000 patients. The types of information that were exposed differed from patient to patient and may have included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services...

Read More
Federal GDPR-Style Data Privacy Bill Introduced
Dec17

Federal GDPR-Style Data Privacy Bill Introduced

Data privacy laws have been implemented at the state level, but currently there is no federal data privacy law covering all 50 states; however, that could soon change. On Wednesday December 12, 2018, a group of 15 U.S. senators, led by Brian Schatz, (D-Hawai’i), introduced the Data Care Act. The Data Care Act would require all companies that collect personal data of users to take reasonable steps to ensure that information is safeguarded and protected from unauthorized access. Additionally, companies would be required to only use personal data for specific purposes and not in any way that could result in consumers coming to harm. The bill was introduced almost 7 months after the E.U. introduced the General Data Protection Regulation (GDPR). While the Data Care Act does not go as far as GDPR, it does include several GDPR-like provisions. As with GDPR, the bill places limits on the use, collection, and sharing of personal information and introduces new rights for individuals to allow them to access, correct, delete, and port their personal data. The bill would also require companies...

Read More
OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing
Dec13

OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare. OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers. HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records. Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve...

Read More
30% of Healthcare Databases Misconfigured and Accessible Online
Dec12

30% of Healthcare Databases Misconfigured and Accessible Online

A recent study by the enterprise threat management platform provider Intsights has revealed an alarming amount of healthcare data is freely accessible online as a result of exposed and misconfigured databases. While a great deal of attention is being focused on the threat of cyberattacks on medical devices and ransomware attacks, one of the primary reasons why hackers target healthcare organizations is to steal patient data. Healthcare data is extremely valuable as it can be used for a multitude of nefarious purposes such as identity theft, tax fraud and medical identity theft. Healthcare data also has a long lifespan – far longer than credit card information. The failure to adequately protect healthcare data is making it far too easy for hackers to succeed. Healthcare Organizations Have Increased the Attack Surface The cloud offers healthcare organizations the opportunity to cut back on the costs of expensive in-house data centers. While cloud service providers have all the necessary safeguards in place to keep sensitive data secure, those safeguards need to be activated and...

Read More
Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400
Dec12

Failure to Terminate Former Employee’s PHI Access Costs Colorado Hospital $111,400

OCR has fined a Colorado hospital $111,400 for the failure to terminate a former employee’s access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients’ ePHI. Pagosa Springs Medical Center (PSMC) is a critical access hospital, part of the Upper San Juan Health Service District, which provides more than 17,000 hospital and clinic visits a year. As a HIPAA-covered entity, PSMC is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. One of the provisions of the HIPAA Privacy Rule is to limit access to protected health information to authorized individuals. When an employee is terminated, leaves the organization, or changes job role and is no longer required to have access to PHI, access rights must be terminated. The failure to terminate remote access is a violation of HIPAA Rules and could potentially result in an impermissible disclosure of ePHI. On June 7, 2013, OCR received a complaint about a former employee of PSMC who continued to have remote access to a web-based scheduling calendar after leaving PSMC....

Read More
EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach
Dec11

EmblemHealth Pays $100,000 HIPAA Violation Penalty to New Jersey for 2016 Data Breach

The health insurance provider EmblemHealth has been fined $100,000 by New Jersey for a 2016 data breach that exposed the protected health information (PHI) of more than 6,000 New Jersey plan members. On October 3, 2016, EmblemHealth sent Medicare Part D Prescription Drug Plan Evidence of Coverage documents to its members. The mailing labels included beneficiary identification codes and Medicare Health Insurance Claim Numbers (HCIN), which mirror Social Security numbers. The documents were sent to more than 81,000 policy members, 6,443 of whom were New Jersey residents. The New Jersey Division of Consumer Affairs investigated the breach and identified policy, procedural, and training failures. Previous mailings of Evidence of Coverage documents were handled by a trained employee, but when that individual left EmblemHealth, mailing duties were handed to a team manager who had only been given minimal task-specific training and worked unsupervised. That individual sent a data file to EmblemHealth’s mailing vendor without first removing HCINs, which resulted in the HCINs being printed...

Read More
DHS/FBI Issue Fresh Alert About SamSam Ransomware
Dec10

DHS/FBI Issue Fresh Alert About SamSam Ransomware

In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let up in attacks. Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and the FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware. To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime. The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks. Once access is gained, privileges are escalated to gain administrator...

Read More
AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data
Dec06

AMIA and AHIMA Call for Changes to HIPAA to Improve Access and Portability of Health Data

The American Medical Informatics Association (AMIA) and the American Health Information Management Association (AHIMA) have called for changes to HIPAA to be made to improve patients’ access to their health information, make health data more portable, and to better protect health data in the app ecosystem. At a Wednesday, December 5, 2018, Capitol Hill briefing session, titled “Unlocking Patient Data – Pulling the Linchpin of Data Exchange and Patient Empowerment,” leaders from AMIA and AHIMA joined other industry experts in a discussion about the impact federal policies are having on the ability of patients to access and use their health information. Currently, consumers have access to their personal information and integrate and use that information to book travel, find out about prices of products and services from different providers, and conduct reviews and comparisons. However, while many industries have improved access to consumer information, the healthcare industry is behind the times and has so far failed to implement a comparable, patient-centric system. “Congress has...

Read More
12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering
Dec05

12 State Attorneys General File HIPAA Breach Lawsuit Against Medical Informatics Engineering

A multi-state federal lawsuit has been filed against Medical Informatics Engineering and NoMoreClipboard over the 2015 data breach that exposed the data of 3.9 million individuals. Indiana Attorney General Curtis Hill is leading the lawsuit and 11 other states are participating – Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. This is the first time that state attorneys general have joined forces in a federal lawsuit over a data breach caused by violations of the Health Insurance Portability and Accountability Act. The lawsuit seeks a financial judgement, civil penalties, and the adoption of a corrective action plan to address all compliance failures. A Failure to Implement Adequate Security Controls The lawsuit alleges Medical Informatics Engineering failed to implement appropriate security to protect its computer systems and sensitive patient data and, as a result of those failures, a preventable data breach occurred. According to the lawsuit, “Defendants failed to implement basic industry-accepted data...

Read More
OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures
Dec04

OCR Fines Florida Contractor Physicians’ Group $500,000 for Multiple HIPAA Compliance Failures

An HHS’ Office for Civil Rights (OCR) investigation into an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity revealed serious HIPAA compliance failures. Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physicians’ group that provides internal medicine physicians to nursing homes and hospitals in West Florida. ACH falls under the definition of a HIPAA-covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves approximately 20,000 patients a year and employed between 39 and 46 staff members per year during the time frame under investigation. Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice. A local hospital notified ACH on February 11,...

Read More
ONC Announces Winners of Easy EHR Issues Reporting Challenge
Dec03

ONC Announces Winners of Easy EHR Issues Reporting Challenge

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) has announced the winners of its Easy EHR Issues Reporting Challenge. Currently, reporting EHR safety concerns is cumbersome and causes disruption to clinical workflows. A more efficient and user-friendly mechanism is required to allow EHR users to quickly identify, document, and report issues to their IT teams. Fast reporting of potential safety issues will allow the root causes of problems to be found more quickly and for feedback to be provided to EHR developers rapidly to ensure problems are resolved in the shortest possible timeframe. The aim of the challenge was to encourage software developers to create solutions that would help clinicians report EHR usability and safety issues more quickly and efficiently in alignment with their usual clinical workflows and make the reporting of EHR safety issues less burdensome. After assessing all submissions, ONC chose three winners: 1st Place and $45,000 was awarded to James Madison Advisory Group, which developed a...

Read More
OIG Identified Serious Security Failures at Arizona Managed Care Organizations
Nov30

OIG Identified Serious Security Failures at Arizona Managed Care Organizations

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a report on the findings of security audits at two managed care organizations (MCOs) in Arizona. OIG discovered serious security flaws in information systems that placed the confidentiality, integrity, and availability of Medicaid data and systems used to process Medicaid managed care claims at risk. OIG conducted the audits to determine whether the Arizona Medicaid MCOs were adequately protecting their information systems and Medicaid data, and whether they were in compliance with Health Insurance Portability and Accountability Act (HIPAA) security requirements. OIG discovered 19 security vulnerabilities in access controls and configuration management spanning 9 security control areas. 5 vulnerabilities were identified in the access controls category and 14 vulnerabilities were identified in the configuration management category. They included vulnerabilities in access controls, administrative controls, patch management, antivirus management, database management, server management, website...

Read More
DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks
Nov29

DOJ Indicts Two Iranian Hackers for Role in SamSam Ransomware Attacks

The U.S. Department of Justice has announced significant progress has been made in the investigation of the threat actors behind the SamSam ransomware attacks that have plagued the healthcare industry over the past couple of years. The DOJ, assisted the Royal Canadian Mounted Police, Calgary Police Service, and the UK’s National Crime Agency and West Yorkshire Police, have identified two Iranians who are believed to be behind the SamSam ransomware attacks. Both individuals – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – have been operating out of Iran since 2016 and have been indicted on four charges: Conspiracy to commit fraud and related computer activity Conspiracy to commit wire fraud Intentional damage to a protected computer Transmitting a demand in relation to damaging a protected computer The DOJ reports that this is the first ever U.S. indictment against criminals over a for-profit ransomware, hacking, and extortion scheme. In contrast to many threat actors who use ransomware for extortion, the SamSam ransomware group conducts targeted, manual attacks on...

Read More
2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach
Nov28

2.65 Million Atrium Health Patients Impacted by Business Associate Data Breach

AccuDoc Solutions Inc., a provider of healthcare billing services, has experienced a major data breach in which the protected health information of 2,650,000 patients of Atrium Health was exposed. Morrisville, NC-based AccuDoc Solutions prepares bills for patients and operates the online payment system used by Atrium Health, a network of 44 hospitals throughout North Carolina, South Carolina and Georgia. On October 1, 2018, AccuDoc Solutions notified Atrium Health that some of its databases had been compromised. The breach investigation revealed hackers had gained access to AccuDoc Solutions databases between September 22 and September 29, 2018. An extensive forensic investigation into the attack confirmed that patient information had been compromised, but the information stored in its databases could only be viewed. No PHI was downloaded by the attackers nor distributed via other channels. AccuDoc Solutions reports that the breach was due to a security vulnerability at a third-party vendor. The business relationship with that vendor has now been terminated. AccuDoc Systems has...

Read More
Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals
Nov28

Ransomware Attack Results in Partial Closure of Emergency Rooms at Two Hospitals

Computer systems used by East Ohio Regional Hospital (EORH) in Martins Ferry, OH, and Ohio Valley Medical Center (OVMC) in Wheeling, WV, were taken out of action over the weekend of 24/25 November as a result of a ransomware attack. The ransomware started encrypting files on the evening of Friday, November 23. While the attackers succeeded in gaining access to certain systems by penetrating the first layer of security, the subsequent layer was not breached, and the protected health information of its patients was not compromised. Even so, the attack resulted in disruption to certain medical services at both hospitals. Patients walking into the emergency room could still be processed and treated, but the hospitals were unable to accept patients from emergency squads. During the attack the hospitals switched to paper charts to ensure data protection and e-squad patients were diverted to other hospitals. Several hospital systems were taken offline to protect the integrity of information and IT teams have been working around the clock to eradicate the ransomware, restore files, and...

Read More
OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure
Nov26

OCR Fines Allergy Practice $125,000 for Impermissible PHI Disclosure

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined a Hartford allergy practice $125,000 over alleged violations of the HIPAA Privacy Rule. On October 6, 2015, OCR received a copy of a civil rights complaint that had been filed with the Department of Justice (DOJ). The complainant alleged Allergy Associates of Hartford – A Connecticut healthcare provider that specializes in treating patients with allergies – had impermissibly disclosed her protected health information to a TV reporter. The complainant had previously contacted a local TV station after she had been turned away from the allergy practice because of her service animal. The TV reporter subsequently contacted the practice seeking comment. A physician at the practice spoke to the reporter and impermissibly disclosed some of the patient’s protected health information. OCR’s investigation confirmed there had been an impermissible disclosure of PHI, in violation of the HIPAA Privacy Rule – 45 C.F.R. § 164.502(a). The physician in question had already been advised by the practice’s...

Read More
53% Of Healthcare Data Breaches Due to Insiders and Negligence
Nov22

53% Of Healthcare Data Breaches Due to Insiders and Negligence

The healthcare industry has had more than its fair share of hacking incidents, but the biggest threat comes from within. The actions of healthcare providers, health insurers, and their employees cause more breaches than hacking, malware, and ransomware attacks. Researchers at Michigan State University and Johns Hopkins University analyzed data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) over the past 7 years and found that more than half of breaches were the result on internal negligence. The research study, which was recently published in the journal JAMA Internal Medicine, is a follow-on from a 2017 study that explored the risk of hospital data breaches and the types of hospitals that were most prone to data breaches. While the previous research cast light on which hospitals were most vulnerable, little information was available on the main causes of the breaches. The latest study addresses that gap in knowledge. The researchers performed a retrospective analysis of the 1,183 healthcare data breaches reported to OCR between...

Read More
October 2018 Healthcare Data Breach Report
Nov21

October 2018 Healthcare Data Breach Report

Our October 2018 healthcare data breach report shows there has been a month-over-month increase in healthcare data breaches with October seeing more than one healthcare data breach reported per day. 31 healthcare data breaches were reported by HIPAA-covered entities and their business associates in October – 6 incidents more than the previous month. It should be noted that one breach at a business associate was reported to OCR as three separate breaches. The number of breached records in September (134,006) was the lowest total for 6 months, but the downward trend did not continue in October. There was a massive increase in exposed protected health information (PHI) in October. 2,109,730 records were exposed, stolen or impermissibly disclosed – 1,474% more than the previous month. In October, the average breach size was 68,055 records and the median was 4,058 records. Largest Healthcare Data Breaches in October 2018 There were 11 healthcare data breaches of more than 10,000 records reported in October – A 120% increases from the five 10,000+ record breaches in September. The...

Read More
AMIA Calls for Greater Alignment of Federal Data Privacy Rules
Nov20

AMIA Calls for Greater Alignment of Federal Data Privacy Rules

The American Medical Informatics Association (AMIA) is calling for the Trump Administration to tighten data privacy rules through greater alignment of HIPAA and the Common Rule and recommends adoption of a more integrated approach to privacy that includes both the healthcare and consumer sectors. The call follows a request for comment by the NTIA to initiate a conversation about consumer privacy. In a letter to the National Telecommunications and Information Administration (NTIA), a division of the Department of Commerce, AMIA explained that its comments are informed by extensive experience of dealing with both the Health Insurance Portability and Accountability Act and the Federal Protections for Human Subjects Research (Common Rule). Currently, there is a patchwork of federal and state regulations that complicates compliance and creates information sharing challenges which results in ‘perverse outcomes’ due to different interpretations of existing privacy policies. AMIA illustrated the problem of the current patchwork of privacy policies using Pennsylvania and New Jersey as an...

Read More
Do HIPAA Rules Create Barriers That Prevent Information Sharing?
Nov19

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care. HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors. The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected. The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care. The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued. Certain provisions of...

Read More
Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS
Nov15

Congress Passes CISA Act: New Cybersecurity Agency to be Formed Within DHS

The U.S. Department of Homeland Security will be forming a new agency solely focused on cybersecurity following the passing of new legislation by Congress. The Cybersecurity and Infrastructure Security Agency Act of 2018 (CISA Act) amends the Homeland Security Act of 2002 can calls for DHS to form a new Cybersecurity and Infrastructure Security Agency. The CISA Act was unanimously passed by the House of Representatives and just awaits the president’s signature. The new agency will be formed through the reorganization of the National Protection and Programs Directorate (NPPD) and will have the same status as other DHS agencies such as the U.S. Secret Service. The NPPD is already responsible for reducing and eliminating threats to U.S. critical physical and cyber infrastructure, with cybersecurity elements covered by the Office of Cybersecurity and Communications and the National Risk Management Center. NPPD currently coordinates IT security initiatives with other entities, local, state, tribal and territorial governments and the private sector and oversees cybersecurity at federal...

Read More
HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals
Nov15

HealthCare.gov Data Breach Exposed Personal Information of 94,000 Individuals

Last month, the Centers for Medicare & Medicaid Services (CMS) announced that the HealthCare.gov website had been hacked and the sensitive data of approximately 75,000 individuals had potentially been compromised. This week, the CMS issued an update on the breach confirming more people had been affected than was initially thought. The revised estimate has seen the number of breach victims increased to 93,689. The initial breach announcement was light on details about the exact nature of the breach and the types of information that had potentially been compromised. In the initial announcement the CMS explained that suspicious activity was detected on the site on October 13 and on October 16 a breach was confirmed. Steps were immediately taken to secure the site and prevent any further data access or data theft. The CMS started sending out breach notification letters on November 7 which explain the breach in more detail, including the types of information that were potentially accessed. CMS explained that the ‘suspicious activity’ it detected was certain agent and broker accounts...

Read More
30,000 Patients Impacted by May Eye Care Center Ransomware Attack
Nov14

30,000 Patients Impacted by May Eye Care Center Ransomware Attack

A July 2018 ransomware attack on May Eye Care Center in Hanover, PA saw a range of sensitive patient information encrypted, including data in its electronic medical record system. The ransomware attack was discovered by May Eye Care on July 29, 2018. The ransomware was downloaded on a server that contained patients’ names, addresses, dates of birth, insurance information, diagnoses, treatment information, clinical information, and a limited number of Social Security numbers. May Eye Care Center called in a leading computer forensics company to investigate the breach and an IT firms that specializes in data security was engaged to conduct a full review of security systems and protocols. Security has now been improved to prevent further attacks. A ransom demand was received, but no payment was made. May Eye Care Center was able to recover all of the files encrypted by the ransomware from backups without any loss of data. Al patients impacted by the incident have been notified and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on...

Read More
OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices
Nov08

OIG Finds Deficiencies in FDA’s Policies and Procedures to Address Cybersecurity Risk to Postmarket Medical Devices

The HHS’ Office of Inspector General (OIG) has published the findings of an audit of the FDA’s policies and procedures for addressing medical device cybersecurity in the postmarket phase.  Several deficiencies in FDA policies and procedures were identified by OIG auditors. Ensuring the safety, security, and effectiveness of medical devices is a key management challenge for the Department of Health and Human Services. It is the responsibility of the U.S. Food and Drug Administration (FDA) to ensure all medical devices that come to market are secure and incorporate cybersecurity protections to prevent cyberattacks that could alter the functionality of the devices which could cause harm to patients. The FDA has developed policies and procedures to ensure that cybersecurity protections are reviewed before medical devices come to market and the agency has plans and processes for addressing medical device issues, such as cybersecurity incidents, in the postmarket stage. However, OIG determined that those plans and practices are insufficient in several areas. One area of weakness concerns...

Read More
Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches
Nov07

Q3 Healthcare Data Breach Report: 4.39 Million Records Exposed in 117 Breaches

The latest installment of the Breach Barometer Report from Protenus shows there was a quarterly fall in the number of healthcare data breaches compared to Q2, 2018; however, the number of healthcare records exposed, stolen, or impermissibly disclosed increased in Q3. In each quarter of 2018, the number of healthcare records exposed in data breaches has risen. Between January and March 1,129,744 healthcare records were exposed in 110 breaches. Between April and June, 3,143,642 records were exposed in 142 breaches, and 4,390,512 healthcare records were exposed, stolen, or impermissibly disclosed between July and September in 117 breaches. The largest healthcare data breach in Q3 was reported by the Iowa Health System UnityPoint Health. The breach was due to a phishing attack that saw multiple email accounts compromised. Those accounts contained the protected health information of more than 1.4 million patients. That breach was the second phishing attack experienced by UnityPoint Health. An earlier phishing attack resulted in the exposure of 16,400 healthcare records. In Q3, hacking...

Read More
Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program
Nov06

Fewer Than One Third of Healthcare Organizations Have a Comprehensive Cybersecurity Program

An alarming number of healthcare organizations do not have comprehensive cybersecurity programs in place, according to the recently published 2018 CHIME Healthcare’s Most Wired survey. The annual CHIME survey explores the extent to which healthcare organizations have adopted health information technology and draws attention to those that are ‘Most Wired’ and have the broadest, deepest IT infrastructure. This year’s report highlights gaps in foundational technologies and strategies for security and disaster recovery. “Before provider organizations can achieve outcomes with their strategies for population health management, value-based care, patient engagement, and telehealth, they must first ensure that foundational pieces such as integration, interoperability, security, and disaster recovery are in place,” explained CHIME. The attack surface has grown considerably in recent years due to increased adoption of networked medical devices and IoT technology. Threats to the privacy of sensitive information and security of systems and devices have grown and security is now a major...

Read More
$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach
Nov05

$200,000 Settlement Agreed with Business Associate Behind Virtua Medical Data Breach

New Jersey Attorney General Gurbir S. Grewal has announced a $200,000 settlement has been agreed with Best Medical Transcription to resolve violations of the Health Insurance Portability and Accountability Act that were discovered during an investigation of a 2016 breach of 1,650 individuals’ protected health information. Protected Health Information of 1,654 Patients Was Accessible Through Search Engines Best Medical Transcription was a business associate of Virtua Medical Group, a network of medical and surgical practices in southern New Jersey. Best Medical Transcription was provided with dictated medical notes, letters, and reports which were transcribed for Virtua Medical Group physicians. In January 2016, it was discovered that transcribed documents had been uploaded to File Transfer Protocol (FTP) website that was accessible over the Internet without the need for any authentication. The files had been indexed by Google and could be found using search terms including information contained in the files. Password-protection had been removed when software on the website was...

Read More
Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted
Nov02

Ransomware Attacks Increase: Healthcare Industry Most Heavily Targeted

Ransomware attacks are on the rise once again and healthcare is the most targeted industry, according to the recently published Beazley’s Q3 Breach Insights Report. 37% of ransomware attacks managed by Beazley Breach Response (BBR) Services affected healthcare organizations – more than three times the number of attacks as the second most targeted industry: Professional services (11%). Kaspersky Lab, McAfee, and Malwarebytes have all released reports in 2018 that suggest ransomware attacks are in decline; however, Beazley’s figures show monthly increases in attacks in August and September, with twice the number of attacks in September compared to the previous month. It is too early to tell if this is just a blip or if attacks will continue to rise. The report highlights a growing trend in cyberattacks involving multiple malware variants. One example of which was a campaign over the summer that saw the Emotet banking Trojan downloaded as the primary payload with a secondary payload of ransomware. Emotet is used to steal bank credentials and has the capability to download further...

Read More
HHS Officially Opens its New Health Sector Cybersecurity Coordination Center
Nov01

HHS Officially Opens its New Health Sector Cybersecurity Coordination Center

The U.S. Department of Health and Human Services (HHS) has officially opened its Health Sector Cybersecurity Coordination Center (HC3). HC3, located in the Hubert H. Humphrey building at HHS headquarters in Washington D.C., was officially opened on October 29, 2018 by Deputy Secretary of the HHS, Eric Hargan. HC3’s mission is to strengthen coordination and improve information sharing within the healthcare industry. HC3 will work closely with healthcare industry stakeholders, including practitioners, organizations, and cybersecurity information sharing organizations, to gain an understanding of current threats, patterns and attack trends. Information about current and emerging threats will be shared with healthcare organizations together with details of actions that can be taken to protect healthcare systems, medical devices and patient data. The Department of Homeland Security (DHS) is the primary agency for dealing with cyber threats in the United States and is responsible for developing strategies to combat those threats. HC3 will work closely with DHS but will be solely focused...

Read More
Cybersecurity Best Practices for Healthcare Organizations
Nov01

Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks. The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity. While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data. Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in...

Read More
OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder
Oct29

OCR Launches Campaign to Raise Awareness of Civil Rights Protections for Patients Being Treated for Opioid Use Disorder

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. The one-year anniversary of that declaration has seen a new opioid bill signed into law. On October 24, 2018, President Donald Trump added his signature to the Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act – or “SUPPORT for Patients and Communities Act” for short. The Act will help strengthen the government’s response to the opioid crisis, improve access to addiction treatment services, and expand data sharing in cases of opioid abuse. There have been calls for changes to be made to 42 CFR Part 2 to align the legislation with the HIPAA Privacy Rule and allow the sharing of information about a patient’s substance abuse treatment, without consent, for the purposes of treatment, payment or healthcare operations. The SUPPORT for Patients and Communities Act does go that far, although the new law does allow information relating to opioid use disorder and treatment – and details of treatment for abuse of other...

Read More
September 2018 Healthcare Data Breach Report
Oct23

September 2018 Healthcare Data Breach Report

For the second consecutive month there has been a reduction in both the number of reported healthcare data breaches and the number of exposed healthcare records. In September, there were 25 breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights – the lowest breach tally since February. There was also a substantial reduction in the number of exposed/stolen healthcare records in September. Only 134,000 healthcare records were exposed/stolen in September – A 78.5% reduction in compared to August. Fewer records were exposed in September than in any other month in 2018. Causes of September 2018 Healthcare Data Breaches In August, hacking/IT incidents dominated the healthcare breach reports, but there was a major increase (55.55%) in unauthorized access/disclosure breaches in September, most of which involved paper records. There were no reported cases of lost paperwork or electronic devices containing ePHI, nor any improper disposal incidents. While there were fewer hacking/IT incidents than unauthorized access/disclosure...

Read More
OIG Publishes 2016 Medicaid Data Breach Report
Oct23

OIG Publishes 2016 Medicaid Data Breach Report

A new report released by the Department of Health and Human Services’ Office of Inspector General (OIG) has revealed the vast majority of Medicaid data breaches are relatively minor and only affect an extremely limited number of individuals. For the study, OIG assessed all breaches reported by Medicaid agencies and their contractors in 2016. According to the report, the records of 515,000 Medicaid beneficiaries were exposed in 2016, spread across 1,260 data breaches. Almost two thirds of Medicaid data breaches reported in 2016 affected a single person with a further 29% of breaches affecting between 1 and 9 individuals. Large-scale breaches, which resulted in the data of 500 or more beneficiaries being exposed, accounted for 1% of the annual total. While the breach causes were highly varied, the majority of incidents were the result of simple errors such as misaddressing a letter, fax, or email. Those breaches only resulted in a very limited amount of PHI being exposed, such as a beneficiary name and Medicaid or other ID number. Out of the 1,260 breaches only 303 resulted in the...

Read More
1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach
Oct23

1.25 Million Records Exposed in Employees Retirement System of Texas Data Breach

The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal allowed certain individuals to view information of other members after logging into the portal. ERS explained that a coding error, introduced on January 1, 2018, affected the “Annual Out-of-Pocket Premium” function of its ERS OnLine system. The function is used by some retirees, direct-pay members, employees on leave without pay and COBRA participants. The function “allows participants who pay their Texas Employees Group Benefits Program (GBP) premiums with after-tax dollars to see their own premium payment information.” However, the flaw meant that certain ERS members were displayed information about other members and in some cases, certain beneficiaries – if those beneficiaries had received some form of payment from ERS and had information in the ERS OnLine system. ERS notes that the coding error only returned other members’ information when individuals performed a modified search via the affected function and therefore it is “very unlikely” than most members information was...

Read More
CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System
Oct22

CMS Investigating 75,000-Record Breach of Federally Facilitated Exchanges Direct Enrollment System

The Centers for Medicaid & Medicare Services (CMS) has discovered hackers have gained access to a health insurance system that interacts with the HealthCare.gov website and accessed files containing the sensitive information of approximately 75,000 individuals. On October 13, 2018, CMS staff discovered anomalous activity in the Federally Facilitated Exchanges system and the Direct enrollment pathway used by agents and brokers to sign their customers up for health insurance coverage. On October 16, the CMS confirmed there had been a data breach and a public announcement about the cyberattack was made on Friday October 19, 2018. While the number of files accessed only represents a small fraction of the total number of consumer records stored in the system, it is still a sizable and serious data breach. The files contained information supplied by consumers when they apply for healthcare plans through agents and brokers, including names, telephone numbers, addresses, Social Security numbers, and income details. While the CMS has confirmed that the files have been accessed by...

Read More
The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates
Oct17

The HIPAA Risk Analysis: Guidance and Tools for HIPAA Covered Entities and Business Associates

The HIPAA Risk analysis is a foundational element of HIPAA compliance, yet it is something that many healthcare organizations and business associates get wrong. That places them at risk of experiencing a costly data breach and a receiving a substantial financial penalty for noncompliance. The HIPAA Risk Analysis The administrative safeguards of the HIPAA Security Rule require all HIPAA-covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.” See 45 C.F.R. § 164.308(u)(1)(ii)(A). The risk analysis is a foundational element of HIPAA compliance and is the first step that must be taken when implementing safeguards that comply with and meet the standards and implementation specifications of the HIPAA Security Rule. If a risk analysis is not conducted or is only partially completed, risks are likely to remain and will therefore not be addresses through an organization’s risk management process – See § 164.308(u)(1)(ii)(B) – and will not be...

Read More
$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark
Oct16

$16 Million Anthem HIPAA Breach Settlement Takes OCR HIPAA Penalties Past $100 Million Mark

OCR has announced that an Anthem HIPAA breach settlement has been reached to resolve potential HIPAA violations discovered during the investigation of its colossal 2015 data breach that saw the records of 78.8 million of its members stolen by cybercriminals. Anthem has agreed to pay OCR $16 million and will undertake a robust corrective action plan to address the compliance issues discovered by OCR during the investigation. The previous largest ever HIPAA breach settlement was $5.55 million, which was agreed with Advocate Health Care in 2016. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said OCR Director Roger Severino. Anthem Inc., an independent licensee of the Blue Cross and Blue Shield Association, is America’s second largest health insurer. In January 2015, Anthem discovered cybercriminals had breached its defenses and had gained access to its systems and members’ sensitive data. With assistance from cybersecurity firm Mandiant, Anthem determined this was an advanced persistent threat attack – a continuous and targeted...

Read More
Most Common Healthcare Phishing Emails Identified
Oct16

Most Common Healthcare Phishing Emails Identified

A new report by Cofense has revealed the most common healthcare phishing emails and which messages are most likely to attract a click. The 2018 Cofense State of Phishing Defense Report provides insights into susceptibility, resiliency, and responses to phishing attacks, highlights how serious the threat from phishing has become, and how leading companies are managing risk. The high cost of phishing has been highlighted this week with the announcement of a settlement between the HHS’ Office for Civil Rights and Anthem Inc. The $16 million settlement resolved violations of HIPAA Rules that led to Anthem’s 78.8 million record data breach of 2015. That cyberattack started with spear phishing emails. In addition to the considerable cost of breach remediation, Anthem also settled a class action lawsuit related to the breach for $115 million. Even an average sized breach now costs $3.86 million to resolve (Ponemon/IBM Security, 2018). Previous Cofense research suggests that 91% of all data breaches start with a phishing email and research by Verizon suggests 92% of malware infections...

Read More
Aetna Settles HIPAA Violation Case with State AGs
Oct15

Aetna Settles HIPAA Violation Case with State AGs

In 2017, errors occurred with two Aetna mailings that resulted in the impermissible disclosure of the protected health information of plan members, including HIV statuses and AFib diagnoses. A class action lawsuit was filed on behalf of the victims of the HIV status breach which was settled for $17 million in January. Now Aetna has reached settlements with the attorneys general for New Jersey, Connecticut, and the District of Columbia to resolve the alleged HIPAA violations discovered during an investigation into the privacy breaches. The first mailing was sent on July 28, 2017 by an Aetna business associate. Over-sized windowed envelopes were used for the mailing, through which it was possible to see the names and addresses of plan members along with the words “HIV Medications.” Approximately 12,000 individuals received the mailing. In September, a second mailing was sent on behalf of Aetna to 1,600 individuals. This similarly resulted in an impermissible disclosure of PHI. In addition to names and addresses, the logo of an IMPACT AFib study was visible, which suggested the...

Read More
HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia
Oct12

HSS Secretary Issues Limited Waiver of HIPAA Penalties Following Declaration of Public Health Emergency in Florida and Georgia

Following the presidential declaration of public health emergencies in the states of Florida and Georgia in the wake of hurricane Michael, secretary of the Department of Health and Human Services (HHS) Alex Azar has followed suit in both states and has exercised his authority to waive HIPAA sanctions and penalties for certain provisions of the HIPAA Privacy Rule in the disaster areas. The HHS announced the public health emergency in Florida on October 9, and Georgia on October 11. The HIPAA Privacy Rule does permit healthcare providers to share protected health information during disasters to assist patients and ensure they receive the care they need, including sharing information with friends, family members and other individuals directly involved in a patient’s care. The HIPAA Privacy Rule allows the sharing of PHI for public health activities and to prevent or reduce a serious and imminent threat to health or safety. HIPAA-covered entities are also permitted to share information with disaster relief organizations that have been authorized by law to assist with disaster relief...

Read More
Hospitals Failing to Fully Comply with HIPAA Requirement for Providing Patients with Copies of Medical Records
Oct10

Hospitals Failing to Fully Comply with HIPAA Requirement for Providing Patients with Copies of Medical Records

The HIPAA Privacy Rule gave patients the right to obtain a copy of their medical records from their healthcare providers. Under HIPAA, copies of medical records should be provided to patients as soon as possible, but no later than 30 days from when the request is made. Even though compliance with the HIPAA Privacy Rule has been mandatory since April 14, 2003, there have been several cases of hospitals failing to provide patients with copies of their medical records. In 2011, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a message to healthcare providers about this aspect of HIPAA compliance when it issued a $4,300,000 civil monetary penalty to Cignet Health of Prince George’s County. Even though it has now been 15 years since compliance with the HIPAA Privacy Rule became mandatory, there is still widespread noncompliance when it comes to providing patients with copies of their medical records. According to a new study published in JAMA Network Open, healthcare providers are not providing patients with copies of their full medical records,...

Read More
Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC
Oct08

Cybersecurity Best Practices for Device Manufacturers and Healthcare Providers to be Issued by HSCC

The Healthcare & Public Health Sector Coordinating Council (HSCC) has announced it will shortly issue voluntary cybersecurity best practices for medical device manufacturers and healthcare provider organizations to help them improve their security posture. HSCC will also publish a voluntary curriculum that can be adopted by medical schools to help them train clinicians how to manage electronic health records, medical devices, and IT systems in a secure and responsible way. The announcement coincides with National Cyber Security Awareness Month and includes an update on the progress that has been made over the past 12 months and the work that the HSCC still intends to complete. HSCC explained that the global cyberattacks of 2017 involving WannaCry and NotPetya malware served as a wake-up call to the healthcare industry and demonstrated the potential harm that could be caused if an attack proved successful. Many large companies were crippled by the attacks for weeks. Fortunately, the healthcare industry in the United States escaped the attacks relatively unscathed, although the...

Read More
FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
Oct03

FDA Issues Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook

On October 1, 2018, the U.S. Food and Drug Administration released a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook for healthcare delivery organizations to help them prepare for and respond to medical device cybersecurity incidents. The playbook is intended to help healthcare delivery organizations develop a preparedness and response framework to ensure they are prepared for medical device security incidents, can detect and analyze security breaches quickly, contain incidents, and rapidly recover from attacks. The playbook was developed by MITRE Corp., which worked closely with the FDA, healthcare delivery organizations, researchers, state health departments, medical device manufacturers and regional healthcare groups when developing the document. The past 12 months have seen many vulnerabilities identified in medical devices which could potentially be exploited by hackers to gain access to healthcare networks, patient health information, or to cause harm to patients. While the FDA has not received any reports to suggest an attack has been...

Read More
Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency
Oct02

Healthcare Industry Highly Susceptible to Phishing Attacks and Lags Other Industries for Phishing Resiliency

The healthcare industry is extensively targeted by phishers who frequently gain access to healthcare data stored in email accounts. In some cases, those email accounts contain considerable volumes of highly sensitive protected health information. Phishing is one of the leading causes of healthcare data breaches. In August 2018, Augusta University Healthcare System announced that it was the victim of a phishing attack that saw multiple email accounts compromised. The breached email accounts contained the PHI of 417,000 patients. The incident stood out due to the number of individuals impacted by the breach, but it was just one of several healthcare organizations to fall victim to phishing attacks in August. Data from the HHS’ Office for Civil Rights shows email is the most common location of breached PHI. In July, 14 healthcare data breaches out of 28 involved email, compared to 6 network server PHI breaches – The second most common location of breached PHI. It was a similar story in May and June with 9 and 11 email breaches reported respectively. Cofense Research Shows Healthcare...

Read More
NIST Releases Guidance on Managing IoT Cybersecurity and Privacy
Oct01

NIST Releases Guidance on Managing IoT Cybersecurity and Privacy

The National Institute of Standards and Technology (NIST) has released a draft guidance document that aims to help federal agencies and other organizations understand the challenges associated with securing Internet of Things (IoT) devices and manage the cybersecurity and privacy risks that IoT devices can introduce. The guidance document – Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (NIST IR 8228) is the first in a series of new publications address cybersecurity and privacy together and the document is the foundation for a series of further publications that will explore IoT device cybersecurity and privacy in more detail. “IoT is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology devices,” explained NIST. In the guidance document, NIST identifies three high-level...

Read More
Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017
Sep28

Study Reveals 70% Increase in Healthcare Data Breaches Between 2010 and 2017

There has been a 70% increase in healthcare data breaches between 2010 and 2017, according to a study conducted by two physicians at the Massachusetts General Hospital Center for Quantitative Health. The study, published in the Journal of the American Medical Association on September 25, involved a review of 2,149 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights between 2010 and 2017. “While we conduct scientific programs designed to recognize the enormous research potential of large, centralized electronic health record databases, we designed this study to better understand the potential downsides for our patients – in this case the risk of data disclosure,” said Dr. Thomas McCoy Jr, director of research at Massachusetts General Hospital’s Center for Quantitative Health in Boston and lead author of the study. Every year, with the exception of 2015, the number of healthcare data breaches has increased, rising from 199 breaches in 2010 to 344 breaches in 2017. Those breaches have resulted in the loss, theft, exposure, or...

Read More
HIPAA Quiz Launched by Compliancy Group
Sep26

HIPAA Quiz Launched by Compliancy Group

A new HIPAA Quiz has been launched by the Compliancy Group, which serves as a quick and easy free tool to assess the current state of HIPAA compliance in an organization.   Healthcare organizations that have implemented policies and procedures to comply with the Health Insurance Portability and Accountability Act (HIPAA) Rules may think that they are fully compliant with all provisions of the HIPAA Privacy, Security, and Breach Notification Rules. However, HHS’ Office for Civil Rights (OCR) compliance audits and investigations into data breaches and complaints often reveal certain requirements of HIPAA have been missed or misinterpreted. OCR investigates all breaches of more than 500 records and so far in 2018, six financial penalties have been issued to HIPAA covered entities to resolve HIPAA violations. The average settlement/civil monetary penalty in 2018 is $1,491,166. State attorneys general also investigate data breaches and complaints and can also issue fines for noncompliance with HIPAA Rules. There have been five fines issued by state attorneys general in 2018 to resolve...

Read More
UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations
Sep24

UMass Memorial Health Care Pays $230,000 to Resolve Alleged HIPAA Violations

Mass Memorial Health Care has been fined $230,000 by the Massachusetts attorney general for HIPAA failures related to two data breaches that exposed the protected health information (PHI) of more than 15,000 state residents. A lawsuit was filed against UMass Memorial Health Care in which attorney general Maura Healey claimed UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., failed to implement sufficient measures to protect patients’ sensitive health information. In two separate incidents, employees accessed and copied patient health information without authorization and used that information to open cell phone and credit card accounts in the victims’ names. It was also alleged that UMass Memorial Medical Group Inc., and UMass Memorial Medical Center Inc., were both aware of employee misconduct, yet failed to properly investigate complaints related to data breaches and discipline the employees concerned in a timely manner. Both entities also failed to ensure that patients’ PHI was properly safeguarded. These failures violated Massachusetts data security...

Read More
August 2018 Healthcare Data Breach Report
Sep21

August 2018 Healthcare Data Breach Report

August was a much better month for the healthcare industry with fewer data breaches reported than in July. In August, 28 healthcare data breaches were reported to the HHS’ Office for Civil Rights, a 17.86% month-over-month reduction in data breaches. There was also a major reduction in the number of healthcare records that were exposed or stolen. In August, 623,688 healthcare records were exposed or stolen – A 267.56% reduction from August, when 2,292,522 healthcare records were breached. Causes of Healthcare Data Breaches in August 2018 Hacking incidents dominated the breach reports in August, accounting for 53.57% of all reported data breaches and 95.73% of all records exposed or disclosed in August. Eight of the top ten breaches were the result of hacks, malware, or ransomware attacks. Insider breaches are a major problem in the healthcare industry, more so than other verticals. In August there were nine insider breaches – 32.14% of the healthcare data breaches in August. Those breaches involved the unauthorized access or impermissible disclosure of 18,488 healthcare...

Read More
$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations
Sep20

$999,000 in HIPAA Penalties for Three Hospitals for Boston Med HIPAA Violations

Three hospitals that allowed an ABC film crew to record footage of patients as part of the Boston Med TV series have been fined $999,000 by the Department of Health and Human Services’ Office for Civil Rights (OCR) for violating Health Insurance Portability and Accountability Act (HIPAA) Rules. This is the second HIPAA violation case investigated by OCR related to the Boston Med TV series. On April 16, 2016, New York Presbyterian Hospital settled its HIPAA violation case with OCR for $2.2 million to resolve the impermissible disclosure of PHI to the ABC film crew during the recording of the series and for failing to obtain consent from patients. Fines for Boston Medical Center, Brigham and Women’s Hospital, & Massachusetts General Hospital Boston Medical Center (BMC) settled its HIPAA violations with OCR for $100,000. OCR investigators determined that BMC had impermissibly disclosed the PHI of patients to ABC employees during production and filming of the TV series, violating 45 C.F.R. § 164.502(a). Brigham and Women’s Hospital (BWH) settled its HIPAA violations...

Read More
California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt
Sep19

California Consumer Privacy Act Amendment Confirms HIPAA-Covered Entities Exempt

In June 2018, the legislature in California passed the California Consumer Privacy Act (CCPA) which introduced major changes to state law to protect the privacy of consumers. CCPA introduced new privacy protections and rights for consumers, several of which are similar to those introduced in Europe in the General Data Protection Regulation (GDPR). The CCPA does not go as far as GDPR and only applies to for-profit companies that hold the data of more than 50,000 individuals, but many of the new rights are similar, including the right to request access to personal data stored by a business, the right to be informed about the data that will be collected, the right to be informed whether personal data will be sold or disclosed, the right to have personal data deleted and to prevent personal data from being sold. The CCPA has been heavily criticized, especially by tech firms such as Facebook, Google and PayPal. A 38-page letter was sent to lawmakers in California by 38 trade groups who have voiced considerable concerns over the requirements of the CCPA, including sections of the law...

Read More
Final Participation Request: Emergency Preparedness Survey
Sep17

Final Participation Request: Emergency Preparedness Survey

Do you want to help determine the state of emergency preparedness in healthcare? Over 100 HIPAA Journal readers have already participated in this survey and this is the last chance to contribute by completing this short anonymous survey on emergency preparedness and security communications trends. This is an opportunity for you to find out how your healthcare industry colleagues nationwide communicate in emergency preparedness and security matters and where they expect to take these practices next. After you complete the survey, you will have the chance to enter into a raffle for a $150 gift card from the survey sponsor (RaveMobileSafety). If you provide your email address, you’ll receive the published (anonymous) results before they are released. HIPAA Journal will eventually publish the results. Note: HIPAA Journal is not conducting this survey and HIPAA Journal does not receive any payment for promoting this survey.  If your organization is running a survey that is interesting to healthcare professionals, you can contact us with the...

Read More
Texas Nurse Fired for Social Media HIPAA Violation
Sep13

Texas Nurse Fired for Social Media HIPAA Violation

A nurse at a Texas children’s hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. The pediatric ICU/ER nurse worked at Texas Children’s Hospital and posted a series of comments on Facebook about a rare case of measles at the hospital. The nurse was an anti-vaxxer and posted about the experience of seeing a boy at the hospital suffering from the disease – a disease that could have been prevented through vaccination. Her comments explained how the disease was much worse that she expected it to be, having not encountered anyone with the measles in the past.  She explained that it was a “rough” experience seeing the boy suffering from the disease. She also explained in her posts, “I think it’s easy for us non-vaxxers to make assumptions, but most of us have never and will never see one of these diseases,” and “By no means have I changed my vax stance, and I never will. But this poor kid was bad off and as a parent, I could see vaccinating out of fear,” as reported by...

Read More
Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information
Sep13

Hurricane Florence: OCR Issues Guidance on Appropriate Sharing of Health Information

On Wednesday, September 12, 2018, President Trump approved a request for a federal emergency declaration in the state of Virginia and made FEMA resources available for the state. The Secretary of the U.S. Department of Health and Human Services, Alex Azar, has also declared a Public Health Emergency in Virginia, North Carolina, and South Carolina. The Secretarial declaration eases certain HIPAA restrictions and helps Centers for Medicare & Medicaid Services’ (CMS) beneficiaries and their healthcare providers prepare for the possible impact of Hurricane Florence and provides greater flexibility to meet emergency health needs. During severe disasters and public emergencies healthcare providers face increased challenges and may struggle to continue to meet all requirements of the HIPAA Privacy Rule. In emergency situations, such as during hurricanes, the HIPAA Privacy Rule still applies; however, Alex Azar’s declaration of a Public Health Emergency means certain provisions of the Privacy Rule have been relaxed under the Project Bioshield Act of 2004 (PL 108-276) and section...

Read More
NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees
Sep12

NIST to Launch Privacy Framework to Help Companies Protect the Privacy of Customers and Employees

In 2014, the National Institute of Standards and Technology (NIST) published its Cybersecurity Framework – A framework of computer security guidance to help private sector companies assess their security policies and improve their ability to prevent, detect, and respond to cyberattacks. The Framework has been a huge success. Figures from Gartner suggest it has already been adopted by 30% of companies, and adoption of the Framework is mandatory for all federal agencies. Now NIST plans to start working on a new Framework to help companies protect the privacy of employees and customers in what has become an increasingly connected and complex environment. The NIST Privacy Framework will be a voluntary enterprise-level tool that will detail privacy outcomes and approaches to help organizations develop strategies for implementing flexible privacy protection solutions. The aim is to ensure that individuals can benefit from the use of innovative technologies such as IoT an AI, with the confidence that their privacy will be protected. Adopting the Privacy Framework will help organizations...

Read More
Medical Records from New Mexico Hospital Found Scattered in Street
Sep07

Medical Records from New Mexico Hospital Found Scattered in Street

The New Mexico Department of Health is currently investigating how the private medical records of some of its patients came to fall from a truck during transportation from the hospital to a secure storage facility. The records came from Turquoise Lodge Hospital, a rehabilitation center run by the New Mexico Department of Health that specializes in the treatment of parents and pregnant women who are recovering from substance abuse. The hospital had arranged for patients’ medical records to be collected and transported to a new location for storage. The paperwork was collected from the hospital on Thursday August 30; however, during transit some of those records fell out of the delivery truck onto a busy Albuquerque street. KRQE News 13 sent reporters to the scene who discovered medical records strewn along Avenida Cesar Chavez at I-25. Some of the paperwork had been collected by members of the public. The paperwork contained highly sensitive personally identifiable information (PII) and protected health information (PHI), including patients’ names, their medical histories, billing...

Read More
Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI
Sep06

Healthcare Organizations Reminded of Importance of Securing Electronic Media and Devices Containing ePHI

In its August 2018 cybersecurity newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is processed, transmitted, or stored on electronic media and devices. Electronic devices such as desktop computers, laptops, servers, smartphones, and tablets play a vital role in the healthcare, as do electronic media such as hard drives, zip drives, tapes, memory cards, and CDs/DVDs. However, the portability of many of those devices/media means they can easily be misplaced, lost, or stolen. Physical controls are therefore essential. Anyone with physical access to electronic devices or media, whether healthcare employees or malicious actors, potentially have the ability to view, change, or delete data. Device configurations could be altered or malicious software such as ransomware or malware could be installed. All of these actions...

Read More
NY Attorney General Fines Arc of Erie County $200,000 for Security Breach
Sep04

NY Attorney General Fines Arc of Erie County $200,000 for Security Breach

The Arc of Erie County has been fined $200,000 by the New York Attorney General for violating HIPAA Rules by failing to secure the electronic protected health information (ePHI) of its clients. In February 2018, The Arc of Erie County, a nonprofit social services agency and chapter of the The Arc Of New York, was notified by a member of the public that some of its clients’ sensitive personal information was accessible through its website. The information could also be found through search engines. The investigation into the security breach revealed sensitive information had been accessible online for two and a half years, from July 2015 to February 2018 when the error was corrected. The forensic investigation into the security incident revealed multiple individuals from outside the United States had accessed the information on several occasions. The webpage should only have been accessible internally by staff authorized to view ePHI and should have required a username and password to be entered before access to the data could be gained. In total, 3,751 clients in New York had...

Read More
ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units
Sep03

ICS-CERT Issues Advisory After Nine Vulnerabilities Discovered in Philips E-Alert Units

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a further advisory about Philips healthcare devices after nine vulnerabilities were self-reported to the National Cybersecurity & Communications Integration Center (NCCIC) by the Amsterdam-based technology company. This is the fourth advisory issued by ICS-CERT in the past month. Previous advisories have been issued over cybersecurity vulnerabilities in its central patient monitoring system – Philips IntelliVue Information Center iX (1 vulnerability), Philips PageWriter Cardiographs (2 vulnerabilities), and Philips IntelliSpace Cardiovascular cardiac image and information management software (2 vulnerabilities). The latest advisory concerns nine vulnerabilities discovered in Philips eAlert units – These are non-medical devices that monitor imaging systems such as MRI machines to identify issues rapidly before they escalate. The devices are used by healthcare providers around the world. One of the vulnerabilities is rated critical, five are high severity,...

Read More