Today’s Vision Medical Records Found in Texas Dumpster

The medical records of Today’s Vision patients have been found in a dumpster in Tomball, Texas. Today’s Vision is an optometry services provider with over 50 independently owned clinics. More than 20 boxes of patient and employee records were found in a dumpster behind a strip mall in Tomball. Soon after the discovery of the boxes, Tomball police retrieved the records from the dumpster. They are now securely stored in the...

Medical Informatics Engineering Settles with OCR for $100,000 for 2015 Data Breach

Medical Informatics Engineering Inc (MIE) has agreed to a $100,000 settlement with HHS’s Office for Civil Rights for a 2015 data breach affecting 3.5 million individuals. MIE, an Indiana-based provider of electronic medical record software and services, experienced the data breach when hackers compromised the server of its NoMoreClipboard subsidiary. The hackers had access to the server for 19 days between May 7 and May 26, 2015. The...

HHS Issues Clarification on Business Associate Liability

On May 24, 2019, the Department of Health and Human Services issued a clarification on business associate liability for violations of the Health Insurance Portability and Accountability Act. HHS’s Office for Civil Rights released information on which violations could result in a HIPAA fine for business associates of HIPAA covered entities. According to the HHS Fact Sheet on direct liability of business associates, fines can be incurred...

Microsoft May 2019 Patch Tuesday

Microsoft has issued patches for 79 vulnerabilities this May 2019 Patch Tuesday. Of the vulnerabilities, 22 were rated critical. Adobe also issued patches for 84 vulnerabilities, 50 of which were critical. One critical flaw addressed by Microsoft left affected users vulnerable to WannaCry-style malware attacks. This vulnerability (CVE-2019-0708) is in Remote Desktop Services and can be exploited by sending specially crafted requests...

Businesses Still Using Unencrypted USB Devices to Store Data One Year After GDPR

It has been revealed that businesses are still storing data on unencrypted USB devices despite the risk of incurring significant GDPR fines for doing so. ESET, an IT security company, and Kingston Technology, a leading provider of technological solutions, surveyed over 500 businesses based in the United Kingdom for the report. The data revealed that 55% of businesses surveyed don’t encrypt devices such as USBs. Jake Moore, a...

Oracle WebLogic Server Vulnerability Exploited Using Sodinokibi Ransomware

A vulnerability in Oracle WebLogic Server is being exploited in the wild by a new ransomware variant named Sodinokibi. On April 26, Oracle released an out-of-band patch to address the vulnerability (CVE-2019-2725). There have been several reported cases of the vulnerability being exploited in the wild. Oracle WebLogic Server is part of Oracle Middleware, a widely-used digital business platform. Despite the threat posed by the...

Touchstone Medical Imaging Agrees to $3 million Settlement with OCR

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a $3 million settlement with Touchstone Medical Imaging following a 2014 data breach. The Franklin, TN-based diagnostic medical imaging services company agreed to the settlement to resolve multiple violations of HIPAA Rules. It has further agreed to adopt a corrective action plan to rectify its compliance issues. However, the settlement comes...

Inmediata Breach Notification Letters Sent to Incorrect Addresses

A mailing error at Inmediata has seen breach notification letters sent to incorrect addresses. Inmediata was sending the breach notification letters after it was discovered that a webpage that should have only been accessible to Inmediata employees had been indexed by search engines and was therefore publicly available. This security breach was the result of misconfigured security settings. The compromised webpage contained patient...

Maximum Penalties for HIPAA Violations Changed by HHS

The Department of Health and Human Services has issued a notification of enforcement discretion in which it has reduced the maximum financial penalty for three of the four HIPAA violation tiers. The notification, entitled ‘Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties’, was published on April 20th. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act increased the...

Denmark’s DPA Recommends Fine for Taxi Company GDPR Violation

Denmark’s Data Protection Authority, Datatilsynet, has recommended that taxi company Taxa 4×35 be fined for violating the General Data Protection Regulation (GDPR). The DPA approved a fine of 2.8% of the company’s revenue, amounting to €160,754, for the violation. The maximum fine that can be levied against an organisation for a GDPR violation is 4.5%. While the fine issued was less than this maximum (which would have equated to...

Microsoft Customer Email Information Compromised Following Support Agent Breach

Microsoft has announced that customer email information has potentially been accessed by an unauthorised third party following a security incident involving a support agent. The hacker used compromised support agent credentials to access customer data and is thought to have had access to the data for three months. During this period, hackers could access affected users’ email addresses, email subject lines, folder names, and email...

Southern Hills Eye Care Ransomware Attack Reported

Southern Hills Eye Care in Sioux City, Iowa, has announced that a recent ransomware attack on its facility may have compromised patient PHI. Ransomware is a variant of malware which hackers use to extort victims. The malware prevents the victim from accessing their computer, or files on their computer, until a ransom is paid. Hackers often use phishing attacks to deliver malware to the victim’s device. The hacker sends...

New Sextortion Scams Identified Following Record Numbers Reported in 2018

Sextortion scams have become increasingly common in recent years, with record numbers being reported in 2018. These types of attacks are potentially very lucrative for an attacker, due to the highly embarrassing or compromising nature of the material. In many cases, the hacker holds no sensitive information on the individual in question; however, simply the small possibility that the hacker does indeed have anything compromising is...

Brookside ENT and Hearing Center Announces Closure Following Ransomware Attack

Michigan-based Brookside ENT and Hearing Center has announced its closure after a ransomware attack on its facility resulted in all of its patient files being permanently destroyed. The practice, run by just two doctors, lost access to patient records, appointment schedules, payment information, and other sensitive data after a hacker gained access to its network and infected it with ransomware. As with most ransomware attacks, the...

DePaul Reports Phishing Compromised Employee Email Account

The assisted living facility provider DePaul has announced that a successful phishing attack on its networks has compromised patient data. DePaul, which operates facilities in New York, North Carolina, and South Carolina, discovered the breach on February 1, 2019. IT security staff immediately took steps to secure the compromised account and block the unauthorised individual’s access. Phishing attacks against health organisations have...

OpenVPN Study Highlights Risks Posed by Remote Workers

A recent survey conducted by OpenVPN highlights the potential cybersecurity risks posed by remote workers. OpenVPN is a virtual private network solution provider that allows businesses to extend their VPNs securely. They surveyed 250 IT leaders, “from the manager level through the C-suite”, to ascertain whether allowing employees to work remotely posed a risk to the organisation’s cybersecurity and whether the benefits of allowing the...

DC Attorney General Proposes Stricter Data Breach Notification Laws

Washington D.C. Attorney General Karl A. Racine has proposed stricter data breach notification laws. He anticipates that the new laws would provide greater protection to DC residents should their data be compromised in a data breach incident. AG Racine introduced the Security Breach Protection Amendment Act on March 21, 2019. This Act updates the definition of ‘personal information’, which means that the types of information for...

Report Released on Issues of Healthcare Data Collected by Non-HIPAA Covered Entities

The healthcare and fitness tech industry is booming, with millions of users across the US using these devices and apps to track everything from their weight and sleeping habits to their heart rate and food consumption. Some of this information is similar to that collected by healthcare organisations when monitoring their patients. However, there is a vast difference in the responsibilities of these organisations and the healthcare tech industry...

Microsoft CEO calls for Global GDPR-like Data Privacy Rights

The CEO of Microsoft has called for the implementation of GDPR-like legislation worldwide to enhance global attitudes to data privacy rights. Microsoft CEO Satya Nadella made the statement during a live interview at the World Economic Forum in Davos, Switzerland. He called for world leaders to treat data privacy as a human right and for legislation to be enacted to protect this right. Commenting on the EU’s recent GDPR legislation, a...

14,000 Main Line Endoscopy Center Patients Affected by Phishing Attack

A phishing attack at Main Line Endoscopy Centers has compromised the sensitive data of over 14,000 patients. Main Line Endoscopy Centers, a network of outpatient endoscopy facilities in the Malvern, Bala Cynwyd, and Media regions of Pennsylvania, discovered the attack on January 30, 2019. Investigators were unable to determine when the attacker first gained access to the account. The attacker appears to have gained access to the email...

SpamTitan Email Security Solution Now Features Sandboxing and DMARC Authentication

Protecting against zero-day malware and advanced phishing attacks can be a major challenge for SMBs and managed service providers (MSPs). To better protect against these advanced threats, TitanHQ, the leading provider of email security solutions to the SMB market, has added two new features to its award-winning spam filtering solution: SpamTitan. These features were introduced to help SMBs and MSPs serving the SMB market improve their...

IRS Launches 2019 Dirty Dozen Campaign

The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers of the twelve most common tax scams, known as the ‘Dirty Dozen’. Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly active in the period from January to April as they attempt...

Hacker Compromises Employee Email Accounts at Rutland Regional Medical

Rutland Regional Medical has revealed that a hacker compromised nine employee email accounts following a cyber attack on their systems. Rutland Regional Medical, based in Rutland City, is the biggest community hospital in Vermont. A staff member discovered the attack on December 21, 2018, after noticing that their email account had been hijacked to send a large number of spam emails. Rutland Regional Medical’s IT department was...

Data Breach at Rush University Medical Center Affects 45,000 Patients

Rush University Medical Center has announced that a data breach incident at a financial services vendor has compromised the PHI of 45,000 of its patients. The financial services vendor informed Rush of the incident on January 22, 2019. A member of staff at the vendor was caught sharing a file containing patient PHI with an unauthorised individual in May 2018. Rush has stated that the types of information that the individual accessed may...

Unauthorised Individual Gains Access to St. Francis Health System Patient Data

The Bon Secours St. Francis Health System has announced that an unauthorised individual gained access to some of its patients’ protected health information (PHI). The hacker compromised the systems of Milestone Family Medicine, a medical facility based in Greenville, SC. Milestone Family Medicine was affiliated with St. Francis Physicians Services (SFPS) until February 24, 2019. SFPS officials learned of the breach on January 4, 2019....

Bundeskartellamt Rules on Facebook’s Practices in Germany

Bundeskartellamt has released a ruling outlining its decision on how Facebook operates in Germany. Bundeskartellamt, Germany’s national competition regulator, had been investigating Facebook’s business practices for three years. The organisation has ruled that the way Facebook obtains, links, authors, and handles user data gives it an ‘unfair advantage’. Bundeskartellamt stated that Facebook could leverage this advantage...

What is Ransomware?

Ransomware attacks against healthcare organisations are becoming increasingly common. However, many individuals are still uncertain as to what constitutes a ransomware attack and what consequences it can have for an organisation. This article provides some background on ransomware attacks, outlines how these attacks occur, and offers some guidance on how employees can mitigate the risk of such an attack befalling their organisation....

Cottage Health Pays $3,000,000 to OCR for HIPAA Violations

Cottage Health has agreed to pay a $3,000,000 settlement to the Department of Health and Human Services’ Office for Civil Rights (OCR) for two data breaches resulting from HIPAA violations. Cottage Health is a non-profit health provider based in Santa Barbara, California. The organisation operates four hospitals: Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation...

New Trojan Horse Malware Campaign Targeting Linux Servers Identified

Security researchers have discovered a new Trojan horse malware campaign used by hackers to launch attacks on Linux servers. Trojan horses are malware variants that are disguised as benign or useful pieces of software. They are installed under false pretences, as the user is often tricked into believing that they serve a legitimate purpose. Once the malware is executed on a server, the hacker can gain access to the system and steal valuable...

ICS-CERT Issues Medical Advisory for Vulnerabilities Found in BD FACSLyric Flow Cytometry Solution

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about vulnerabilities found in the BD FACSLyric flow cytometry solution. ICS-CERT is a governmental organisation that works to reduce the risk of cybercrime to US businesses. The medical advisory stated that the flaw in the device, manufactured by Becton, Dickinson and Company (BD), required a low level of skill to exploit. The flaw was...

HITRUST Incorporates GDPR into the CSF

The Health Information Trust Alliance (HITRUST) has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF). HITRUST is a US-based organisation which, in collaboration with the healthcare, technology and information security sectors, has established a Common Security Framework (CSF). The CSF offers guidance to organisations across all industries that create,...

Mozilla Official Predicts Stricter GDPR Enforcement in 2019

A senior official at Mozilla has predicted that 2019 will see much stricter enforcement of GDPR across Europe. The Senior Policy Manager and European Union Principal for Mozilla, Raegan MacDonald, has said that she believes that 2019 will see enhanced resources dedicated to the enforcement of the European Union’s General Data Protection Regulation (GDPR). Mozilla is a computer software organisation well known for its stance on the...

FilesLocker Master Key Released, File Decryptor Made Available for Free

Following the leaking of the master key for the FilesLocker ransomware on Pastebin, a decryptor has been made available to allow a victim’s files to be recovered for free. The master key is the key used by those behind a ransomware campaign to decrypt files that have been encrypted by the ransomware. FilesLocker is ransomware distributed as Ransomware as a Service, or RaaS; that is to say, even novice cybercriminals can sign up to...

HHS Guidelines on Cybersecurity Best Practices for Healthcare Organisations Released

The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations. The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients create a robust cybersecurity...

Cyberattack Disrupts Printing of Major Newspapers

An investigation has been launched into a recent cyberattack that disrupted the printing of several major newspapers. The cyberattack on Tribune Publishing, attributed to a malware infection, caused disruption to several newspaper print runs, including those of the Los Angeles Times, San Diego Tribune, and the west coast editions of the New York Times and Wall Street Journal. The cyberattack occurred on Thursday, December 28, 2018, and...

Global Netflix Phishing Scam Identified

A new global phishing scam has been identified in which hackers target customers of Netflix, the world’s largest streaming organisation. The U.S. Federal Trade Commission, an independent agency of the United States government, issued a warning about the Netflix scam late in December 2018. The phishing scam attempts to fool Netflix subscribers into handing over account information and payment information by telling them that there has...

Rhode Island and Illinois Healthcare Clinics Hit by Ransomware Attacks

The Center for Vitreo-Retinal Diseases in Libertyville, IL, has announced that it was recently the victim of a ransomware attack. The attack was first noticed on September 18, 2018, and resulted in the encryption of data on the organisation’s servers. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. Ransomware...

ICS-CERT Discovers Vulnerability in Philips Health App

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App which would only take a “low level” of skill to exploit. The Philips HealthSuite Health Android App is used by individuals to help them achieve activity targets and health goals. The app collects user...

Adobe Releases Patch for Flash Player Vulnerability

On Wednesday, December 5, 2018, Adobe issued an update to correct a vulnerability in Adobe Flash Player. The vulnerability had been identified in late November by Gigamon, a network visibility and traffic monitoring technology vendor. Qihoo 360, a Chinese internet security company, recently discovered an advanced persistent threat campaign that was exploiting the vulnerability in Adobe’s software. The vulnerability was being...

Cancer Centers of America Falls Victim to Phishing Attack

Cancer Centers of America’s Western Regional Medical Center in Bullhead City, Arizona, has recently fallen victim to a phishing attack which has exposed the protected health information (PHI) of over 41,000 individuals. The attack occurred due to one of its employees responding to a phishing email. The email was designed to appear as if it had been sent from the email account of an executive employee of Cancer Treatment Centers of...

GDPR Violation Penalty Levied Against Hospital for First Time

The Centro Hospitalar Barreiro Montijo, near Lisbon, Portugal, has become the first hospital to be issued a penalty for violating the EU’s new General Data Protection Regulation (GDPR). The Comissão Nacional de Protecção de Dados (CNPD), the body which oversees issues relating to data protection, prosecuted the Barreiro Montijo hospital for failing to ensure that adequate access restrictions were in place to protect the integrity of...

President Trump Signs Opioid Bill into Law

On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. According to the National Institute on Drug Abuse, over 100 people die every day in the United States from overdosing on opioids. Hundreds more suffer due to addiction to opioids, which include drugs such as pain relievers, heroin, and fentanyl (a synthetic opioid). According to the Centers for Disease Control and Prevention, the...

Ransomware Attack on Jones Eye Clinic Affects 40,000 Patients

The Jones Eye Clinic and its affiliated surgery, CJ Elmwood Partners, based in Sioux City, Iowa, have announced that up to 40,000 patients may have had their data compromised following a ransomware attack on their systems. The ransomware attack was discovered on August 23, 2018. Ransomware is software which denies the user access to their device, or certain files on the device, until a ransom has been paid to the scammer. The...

Radisson Hotel Data Breach Response Potentially in Violation of GDPR

The Radisson Hotel Group may be fined for non-compliance with the General Data Protection Regulation (GDPR) following a data breach earlier this year. The Radisson Hotel Group is a chain with over 1,400 hotels in over 70 countries and incorporates hotel brands such as Park Plaza, Country Inn & Suites, Park Inn, and Radisson Collection. As its headquarters is based in Brussels, Belgium, the group is required to comply...

Beazley’s Publishes Breach Insights Report for Q3 2018

Beazley’s, a specialist insurance group, has released its quarterly Breach Insights Report for Q3 2018. The report covers the incidents handled by Beazley Breach Response Services, which deals with the aftermath of an attack, including the investigation and the breach response. One of the most notable findings of the report is the huge rise in the number of ransomware incidents seen in comparison to previous months. Q3 saw a total...

Phishing Attack Causes Breach at Catawba Valley Medical Center

Catawba Valley Medical Center (CVMC), a medical center based in Hickory, North Carolina, serving the greater Catawba County area, has recently announced that an unauthorised individual gained access to its systems following a successful phishing attack. It is estimated that up to 20,000 people may have been affected by the breach. The discovery was made on August 13, 2018. The organisation acted quickly to secure the account and...

Anthem Settles for Record $16 Million with OCR

Anthem, Inc., a health insurance company and the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, has been levied the largest ever fine for a HIPAA violation for the February 2015 attack on their servers which saw over 78.8 million records stolen. The Anthem data breach settlement of $16 million is nearly three times the previous record-holder for largest HIPAA fine ($5.55 million) and...

ERS Texas Data Breach Caused by Error in Online Portal’s Code

The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal which allowed some users to view other members’ details upon logging into the portal. Up to 1.25 million records may have been exposed as a result of the error. ERS, a public pension fund with over $21 billion in assets under management, has explained that an error in the website’s code affected the “Annual Out-of-Pocket Premium” function of...

FirstCare Health Plans Data Breach Caused by Mailing List Error

FirstCare Health Plans, a Texan health insurance organisation, has revealed that more than 8,000 of its members may have had some of their personal data breached due to an email error made by one of its staff. The organisation is in the process of notifying 8,056 plan members that may have had some of their sensitive personal information impermissibly disclosed to an unauthorised individual as a result of automated...

Twin Phishing Attacks on Children’s Hospital of Philadelphia Result in Data Breach

Children’s Hospital of Philadelphia (CHOP) has announced that the email accounts of two employees have been compromised following cyberattacks on August 23 and August 29, 2018. On August 24, CHOP, a paediatric healthcare facility and primary care provider, discovered that an unauthorised individual had gained access to the email account of one of the physicians working at the facility. An investigation was launched into the incident,...
