Ransomware Attack Disables Campbell County Health Services
A ransomware attack at Campbell County Health has disrupted hospital services and left the organization unable to access patient information. Campbell County Health, based in Gillette, Wyoming, stated that the ransomware attack began at 3:30 am on Friday, September 20, 2019. The attack caused ‘serious computer issues’ and left the hospital unable to offer many of its services, including respiratory therapy or radiology exams. ...
Data Security Incident at SSCPG Affects 10,000 Patients
A data security incident at Shore Speciality Consultants Pulmonology Group (SSCPG) has potentially compromised the protected health information (PHI) of 10,000 patients. SSCPG, based in New Jersey and part of the Shore Physicians Group, released a bulletin outlining the breach. According to the report, on July 8, 2019, SSCPG discovered suspicious activity on their network. IT security staff immediately took action to revoke...
NCCoE Issues Guidance for Corporate-Owned Personally Enabled Devices
The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each other and access resources, even if they are not...
Vulnerabilities Identified in Philips IntelliVue Firmware
Cybersecurity researchers have identified vulnerabilities in Philips IntelliVue WLAN firmware which could be exploited by hackers to install malware. Two vulnerabilities affect specific IntelliVue MP monitors. Hackers could use the vulnerabilities to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station. Shawn Loveric, of Finite State, Inc., warned Philips...
Phishing Attack at East Central Indiana School Trust Affects 3,200 Individuals
East Central Indiana School Trust (ECIST) is notifying more than 3,200 individuals that a phishing attack may have compromised their protected health information (PHI). On May 22, 2019, the organization noticed suspicious activity on an employee email account. ECIST immediately took steps to secure the account and revoke the unauthorized access. ECIST launched an investigation into the incident and discovered that on May 19, 2019, an...
Irish Internet Browser Claims Google is Operating GDPR ‘Workaround’
Irish Internet browser Brave has claimed that they have offered new information to the Data Protection Commission (DPC) in Ireland which proves that Google has been trying to bypass General Data Protection Regulation (GDPR) legislation. Brave claims that Google has implemented this workaround to share the data of Google users with a network of advertising and marketing companies. Johnny Ryan, chief policy and industry relations...
Hurricane Dorian Triggers Limited HIPAA Waiver in Puerto Rico, Florida, Georgia and the Carolinas
The Secretary of the Department of Health and Human Services (HHS) has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared a public health emergency in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as the US mainland prepares for Hurricane Dorian to make landfall. The declaration was...
Over 70 Employee Email Accounts Compromised in Phishing Attack on NCH Healthcare System
NCH Healthcare System is preparing to notify patients that their protected health information may have been compromised in a phishing attack. On June 14, 2019, NCH Healthcare System, based in Bonita Springs, Florida, noticed suspicious email activity on its payroll database. NCH immediately investigated the incident and discovered that 73 employees had replied to a phishing email and therefore had disclosed their account credentials...
Software Vulnerability Identified in Change Healthcare Cardiology Devices
Cybersecurity researchers have identified a flaw in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. Locally authenticated users could exploit the flaw to insert files that could allow the attacker to execute arbitrary code on a vulnerable device. Alfonso Powers and Bradley Shubin of Asante Information Security identified the flaw (CVE-2019-18630) and reported the vulnerability to Change Healthcare....
Swedish High School Issued GDPR Fine
A high school in Sweden has become the first organization to be issued a General Data Protection Regulation fine by Sweden’s Data Protection Authority (DPA). The school in Skellefteå, in the north-east of Sweden, was fined 200,000 SEK (€19,000/$21,000) for using facial recognition technology in classrooms for three weeks in early 2018. The study, run in conjunction with IT company Tieto, saw the school use CCTV cameras and facial...
Irish DPC Releases GDPR Breach Notification Guidance
The supervisory authority for the General Data Protection Regulations (GDPR) in Ireland has released a set of guidelines on issuing GDPR breach notifications. The Irish Data Protection Commission (DPC) has stated that the guidelines aim to help data controllers understand GDPR’s stringent requirements for sending notifications to the data protection authority and subjects whose personal data has been compromised or exposed. The DPC...
Western Connecticut Health Network Patient Information Exposed in Mailing Incident
Western Connecticut Health Network is sending breach notification letters to patients whose protected health information (PHI) may have been exposed in a postal incident. On June 11, 2019, Western Connecticut Health Network (WCHN), now known as Nuvance Health, sent a box containing medical records to the Connecticut State Department of Public Health using the U.S. Postal Service (USPS). On June 21, WCHN was notified that the box had...
Kaspersky Lab Report Reveals Deficiencies in Healthcare Employee Cybersecurity Training
Kaspersky Lab has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees. The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent years. Since January, there have...
Monzo Contacts 500,000 Customers Following PIN Security Breach
Monzo has contacted 500,000 customers following a data breach which saw customer PINs accessible to employees of the digital bank for more than a year. The incident, which may constitute a breach of the EU’s General Data Protection Regulation (GDPR), has prompted Monzo to advise them to change their PINs. On August 2, Monzo discovered that nearly a quarter of all of its UK customers’ PINs weren’t being securely stored. The PINs...
Hackers Targeting US Utilities Sector with Spear Phishing Campaign
Hackers impersonating the US National Council of Examiners for Engineering and Surveying (NCEES) are targeting businesses in the US utility sector through a new phishing campaign. Between July 19 and July 25, 2019, the hackers sent phishing emails to three utility companies in the US. In each case, the hackers attempted to infect the organization’s computers with a new malware variant called LookBack. The email has many of the...
Department of Veteran Affairs Office of Inspector General Uncovers Security Failings at Californian VA Center
The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California. A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies. The vulnerabilities were first identified following an...
Perry County Medical Center Notifying Patients Following Phishing Attack
Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has announced that it is notifying patients following a phishing attack which saw patient data compromised. Perry County Medical Center, a health care centre based in Linden, Tennessee, noticed suspicious activity on an employee email account on May 28, 2019. The IT department was quickly notified, and it was discovered that an unauthorized individual had...
Presbyterian Healthcare Services Notifies 183,000 Patients Following Data Breach
Presbyterian Healthcare Services is notifying 183,000 patients that an unauthorised individual accessed their personal data. The hackers gained access to the patient data after successfully fooling several employees into handing over their login credentials through a phishing campaign. The attack occurred on May 6, 2019, and the unauthorised access was not noticed until June 9, giving the hacker over a month of access to the...
Ransomware Attack at Imperial Health Affects 110,000 Patients
A ransomware attack at Imperial Health has compromised the protected health information of more than 116,000 patients. On May 19, 2019, Imperial Health, a physicians’ network in Southwest Louisiana, discovered that an unauthorized party had installed ransomware on the network, encrypting files and a database used by Imperial Health’s Center for Orthopaedics (CFO). Ransomware is a malware variant which blocks access to devices,...
Philadelphia DBHIDS Notifies Patients of Lost Laptop HIPAA Breach
The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) is notifying 1,500 individuals that their private information may have been exposed after an employee lost an unencrypted laptop. The employee had been carrying the laptop in a briefcase which they misplaced on public transport. The laptop was password-protected, but not encrypted, so there is a chance that an individual with sufficient...
Wise Health Phishing Attack Affects 36,000 Patients
Wise Health System is sending breach notification letters to 36,000 patients following a phishing attack on their system. Wise Health System is a health care system with over 1,900 employees based in Decatur, Texas. The breach occurred on March 14, 2019, when a hacker sent phishing emails to employees of the organization. Several employees were fooled by the spoof emails and responded, allowing the hacker to harvest their login...
Phishing Attack at St. Croix Hospital Compromises PHI of 21,000 Patients
St. Croix Hospice is notifying 21,000 patients that their protected health information (PHI) may have been compromised in a phishing attack. St. Croix Hospice is a provider of hospice care in Minnesota and Wisconsin. On May 10, suspicious email activity was detected on an employee’s email account. St. Croix Hospice contracted a third-party cybersecurity firm to assist with an investigation into the email account. Investigators...
HHS Issues Limited Waiver of HIPAA Sanctions and Penalties in Louisiana
In response to Tropical Storm Barry, which made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. The HHS announced a public health emergency in the areas affected by the storm on July 12, 2019. The waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver...
Marriott Fined £99 Million for Breach Affecting 7 Million UK Residents
The UK Information Commissioner’s Office (ICO) has fined Marriott International Inc £99 million under GDPR for a data breach that affected seven million UK residents. The ICO released the statement of intention to fine Marriott on July 9, only a few days after the announcement that BA had been given a record-breaking £183 million fine for a data breach that affected 500,000 people. BA’s data breach was also related to violations of the EU’s General Data...
City of Griffin Officials Lose $800,000 in Business Email Compromise Attack
The City of Griffin, Georgia, has revealed that it made two payments totalling $800,000 to scammers following a series of business email compromise (BEC) attacks. BEC campaigns are a form of phishing attack in which the cybercriminal impersonates a high-ranking member of an organisation, such as a CEO or CFO, to obtain sensitive information from the employees at the company. These credentials, often login details or financial information,...
Microsoft July 2019 Patch Tuesday
Microsoft has issued patches for 77 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 15 were rated critical and two were actively exploited zero day vulnerabilities. Six of the vulnerabilities patched this month had been previously disclosed to the public. The two actively exploited zero-days are both privilege escalation vulnerabilities. The first – CVE-2019-0880 – affects the call-handling abilities of a 64-bit printer...
ICO Hits BA with £183.39 million GDPR Fine for 2018 Data Breach
British Airways (BA) has been hit by a GDPR fine of £183.39 million by the UK Information Commissioner’s Office (ICO) for a 2018 data breach. The ICO investigation revealed that hackers stole the data of more than half a million BA customers, including sensitive information such as login credentials, payment card numbers, names, and addresses. The ICO stated that BA had ‘poor security arrangements’ in place and did not adequately...
Dominion Health Data Breach Affects 3 Million Members
Dominion National is notifying patients of a data security incident that first started in 2010 and has affected nearly 3 million members. Dominion National is a health insurer, health plan administrator, and administrator of dental and vision benefits based in Virginia. Staff at the organization discovered the breach after an internal alert on their system notified them of suspicious activity. After an initial investigation, Dominion...
UChicago Faces Lawsuit for Sharing Patient Data with Google
UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google without having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached was shared with Google without patient...
Summa Health Notifies 10,000 Patients of Data Security Incident
Summa Health is in the process of notifying 10,000 patients of a data security incident which resulted in sensitive data being compromised. On May 1, 2019, Summa Health, based in Akron, Ohio, noticed suspicious activity on its email platform and immediately investigated the situation. They quickly discovered that an unauthorised individual had gained access to several employee email accounts and therefore could potentially access...
Flaw in Dell SupportAssist Leaves Millions of PCs vulnerable
A newly-identified privilege escalation flaw in Dell SupportAssist could leave millions of Dell PCs and laptops vulnerable to attack. Threat actors could employ malicious software to elevate their privileges to administrator level and hijack the device for their nefarious purposes. The flaw affects both the home (v 3.2.1 and prior) and business (v 2.0) versions of the SupportAssist utility, previously known as Dell System Detect. This...
Kingman Regional Medical Center Notifies Patients Following Website Data Breach
Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took steps to shut down the website. An investigation was launched into how such a flaw was introduced to...
Boxes of Patient Medical Records found Abandoned in Chicago
Boxes of patient medical records have been found abandoned in a former medical centre in the Chatham area of Chicago, Illinois. Clean-up crews have been brought in to assist in the clean-up operation which started hours after Ald. Roderick Sawyer (6th) requested the emergency clearing of the documents, which contain a wealth of sensitive patient information. The medical records were dumped outside the former Medical Professional Home...
Franciscan Health Patient Data Compromised in Incident Involving Former Employee
Franciscan Health is notifying 2,200 patients that their sensitive data may have been compromised in a security incident involving a former employee. Franciscan Health, a health system operating 14 hospitals in Indiana and Illinois, discovered during a routine privacy audit that a former employee had been accessing the data of 2,200 patients without the appropriate authorization to do so. On May 24, 2019, Franciscan Health publicly confirmed...
What is a GDPR DPO?
The appointment of a data protection officer (DPO) is an essential part of complying with the EU’s General Data Protection Regulations. However, what exactly is the role of a DPO? Moreover, who needs to hire one? In this article, we explore the role of a DPO in helping an organisation achieve their compliance goals. DPO: An introduction. GDPR requires data controllers and processors who run processing operations which require regular...
Union Labor Life Insurance Phishing Attack Affects 87,000 Individuals
A phishing attack at Union Labor Life Insurance (ULLI) has compromised the protected health information (PHI) of more than 87,000 individuals. ULLI, a subsidiary of Ullico Inc., discovered the attack shortly after it commenced on April 1, 2019. The IT department successfully managed to revoke unauthorized access within 90 minutes of the account being compromised. The attack was attributed to an employee responding to a compelling...
Alabama Woman Awarded $300,000 for Privacy Breach at Medical Center Enterprise
A jury has awarded a woman $300,000 in damages following a privacy breach at Medical Center Enterprise (MCE), Alabama. Amy Pertuit’s patient rights were violated when a physician at MCE accessed and disclosed her protected health information to a third party without the proper authorization or consent to do so. This is a breach of HIPAA’s Privacy Rule, which addresses how sensitive patient data may be accessed and disclosed by covered...
Microsoft June 2019 Patch Tuesday
Microsoft has issued patches for 88 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 20 were rated critical. One servicing stack update and four advisories were also released in the update. Microsoft stated that there was no evidence to suggest that threat actors had been actively exploiting the vulnerabilities in the wild. SandboxEscaper, a security researcher, identified four of the vulnerabilities and made the public aware of...
THH Paediatrics Fires Nurse for Accessing Data of 16,500 Patients without Authorization
Takai, Hoover &amp; Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 patients without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover &amp; Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third party and used for fraud and other criminal activities. On April 10, 2019, Takai, Hoover &amp; Hsu, P.A. was notified by county...
ICO Declares HMRC Voice Recordings to be ‘Unlawfully Obtained’
Her Majesty’s Revenue and Customs (HMRC) has agreed to delete more than five million voice recordings after the UK Information Commissioner’s Office (ICO) declared the data had been unlawfully obtained. HMRC collected the recordings for use in a voice authentication service, introduced in 2017. Callers were asked to repeat the phrase ‘my voice is my password’, which HMRC would then use to authenticate the identity of...
Today’s Vision Medical Records Found in Texas Dumpster
The medical records of Today’s Vision patients have been found in a dumpster in Tomball, Texas. Today’s Vision is an optometry services provider with over 50 independently owned clinics. More than 20 boxes of patient and employee records were found in a dumpster behind the strip mall in Tomball. Soon after the discovery of the boxes, Tomball police retrieved the records from the dumpster. They are now securely stored in the...
Medical Informatics Engineering Settles with OCR for $100,000 for 2015 Data Breach
Medical Informatics Engineering Inc (MIE) has agreed to a $100,000 settlement with HHS’s Office for Civil Rights for a 2015 data breach affecting 3.5 million individuals. MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard subsidiary. The hackers had access to the server for 19 days between May 7 and May 26, 2015. The...
HHS Issues Clarification On Business Associates Liability
On May 24, 2019, the Department of Health and Human Services issued a clarification on business associate liability for violations of the Health Insurance Portability and Accountability Act. The HHS Office for Civil Rights released information on what violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred...
Microsoft May 2019 Patch Tuesday
Microsoft has issued patches for 79 vulnerabilities this May 2019 Patch Tuesday. Of the vulnerabilities, 22 were rated critical. Adobe also issued patches for 84 vulnerabilities, 50 of which were critical. One critical flaw addressed by Microsoft left affected users vulnerable to WannaCry-style malware attacks. This vulnerability (CVE-2019-0708) is in Remote Desktop Services and can be exploited by sending specially crafted requests...
Businesses Still Using Unencrypted USB Devices to Store Data One Year After GDPR
It has been revealed that businesses are still storing data on unencrypted USB devices despite the risk of incurring significant GDPR fines for doing so. ESET, an IT security company, and Kingston Technology, a leading provider of technological solutions, surveyed over 500 businesses based in the United Kingdom for the report. The data revealed that 55% of businesses surveyed don’t encrypt devices such as USBs. Jake Moore, a...
Oracle WebLogic Server Vulnerability Exploited Using Sodinokibi Ransomware
A vulnerability in Oracle WebLogic Server is being exploited in the wild by a new ransomware variant named Sodinokibi. On April 26, Oracle released an out-of-band patch to address the vulnerability (CVE-2019-2725). There have been several reported cases of the vulnerability being exploited in the wild. Oracle WebLogic Server is part of Oracle Middleware, a widely-used digital business platform. Despite the threat posed by the...
Touchstone Medical Imaging Agrees to £3 million Settlement with OCR
The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $3 million settlement with Touchstone Medical Imaging following a 2014 data breach. The Franklin, TN-based diagnostic medical imaging services company agreed to the settlement to resolve multiple violations of HIPAA Rules. It has further agreed to adopt a corrective action plan to rectify its compliance issues. However, the settlement comes...
Inmediata Breach Notification Letters Sent to Incorrect Addresses
A mailing error at Inmediata has seen breach notification letters being sent to the incorrect addresses. Inmediata was sending the breach notification letters after it was discovered that a webpage that should have only been accessible to Inmediata employees was indexed by search engines and therefore publicly available. This security breach was the result of misconfigured security settings. The compromised webpage contained patient...
Maximum Penalties for HIPAA Violations Changed by HHS
The Department of Health and Human Services has issued a notification of enforcement discretion in which it has reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the...
Denmark’s DPA Recommends Fine for Taxi Company GDPR Violation
Denmark’s Data Protection Authority Datatilsynet has recommended that taxi company Taxa 4×35 be fined for violating the General Data Protection Regulations (GDPR). The DPA approved a fine of 2.8% of the company’s revenue, amounting to €160,754, for the violation. The maximum fine that can be levied against an organisation for a GDPR violation is 4.5%. While the fine issued was less than this maximum (which would have equated to...