Cyberattacks and Data Breaches Reported by Texas Medical Liability Trust, Bloom Health Centers and Other Healthcare Organizations

60,000 People Impacted by Texas Medical Liability Trust Data Breach The Texas Medical Liability Trust (TMLT) submitted a data breach report to the Maine Attorney General representing itself and its affiliate companies, Physicians Insurance Company, Texas Medical Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group with 59,901 people impacted. TMLT detected suspicious … Read more

Finding the Common Causes of Hacking/IT Incidents

The common source of healthcare data breach data is HHS Office for Civil Rights Breach Report. Although it is an important source of data to know the developments in data breaches, the Breach Report has limited scope since it merely shows data breaches impacting five hundred or more persons. In addition, when covered entities and … Read more

Sentinel Event Alert and State of External Exposure Management

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack The Joint Commission has published a Sentinel Event Alert offering guidance on keeping patient safety after a cyberattack. There has been an increase in sophisticated healthcare cyberattacks. The question is not if a healthcare provider will be attacked but when. Cyberattacks could result in … Read more

Vulnerabilities Found in 1,900 Citrix NetScaler Devices and Limited Use of Generative AI by Malicious Actors

Malicious Actors Still Limit the Use of Generative AI It is feared that malicious actors will take advantage of generative AI to support their malicious pursuits; nevertheless, the use of generative AI by malicious actors seems to be minimal, definitely for attack campaigns. Mandiant states that it is monitoring the interest of threat actors in … Read more

Data Breaches Reported by Cummins Behavior Health, Redwood Coast Regional Center and Other Healthcare Entities

Data of 4 Million Coloradans Exposed in MOVEit Transfer Attack The Colorado Department of Health Care Policy and Financing (HCPF), which supervises the Medicaid program of the state and the Child Health Plan Plus (CHP+) program, has just reported the compromise of the protected health information (PHI) of 4,091,794 people. The attack happened at IBM, … Read more

Top Industries Targeted by Cyber Threat Actors and 2022’s Most Often Exploited Vulnerabilities

Top Targets for Cyber Threat Actors According to Blackberry’s most recent Global Threat Intelligence Report, the two most attacked sectors are healthcare and financial services. The information for the report was gathered between March and May 2023 from its cybersecurity systems, which stopped over 1.5 million attacks at about 11.5 attacks every minute and discovered … Read more

VUMC and Norton Healthcare Face Class Action Lawsuit

Class Action Lawsuit Filed Against Norton Healthcare Over BlackCat Cyberattack Norton Healthcare based in Kentucky operates over 140 clinics and hospitals all across Kentucky and Southern Indiana. It is confronted with a class action lawsuit in association with a cyberattack and data breach in May 2023. Norton Healthcare has just exposed limited data regarding the … Read more

Approved Information Blocking Penalties and the Mission of OSHA

Approved Final Rule for Information Blocking Penalties of Up to $1 Million for Health IT Companies HHS-OIG already approved the civil monetary penalties for health IT companies that are found engaging in information blocking. Penalties of as much as $1 million may be issued for every violation. In 2016, sharing electronic health data became normal … Read more

Delaware’s Comprehensive Data Privacy Law and HSCC’s Coordinated Healthcare Incident Response Plan Template

Comprehensive Data Privacy Law Passed by the Delaware Legislature The Delaware legislature passed a comprehensive new data privacy law. Delaware Governor John Charles Carney Jr is likely to sign the Personal Data Privacy Act making Delaware the 12th U.S. state to implement a comprehensive data privacy law. Unlike the data privacy laws in the other … Read more

Cyberattacks at Precision Imaging Centers, Atrium Health Wake Forest Baptist, Marshall & Melhorn, and Murfreesboro Medical Clinic & SurgiCenter

Precision Imaging Centers located in Jacksonville, FL recently informed 31,010 patients with regards to a security breach that took place on or about November 2, 2022. Unauthorized persons acquired access to its system and extracted files that contain sensitive patient data. The breached data differed from one patient to another and might have involved first … Read more

Final Rule on Cyber Incident Disclosures and New Nevada Consumer Health Data Bill

SEC Postpones Final Rule on Cyber Incident Disclosures The Securities and Exchange Commission (SEC) was scheduled to release a final rule, mandating publicly traded companies to disclose important cyber breaches in their regulatory filings within four days of discovering a breach. The decision has been postponed until October 2023, prolonging the process. In March 2022, … Read more

New MOVEit Zero-Day Vulnerability, Critical Vulnerability in VMware Aria Operations for Networks, and CISCO AnyConnect Secure Vulnerability

Progress Software Alerts of New MOVEit Zero-Day Vulnerability – Quick Action Necessary Progress Software has released an alert concerning a new vulnerability identified in its MOVEit Transfer file transfer software program. It is an exploit that is available in the public domain. The announcement is given since the Clop ransomware group begins to identify organizations … Read more

Lawsuit Against Blackbaud and the New Limits of the Identity Theft Legislation

Blackbaud Had No Common Law Duty to Protect the Confidentiality of Trinity Health’s Records An Indiana district court judge has decided in support of the plaintiff in a lawsuit that alleged negligence for not preventing a breach of protected health information (PHI), stating that there is no common law duty in Indiana to protect the … Read more

Trends in Data Breaches According to the 2023 Verizon Data Breach Investigations Report

Trends in Data Breaches According to the 2023 Verizon Data Breach Investigations Report Verizon 2023 DBIR: Rising Social Engineering Attacks While Ransomware Plateaus The Verizon 2023 Data Breach Investigations Report (DBIR) was published to offer insights into the present threat landscape and trends in data breaches. This 2023, the report analyzed 16,312 security events, where … Read more

Latest News About Cyberattacks and Email Account Compromise on Healthcare Providers

Ohio Hospital Exposed Nurses and Other Staff to Workplace Violence The Occupational Safety and Health Administration (OSHA) has confirmed that a children’s hospital based in Columbus, Ohio didn’t sufficiently safeguard healthcare staff from violence in the workplace. Patients assaulted nurses and other medical specialists and their kicks, bites, punches, and other attacks resulted in the … Read more

Revised Pennsylvania Breach of Personal Information Notification Act and New StopRansomware Guide

The 2022 change to the Pennsylvania Breach of Personal Information Notification Act (BPINA) is currently in force. The revision extended the definition of personal data adding medical data, medical insurance details, and usernames along with a security question/answer or a password that enables access to an account. The change to BPINA was approved on November … Read more

The BianLian Ransomware Group and Vulnerabilities on Illumina Sequencing InstrumentsIllumina Sequencing Instruments

FBI and CISA Warn About BianLian Ransomware and Extortion Group The Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with regard to the BianLian ransomware and data extortion group. The BianLian group is attacking organizations in America since June 2022 and … Read more

SuperCare’s Proposed Data Breach Settlement and the Lawsuit Against University of Iowa Hospitals and Clinics

SuperCare Offers to Pay $2.25 Million to Resolve Data Breach Lawsuit SuperCare, a home care service provider in California, has offered to pay $2.25 million to settle a class action lawsuit associated with a 2021 hacking incident wherein the protected health information (PHI) of 318,379 patients was exposed. SuperCare noticed a network attack on July … Read more

Lawsuits Against One Brooklyn Health, 90 Degree Benefits, and Lehigh Valley Health Network

One Brooklyn Health Faces Lawsuit Over 235K-Record Data Breach One Brooklyn Health based in New York City manages three acute care hospitals, namely Interfaith Medical Center, Brookdale Hospital Medical Center, and Kingsbrook Jewish Medical Center. A class-action lawsuit has been filed against One Brooklyn Health associated with a data breach that was uncovered in November … Read more

Recent Data Breaches Reported by Santa Clara Family Health Plan and Other Healthcare Organizations

Santa Clara Family Health Plan Encountered a Clop GoAnywhere Hack On March 30, 2023, Santa Clara Family Health Plan reported a 276,993-record data breach to the HHS’ Office for Civil Rights that was a result of a Clop ransomware group hacking incident involving Fortra’s GoAnywhere MFT solution. The group took advantage of an earlier unidentified … Read more

Arizona Veterans’ Healthcare Facility Exposed Staff to Potentially Fatal Conditions and Other Data Breaches Reported

The investigation of an Arizona Department of Veteran Affairs (VA) healthcare facility showed that workers were put at risk because they were exposed to potentially fatal hazards on steam lines. Workers were permitted to do work on the steam lines without making sure the necessary safety protocols are in place. Government agencies like the VA … Read more

Proposed HIPAA Privacy Rule Update and CISA’s Updated Zero Trust Maturity Model

The HHS’ Office for Civil Rights has issued a Notice of Proposed Rulemaking (NPRM) concerning a  HIPAA Privacy Rule update to reinforce the protection of privacy for reproductive health information. The proposed revision is in response to the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization as well as the overturning of Roe v. Wade, which … Read more

Health-ISAC Report on Present and Upcoming Cyber Threats to the Healthcare Industry

Ransomware and phishing are still the biggest concerns in terms of cybersecurity for healthcare providers based on Health-ISAC’s Current and Emerging Healthcare Cyber Threat Landscape report for February 2023. The joint report by Booz Allen Hamilton Cyber Threat Intelligence (CTI) and Health-ISAC reveals the major threats to the healthcare industry. It is based on a … Read more

How the Federal Government Can Strengthen Healthcare Cybersecurity

The U.S. Senate Committee on Homeland Security and Governmental Affairs conducted a hearing to look at cybersecurity threats to the healthcare industry, what healthcare companies and the federal government are doing to overcome those risks, and know what the federal government must do to boost defenses against healthcare industry cyberattacks. Committee Chairman, Gary C. Peters … Read more

Lehigh Valley Health Network and Maternal & Family Health Services Face Lawsuit Over Ransomware Attack

Lehigh Valley Health Network (LVHN) is facing a lawsuit om association with its latest BlackCat ransomware attack. The attack resulted in the encryption of files after exfiltrating data as is common in ransomware attacks; nevertheless, the attack was distinct because of the aggressive step of the ransomware group to exert more pressure on LVHN to … Read more

Data Breaches Reported by Dental Health Management Solutions, Nursing Rehab Centre, The Chautauqua Center, Northeast Surgical Group, and White Bird Clinic

Dental Health Management Solutions Alerted Patients About Historic Data Breach Dental Health Management Solutions (DHMS) based in Cedar Park, TX provides the military/government and private individuals with dental services. It recently reported the exposure of the protected health information (PHI) of some patients as a result of a hacking incident in 2021. In the notification … Read more

DoppelPaymer Ransomware Core Members and Medicare Beneficiary Identifier Theft Conspirator Arrested

DoppelPaymer Ransomware Core Members Arrested in Europol-Driven Operation Two persons alleged of being key DoppelPaymer ransomware group members were detained — one by the police in Germany and another by the Ukrainian Police officers and Ukraine German Regional Police. It is This organized law enforcement operation was led by Europol. The Federal Bureau of Investigation … Read more

HPH Sector Warned Against Clop Cyberattacks and MedusaLocker Ransomware Attacks

At the beginning of February, attackers exploited a zero-day vulnerability (CVE-2023-0669) found in Fortra’s GoAnywhere MFT secure file transfer software on over 130 companies, which include a few companies in the healthcare sector, for instance, Community Health Systems (CHS) in Tennessee. That attack impacted around 1 million patients. Fortra released a notification regarding the vulnerability … Read more

Roundup of Recent Data Breaches and Cyber Attacks

mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years The mobile pharmacy company, mscripts, has just reported that its misconfigured cloud storage environment resulted in the exposure of client information on the internet for the last 6 years. mscripts discovered the misconfiguration and fixed it on November 18, 2022. Since September 30, 2016, the cloud … Read more

GoAnywhere MFT Hack Impacts Up to 1 Million Community Health Systems Patients and Growing Gootloader Attacks

Community Health Systems based in Franklin, TN recently reported being affected by a security incident that happened at cybersecurity firm, Fortra. Unauthorized people acquired access to the protected health information (PHI) of around 1 million of its patients. Community Health Systems is one of the United States’ biggest health systems. It manages 79 hospitals and … Read more

Cyber Attacks on VMware ESXi Servers, Sharp HealthCare, Regal Medical Group, and Southeast Colorado Hospital District

The French Computer Emergency Response Team (CERT-FR) issued a warning regarding a persistent ransomware campaign attacking VMware ESXi hypervisors without patching against the critical heap-overflow vulnerability monitored as CVE-2021-21974. VMware released a patch on February 3, 2021, to resolve the vulnerability; even so, hundreds of VMware ESXi virtual machines remain vulnerable to the exploit and … Read more

Round-up of Cyberattacks and Data Breaches Affecting Healthcare Organizations

Multiple Vulnerabilities Discovered in OpenEMR Health Record and Practice Management Software More than 100,000 healthcare providers across the globe use the open source electronic health record and medical practice management software called OpenEMR. They use it to document and process sensitive patient information. Over 200 million patients utilized the software to book appointments on the … Read more

Ransomware Income Decrease as Victims Decline to Pay Ransoms

Ransomware groups are profiting less from their attacks as fewer victims give ransom payments to get the decryption keys and keep the stolen data from being exposed, according to two newly revealed reports from the ransomware remediation company, Coveware, and blockchain analysis organization, Chainalysis. Coveware revealed that in Quarter 1 of 2019, 85% of ransomware … Read more

Ethics, the Challenge of Using AI in Healthcare

Based on a survey performed by Dataiku in 2020, the main organizational challenge that delays the use of AI in healthcare settings is ethics. Even though particular concerns vary by company, the concerns could typically be classified as informed permission to use information, safety and visibility, algorithmic fairness, and data privacy. These issues aren’t distinct … Read more

Applications of AI in Healthcare

The subject of AI in healthcare frequently gets different responses. Although a number of people believe in the advantages of using AI in healthcare and the substantial rewards to patients, other people have worries concerning the ethics of AI in healthcare and hesitate in the use of AI in healthcare due to insufficient understanding of … Read more

Retreat Behavioral Health, Maternal & Family Health Services, and L. Knife & Son Reported Data Breaches

Maternal & Family Health Services based in Eastern Pennsylvania lately informed a number of patients regarding a ransomware attack on April 4, 2022 that resulted in the exposure of sensitive patient data. As soon as the healthcare provider detected the attack, it secured the systems and engaged a third-party computer forensics company to look into … Read more

Diagnostic Lab Resolves Medical Record Access Case for $16,500

The HHS’ Office for Civil Rights (OCR) made an announcement of its first HIPAA enforcement action for 2023. The OCR is reminding HIPAA-covered entities of their responsibility to provide people and their personal representatives with prompt access to their health documents. Life Hope Labs, LLC, has agreed to pay the $16,500 penalty to resolve the … Read more

2023 Version of HITRUST Cybersecurity Framework Released

The information risk management, standards, and certification agency, HITRUST, made an announcement that it is going to release a new version of its well-known cybersecurity framework this January. HITRUST CSF Version 11 includes a number of enhancements to make sure the framework remains applicable, with enhanced mitigations against changing and arising cybersecurity threats, at the … Read more

HPH Sector Cautioned About Pro-Russian Hacktivist Group’s DDoS Attacks

The healthcare and public health (HPH) industry has been cautioned regarding the likelihood of cyberattacks conducted by a pro-Russian hacktivist gang called KillNet, after a new cyberattack on a U.S. healthcare group. KillNet started its operations during the time when Russia occupied Ukraine, from January to March 2022. From that time on, the hacktivist group … Read more

Around 254,000 Medicare Beneficiaries Impacted by CMS Subcontractor Ransomware Attack

On November 14, 2022, Health Care Management Solutions (HMS) located in Fairmont, WV announced a data breach to the HHS’ Office for Civil Rights that affected approximately 500,000 people. During that time, limited information regarding the breach was revealed. Now, it is affirmed that HMS experienced a ransomware attack last October 8, 2022. As a … Read more

New Proposed Rule by HHS to Enforce HIPAA Standard for Healthcare Attachments and Electronic Signatures

The Secretary of the Department of Health and Human Services (HHS) has a new proposed rule that will call for the use of criteria for healthcare transactions and electronic signatures utilized together with those transactions to support healthcare cases and previous authorization dealings. The new guideline will impose the conditions of the Administrative Simplification Requirements … Read more

Automation Can Aid Network Defenders to Accomplish More Quickly and Be Ahead of Hackers

Automation reduces expenses and enhances productivity. It is vital in cybersecurity just like in manufacturing. A lot of labor-intensive security work may be automated to enable network defenders to accomplish more quicker, such as port scanning, monitoring, scanning vulnerability, and patching. There are different security tools that may be utilized to automate work to enable … Read more

Guide Published for Evaluating and Enhancing Connected Medical Device Security

One of the major cybersecurity issues in healthcare is the safety of medical devices. Hospitals still use a lot of connected healthcare devices and in so doing they considerably expand the attack surface. A new survey identified a connection between the volume of connected healthcare devices in medical centers and the number of cyberattacks they … Read more

Healthcare Sector Impending Risk Due to Cuba Ransomware Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint cybersecurity warning concerning the Cuba Ransomware and have provided information on the tactics, techniques, and procedures (TTPs) utilized by the ransomware group, together with Indicators of Compromise (IoCs) to help system defenders strengthen their defenses against ransomware … Read more

119 Pediatric Practices Impacted by EHR Vendor Breach

Connexin Software Inc., an electronic medical records and practice management software provider to pediatric doctor practice groups has lately reported that it encountered a cyberattack wherein an unauthorized third party acquired access to its internal computer system. Although the electronic medical record system wasn’t viewed in the attack, and there was no access to its … Read more

Forefront Dermatology Negotiates $3.75 Million Settlement to Take Care of Ransomware Lawsuit

The dermatology practice, Forefront Dermatology, based in Wisconsin has decided to settle a class action lawsuit filed on behalf of patients who had their protected health information (PHI) compromised in a ransomware attack in late May 2021. Forefront Dermatology has associate practices in 21 states and Washington D.C. In May 2021, the Cuba ransomware group … Read more

Up to 1.5 Million Patients Affected by Adding a Tracking Code to the Community Health Network Website

Community Health Network in Indiana is the most recent healthcare company to announce the impermissible disclosure of protected health information (PHI) of patients to Google and Meta/Facebook as a result of adding their tracking code on its web pages. Based on the breach report sent to the HHS’ Office for Civil Rights, the PHI of … Read more

Data Exposed at Alta Forest Products, Hilario Marilao, M.D, and Three Rivers Provider Network

Alta Forest Products based in Chehalis, WA has encountered a cyberattack where the protected health information (PHI) of around 2,100 Alta Forest Products Health and Welfare Plan members was compromised. The company detected the security breach on September 1, 2022, and fast action was undertaken to protect its systems and stop continuing unauthorized access. The … Read more

Feds Publish Guidance on Responding and Lowering Impact of DDoS Attacks

The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA) just released guidance for government and private institutions on the avoidance and mitigation of distributed Denial of Service (DDoS) attacks. These attacks are performed to overburden programs and sites with traffic, as a … Read more