Enterprise IT security news and advice

Data Breaches at Arizona Asthma and Allergy Institute, Stillwater Medical Center and Nebraska Department of Health and Human Services

Arizona Asthma and Allergy Institute has sent breach notification letters to 70,372 patients who received services between October 1, 2015 and June 15, 2020. According to the breach notice, some of their personal data and protected health information (PHI), such as names, patient ID numbers, healthcare provider names, health insurance data, and treatment cost details, were exposed on the internet under the name of another organization for...

HSCC Asks Biden for Funding to Strengthen the Cybersecurity Posture of the Healthcare Industry

The Healthcare and Public Health Sector Coordinating Council (HSCC) has urged President Biden to provide more funding and support to strengthen the cybersecurity posture of the healthcare industry and improve its resilience against cyberattacks. In a recent letter to President Biden, copied to Senate and House party leaders, the HSCC requested additional funding to help the healthcare sector address cyber threats, make...

Social Media and HIPAA Compliance

Social media platforms such as Facebook, Snapchat, Twitter, and Instagram allow healthcare organizations to promote their services easily and attract new clients. Healthcare organizations can use social media to connect with patients, announce their services, and encourage patients to take a more active role in their care. Although there are many advantages to using social media in...

Third-Party Phishing Attack Affects 34,862 Lafourche Medical Group Patients

Lafourche Medical Group, an urgent care center operator in Louisiana, has notified 34,862 patients of a security breach that likely affected their protected health information (PHI). Lafourche Medical Group discovered on March 30, 2021 that a third-party accountant had responded to a phishing email impersonating one of the group's business owners and had shared account information with the threat actor. The exposed...

Healthcare Organizations Dealing with Higher Cyber Insurance Costs for Less Coverage

More cyberattacks are being reported now than ever before. A few years ago, healthcare cyberattack reports were received at a rate of about one per day; in 2021, there have been months in which attacks were reported at double that rate. The severity of attacks has also increased, and the cost of dealing with and recovering from them is now much higher. The probability of a...

420,433 People Affected by Health Plan of San Joaquin Email Security Breach

Health Plan of San Joaquin (HPSJ), a not-for-profit Medi-Cal managed care provider based in French Camp, CA, has learned that an unauthorized individual gained access to its email system and may have viewed or obtained sensitive data. HPSJ noticed a likely email breach on or around October 12, 2020 after identifying suspicious activity in its email system. The health plan confirmed on October 23,...

Is it a HIPAA Violation to Require Confirmation of Vaccine Status?

There is a great deal of misunderstanding about asking a person whether they have had a COVID-19 vaccine. Is it a HIPAA violation, especially when employers ask their personnel for proof of COVID-19 vaccination before they can stop wearing a face mask in the workplace? The Health Insurance Portability and Accountability Act (HIPAA) contains provisions relating to personal privacy and the uses and...

Ransomware Gangs Use New Triple Extortion Tactics

Following the DarkSide ransomware attack on Colonial Pipeline, several ransomware gangs have ceased operations or have introduced rules that their affiliates must follow, including a ban on attacks on critical infrastructure companies, healthcare organizations, and government institutions. Some prominent hacking forums are distancing themselves from ransomware and have banned ransomware gangs from advertising...

President Biden Signs Expansive Executive Order to Enhance Federal Network Cybersecurity

On May 13, 2021, President Biden signed a comprehensive Executive Order that seeks to significantly strengthen cybersecurity protections for federal systems, improve threat information sharing between the private sector, the government, and law enforcement, and introduce a cyber threat response playbook to speed up incident response and mitigation. The 34-page Executive Order sets short deadlines for implementing...

PHI Compromised in Breaches at University of Florida Health Shands, St. John’s Well Child and Family Center and St. Paul’s PACE

University of Florida Health Shands has learned that a former employee viewed the health records of 1,562 patients without authorization. The HIPAA violations were discovered on April 7, 2021. The provider promptly terminated the employee’s access to medical records pending an investigation, which established that the employee had been accessing patient health records without authorization between March 30, 2019 and April...

NIST Seeks Feedback on Planned Updates to HIPAA Security Rule Implementation Guidance

The National Institute of Standards and Technology (NIST) is preparing to revise and update its guidance on implementing the HIPAA Security Rule and is seeking input from stakeholders on aspects of the guidance that should be changed. NIST published the guidance – NIST Special Publication (SP) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and...

Three Actively Exploited Zero-Day Vulnerabilities in SonicWall Email Security

Three zero-day vulnerabilities discovered in SonicWall Email Security products are being actively exploited in the wild by one or more threat actors. The vulnerabilities can be chained to obtain administrative access to enterprise systems and execute code. SonicWall Email Security products are available as a physical appliance, a virtual appliance, a hosted SaaS solution, or a software installation, and provide protection against phishing, spear...

Higher Ransom Payments Due to Accellion FTA Data Exfiltration Extortion Attacks

The latest Coveware Quarterly Ransomware Report states that the growth in ransomware attacks seen in 2020 has continued in 2021, with many threat actors targeting the healthcare industry. Healthcare accounted for 11.6% of all ransomware attacks in Q1 2021, the same share as the public sector. Attacks on professional services companies accounted for 24.9% of all attacks. Although ransom demands fell in Q4 2020, that trend...

Data Breaches Reported by the American College of Emergency Physicians, Epilepsy Florida and VEP Healthcare

The American College of Emergency Physicians (ACEP) has begun notifying some of its members that their personal data stored on a server was accessed without authorization. In addition to providing professional services to its members, ACEP provides management services to organizations such as the Society for Emergency Medicine Physician Assistants (SEMPA), the Emergency Medicine Residents’ Association (EMRA), and the Emergency...

Montefiore Medical Center Staff Laid Off and Belden Class Action Lawsuit

Montefiore Medical Center has discovered that another employee accessed patient records without a valid work reason. The New York hospital reported in February 2020 that one employee had been found to have accessed patient health records without authorization for a period of 5 months in 2020, and another employee had been found to have obtained the protected health information (PHI) of around 4,000 patients between...

Hackers Stole the PHI of Over 200,000 Washington D.C. Health Plan Members

CareFirst BlueCross BlueShield Community Health Plan District of Columbia (CHPDC) is notifying its members about a cyberattack that resulted in the theft of their protected health information (PHI). CHPDC, previously known as Trusted Health Plans, discovered a breach of its computer networks on January 28, 2021. The Washington D.C.-based health plan took rapid action to isolate the affected computers and secured its...

What is Texas HB 300?

What is Texas HB 300, who must comply with the legislation, and what are the fines and penalties for noncompliance? This post addresses these and other important questions about Texas HB 300. What is Texas HB 300? The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that sets minimum privacy and security standards for healthcare organizations. HIPAA generally covers healthcare organizations located in...

Over 1.2 Million Health Net Members Impacted by Cyberattack on Accellion

Several healthcare organizations have recently confirmed that they were affected by the Accellion cyberattack in December 2020. The attack was linked to the Clop ransomware gang, whose leak site published portions of the data stolen in the attack, although it appears that no ransomware was deployed. Accellion’s file transfer solution was used for sending files too large to be transmitted by email. Health Net was the platform...

Data Breaches at Mobile Anesthesiologists, Haven Behavioral Healthcare and Heart of Texas Community Health Center

Mobile Anesthesiologists recently discovered that a limited amount of patients’ protected health information (PHI) had been exposed because of a technical misconfiguration. The problem appears to have occurred before December 14, 2020 and allowed public access to PHI such as names, health insurance details, dates of service, medical procedures, and dates of birth. An investigation of the issue concluded on January 28, 2021 and it...

UPMC and Charles Hilton and Associates Face Class Action Lawsuit Over 36,000-Record Breach

The University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are facing a class-action lawsuit over a breach of the protected health information (PHI) of 36,000 UPMC patients. Charles Hilton and Associates, which handles UPMC’s collections, reported that attackers had gained access to the email accounts of several of its staff between April and June 2020. According to the investigation...

Data Breaches at California Department of State Hospitals and Eyemart Express

The California Department of State Hospitals (DSH) has learned that an employee accessed the protected health information (PHI) of 1,415 current and former patients and 617 staff members without authorization. The employee held an Information Technology position and had access to data servers containing sensitive patient and staff information in order to perform work assignments. DSH discovered the inappropriate access on February 25, 2021 while...

Data Breaches at New London Hospital, Child Focus and Orlando Health South Lake Hospital

New London Hospital in central New Hampshire has determined that an unauthorized person accessed a file on its system in July 2020 and may have obtained the protected health information (PHI) of 34,878 patients. A third-party cybersecurity firm assisted with the investigation and confirmed on February 16, 2021 that the person accessed the file briefly and may have copied it. The file contained patient names,...

Phishing Attack on Saint Alphonsus Health System, Saint Agnes Medical Center and Southeastern Minnesota Center for Independent Living

A phishing attack on Boise, ID-based Saint Alphonsus Health System potentially compromised the information of its patients, including patients of Saint Agnes Medical Center in Fresno, CA. Saint Alphonsus detected unusual activity in an employee’s email account on January 6, 2021. The provider immediately secured the account and investigated the incident to determine the source...

Virginia Consumer Data Protection Act Approved

Governor Ralph Northam has signed the Virginia Consumer Data Protection Act (CDPA) into law. The CDPA requires businesses operating in the Commonwealth of Virginia to comply with new data privacy and security requirements, and it takes effect on January 1, 2023. The CDPA shares a number of privacy and security requirements with the EU’s General Data Protection Regulation (GDPR), which took effect on March 25, 2018,...

PHI Exposed as a Result of Data Breaches at Pennsylvania Adult & Teen Challenge And Gore Medical Management

Pennsylvania Adult & Teen Challenge, based in Rehrersburg, PA, has announced that an unauthorized individual gained access to employee email accounts containing the PHI of 7,771 people. The provider operates addiction treatment programs for adults and adolescents. On July 29, 2020, the provider noticed suspicious activity in an email account and took action to prevent further access and investigate the incident. The investigation...

Online Storage Vendor Pays Ransom to Retrieve Healthcare Data Stolen During Cyberattack

The protected health information (PHI) of 29,982 patients of Harvard Eye Associates in Laguna Hills, CA was potentially stolen in a cyberattack on its cloud storage provider. The medical and surgical eye care provider was notified on January 15, 2021 that attackers had gained access to the storage vendor’s computer network and exfiltrated data. It is not known whether the attackers encrypted...

100% of Tested mHealth Apps Vulnerable to API Attacks

The personally identifiable health information of a large number of people is being exposed through the Application Programming Interfaces (APIs) used by mobile health (mHealth) apps, according to a recent study published by the cybersecurity firm Approov. Ethical hacker and researcher Alissa Knight conducted the study to determine how well protected popular mHealth apps are and whether it is possible to gain access to users’...

$75,000 Paid by Renown Health to Settle its HIPAA Right of Access Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) is continuing its enforcement initiative against noncompliance with the HIPAA Right of Access. This week OCR announced its fifteenth settlement resolving a HIPAA Right of Access enforcement action. Renown Health, a non-profit healthcare network in Northern Nevada, agreed to pay a financial penalty of $75,000 to settle its HIPAA case with OCR in order to resolve its...

Ransomware Attacks on Ramsey County and Crisp Regional Health Services and Vulnerability in Vaccine Scheduling Application

The County Manager’s Office of Ramsey County, MN has begun notifying 8,700 clients of its Family Health Division that some of their personal data may have been accessed by unauthorized persons as a result of a ransomware attack on its vendor, Netgain Technology LLC. St. Cloud-based Netgain Technology LLC provides technology services to Ramsey County, including an application used by the Family Health Division for...

Brandywine Urology Consultants Data Breach Lawsuit Dismissed for Lack of Evidence of Harm

The Delaware Superior Court has dismissed a lawsuit filed on behalf of individuals affected by a Brandywine Urology Consultants data breach because the plaintiffs failed to present evidence that they had suffered harm as a result of the breach. Brandywine Urology Consultants experienced a ransomware attack on January 27, 2020. The attack was detected two days later, and the subsequent investigation confirmed that the attackers had gained access to...

Philadelphia Department of Public Health Ends Vaccine Distribution Agreement Due to Alleged Privacy Breaches

The Philadelphia Department of Public Health has terminated its contract with Philly Fighting COVID to administer COVID-19 vaccines in the city of Philadelphia because of allegations that the company’s privacy policies may have allowed the sale of private information to third parties. Philly Fighting COVID started as a nonprofit providing coronavirus testing and then moved into administering COVID-19 vaccinations. The...

$5.1 Million Penalty Paid by Excellus Health Plan to Settle HIPAA Violation Case

Health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to the Department of Health and Human Services’ Office for Civil Rights to settle a HIPAA violation case related to a 2015 data breach that affected 9.3 million individuals. Excellus Health Plan discovered the breach in 2015, the same year as the massive data breaches at the health insurers Anthem Inc. (78.8 million...

Email Security Breaches at Roper St. Francis Healthcare and Einstein Health Network

Roper St. Francis Healthcare has notified 189,761 patients that an unauthorized individual accessed some of their protected health information (PHI) stored in employee email accounts. The provider detected the email security breach in late October 2020, and the subsequent investigation confirmed that three email accounts were compromised between October 14 and October 29, 2020. The email accounts were reviewed to determine whether...

Emsisoft Reports at Least 560 Ransomware Attacks on U.S. Healthcare Facilities in 2020

Ransomware attacks had a major impact on companies and organizations in the United States in 2020. Ransomware gangs targeted the healthcare and education sectors and federal, state, and municipal governments and agencies. These sectors suffered at least 2,354 attacks in 2020, according to the latest State of Ransomware report from Emsisoft, a cybersecurity company based in New Zealand. Ransomware attacks increased toward the latter part of...

Twitter Paid $544,000 Penalty for its GDPR Data Breach Violations

Twitter has paid a penalty of €450,000 ($544,600) for a General Data Protection Regulation (GDPR) violation. Ireland’s Data Protection Commission (DPC) issued the penalty in connection with a privacy breach report that Twitter submitted in January 2019. Twitter International Company submitted a breach notification to the DPC on January 8, 2019, and on January 22, 2019 the DPC opened an investigation of Twitter to determine whether it...

OCR to Have Enforcement Discretion in Relation to the Use of Internet or Cloud-based Scheduling Software for COVID-19 Vaccination Sessions

The Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and will not impose financial penalties on HIPAA-covered entities or business associates for HIPAA violations arising from the good faith use of online or web-based scheduling applications (WBSAs) to book individual appointments for COVID-19 vaccinations. The notice of enforcement discretion is...

M.D. Anderson Cancer Center’s $4.3 Million HIPAA Penalty Vacated on Appeal

The U.S. Court of Appeals for the Fifth Circuit has vacated the $4,348,000 HIPAA violation penalty imposed on the University of Texas M.D. Anderson Cancer Center by the Department of Health and Human Services’ Office for Civil Rights. The civil monetary penalty was imposed on M.D. Anderson in 2018 following an investigation of three data breaches reported to OCR between 2013 and 2014 involving the loss or theft of...

Benefits of Healthcare Text Messaging Highlighted by New Study

Further evidence has emerged of the benefits of healthcare text messaging. A recently published study in the Journal of the American Heart Association indicated that an automated mHealth intervention using smartphone and text message tracking applications could be an effective way to increase patients’ physical activity levels. The benefits of increased activity levels, particularly for patients with...

Highmark BCBS of Delaware Investigates Data Breach Affecting 19K People

Highmark BlueCross BlueShield of Delaware is investigating a data breach that has affected 19,000 individuals covered by employer-paid health policies. The breach involves two Highmark BCBS contractors – BCS Financial Corporation and Summit Reinsurance Services. Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying that 16 current and former Highmark self-insured clients have been affected....

$475K Settlement for Late HIPAA Breach Notification

The Department of Health and Human Services’ OCR has announced the first HIPAA settlement of the year. It is also the first settlement to date based solely on an unnecessary delay in issuing breach notifications after the exposure of patients’ protected health information. Presence Health, one of the largest healthcare systems serving Illinois, has agreed to pay OCR $475K to resolve potential violations of the HIPAA Breach Notification Rule. After a...

108 L.A. County Workers Impacted by Phishing Attack – 756K Affected

The County of Los Angeles took some time to announce that it was the victim of a large phishing attack, particularly considering that the attack was discovered within a day of the May 2016 breach. However, the announcement had to be delayed so as not to interfere with an “extensive” criminal investigation. The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In several cases,...

OCR Warns Covered Entities of the Risk of DDoS Attacks

Over the past few weeks, there has been a rise in Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. The attacks involve flooding systems with requests and data in order to make them fail. The attacks have taken large parts of the Internet offline, halted email systems, and knocked out other computer equipment. DDoS attacks on healthcare organizations could prevent patients...

UMass to Pay the Office for Civil Rights $650K to Settle HIPAA Violations

The Department of Health and Human Services’ OCR has agreed to a $650K settlement with the University of Massachusetts Amherst (UMass). The settlement resolves HIPAA violations that resulted in UMass suffering a malware infection in 2013. In early 2013, malware was installed on a workstation in the Center for Speech, Language, and Hearing. The infection led to the impermissible disclosure of the electronic protected health...

Seguin Dermatology Announces Ransomware Attack; ePHI Access Possible

Texas-based Seguin Dermatology has begun notifying patients of a ransomware attack that may have resulted in electronic protected health information being accessed without authorization. The attack occurred on or around September 12, 2016 and affected a computer network used by the office of Robert J. Magnon, MD. The ransomware encrypted many file types, preventing access to data. Although the computer network was not used to store...

Kaiser Permanente Notifies Members of ePHI Exposure

Kaiser Permanente is notifying some of its members of a website configuration error that resulted in the exposure of some of their protected health information. Fortunately, the error was quickly identified and ePHI was exposed for only about 2 hours. On October 12, 2016, an update was applied to the Kp.org website to improve page loading speed; however, a misconfiguration resulted in the exposure of some members’ ePHI to other site...

Operations Cancelled After 3 UK Hospitals are Paralyzed by Computer Infection

Cyberattacks on healthcare providers in the U.S. are occurring at an alarming rate; however, it is not only U.S. healthcare organizations that are being targeted by cybercriminals. Over the weekend, a major security incident was reported by a National Health Service Trust in the U.K. The incident has resulted in computer systems being taken offline and scheduled operations and appointments being cancelled at 3 U.K. hospitals – Princess of Wales Hospital in...

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers

Many healthcare providers have now switched from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be communicated quickly and efficiently between physicians and care team members. Those platforms include the security features necessary to ensure that messages cannot be intercepted and viewed by unauthorized individuals. Pagers, however, typically lack security controls such as encryption. Numerous...

St. Joseph Health to Pay OCR $2.14 Million to Resolve HIPAA Case

The Department of Health and Human Services’ OCR has announced that it has agreed to settle potential violations of the HIPAA Privacy and Security Rules with St. Joseph Health (SJH). St. Joseph Health must pay $2,140,500 to OCR and implement a corrective action plan (CAP) to bring its policies and procedures up to the standard required by HIPAA. St. Joseph Health is a not-for-profit integrated Catholic health care delivery system sponsored by the...

OCR Warns of FTP Vulnerabilities in NAS Devices

The Department of Health and Human Services’ OCR has issued a warning to HIPAA-covered entities and their business associates about a surge in attacks on network attached storage (NAS) devices. The devices are being attacked using a strain of malware known as Mal/Miner-C, also called PhotoMiner. The attack exploits File Transfer Protocol (FTP) weaknesses in network attached storage devices. The malware was...

Guidance on HIPAA and Cloud Computing Issued by HHS

The Department of Health and Human Services has issued updated guidance on cloud computing and HIPAA to help covered entities take advantage of the cloud without risking a HIPAA violation. The main focus of the guidance is the use of cloud service providers (CSPs). CSPs that are legally separate entities from a HIPAA-covered entity are classed as business associates under HIPAA if the cloud service provider has to...
