HIPAA has the advantage of safeguarding individuals’ medical information, ensuring their privacy, and promoting standardized electronic transactions in the healthcare industry, while its drawbacks include administrative burdens, potential barriers to efficient healthcare communication, and the risk of hindering certain forms of medical research due to stringent data protection measures. HIPAA stands as a crucial guardian … Read more
Under the HIPAA Breach Notification Rule, covered entities must provide notification to affected individuals without unreasonable delay and in no case later than 60 days following the discovery of a breach of unsecured PHI. According to HIPAA, covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates must notify individuals … Read more
The HIPAA law, enacted by the United States Congress to modernize the flow of healthcare information, ensure the security and privacy of patient data, and set guidelines for the handling of electronic protected health information, went into effect on April 14, 2003. HIPAA has its roots in the need for reform in the healthcare sector, … Read more
When a breach in PHI security has been discovered, you should initially report it internally within your organization, typically to your supervisor or the designated privacy officer, and if the breach occurred at a business associate, it should also be reported to the covered entity, then, depending on the scale of the breach, it needs … Read more
HIPAA awareness should be promoted on an ongoing basis to ensure compliance and foster a culture of privacy and security within organizations that handle Protected Health Information (PHI). HIPAA awareness should be promoted during employee onboarding, through regular training and education sessions, when updating policies and procedures, during annual refreshers, in incident response situations, when … Read more
HIPAA was created to address several critical objectives in the healthcare sector, including enhancing health insurance portability, safeguarding the privacy and security of protected health information (PHI), improving healthcare administration efficiency, and combating fraud and abuse. Enacted by the U.S. Congress in 1996, HIPAA encompasses a wide range of provisions and requirements aimed at protecting … Read more
The enforcement of the HIPAA is carried out by the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS), with the OCR responsible for investigating HIPAA complaints, conducting compliance reviews, performing education and outreach to foster compliance, and imposing civil monetary penalties or corrective action plans for violations. HIPAA … Read more
The acronym HITECH stands for the Health Information Technology for Economic and Clinical Health Act, a comprehensive legislation passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA), which aimed to promote the widespread adoption and meaningful use of health information technology (IT) systems, improve the quality of healthcare delivery, enhance patient … Read more
In non-criminal cases, the enforcement of HIPAA is primarily handled by the Office for Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS). The OCR plays a vital role in ensuring compliance with HIPAA regulations and safeguarding individuals’ privacy rights in the healthcare industry. Its mission is to protect and enhance … Read more
HIPAA training is important because it ensures compliance with the Health Insurance Portability and Accountability Act (HIPAA), protects patient privacy and confidentiality, promotes data security and breach prevention, and fosters a culture of legal and ethical compliance in healthcare organizations. HIPAA training is a fundamental requirement for healthcare professionals and organizations to ensure HIPAA compliance. … Read more
A ransomware attack at Campbell County Health has disrupted hospital services and left the organization unable to access patient information. Campbell County Health, based in Gillette, Wyoming, stated that the ransomware attack began at 3:30 am on Friday, September 20, 2019. The attack caused ‘serious computer issues’ and left the hospital unable to offer many … Read more
A data security incident at Shore Speciality Consultants Pulmonology Group (SSCPG) has potentially compromised the protected health information (PHI) of 10,000 patients. SSCPG, based in New Jersey and part of the Shore Physicians Group, released a bulletin outlining the breach. According to the report, on July 8, 2019, SSCPG discovered suspicious activity on their network. … Read more
The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices are now ubiquitous in the workforce due to the vast range of benefits offered to employers. They allow individuals to readily communicate with each … Read more
Cybersecurity researchers have identified vulnerabilities in Philips IntelliVue WLAN firmware which could be exploited by hackers to install malware. Two vulnerabilities affect specific IntelliVue MP monitors. Hackers could use the vulnerabilities to install malicious firmware which could impact data flow and lead to an inoperable condition alert at the device and Central Station. Shawn Loveric, … Read more
East Central Indiana School Trust (ECIST) is notifying more than 3,200 individuals that a phishing attack may have compromised their protected health information (PHI). On May 22, 2019, the organization noticed suspicious activity on an employee email account. ECIST immediately took steps to secure the account and revoke the unauthorized access. ECIST launched an investigation … Read more
Irish Internet browser Brave has claimed that they have offered new information to the Data Protection Commission (DPC) in Ireland which proves that Google has been trying to bypass General Data Protection Regulation (GDPR) legislation. Brave claims that Google has implemented this workaround to share the data of Google users with a network of advertising … Read more
The Secretary of the Department of Health and Human Services (HHS), has declared a public health emergency in Puerto Rico and the states of Florida, Georgia, and South Carolina due to Hurricane Dorian. On September 4, the Secretary, Alex Azar, also declared in North Carolina, retroactive to September 1, 2019. Secretary Azar’s announcement comes as … Read more
NCH Healthcare System is preparing to notify patients that their protected health information may have been compromised in a phishing attack. On June 14, 2019, NCH Healthcare System, based in Bonita Springs, Florida, noticed suspicious email activity on its payroll database. NCH immediately investigated the incident and discovered that 73 employees had replied to a … Read more
Cybersecurity researchers have identified a flaw in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. Locally authenticated users could exploit the flaw to insert files that could allow the attacker to execute arbitrary code on a vulnerable device. Alfonso Powers and Bradley Shubin of Asante Information Security identified the flaw (CVE-2019-18630) and reported the … Read more
A high school in Sweden has become the first organization to be issued a General Data Protection Regulation fine by Sweden’s Data Protection Authority (DPA). The school in Skellefteå, in the north-east of Sweden, was fined 200,000 SEK (€19,000/$21,000) for using facial recognition technology in classrooms for three weeks in early 2018. The study, run … Read more
The supervisory authority for the General Data Protection Regulations (GDPR) in Ireland has released a set of guidelines on issuing GDPR breach notifications. The Irish Data Protection Commission (DPC) has stated that the guidelines aim to help data controllers understand GDPR’s stringent requirements for sending notifications to the data protection authority and subjects whose personal … Read more
Western Connecticut Health Network is sending breach notification letters to patients whose protected health information (PHI) may have been exposed in a postal incidence. On June 11, 2019, Western Connecticut Health Network (WCHN), now known as Nuvance Health, sent a box containing medical records to the Connecticut State Department of Public Health using the U.S. … Read more
Kaspersky Labs has released a report revealing significant deficiencies in the cybersecurity training provided to healthcare employees. The study was conducted by surveying 1,758 healthcare employees in the United States and Canada. Kaspersky Lab, a vendor of cybersecurity software, instigated the study to investigate potential causes for the substantial increase in cybersecurity breaches in recent … Read more
Monzo has contacted 500,000 customers following a data breach which saw customer PINs accessible to employees of the digital bank for more than a year. The incident, which may constitute a breach of the EU’s General Data Protection Regulation (GDPR) breach, has prompted Monzo to advise them to change their PINs. On August 2, Monzo … Read more
Hackers impersonating the US National Council of Examiners for Engineering and Surveying (NCEES) are targeting business in the US utility sector through a new phishing campaign. Between July 19 and July 25 2019, the hackers sent phishing emails to three utility companies in the US. In each case, the hackers attempted to infect the organization’s … Read more
The Department of Veteran Affairs Office of Inspector General (VA OIG) has discovered severe security failings at the Tibor Rubin VA Medical Center in Long Beach, California. A recent inspection by the VA OIG uncovered security vulnerabilities related to medical device workarounds and multiple compliance issues with the Veterans Health Administration (VHA) and VA policies. The … Read more
Perry County Medical Center, Inc. d/b/a Three Rivers Community Health Group, has announced that it is notifying patients following a phishing attack which saw patient data compromised. Perry Country Medical Center, a health care centre based in Linden, Tennessee, noticed suspicious activity on an employee email account on May 28, 2019. The IT department were … Read more
Presbyterian Healthcare Services is notifying 183,000 patients that an unauthorised individual accessed their personal data. The hackers gained access to the patient data after successfully fooling several employees into handing over their login credentials through a phishing campaign. The attack occurred on May 6, 2019, and the unauthorised access was not noticed until June … Read more
A ransomware attack at Imperial Health has compromised the protected health information of more than 116,000 patients. On May 19, 2019, Imperial Health, a physicians’ network in Southwest Louisiana, discovered that an unauthorized party had installed ransomware onto the network, encrypting files and a database used by the Imperial Health’s Center for Orthopaedics (CFO). … Read more
The Philadelphia Department of Behavioral Health and Intellectual Disability Services (DBHIDS) is notifying 1,500 individuals that their private information may have been exposed after an employee lost an unencrypted laptop. The employee has been carrying the laptop in a briefcase which they misplaced on public transport. The laptop was password-protected, but not encrypted, so there … Read more
Wise Health System is sending breach notification letters to 36,000 patients following a phishing attack on their system. Wise Health System is a health care system with over 1,900 employees based in Decatur, Texas. The breach occurred on March 14, 2019, when a hacker sent phishing emails to employees of the organization. Several employees were … Read more
St. Croix Hospice is notifying 21,000 patients that their protected health information (PHI) may have been compromised in a phishing attack. St. Croix Hospice is a provider of hospice care in Minnesota and Wisconsin. On May 10, suspicious email activity was detected on an employee’s email account. St. Croix Hospice contracted a third-party cybersecurity firm … Read more
In response to the Tropical Storm Barry that made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties. The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019. The … Read more
The UK Information Commissioner’s Office has fined Marriott International Inc £99 million under GDPR for a data breach that affected seven million UK residents. The ICO released the statement for intention to fine Marriott on July 9, only a few days after the announcement that BA was given a record-breaking £183 million for a data … Read more
The City of Griffin, Georgia, has revealed that it made two payments totalling $800,000 to scammers following a series of business email compromise attacks. BEC campaigns are a form of a phishing attack in which the cybercriminal impersonates a high-ranking member of an organisation, such as CEO or CFO, to obtain sensitive information from the … Read more
Microsoft has issued patches for 77 vulnerabilities this Patch Tuesday. Of the vulnerabilities, 15 were rated critical and two were actively exploited zero day vulnerabilities. Six of the vulnerabilities patched this month had been previously disclosed to the public. The two actively exploited zero-days are both privilege escalation vulnerabilities. The first – CVE-2019-0880 – affects … Read more
British Airways (BA) has been hit by a GDPR fine of £183.39 million by the UK Information Commissioners Office (ICO) for a 2018 data breach. The ICO investigation revealed that hackers stole the data of more than half a million BA customers, including sensitive information such as login credentials, payment card numbers, names, and addresses. … Read more
Dominion National is notifying patients of a data security incident that first stated in 2010 and has affected nearly 3 million members. Dominion National is a health insurer, health plan administrator, and administrator of dental and vision benefits based in Virginia. Staff at the organization discovered the breach after an internal alert on their system … Read more
UChicago Medicine faces a potential class-action lawsuit for allegedly sharing patient information with Google with having the correct authorization to do so. The lawsuit names UChicago Medicine, UChicago Medical Center, and Google, and was filed by Matt Dinerstein, a former patient of UChicago Medicine. The suit claims patient information that still had personal identifiers attached … Read more
Summa Health is in the process of notifying 10,000 patients of a data security incident which resulted in sensitive data being compromised. On May 1, 2019, Summa Health, based in Akron, Ohio, noticed suspicious activity on its email platform and immediately investigated the situation. They quickly discovered that an unauthorised individual had gained access to … Read more
A newly-identified privilege escalation flaw in Dell SupportAssist could leave millions of Dell PCs and laptops vulnerable attack. Threat actors could employ malicious software to elevate their privileges to administrator level and hijack the device for their nefarious purposes. The flaw affects both the home 9 (v 3.2.1 and prior) and business (v 2.0) versions … Read more
Kingman Regional Medical Center (KRMC) is in the process of notifying patients that their sensitive data may have been compromised following the discovery of a flaw on its website which may have allowed unauthorized users to access patient data. KRMC became aware of the security issue on April 8, 2019. Their IT team immediately took … Read more
Boxes of patient medical records have been found abandoned in a former medical centre in the Chatham area of Chicago, Illinois. Clean-up crews have been brought in to assist in the clean-up operation which started hours after Ald. Roderick Sawyer (6th) requested the emergency clearing of the documents, which contain a wealth of sensitive patient information. … Read more
Franciscan Health is notifying 2,200 patients that their sensitive data may have been compromised in a security incident involving a former employee. Franciscan Health, a health system operating 14 hospitals in Indiana and Illinois, discovered a former employee was accessing the data of 2,200 patients without the appropriate authorization to do so during a routine … Read more
The appointment of a data protection officer (DPO) is an essential part of complying with the EU’s General Data Protection Regulations. However, what exactly is the role of a DPO? Moreover, who needs to hire one? In this article, we explore the role of a DPO in helping an organisation achieve their compliance goals. DPO: … Read more
A phishing attack at Union Labor Life Insurance (ULLI) has compromised the protected health information (PHI) of more than 87,000 individuals. ULLI, a subsidiary The Ullico Inc., discovered the attack shortly after it commenced on April 1, 2019. The IT department successfully managed to revoke unauthorized access within 90 minutes of the account being compromised. … Read more
A jury has awarded a woman $300,000 in damages following a privacy breach at Medical Center Enterprise (MCE), Alabama. Amy Pertuit’s patient rights were violated when a physician at MCE accessed and disclosed her protected health information to a third party without the proper authorization or consent to do so. This is a breach of … Read more
Microsoft has issued patches for 88 vulnerabilities this patch Tuesday. Of the vulnerabilities, 20 were rated critical. One servicing stack and 4 advisories were also released in the update. Microsoft stated that there was no evidence to suggest that threat actors had been actively exploiting the vulnerabilities in the wild. SandboxEscaper, a security researcher, identified … Read more
Takai, Hoover & Hsu has terminated a nurse for accessing the protected health information (PHI) of 16,542 without the correct authorization to do so. The healthcare provider, owned by Takai, Hoover & Hsu and based in Germantown, MD, has stated that the information may have been passed on to a third-party and used for fraud … Read more
Her Majesty’s Revenue and Customs (HMRC) has agreed to delete more than five million voice recordings after the UK Information Commissioner’s Office (ICO) declared the data had been unlawfully obtained. HMRC collected for use in a voice authentication service, introduced in 2017. The callers were asked to repeat the phrase ‘my voice is my password’, … Read more