HIPAA Editor

In May 2019, Microsoft announced a critical remote code execution vulnerability in Windows Remote Desktop Services referred to as BlueKeep – CVE-2019-0708. The cybersecurity community expected the development of this weaponized exploit and use in large-scale attacks. The foremost wide-scale attacks utilizing a BlueKeep exploit were identified over the weekend. Right after Microsoft mentioned about … Read more

A security breach has been announced by Brooklyn Hospital Center in New York. The incident that transpired in late July 2019 involved the installation of malware on some servers of the hospital. The prompt discovery of the attack limited the harm caused as safety action steps were taken. However, a number of files were still … Read more

The Department of Health and Human Services’ Office for Civil Rights charged Jackson Health System (JHS) with a civil monetary penalty amounting to $2.15 million. JHS is a nonprofit academic medical system located in Miami, FL, which has violated HIPAA Security Rule, Privacy Rule, and Breach Notification Rule in multiple cases. OCR learned in July … Read more

Due to a data breach on the Palmetto Health website, Prisma Health Midlands is sending breach notifications to around 19,000 patients and 3,000 employees. Prisma Health – previously called Palmetto Health – discovered on August 29, 2019 that a suspicious individual got the login information of a Prisma Health employee. The attacker used the stolen … Read more

Healthcare data breaches bring about a lower quality of patient care, as per a study just posted in Health Services Research. Researchers studied data from Medicare Compare which highlights quality measures employed at hospitals. Information from 2012 to 2016 was assessed and compared with records from the HHS’ Office for Civil Rights on data breaches … Read more

Roger Severino, the HHS’ Office for Civil Rights Director, gave a report on the priorities of OCR’s HIPAA enforcement during the OCR/NIST 11th Annual HIPAA Conference held in Washington D.C. Severino stated that a top policy initiative of OCR is still the enforcement of patient rights under the HIPAA Privacy Rule and the provision of … Read more

The password manager provider LastPass recently conducted a study, which revealed that only 57% of companies make use of multi-factor authentication, despite the fact that it is a very good way to prevent the use of stolen credentials to access email accounts and company networks. With multi-factor authentication, a second factor to verify users is … Read more

The Federal Bureau of Investigation gave an alert regarding e-skimming threats, after attacks on SMBs and government institutions increased. E-skimming refers to the adding of malicious code on online payment processing websites. The code steals the debit and credit card details of users as they enter the information into the payment websites. The attacker gets … Read more

Because nine companies failed to keep their medical databases secure, the sensitive health information of millions of patients were exposed online. The security researchers at WizeCase discovered the exposed patient information. The research team, under the leadership of Avishai Efrat, looked for exposed information that are accessible without requiring any usernames or passwords using freely … Read more

There were 36 healthcare data breaches involving over 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September. This figure presents a 26.53% reduction in breaches compared to the last month. The September breaches had exposed a total of 1,957,168 medical records, which represents a 168.11% rise from … Read more

South Texas Dermatopathology is the last identified casualty of the American Medical Collection Agency (AMCA) data breach. It has reported the data breach to the Department of Health and Human Services Office for Civil Rights (OCR) and informed the affected patients. The OCR breach portal has published information about the breach on October 7, 2019 … Read more

Malicious code was found installed on the e-commerce website of Mission Health in Western North Carolina. The malicious code can capture the payment information entered by patients purchasing health products on the website. Then, the data can be routed to an unauthorized third party. Mission Health discovered the breach in June 2019. But according to … Read more

A recent Proofpoint report gives information on the cyber threats that healthcare organizations encounter and the most common attacks that result in healthcare data breaches. Proofpoint’s 2019 Healthcare Threat Report shows the constantly changing threat landscape and how the strategies utilized by cybercriminals are in a consistent state of flux. The study, which was conducted … Read more

Due to a phishing attack on August 7, 2019, UAB Medicine is informing its patients regarding the potential access of a number of employee email accounts of UAB Medical Center in Birmingham, AL. When UAB became aware of the breach, the security team modified the passwords of the breached email accounts to block further unauthorized … Read more

S.4119/A.230 is a new legislation signed into law on October 7, 2019 by New York Governor Andrew Cuomo. This law forbids first response and ambulance service employees to sell or share patient information to third parties for the purpose of marketing or raising money. New York Assembly Member Edward Braunstein originally introduced the bill in … Read more

The Medical Imaging & Technology Alliance (MITA) has published a new medical device security standard that offers healthcare delivery organizations (HDOs) crucial data regarding risk management and medical device security controls to secure the medical devices against suspicious access and cyberattacks. The new voluntary standard, known as Manufacturer Disclosure Statement for Medical Device Security (MDS2) … Read more

The Philadelphia Department of Public Health (PDPH) found that sensitive data of patients suffering from hepatitis B and hepatitis C were exposed over the web and any person could access it without having authentication. PDPH knew about the breach on October 12, 2019 after getting notification from one The Philadelphia Inquirer correspondent. The matter was … Read more

Advanced persistent threat (APT) actors are taking advantage of flaws in widely used VPN products provided by FortiGuard, Palo Alto and Pulse Secure to obtain control of vulnerable Internal networks and VPNs. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) together with other cybersecurity institutions published security alerts regarding a number of vulnerabilities in VPN … Read more

Cancer Treatment Centers of America (CTCA) sent notifications to some of its patients after their protected health information (PHI) were exposed due to a phishing attack and email security breach on July 2019 at its Southeastern Regional Medical Center. CTCA knew about the phishing attack on July 29, 2019 when there was suspicious activity identified … Read more

A recent B2B International survey undertaken on behalf of Kaspersky Lab showed the rise in the average cost of an enterprise-level data breach from $1.23 million (2018) to $1.41 million. The elevated risk of a data breach and the growing costs of remediation has prompted enterprises to put in more money in cybersecurity. According to … Read more

9,160 patients from Goshen Health in Indiana received notification about its phishing-related email breach in August 2018 that could have resulted in the potential exposure of their protected health information (PHI). Goshen Health took steps to secure the compromised email accounts upon discovery of the breach and immediately had the incident investigated. Initially, it was … Read more

There has been a rise in the volume of business email compromise (BEC) attacks in the U.S. As per Symantec, about 6,029 businesses got BEC emails in the last year and the FBI’s statistics show that losses of attacked businesses resulting from this scam totals $1,297,803,489 in 2018. In BEC attacks, attackers get access to … Read more

A ransomware attack on Sarrell Dental in Alabama, is non-profit Children’s dental and optical services provider resulted in the potential compromise of the protected health information (PHI) of its patients. Sarrell Dental is the biggest dental services provider in the state of Alabama with 17 clinics in operation. In July 2019, cyberattackers deployed ransomware on … Read more

North Florida OB-GYN in Jacksonville, FL learned that hackers got access to particular portions of its computer system that contain personal and medical data of patients and attacked the system with a virus that encrypted the data. Once the breach was uncovered on July 27, 2019, the provider deactivated the networked computer systems and started … Read more

Atlantic.net is a HIPAA-compliant hosting company that teamed up with Compliancy Group and its HIPAA-compliance specialists in conducting a webinar on Cybersecurity and HIPAA Compliance. In the webinar, healthcare organizations can learn a few quick-to-implement steps to easily enhance their security standing, be more resistant to cyberattacks, and guarantee continued compliance with HIPAA rules. Cybercriminals … Read more

Sen. Rand Paul, M.D., (R-Kentucky) has presented a new bill that attempts to permanently remove the national patient identifier provision of HIPAA because of the privacy issues in implementing such a system. At this time, HIPAA is most widely known for its healthcare data privacy and security rules, however, the national patient identifier system was … Read more

Sen. Mark Warner (D-Virginia) wrote a letter to TridentUSA asking for an explanation concerning a breach involving sensitive medical images at MobileXUSA, one of its affiliates. Sen. Warner is one of the founders of the Senate Cybersecurity Caucus (SCC) that was created to be a bipartisan educational resource for the Senate to effectively engage on … Read more

Integration Link, LLC is a provider of virtual Chief Information Security Officers and cybersecurity consultancy services to businesses of varying sizes — small, medium and large. It recently completed Compliancy Group’s 6-Stage HIPAA Risk Analysis and remediation process, which proves that it is fully compliant with all the requirements of the HITECH Act, the Omnibus … Read more

In August, more than 1.5 healthcare data breaches were reported per day. This is the second consecutive month that there are a lot of reported breaches. Though the number of breaches is not significantly different from last month (49 versus 50), the number of exposed records went down substantially. There were 729,975 healthcare records breached … Read more

Beginning October 1, 2019, health insurance providers and associated services have to notify the Maryland Insurance Administration (MIA) whenever a breach of insureds’ personal information occurs. The change in rules covers health plans, health insurance companies, HMOs, managed general agents, managed care institutions, and third-party health insurance administrators. MIA’s Compliance & Enforcement Unit ought to … Read more

Dr. Ulrich Klopfer from Indiana operated three abortion clinics until his license was suspended in 2015. He was found to have taken away fetal remains from his abortion clinics. His family members discovered the remains among his personal stuff at his Illinois house after his demise on September 3, 2019. Authorities handling the investigation of … Read more

The managed care firm Magellan Health based in Scottsville, AZScottsville, AZ learned that phishing attacks on two of its subsidiaries caused the compromise of the protected health information (PHI) of Presbyterian Health Plan members from Albuquerque, NM. Two service vendors to Presbyterian Health Plan, specifically Magellan Healthcare and National Imaging Associates, encountered the phishing attacks. … Read more

Ramsey County has learned that the phishing attack on August 2018 has impacted considerably more persons than originally believed. The number of affected individuals went up from 599 to 117,905. The first breach report mentioned about the compromise of 26 workers’ email accounts in a phishing attack some time in August 9. Ramsey County uncovered … Read more

The National Cybersecurity Center of Excellence (NCCoE) published the latest draft NIST mobile device security guidance to aid institutions to reduce the risks brought in by corporate-owned personally enabled (COPE) gadgets. Mobile gadgets enable workers to access information required to perform their job, regardless of where those persons are found. So, the devices enable organizations … Read more

The draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem was issued by the National Cybersecurity Center of Excellence (NCCoE). The guidelines called NIST Cybersecurity Practice Guide, SP 1800-24 were penned for health healthcare delivery organizations (HDOs) to help protect their PACS and minimize the likelihood of a data breach or … Read more

A phishing attack on East Central Indiana School Trust (ECIST) is the reason for the compromise of some protected health information (PHI) of more than 3,200 men and women. On May 19, 2019, an ECIST staff was tricked into revealing his/her email account credentials that an attacker employed to access that person’s email account. ECIST … Read more

The healthcare sector runs into a lot of phishing attacks. Every week, healthcare organizations report a number of phishing attacks resulting in protected health information (PHI) exposure or theft. In most cases, the attacks are preventable by adhering to fundamental cybersecurity guidelines. Cyberattacks are now more complex, though most of the attacks aren’t. They entail … Read more

The Healthcare and Public Health Sector Coordinating Council (HSCC) released guidance on cybersecurity information sharing for healthcare organizations. HSCC is a partnership of over 200 public-private companies and organizations, such as health IT organizations, healthcare device manufacturers, pharmaceutical firms, laboratories, health plans, payers and government institutions. Its purpose is to deliver collaborative solutions to aid … Read more

A new investigation by ProPublica has showcased a growing concern that is encouraging the existing ransomware problem. Insurance providers are preferring to pay ransom demands since it is the least expensive solution for settling claims. A substantial ransom may be required, yet paying the ransom is still less costly than paying for the price of … Read more

Premier Family Medicine, which is a physician group located in Utah, notified 320,000 patients concerning the potential exposure of their protected health information (PHI) caused by a ransomware attack that affected ten facilities located in Utah County. On July 8, 2019, the ransomware attack occurred and prevented the Family Medicine’s staff from accessing patient files … Read more

Massachusetts General Hospital (MGH) found lately that the computer applications used by the researchers of its Department of Neurology was accessed without authorization. The individual behind the breach may possibly access approximately 10,000 patients’ protected health information (PHI). MGH became aware of the breach on June 24, 2019 and immediately blocked the software and databases … Read more

The Department of Health and Human Services’ Office for Civil Rights (OCR) made an announcement early this year that HIPAA enforcement in 2019 would primarily be in the area of HIPAA right of access failures, such as the delayed responses to access requests and charging too much for copies of healthcare records. The HIPAA right … Read more

The Secretary of the Department of Health and Human Services (HHS), Alex Azar, has made an announcement placing Puerto Rico and the states of Georgia, Florida, and South Carolina in a public health emergency (PHE) because of Hurricane Dorian. The announcement of the presidential PHE in the previously mentioned areas was made while the states … Read more

A phishing attack on NCH Healthcare System, Bonita Springs located in Florida, highlighted how critical it is to train healthcare employees on security awareness. On June 14, 2019, Bonita Springs tracked down the phishing attack upon seeing suspicious email activity connected with its payroll system. The investigation confirmed that 73 employees surprisingly disclosed their account … Read more

The Swedish software firm Irdeto conducted the Global Connected Industries Cybersecurity Survey, which showed that 82% of healthcare organizations using Internet-of-Things (IoT) devices have encountered a cyberattack on no less than one of those devices in the last 12 months. Irdeto asked 700 security leaders of healthcare providers and companies in the manufacturing, IT and … Read more

There is a vulnerability identified in Philips HDI 4000 Ultrasound systems that attackers could exploit to access ultrasound images. Besides stealing information, an attacker could tamper with ultrasound images to hinder the diagnosis of a possibly deadly health ailment. Philips HDI 4000 Ultrasound systems run on legacy operating systems like Windows 2000 which aren’t supported … Read more

Devices of Change Healthcare Cardiology, Horizon Cardiology and McKesson Cardiology were found to have a vulnerability, which a locally authenticated user could exploit to add files that can enable the attacker to implement arbitrary code on a device. Asante Information Security’s Alfonso Powers and Bradley Shubin identified vulnerability CVE-2019-18630 and reported it to Change Healthcare. … Read more

May 2019 had 46 breaches with over 500 records exposed making it the worst month ever since the HHS’ Office for Civil Rights began reporting breach summaries on its web portal in 2009. But that record was broken last July, which had 50 healthcare data breaches with over 500 records reported. July had 13 more … Read more

Mount Sinai Hospital discovered the compromise of 33,730 patients’ protected health information (PHI) as a result of the American Medical Collection Agency (AMCA) cyberattack. This hospital is number 24 in the list of AMCA breach victims, which has impacted nearly 25 million individuals. On June 4, 2019, AMCA informed Mount Sinai Hospital about the unauthorized … Read more

The number of victims of the American Medical Collection Agency (AMCA) data breach has gone up to about 25 million with one more healthcare organization announcing that it was impacted by the breach. Wisconsin Diagnostic Laboratories (WDL) runs 13 medical testing facilities in the area of Milwaukee. Around 114,985 of its patients were notified about … Read more

The Office of Management and Budget (OMB) sent in its yearly audit report to Congress about the status of federal agencies’ cybersecurity, as demanded by the Federal Information Security Modernization Act of 2014 (FISMA). OMB evaluated 4 of the 12 Department of Health and Human Services (HHS) operating divisions to determine their compliance with FISMA. … Read more

University of California Berkeley, University of San Diego, and Barracuda Networks conducted a recent study, which showed the increasing threat of lateral phishing to healthcare organizations. In a typical phishing attack, the attacker sends an email with an embedded hyperlink going to a malicious web page that harvests login credentials . The emails include a … Read more

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is informing 2,943 patients regarding the unauthorized access of a server that contained some of their health data. A hacker accessed RIENT’s network on June 19, 2019. The provider detected the breach on the same day and secured its network. A hired third-party computer forensics company … Read more

Since January, about 200 breaches involving over 500 records were reported and it seems that 2019 will be another record year when it comes to healthcare data breaches. Because of the increase in data breaches, Kaspersky Lab conducted a survey to get more understanding about the healthcare industry’s state of cybersecurity. Kaspersky Lab recently published … Read more

Florida-based Integrated Regional Laboratories (IRL) notified around 30,000 patients concerning the potential compromise of their protected health information (PHI) due to the American Medical Collection Agency (AMCA) data breach, which was identified on March 20, 2019. AMCA advised IRL on June 3, 2019 that it had a data breach and confirmed on June 13 that … Read more

Michigan Medicine notified about 5,500 of its patients regarding the exposure of some of their protected health information (PHI) because of a phishing attack recently. In July, Michigan Medicine was hit by a phishing attack. About 3,200 employees got phishing emails that have a hyperlink going to a legit-looking web site, which asked for the … Read more

Direct Connect Computer Systems, Inc., the technology solution provider based in Cleveland, OH, has proven that it is surely Health Insurance Portability and Accountability Act (HIPAA) compliant. Under HIPAA, firms offering technology solutions and services to healthcare organizations that necessitate access to electronic protected health information (ePHI) are considered as ‘business associates. Business associates of … Read more

The National Association of Attorneys General (NAAG) told the House and Senate leaders to make improvements to Confidentiality of Substance Use Disorder Patient Records regulations referred to as 42 CFR Part 2. NAAG tagged the regulations under consideration as cumbersome [and] out-of-date and they limit the substance abuse treatment records uses and disclosures. The HIPAA … Read more

Renown Health, which is Northern Nevada’s biggest healthcare provider, has begun notifying some patients about the potential compromise of some of their protected health information (PHI). On June 30, 2019, a portable storage device (thumb drive) containing files with patient data was found missing. A thorough search for the thumb drive was conducted in the … Read more

From 2011 to 2018, the New York Fire Department (FDNY) had used its ambulance to bring over 10,000 EMS patients to the hospital. Due to a breach of data security, the protected health information (PHI) of some patients were exposed. Myles Miller, FDNY’s spokesperson, said that an employee did not observe the appropriate data security … Read more

The University of Missouri Health Care (MU Health) is facing a lawsuit over the phishing attack on April 2019. MU Health discovered on May 1, 2019 that two employees’ email accounts were accessed without authorization beginning on April 23, 2019 up to a period of one week. The email accounts contained a variety of sensitive … Read more

A Seattle, WA provider of accredited outpatient, counseling services and mental health treatment, Community Psychiatric Clinic, has encountered two security breaches resulting in the compromise of patient information. In the two instances, an unauthorized person accessed the Microsoft Office 365 account of an employee. Community Psychiatric Clinic detected the first security breach on March 12, … Read more

A database that contains the personal data of people who were interested in Vascepa®, Amarin Pharma’s cholesterol drug, was exposed on the internet. A third party vendor maintained the database, which contained data including full names, email addresses, addresses, phone numbers, interest in a copay card for Vascepa® and medications information. Amarin discovered the breach … Read more

The National Institute of Standards and Technology (NIST) has published its latest guide for companies manufacturing Internet of Things (IoT) devices so that they can integrate proper cybersecurity controls to ensure the devices are secured against risks when connected to the Internet. This is the second in the series of published security of IoT devices … Read more

Edgepark Medical Supplies (EMS) learned on May 13, 2019 about the access of an unauthorized person into some accounts of its clients. That person modified their addresses in the account so that their orders will be redirected to other delivery addresses. When EMS discovered the potential breach, it deactivated the compromised accounts of its clients … Read more

Presbyterian Healthcare Services in New Mexico is informing about 183,000 patients and health plan members about the exposure of some of their protected health information (PHI) as a result of a recent security breach. A number of Presbyterian Healthcare Services employees got phishing emails some time on May 6, 2019. Some employees replied to the … Read more

Imperial Health in Southwest Louisiana is a physicians’ network that is announcing the potential compromise of over 111,000 patients’ protected health information (PHI) because of a recent ransomware attack, which was discovered on May 19, 2019. An unauthorized party was able to download ransomware into the network so that files and the Imperial Health’s Center … Read more

Cloud service provider Atlantic.Net, which offers HIPAA-compliant hosting to healthcare businesses, is remembering its 25th year anniversary. The company started as an internet service provider in 1994. It adapted with the changing technology trends and offered cloud services in 2009. The company continued to develop it its hosting platform and related services over the next … Read more

Armin’s security researchers discovered 11 vulnerabilities in the real-time operating system of VxWorks, which is widely used in close to 2 billion IoT devices, control systems and medical devices. Six vulnerabilities are rated critical and have been collectively called “Urgent/11.” A hacker could remotely exploit them with no need for user interaction. If successful, a … Read more

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) released a draft of a mobile device security guidance that aims to help companies strengthen the security of corporately-owned personally-enabled (COPE) mobile gadgets and lower network security risks that may arise because of the devices. Modern businesses need mobile gadgets to … Read more

Park DuValle Community Health Center in Louisville, KY encountered a ransomware attack on June 7, 2019. The hackers successfully accessed its network and installed ransomware so that the center’s appointment scheduling platform and medical record system became inaccessible. The non-profit health center offers healthcare services to low-income patients in the western Louisville area who have … Read more

Computer Doc, an IT company based in Indian Trail, NC, is now certified as compliant with the HIPAA Privacy, Security and Breach Notification Rules, the Omnibus Rules and the HITECH Act as announced by the Compliancy Group. Computer Doc has been in business since 1997 providing businesses in the area of Charlotte, NC with IT … Read more

The Treasury Department released statistics that show a continual increase of business email compromise (BEC) attacks throughout the last two years. The number of reported successful BEC attacks in 2018 is more than double the number in 2016. Losses in operations and breach responses as a result of these scams are soaring. Business email compromise … Read more

June is a better month than the last two months in terms of data breaches reported. Compared to the 1.5 healthcare data breaches per day reported in April and May, June only had 30 breaches involving over 500 healthcare records. That is 31.8% less than the reports in May. Although there is a drop in … Read more

More healthcare providers have confirmed that they were affected by American Medical Collection Agency (AMCA) data breach over the last few days. To date, there are 18 healthcare providers who were affected and over 25 million were considered victims. Retrieval Masters Credit Bureau (RMCB), AMCA’s parent company, discovered the AMCA breach on March 21, 2019. … Read more

Ransomware attacks increased in the Q2 of 2019, according to Coveware’s new report. Coveware is a ransomware recovery service provider, which helps businesses recover their data in the event of a ransomware attack. The method used to recover their data may be through free remediation or through negotiation with the attackers. Coveware analyzed anonymized information … Read more

St. Croix Hospice, provides hospice care across the Midwest, discovered that an unauthorized person accessed an employee’s email account and could have viewed patient data. The hospice detected the breach on May 10, 2019 upon seeing suspicious email activity in the account. Investigation went underway with the help of a third-party computer forensics company. It … Read more

Clinical Pathology Laboratories based in Texas recently learned that the data breach at American Medical Collection Agency (AMCA) affected its 2.2 million patients potentially compromising their protected health information (PHI). AMCA is a company that provides a lot of healthcare companies with debt collection services. As a provider of this service, AMCA receives the PHI … Read more

Premera Blue Cross consented to pay $10 million to resolve a multi-state data breach lawsuit. The 2014 breach impacting 10.4 million records was allegedly due to violations of state and federal laws. Premera Health’s system got hacked on May 5, 2014 and remained accessible to the hacker without being detected until March 6, 2015. Compromised … Read more

An improper authentication vulnerability was found in the devices GE Aestiva and Aespire Anesthesia. Many hospitals all across American generally use these devices. The CVE-2019-10966 vulnerability could make it possible for an attacker to remotely alter the parameters of a vulnerable device and silence the alarms. Possible changes include adjusting the parameters of gas composition … Read more

Vitagene is a health tech firm based in San Francisco, CA that offers services of direct-to-consumer DNA-testing. Vitagene accidentally exposed the private and genealogy data of a large number of its customers because of unauthorized access on the web. The Vitagene DNA testing service is one componenet of a DNA-based individualized health and wellness program. … Read more

Adirondack Health in Vermont is informing roughly 25,000 patients about the potential access of some of their protected health information (PHI) by a hacker. The information that were potentially compromised include the names of patients, birth dates, Medicare ID numbers or medical insurance member numbers, and some information on treatment and/or clinical results. The Social … Read more

Compliancy Group is conducting a webinar for healthcare professionals covering the major threats that the healthcare industry is facing. Compliance experts are going to discuss threats like malware, ransomware and phishing in connection with HIPAA and patient data privacy and security. Cybersecurity plays a very important role in healthcare today than ever before. Hackers regard … Read more

A medical university student filed a legal case against Cabell Huntington Hospital and Marshall University because of the impermissible disclosure of some of his protected health information (PHI) to a group of students. J.M.A, the medical student named in the lawsuit, stated that a Marshall University Joan C. Edwards School of Medicine professor used his … Read more

Several patients of Pardee UNC Health Care are being notified about the potential exposure of their protected health information (PHI) as a result of a break in at its facility in 2029 Asheville Hwy, Hendersonville, NC. The thieves also stole electronic equipment. The incident was discovered on May 9, 2019. Pardee believes that electronic PHI … Read more

A Government Accountability Office (GAO) audit recently conducted showed that the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) uses a remote ID verification process that is poor and outdated. Consequently, it likely gives limited security against fraud. The CMS site can help users find government financial assistance that is … Read more

Some Sandia National Laboratories researchers discovered that the open software utilized by genomic researchers had a vulnerability. If an attacker exploits this vulnerability, he could access and modify sensitive genetic data. There are two steps involved in DNA screening. The first step is the sequencing of a patient’s DNA and the mapping of their genome. … Read more

Summa Health in Akron, Ohio discovered an unauthorized person had accessed four employee email accounts that contain the protected health information (PHI) of patients. Summa Health knew about the breach on May 1, 2019 and started an investigation showing the breach of 2 email accounts in August 2018, and the breach of two more accounts … Read more

A data security incident at Dominion National involved the personal data of their clients. Dominion National is an insurance provider, health plan administrator, and administrator of dental and vision benefits primarily based in Virginia. Hackers initially accessed the provider’s servers in 2010. Dominion National started an internal investigation after being alerted about the incident and … Read more

A patient care coordinator who worked at the University of Pittsburgh Medical Center (UPMC) in the past was sentenced to a one-year jail term for accessing the health records of patients and carrying out malicious damages using the data. Sue Kalina, 62, a resident in Butler, PA, worked at UPMC Tri Rivers Musculoskeletal and Allegheny … Read more

The Senate Health, Education, Labor and Pensions (HELP) Committee has okayed a very important bill to HIPAA-covered entities – the Lower Health Care Costs (LHCC) Act of 2019. One key objective of the bill is to enhance the transparency of medical care costs and quality of service. The bill is meant to stop surprise medical … Read more

The personal data of approximately 5 million people contained in a MongoDB database were exposed on the web. MedicareSupplement.com owns the database containing personal and health data. TZ Insurance Solutions operates the website and use it for helping people look for a Medigap insurance plan. People in search of coverage could go to the website … Read more

The Department of Health and Human Services’ Office for Civil Rights published new HIPAA guidance for health plans about the proper sharing of protected health information to assist patient care coordination and continuity of patient care. The guidance is written in the format of an FAQ. It answers two questions that health plans frequently ask: … Read more

Franciscan Health based in Mishawaka, IN learned that a former employee accessed the protected health information (PHI) of about 2,200 patients without authorization. During a scheduled privacy audit, Franciscan Health discovered the privacy breach. On May 24, 2019, it was confirmed that Franciscan Health that an employee assigned in the quality research department accessed patients’ … Read more

A former staff at a healthcare provider located in Germantown, MD allegedly accessed the protected health information (PHI) of roughly 16,542 patients. The data was purportedly provided to a third party and utilized for bogus transactions. On April 10, 2019, County and state law enforcement informed Takai, Hoover & Hsu, P.A., the owner of THH … Read more

April had more healthcare data breaches reported when compared with any other month so far. May continued to have a high number of data breaches, with 44 breaches reported. The number of exposed records in May, which is 1,988,376 healthcare records, increased by 186% compared to April. The average number of healthcare data breaches reported … Read more

The Quantum Vision Centers and Eye Surgery Center located in Illinois is notifying its patients about the potential compromise of some of their protected health information (PHI) because of a ransomware attack in April 2019. An unauthorized person accessed Quantum systems on April 18, 2019 and installed ransomware, which encrypted files. The information contained in … Read more