Ransomware Attack Disables Campbell County Health Services

A ransomware attack at Campbell County Health has disrupted hospital services and left the organization unable to access patient information.  Campbell County Health, based in Gillette, Wyoming, stated that the ransomware attack began at 3:30 am on Friday, September 20, 2019. The attack caused ‘serious computer issues’ and left the hospital unable to offer many of its services, including respiratory therapy or radiology exams. ...

Data Security Incident at SSCPG Affects 10,000 Patients

A data security incident at Shore Speciality Consultants Pulmonology Group (SSCPG) has potentially compromised the protected health information (PHI) of 10,000 patients. SSCPG, based in New Jersey and part of the Shore Physicians Group, released a bulletin outlining the breach. According to the report, on July 8, 2019, SSCPG discovered suspicious activity on their network. IT security staff immediately took action to revoke...

NCCoE Issues Guidance for Corporate-Owned Personally Enabled Devices

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each other and access resources, even if they are not...

Vulnerabilities Identified in Philips IntelliVue Firmware

Cybersecurity researchers have identified vulnerabilities in Philips IntelliVue WLAN firmware which could be exploited by hackers to install malware. Two vulnerabilities affect specific IntelliVue MP monitors. Hackers could use the vulnerabilities to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station. Shawn Loveric, of Finite State, Inc., warned Philips...

Phishing Attack at East Central Indiana School Trust Affects 3,200 Individuals

East Central Indiana School Trust (ECIST) is notifying more than 3,200 individuals that a phishing attack may have compromised their protected health information (PHI). On May 22, 2019, the organization noticed suspicious activity on an employee email account. ECIST immediately took steps to secure the account and revoke the unauthorized access. ECIST launched an investigation into the incident and discovered that on May 19, 2019, an...

Irish Internet Browser Claims Google is Operating GDPR ‘Workaround’

Irish Internet browser Brave has claimed to have submitted new information to the Data Protection Commission (DPC) in Ireland which proves that Google has been trying to bypass General Data Protection Regulation (GDPR) legislation. Brave claims that Google has implemented this workaround to share the data of Google users with a network of advertising and marketing companies. Johnny Ryan, chief policy and industry relations...

Hurricane Dorian Triggers Limited HIPAA Waiver in Puerto Rico, Florida, Georgia and the Carolinas

The Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared a public health emergency in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as the US mainland prepares for Hurricane Dorian to make landfall. The declaration was...

Over 70 Employee Email Accounts Compromised in Phishing Attack on NCH Healthcare System

NCH Healthcare System is preparing to notify patients that their protected health information may have been compromised in a phishing attack. On June 14, 2019, NCH Healthcare System, based in Bonita Springs, Florida, noticed suspicious email activity on its payroll database. NCH immediately investigated the incident and discovered that 73 employees had replied to a phishing email and therefore had disclosed their account credentials...

Software Vulnerability Identified in Change Healthcare Cardiology Devices

Cybersecurity researchers have identified a flaw in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. Locally authenticated users could exploit the flaw to insert files that could allow the attacker to execute arbitrary code on a vulnerable device. Alfonso Powers and Bradley Shubin of Asante Information Security identified the flaw (CVE-2019-18630) and reported the vulnerability to Change Healthcare....

Swedish High School Issued GDPR Fine

A high school in Sweden has become the first organization to be issued a General Data Protection Regulation fine by Sweden’s Data Protection Authority (DPA). The school in Skellefteå, in the north-east of Sweden, was fined 200,000 SEK (€19,000/$21,000) for using facial recognition technology in classrooms for three weeks in early 2018. The study, run in conjunction with IT company Tieto, saw the school use CCTV cameras and facial...

Irish DPC Releases GDPR Breach Notification Guidance

The supervisory authority for the General Data Protection Regulation (GDPR) in Ireland has released a set of guidelines on issuing GDPR breach notifications. The Irish Data Protection Commission (DPC) has stated that the guidelines aim to help data controllers understand GDPR’s stringent requirements for sending notifications to the data protection authority and to data subjects whose personal data has been compromised or exposed. The DPC...

Western Connecticut Health Network Patient Information Exposed in Mailing Incident

Western Connecticut Health Network is sending breach notification letters to patients whose protected health information (PHI) may have been exposed in a postal incident. On June 11, 2019, Western Connecticut Health Network (WCHN), now known as Nuvance Health, sent a box containing medical records to the Connecticut State Department of Public Health using the U.S. Postal Service (USPS). On June 21, WCHN was notified that the box had...

Kaspersky Lab Report Reveals Deficiencies in Healthcare Employee Cybersecurity Training

Kaspersky Lab has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees. The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent years. Since January, there have...

Monzo Contacts 500,000 Customers Following PIN Security Breach

Monzo has contacted 500,000 customers following a data breach which saw customer PINs accessible to employees of the digital bank for more than a year. The incident, which may constitute a breach of the EU’s General Data Protection Regulation (GDPR), has prompted Monzo to advise affected customers to change their PINs. On August 2, Monzo discovered that nearly a quarter of all of its UK customers’ PINs weren’t being securely stored. The PINs...

Hackers Targeting US Utilities Sector with Spear Phishing Campaign

Hackers impersonating the US National Council of Examiners for Engineering and Surveying (NCEES) are targeting businesses in the US utility sector through a new phishing campaign. Between July 19 and July 25, 2019, the hackers sent phishing emails to three utility companies in the US. In each case, the hackers attempted to infect the organization’s computers with a new malware variant called LookBack. The email has many of the...

Department of Veteran Affairs Office of Inspector General Uncovers Security Failings at Californian VA Center

The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California. A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies. The vulnerabilities were first identified following an...

Perry County Medical Center Notifying Patients Following Phishing Attack

Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has announced that it is notifying patients following a phishing attack which saw patient data compromised. Perry County Medical Center, a health care centre based in Linden, Tennessee, noticed suspicious activity on an employee email account on May 28, 2019. The IT department was quickly notified, and it was discovered that an unauthorized individual had...

Presbyterian Healthcare Services Notifies 183,000 Patients Following Data Breach

Presbyterian Healthcare Services is notifying 183,000 patients that an unauthorised individual accessed their personal data. The hackers gained access to the patient data after successfully fooling several employees into handing over their login credentials through a phishing campaign. The attack occurred on May 6, 2019, and the unauthorised access was not noticed until June 9, giving the hacker over a month of access to the...

Ransomware Attack at Imperial Health Affects 110,000 Patients

A ransomware attack at Imperial Health has compromised the protected health information of more than 116,000 patients. On May 19, 2019, Imperial Health, a physicians’ network in Southwest Louisiana, discovered that an unauthorized party had installed ransomware onto the network, encrypting files and a database used by Imperial Health’s Center for Orthopaedics (CFO). Ransomware is a malware variant which blocks access to devices,...

Philadelphia DBHIDS Notifies Patients of Lost Laptop HIPAA Breach

The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) is notifying 1,500 individuals that their private information may have been exposed after an employee lost an unencrypted laptop. The employee had been carrying the laptop in a briefcase which they misplaced on public transport. The laptop was password-protected, but not encrypted, so there is a chance that an individual with sufficient...

Wise Health Phishing Attack Affects 36,000 Patients

Wise Health System is sending breach notification letters to 36,000 patients following a phishing attack on their system. Wise Health System is a health care system with over 1,900 employees based in Decatur, Texas. The breach occurred on March 14, 2019, when a hacker sent phishing emails to employees of the organization. Several employees were fooled by the spoof emails and responded, allowing the hacker to harvest their login...

Phishing Attack at St. Croix Hospice Compromises PHI of 21,000 Patients

St. Croix Hospice is notifying 21,000 patients that their protected health information (PHI) may have been compromised in a phishing attack. St. Croix Hospice is a provider of hospice care in Minnesota and Wisconsin. On May 10, suspicious email activity was detected on an employee’s email account. St. Croix Hospice contracted a third-party cybersecurity firm to assist with an investigation into the email account. Investigators...

HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in Louisiana

In response to Tropical Storm Barry, which made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. HHS announced a public health emergency in the areas affected by the storm on July 12, 2019. The waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver...

Marriott Fined £99 Million for Breach Affecting 7 Million UK Residents

The UK Information Commissioner’s Office has fined Marriott International Inc £99 million under GDPR for a data breach that affected seven million UK residents. The ICO released its statement of intention to fine Marriott on July 9, only a few days after the announcement that BA had been fined a record-breaking £183 million for a data breach that affected 500,000 people. BA’s data breach was also related to violations of the EU’s General Data...

City of Griffin Officials Lose $800,000 in Business Email Compromise Attack

The City of Griffin, Georgia, has revealed that it made two payments totalling $800,000 to scammers following a series of business email compromise (BEC) attacks. BEC campaigns are a form of phishing attack in which the cybercriminal impersonates a high-ranking member of an organisation, such as the CEO or CFO, to obtain sensitive information from the employees at the company. These credentials, often login details or financial information,...

Microsoft July 2019 Patch Tuesday

Microsoft has issued patches for 77 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 15 were rated critical and two were actively exploited zero-day vulnerabilities. Six of the vulnerabilities patched this month had been previously disclosed to the public. The two actively exploited zero-days are both privilege escalation vulnerabilities. The first – CVE-2019-0880 – affects the call-handling abilities of a 64-bit printer...

ICO Hits BA with £183.39 million GDPR Fine for 2018 Data Breach

British Airways (BA) has been hit by a GDPR fine of £183.39 million by the UK Information Commissioner’s Office (ICO) for a 2018 data breach. The ICO investigation revealed that hackers stole the data of more than half a million BA customers, including sensitive information such as login credentials, payment card numbers, names, and addresses. The ICO stated that BA had ‘poor security arrangements’ in place and did not adequately...

Dominion Health Data Breach Affects 3 Million Members

Dominion National is notifying patients of a data security incident that first started in 2010 and has affected nearly 3 million members. Dominion National is a health insurer, health plan administrator, and administrator of dental and vision benefits based in Virginia. Staff at the organization discovered the breach after an internal alert on their system notified them of suspicious activity. After an initial investigation, Dominion...

UChicago Faces Lawsuit for Sharing Patient Data with Google

UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google without having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached was shared with Google without patient...

Summa Health Notifies 10,000 Patients of Data Security Incident

Summa Health is in the process of notifying 10,000 patients of a data security incident which resulted in sensitive data being compromised. On May 1, 2019, Summa Health, based in Akron, Ohio, noticed suspicious activity on its email platform and immediately investigated the situation. They quickly discovered that an unauthorised individual had gained access to several employee email accounts and therefore could potentially access...

Flaw in Dell SupportAssist Leaves Millions of PCs vulnerable

A newly-identified privilege escalation flaw in Dell SupportAssist could leave millions of Dell PCs and laptops vulnerable to attack. Threat actors could employ malicious software to elevate their privileges to administrator level and hijack the device for their nefarious purposes. The flaw affects both the home (v 3.2.1 and prior) and business (v 2.0) versions of the SupportAssist utility, previously known as Dell System Detect. This...

Kingman Regional Medical Center Notifies Patients Following Website Data Breach

Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took steps to shut down the website. An investigation was launched into how such a flaw was introduced to...

Boxes of Patient Medical Records found Abandoned in Chicago

Boxes of patient medical records have been found abandoned in a former medical centre in the Chatham area of Chicago, Illinois. Clean-up crews have been brought in to assist in the clean-up operation which started hours after Ald. Roderick Sawyer (6th) requested the emergency clearing of the documents, which contain a wealth of sensitive patient information. The medical records were dumped outside the former Medical Professional Home...

Franciscan Health Patient Data Compromised in Incident Involving Former Employee

Franciscan Health is notifying 2,200 patients that their sensitive data may have been compromised in a security incident involving a former employee. Franciscan Health, a health system operating 14 hospitals in Indiana and Illinois, discovered during a routine privacy audit that a former employee had been accessing the data of 2,200 patients without the appropriate authorization to do so. On May 24, 2019, Franciscan Health publicly confirmed...

What is a GDPR DPO?

The appointment of a data protection officer (DPO) is an essential part of complying with the EU’s General Data Protection Regulation. However, what exactly is the role of a DPO? Moreover, who needs to hire one? In this article, we explore the role of a DPO in helping an organisation achieve its compliance goals.

DPO: An introduction

GDPR requires data controllers and processors who run processing operations which require regular...

Union Labor Life Insurance Phishing Attack Affects 87,000 Individuals

A phishing attack at Union Labor Life Insurance (ULLI) has compromised the protected health information (PHI) of more than 87,000 individuals. ULLI, a subsidiary of Ullico Inc., discovered the attack shortly after it commenced on April 1, 2019. The IT department successfully managed to revoke unauthorized access within 90 minutes of the account being compromised. The attack was attributed to an employee responding to a compelling...

Alabama Woman Awarded $300,000 for Privacy Breach at Medical Center Enterprise

A jury has awarded a woman $300,000 in damages following a privacy breach at Medical Center Enterprise (MCE), Alabama. Amy Pertuit’s patient rights were violated when a physician at MCE accessed and disclosed her protected health information to a third party without the proper authorization or consent to do so. This is a breach of HIPAA’s Privacy Rule, which addresses how sensitive patient data may be accessed and disclosed by covered...

Microsoft June 2019 Patch Tuesday

Microsoft has issued patches for 88 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 20 were rated critical. One servicing stack update and four advisories were also released in the update. Microsoft stated that there was no evidence to suggest that threat actors had been actively exploiting the vulnerabilities in the wild. SandboxEscaper, a security researcher, identified four of the vulnerabilities and made the public aware of...

THH Paediatrics Fires Nurse for Accessing Data of 16,500 Patients without Authorization

Takai, Hoover & Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 patients without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover & Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third party and used for fraud and other criminal activities. On April 10, 2019, Takai, Hoover & Hsu, P.A. was notified by county...

ICO Declares HMRC Voice Recordings to be ‘Unlawfully Obtained’

Her Majesty’s Revenue and Customs (HMRC) has agreed to delete more than five million voice recordings after the UK Information Commissioner’s Office (ICO) declared the data had been unlawfully obtained. HMRC collected the recordings for use in a voice authentication service introduced in 2017. Callers were asked to repeat the phrase ‘my voice is my password’, which HMRC would then use to authenticate the identity of...

Today’s Vision Medical Records Found in Texas Dumpster

The medical records of Today’s Vision patients have been found in a dumpster in Tomball, Texas. Today’s Vision is an optometry services provider with over 50 independently owned clinics. More than 20 boxes of patient and employee records were found in a dumpster behind the strip mall in Tomball. Soon after the discovery of the boxes, Tomball police retrieved the records from the dumpster. They are now securely stored in the...

Medical Informatics Engineering Settles with OCR for $100,000 for 2015 Data Breach

Medical Informatics Engineering Inc (MIE) has agreed to a $100,000 settlement with HHS’s Office for Civil Rights for a 2015 data breach affecting 3.5 million individuals. MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard subsidiary. The hackers had access to the server for 19 days between May 7 and May 26, 2015. The...

HHS Issues Clarification On Business Associates Liability

On May 24, 2019, the Department of Health and Human Services issued a clarification on business associates’ liability for violations of the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights released information on which violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred...

Microsoft May 2019 Patch Tuesday

Microsoft has issued patches for 79 vulnerabilities this May 2019 Patch Tuesday. Of the vulnerabilities, 22 were rated critical. Adobe also issued patches for 84 vulnerabilities, 50 of which were critical. One critical flaw addressed by Microsoft left affected users vulnerable to WannaCry-style malware attacks. This vulnerability (CVE-2019-0708) is in Remote Desktop Services and can be exploited by sending specially crafted requests...

Businesses Still Using Unencrypted USB Devices to Store Data One Year After GDPR

It has been revealed that businesses are still storing data on unencrypted USB devices despite the risk of incurring significant GDPR fines for doing so. ESET, an IT security company, and Kingston Technology, a leading provider of technological solutions, surveyed over 500 businesses based in the United Kingdom for the report. The data revealed that 55% of businesses surveyed don’t encrypt devices such as USBs. Jake Moore, a...

Oracle WebLogic Server Vulnerability Exploited Using Sodinokibi Ransomware

A vulnerability in Oracle WebLogic Server is being exploited in the wild by a new ransomware variant named Sodinokibi. On April 26, Oracle released an out-of-band patch to address the vulnerability (CVE-2019-2725). There have been several reported cases of the vulnerability being exploited in the wild. Oracle WebLogic Server is part of Oracle Middleware, a widely-used digital business platform. Despite the threat posed by the...

Touchstone Medical Imaging Agrees to £3 million Settlement with OCR

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $3 million settlement with Touchstone Medical Imaging following a 2014 data breach. The Franklin, TN-based diagnostic medical imaging services company agreed to the settlement to resolve multiple violations of HIPAA Rules. It has further agreed to adopt a corrective action plan to rectify its compliance issues. However, the settlement comes...

Inmediata Breach Notification Letters Sent to Incorrect Addresses

A mailing error at Inmediata has seen breach notification letters being sent to the incorrect addresses. Inmediata was sending the breach notification letters after it was discovered that a webpage that should have only been accessible to Inmediata employees was indexed by search engines and therefore publicly available. This security breach was the result of misconfigured security settings. The compromised webpage contained patient...

Maximum Penalties for HIPAA Violations Changed by HHS

The Department of Health and Human Services has issued a notification of enforcement discretion in which it has reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the...

Denmark’s DPA Recommends Fine for Taxi Company GDPR Violation

Denmark’s Data Protection Authority Datatilsynet has recommended that taxi company Taxa 4×35 be fined for violating the General Data Protection Regulation (GDPR). The DPA approved a fine of 2.8% of the company’s revenue, amounting to €160,754, for the violation. The maximum fine that can be levied against an organisation for a GDPR violation is 4.5%. While the fine issued was less than this maximum (which would have equated to...
