Qualcomm Life Capsule Datacaptor Terminal Server Beset With ‘Misfortune Cookie’

A code vulnerability has been discovered in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS). A threat actor could remotely exploit the vulnerability to gain administrator-level privileges and execute code remotely. The Qualcomm Life Capsule Datacaptor Terminal Server is a healthcare gateway device that numerous American hospitals use to connect their medical devices. The … Read more

BD Alaris Plus Medical Syringe Pumps Vulnerability Identified

The BD Alaris Plus medical syringe pump has a critical, remotely exploitable vulnerability. When connected to a terminal server through the serial port, the syringe pump could be exploited by a threat actor to alter its intended operation. The vulnerability is an improper authentication flaw. The software program falls … Read more

38,000 Patients’ PHI Exposed Due to Legacy Health Phishing Attack

Legacy Health found that an unauthorized person had obtained access to its email system and to the protected health information (PHI) of about 38,000 patients. The Portland, Oregon-based health system operates two regional hospitals, seventy clinics and four local community hospitals in Oregon, Southwest Washington, and the Mid-Willamette Valley. Legacy Health is the second … Read more

Anthem’s $115-Million Proposed Settlement Approved By Court

Anthem Inc. offered a $115 million settlement in 2017 to resolve the class action lawsuits filed by the victims of its 78.8 million-record security breach in 2015. The proposed settlement was finally approved on August 16. The Anthem cyberattack resulted in the theft of plan members’ names, birth dates, medical insurance details, … Read more

Maryland’s Medicaid System Audit Revealed Vulnerabilities

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of its audit of Maryland’s Medicaid system. The audit was conducted as part of the HHS OIG’s efforts to oversee states’ use of various Federal programs and to determine whether proper security controls were enforced … Read more

Oklahoma Department of Veteran Affairs Accused of HIPAA Rules Violation

Three Democratic legislators have accused the Oklahoma Department of Veteran Affairs of violating Health Insurance Portability and Accountability Act (HIPAA) Rules. They have also called for the dismissal of two senior Oklahoma VA officials as a result of the incident. The alleged HIPAA violation took place during a scheduled web outage. At that … Read more

SSM Health Breach Impacts PHI of 300,000 Patients

Approximately 300,000 patients of SSM Health St. Mary’s Hospital in Jefferson City, Missouri have been notified that some of their protected health information (PHI) was exposed and potentially accessed by unauthorized individuals. St. Mary’s Hospital moved to a new location on November 16, 2014. All the patient health records were also transported and … Read more

Guide for Safeguarding Electronic Health Records on Portable Devices by NIST/NCCoE Now Available

The HIPAA Security Rule requires covered entities to consistently safeguard the confidentiality, integrity and availability of protected health information (PHI). The duties of healthcare companies include maintaining patients’ wellness, safeguarding their personal privacy and not endangering their identities. To protect ePHI stored on web servers or desktop computer systems, there are administrative, physical and technical … Read more

Does the Use of Geofencing Technology Violate the HIPAA Rules?

Geofencing technology creates a virtual fence around a specific physical location or area. Entering that invisible boundary triggers push notifications to the person’s mobile phone. Retailers began using geofencing technology some time ago, and Google also uses it to alert users based on their location. A digital marketing firm is helping … Read more

Business Associate Error Caused Data Breach Affecting 19,000 Orlando Orthopaedic Center Patients

The protected health information (PHI) of more than 19,000 patients was compromised as a result of a mistake a transcription service vendor made while upgrading software on a server. Patients of Orlando Orthopaedic Center in Orlando, Florida who received healthcare services before January 2018 were affected by the data breach. The software … Read more

Phishing Attack on Confluence Health Announced

A data security breach took place at Confluence Health, a non-profit health system that operates Wenatchee Valley Hospital, Central Washington Hospital and other satellite clinics in North and Central Washington. The breach involved an employee’s email account and resulted in an unauthorized individual gaining access to patients’ protected health information (PHI). When the … Read more

Summary of Healthcare Data Breach Reports for June 2018

According to the healthcare data breach report for June 2018, healthcare data breaches increased by 13.8% from the previous month. However, the breaches were less severe, with 42.48% fewer healthcare records exposed or stolen than in May 2018. There were 33 healthcare data breaches reported in June to the Department of Health and … Read more

Sunspire Health and UPMC Cole Phishing Attacks Compromised Patients’ PHI

Two healthcare providers have reported phishing attacks that gave cyber criminals access to patients’ protected health information (PHI). In both incidents the attackers gained access to a couple of email accounts. Sunspire Health manages a national network of addiction treatment facilities. In the latest incident, several email accounts were accessed by unauthorized persons … Read more

PHI of 44,600 Patients of Golden Heart Administrative Professionals Compromised Due to Ransomware Attack

Golden Heart Administrative Professionals, located in Fairbanks, AK, serves as a business associate to local healthcare providers by providing invoicing services. It recently suffered a ransomware attack and is notifying 44,600 people that unauthorized persons may have accessed certain portions of their protected health information (PHI) as a result. The ransomware infected … Read more

Ransomware Attack on LabCorp Leads to System Shutdown and Inaccessible Lab Test Results Online

LabCorp, a clinical laboratory in the United States, encountered a cyberattack that potentially allowed hackers to view or copy patients’ protected health information (PHI); however, it was later confirmed that the incident was a ransomware attack rather than a hacking incident aimed at the data, so data theft was not the attacker’s likely intent. The attack … Read more

UMC Physicians and MSK Group Sent PHI Breach Notice to Patients

Hackers attacked the email accounts of doctors at UMC Physicians in Texas, likely compromising certain protected health information (PHI) of roughly 18,000 patients. The IT staff of UMC Physicians discovered the breach on May 18, 2015, although the hacking occurred on March 15. Consequently, the … Read more

What Does HIPAA Consider as Protected Health Information?

Entities working in the healthcare industry need access to protected health information (PHI), which is why they need to know what the HIPAA law considers to be PHI. The confidentiality, integrity and availability of PHI are safeguarded by the HIPAA Security Rule, while uses and disclosures of PHI are limited by the HIPAA Privacy Rule. If an entity violates … Read more

Metro Health Employee Error Caused PHI Breach

According to a report published in The Tennessean, a Metro Health employee made a mistake that exposed the protected health information (PHI) of patients with HIV or AIDS. The employee copied the data held in a database and uploaded it to a server, giving all Nashville Metro Public Health Department personnel access to … Read more

Employee of Arkansas Children’s Hospital Involved in PHI Theft Fired

Law enforcement has investigated the involvement of an Arkansas Children’s Hospital employee in the theft and misuse of patients’ protected health information (PHI). According to the breach report, the PHI of about 4,521 patients was potentially accessed and copied by the employee. The employee worked at Arkansas Children’s Hospital for 15 months from November 7, … Read more

Is Intercom HIPAA Compliant?

Intercom is a messaging software-as-a-service solution that is popular among businesses that chat with their clients. The software has a potential use in the healthcare industry, where healthcare providers and patients chat with each other. Does Intercom comply with HIPAA rules when used in connection with electronic protected health information (ePHI)? Before HIPAA … Read more

PHI Theft Due to Phishing Attack on Manitowoc County

Manitowoc County in Wisconsin suffered a phishing attack that resulted in protected health information (PHI) being stolen. The phishing attack most likely took place on January 14, 2018, but Manitowoc County only discovered the incident and security breach on April 24. Steps to secure the email account were quickly taken to keep the … Read more

Recommendations On the CMS’ Hospital Inpatient Prospective Payment System Proposed Rule By AHA

Members of the American Hospital Association (AHA) are concerned about the proposed rule by the HHS Centers for Medicare and Medicaid Services for the hospital inpatient prospective payment system for fiscal year 2019. In particular, concern has been raised about allowing patient-selected health apps to connect to healthcare providers’ APIs. Mobile health applications … Read more

University of Pittsburgh Medical Center Staff Punished for Criminally Violating HIPAA Regulations

A former patient information coordinator at the University of Pittsburgh Medical Center was charged by a federal grand jury with criminal violations of HIPAA rules, according to a Department of Justice announcement on June 29, 2018. Linda Sue Kalina, 61, of Butler, Pennsylvania, was charged in a six-count indictment … Read more

ICS-CERT Explains Vulnerabilities in Medtronic MyCareLink Heart Monitors

ICS-CERT has issued an advisory concerning two vulnerabilities recently discovered in Medtronic MyCareLink patient monitors. Patients with implantable cardiac devices use these monitors to send their heart rhythm data directly to their physicians. The patient monitors are built with security controls and transfer data over a secure web connection; however, there’s a … Read more

Summary Report of Healthcare Data Breaches for May 2018

Covered entities reported a total of 41 healthcare data breaches in April and 29 in May. Even though healthcare data breaches declined by 29.27% month-over-month, the breaches reported in May were just as serious as those in April. The total number of compromised or stolen medical records in May was 838,587, which was 56,287 fewer than … Read more

PHI Stolen from Covered Entities in Corpus Christi and San Francisco

Patients of two HIPAA-covered entities have received notification letters that their protected health information (PHI) was compromised because of burglaries. The first breach happened on April 16, 2018 and affected two Christus Spohn Hospitals in Corpus Christi. A Christus Spohn employee was the victim of a burglary, resulting in the theft of PHI, which included the patients’ names, schedule … Read more

Does SendGrid Comply With the HIPAA Law?

SendGrid is a service that businesses use to send email messages. It is a very quick and easy way to communicate marketing messages to clients. Even so, can healthcare organizations use SendGrid without breaking HIPAA rules? Does SendGrid comply with HIPAA requirements? The conduit exception does not cover businesses that offer cloud-based email marketing … Read more

Only 13% of Healthcare Companies Using DMARC Implement it Effectively

Healthcare companies can implement DMARC, the Domain-based Message Authentication, Reporting and Conformance standard, to detect and prevent email spoofing. The problem is that only some healthcare companies use DMARC, according to Valimail, an email authentication vendor. DMARC works by ensuring that only authenticated senders can send email from a domain. A company that is … Read more

Court to Determine If Psychiatrist’s Termination was In Fact Due to HIPAA Violation

Steward Healthcare System in Boston terminated psychiatrist Alexander Lipin for allegedly violating HIPAA rules. But Lipin rejected the accusation and claimed that his dismissal was retaliation for extending his disability leave. Dr. Lipin had asked to extend his disability leave after contracting pneumonia. Steward Healthcare System granted … Read more

Summary Report of Healthcare Data Breaches for April 2018

April was a bad month for the healthcare industry, with more health data breaches and more individuals affected than in March 2018. The Department of Health and Human Services received 41 reports of healthcare data breaches in which 894,874 healthcare records were disclosed or stolen. Healthcare data breach incidents had grown month over … Read more

Vulnerabilities Seen in Philips, Silex and GE Medical Equipment

The Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has published advisories concerning vulnerabilities in certain medical products manufactured by Silex, GE Healthcare and Philips. Cyber criminals and other unauthorized people could exploit the vulnerabilities to manipulate the devices. Philips notified the National Cybersecurity and Communications Integration Center (NCCIC) concerning … Read more

GAO Reports Patients Spend Too Much on Copies of Their Health Records

The Government Accountability Office (GAO) recently performed an audit which revealed that patients continue to face many difficulties in obtaining copies of their health records. Healthcare companies and insurers are likewise sometimes failing to meet HIPAA requirements, which results in violations of HIPAA rules. The 21st Century Cures Act required the audit to find … Read more

Database Security of Cerebral Palsy Research Foundation of Kansas Was Disabled Exposing the PHI of 8,300 Patients

On March 10, 2018, the Cerebral Palsy Research Foundation of Kansas (CPRF) discovered that the security protection on one of its databases had been disabled for 10 months. This vulnerability led to the compromise of 8,300 patients’ protected health information (PHI). On learning about the unsecured demographic database, CPRF took the necessary action to secure the … Read more

HIPAA Audit Checklist

A HIPAA audit checklist is a helpful resource for healthcare organizations and other HIPAA covered entities. It aims to identify existing risks to the integrity of electronic protected health information (ePHI). The changes to the Health Insurance Portability and Accountability Act (HIPAA) introduced in March 2013 were a reaction to the growing number of ePHI … Read more

PHI of 17,639 Patients of Capital Digestive Care Exposed

Capital Digestive Care, a gastroenterology group based in Silver Spring, Maryland, discovered a mistake made by one of its business associates. The BA apparently uploaded data files to a commercial cloud server that did not have the necessary security settings. This led to the exposure of 17,639 patients’ protected health information (PHI). Capital Digestive Care … Read more

Insider Breaches in Healthcare Report by Protenus for Q1 2018

Protenus’ quarterly Breach Barometer report is a compilation of data breach information supplied by Databreaches.net and the artificial intelligence program created by Protenus. The collected information enables healthcare organizations to monitor and evaluate employee EHR activity. This quarter’s report gives an idea of the magnitude of insider HIPAA Rules violations as well as … Read more

Florida Hospital Websites Infected With Malware and Potentially Affected Patients’ PHI

Three websites used by Florida Hospital were infected with malware. Because of the malware attack, the threat actors potentially had access to patients’ protected health information (PHI). There is no confirmed report of any PHI being accessed or misused. Florida Hospital has informed patients of the breach. Out of an … Read more

Healthcare Industry Employees Still Lack Understanding of the Best Security Practices

Wombat Security recently published its Beyond the Phish Report, which revealed healthcare employees’ lack of understanding of common security threats. The report compiled data from customers and end users who answered about 85 million questions across 12 categories and 16 industries. The respondents were asked about the best security … Read more

How to Mitigate Insider Threats in Healthcare

The healthcare industry experiences many insider breaches every year, which calls on covered entities and business associates to take steps to reduce the occurrence of these incidents. The different approaches to mitigating insider threats fall into four categories. Educate: this refers to teaching the workforce about the allowable uses and disclosures of PHI, … Read more

California Ransomware Attack Affects 85,000 Patients

Patients of the Center for Orthopaedic Specialists are being notified because unauthorized individuals potentially accessed some of their protected health information (PHI) when ransomware was installed on its network. The ransomware attack affected the three facilities of the Center for Orthopaedic Specialists located in Simi Valley, West Hills and Westlake Village in California. Databreaches.net reported … Read more

Tackling Issues to Resolve Cybersecurity Flaws

Healthcare organizations easily become victims of cyberattacks because they continue to use outdated software and do not patch vulnerabilities promptly. This problem was evident in the WannaCry ransomware attacks of May 2017, which U.S. healthcare providers were lucky to escape, unlike their counterparts in the U.K. Symantec recently talked about a threat group that has been attacking … Read more

PHI of 582,000 Patients from California Department of Developmental Services Potentially Compromised

The protected health information of 582,174 patients of the California Department of Developmental Services (DDS) was potentially compromised. Thieves broke into the legal and audits offices of DDS in Sacramento, CA on February 11, 2018. They had potential access to the PHI of over half a million patients plus the sensitive information of about … Read more

Berkeley Medical Center Employee Charged with Identity Theft Gets 5 Years’ Probation

Chief U.S. District Judge Gina M. Groh sentenced Angela Dawn Roberts, a former employee at Berkeley Medical Center, to 5 years’ probation for her involvement in an identity theft scam. In addition to the probation, Angela Dawn Roberts of Stephenson, VA must pay $22,000 in restitution. Angela Dawn Lee (another name used by Roberts) worked for WVU … Read more

4,000 Texas Health Resources Patients Notified of Email Account Breach

Texas Health Resources, a provider group based in Arlington, is notifying approximately 4,000 patients that an unauthorized person accessed some of their sensitive information. The security breach happened in October 2017, but Texas Health Resources only learned of it on January 17, 2018, when law enforcement notified it. The attacker accessed email accounts that contained … Read more

HCCIC Advice on the Prevention of Ransomware Attacks

The number of SamSam ransomware attacks on government and healthcare organizations has increased in recent months. These incidents prompted the Department of Health and Human Services’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) to publish a report about the SamSam ransomware attacks. The report includes tips to raise awareness of what to … Read more

SamSam Ransomware Attacks Increased in the Past 4 Months

There have been 10 SamSam ransomware attacks since December 2017, mostly on government and healthcare providers in the United States, with other attacks reported in India and Canada. One of the attacks occurred in January 2018 on AllScripts. Since the system of this EHR provider was down for several days, 1,500 medical … Read more

HHS Explains Why Ciox Health Lawsuit Lacks Standing

The Department of Health and Human Services has filed a motion to dismiss the lawsuit filed by Ciox Health for lack of standing. Earlier this year, healthcare information management company Ciox Health sued HHS to challenge the 2013 changes to HIPAA and the enforcement guidance HHS issued in 2016. Ciox Health questioned … Read more

Insufficient Employee Security Awareness Training Exposes Healthcare Organizations to the Risk of Cyberattacks

Ponemon Institute conducted a study on behalf of Merlin International involving 627 healthcare executives in the United States and found that healthcare organizations are failing to train their employees in security awareness. About 52% of respondents confirmed that lack of security awareness is the top reason why healthcare organizations are slow to improve their security … Read more

Updates to the Oregon Data Breach Notification Law and Information Security Law

Oregon Governor Kate Brown signed Senate Bill 1551 (SB 1551) last month, updating several regulations including Oregon’s Breach Notification Law (O.R.S. 646A.604) and Information Security Law (O.R.S. 646A.622). The updated law will take effect in June 2018. What are the updates in the recently signed bill? There were several definition updates. … Read more

Is the Uber Health Ride Sharing Service HIPAA Compliant?

Uber Health, which launched in beta this March, is a platform for arranging cost-effective transportation for patients. About 100 healthcare organizations are to try the platform before it is officially launched. However, questions have been raised about the HIPAA compliance of Uber Health. Uber Health features an online dashboard that healthcare providers … Read more

Improper Disposal of Paper Records With PHI is Still Common

JAMA recently published a study that highlighted the frequent improper disposal of PHI. Although the study was based in Canada, which is a location not covered by HIPAA, the findings show an important aspect of PHI security that is often ignored. The study was conducted by researchers at St. Michael’s Hospital in Toronto. They checked … Read more

Is It Possible to Make WordPress HIPAA Compliant?

WordPress is a popular content management system that anyone can use to create websites quickly. Many businesses use WordPress, but is it HIPAA compliant, so that healthcare organizations can use the platform in connection with protected health information? The HIPAA compliance requirements for websites are actually a little vague. But with respect to the storage … Read more

What Should Product or Service Providers in the Healthcare Industry Do to Become HIPAA Compliant?

If you’re thinking of setting up a business in the healthcare industry that will likely have access to protected health information, it’s necessary to know how to be HIPAA compliant. What does it mean to be HIPAA compliant and how do healthcare organizations achieve this status? It’s not easy to become HIPAA compliant because it … Read more

Is Google Calendar HIPAA Compliant?

Google Calendar is one of the products and services offered in Google’s G Suite, which launched in 2006. It is a tool for time management and scheduling appointments. Will the use of this tool by healthcare organizations, which may involve adding protected health information (PHI), be considered a HIPAA rules … Read more

Is Google Slides HIPAA Compliant?

Google Slides is a web-based presentation editor that can be used to create slide shows, project presentations and training material. It can be used for free by anyone who doesn’t have a software program with the same functionality, such as Microsoft PowerPoint. Is it possible for healthcare organizations to use Google Slides in connection with … Read more

What Penalties Await Those Who Knowingly Violate HIPAA Rules?

When covered entities “knowingly” violate HIPAA Rules, what is the financial penalty and when are fines issued? It is important to know the answers to these questions as they relate to the safety and integrity of people’s healthcare information. The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that healthcare organization … Read more

2016 Banner Health Data Breach Likely to See Financial Penalty From OCR

Banner Health issued a financial report mentioning OCR’s investigation of the colossal 2016 Banner Health data breach. In the said breach incident, 27 Banner Health facilities located in Alaska, Arizona, Colorado, California, Nevada, Nebraska, and Wyoming were affected. The protected health information of 3.7 million patients was exposed. Sensitive information such as names, birth dates, … Read more

Finger Lakes Health Attacked by Ransomware

Finger Lakes Health in Geneva, NY had a ransomware attack that made its computer system inaccessible. The health system did not stop its operations but the staff had to use pen and paper while the IT team worked on removing the malware to restore access to electronic medical data. Finger Lakes Health was attacked on … Read more

Is Zendesk Compliant With HIPAA Rules?

Zendesk is a platform offering customer service software and support ticketing system. Over 200,000 companies use Zendesk for handling customer support, managing customer queries and building relationships with clients. Can healthcare organizations in the U.S. also use Zendesk products and services for patient communication and electronic protected health information (ePHI) management? Is Zendesk compliant with … Read more

NH-ISAC and Anomali Partnership Improves Threat Intelligence Sharing in Healthcare

Anomali and the National Health Information Sharing and Analysis Center (NH-ISAC) have partnered to provide threat intelligence to healthcare organizations. Anomali can help in several ways: It has the tools and infrastructure needed for collaborating and sharing threat intelligence with others. It can provide updated threat intelligence on old and new external threats that are … Read more

Healthcare Organizations’ Experience Regarding Data Breaches in 2017 According to the Ponemon Institute Survey

Ponemon Institute conducted a survey sponsored by Merlin International which revealed that 62% of healthcare organizations experienced data breaches in the past year resulting in data loss. The survey involved the participation of 627 leaders from hospitals and payer organizations. About 67% of the survey participants were from hospitals with 100-500 beds and about … Read more

Does Office 365 Comply With the HIPAA and HITECH Act Rules?

Office 365 is Microsoft’s set of subscription products that includes the following programs: Word, Excel, OneNote, PowerPoint, Outlook, Access and Publisher. Can healthcare organizations use Office 365 without violating the HIPAA and HITECH Act Rules? If HIPAA covered entities purchase Office 365 through the Volume Licensing Programs or the Dynamics CRM Online Portal, Microsoft is … Read more

Do Healthcare Organizations Need HIPAA Certification?

Vendors who offer their services to healthcare organizations understand the importance of being recognized as HIPAA compliant. Hence, many service providers ask whether it is possible to obtain HIPAA certification. Ideally, a HIPAA certification would serve as proof that a third-party vendor understands and follows all aspects of the HIPAA rules. If for example … Read more

Is eFileCabinet HIPAA Compliant?

eFileCabinet is a document management system (DMS) that many businesses have been using for on-site and cloud storage. Is this platform suitable for healthcare organizations to use, too? Is it HIPAA compliant? Document management systems (DMS) help businesses and organizations maintain, manage, and safely store electronic documents in a single location. Systems like this simplify … Read more

Tips from FBI to Offset Spike in W-2 Phishing Campaigns

The Federal Bureau of Investigation (FBI) has warned businesses, educational institutions and healthcare organizations about a significant increase in phishing attacks on payroll employees. The phishing attacks aim to obtain copies of employees’ W-2 forms, which the hackers use for tax fraud and identity theft. There were also some cases reported that payroll … Read more

Health Net Refuses Security Audit Says OPM OIG

Health Net California, a provider of government employees’ benefits, has been flagged as unwilling to undergo security audits in a Flash Audit Alert released by the U.S. Office of Personnel Management (OPM) Office of the Inspector General (OIG) Office of Audits. Over the past 10 years OPM has been assigned to perform security … Read more

Misconceptions About Using Cloud Service Providers and HIPAA Compliance

Many healthcare organizations are moving to the cloud to manage patients’ ePHI. But before any HIPAA covered entity does the same, it needs to understand important matters such as HIPAA compliance and the requirements for cloud computing. This article discusses common misconceptions about HIPAA compliance and cloud computing to … Read more

Does Ademero Adhere to HIPAA Rules?

Ademero is a document management software (DMS) that businesses use to monitor and manage their documents. The software also helps them go paperless and transition to digital. Can Ademero be used without violating any HIPAA Rules, though? The HIPAA Security Rule contains required and addressable implementation specifications. The required implementation specifications, when implemented, … Read more

Can Healthcare Organizations Use Box Without Violating HIPAA Rules?

Box is another popular cloud storage and content management service. Anyone can create a Box account and use it personally for file sharing, uploading content and inviting others to view or edit the content. Businesses that want to use Box must sign up for a business, enterprise or elite account. Can healthcare organizations also use Box for … Read more

Can FaceTime Be Considered HIPAA Compliant?

Before answering the question of whether FaceTime is HIPAA compliant, it has to be acknowledged at the outset that no communications platform can be completely HIPAA compliant, because the law deals with users and not technology. That being said, two things need to be considered to tell whether the app adheres to … Read more

What are Insider Threats?

According to Verizon’s Protected Health Information Data Breach Report, 58% of healthcare data breaches are caused by insiders. The problem is that insider breaches are difficult to detect: 75% of insider threats go unnoticed. For instance, a healthcare employee at a Massachusetts hospital accessed healthcare records without authorization for 14 years. When he … Read more

What Makes an Email Service HIPAA Compliant?

Healthcare organizations can use email to send messages internally. If the email system is protected by a firewall, there is no need to encrypt messages. But if messages containing protected health information will be sent externally, beyond the firewall, it is necessary to make sure that only authorized persons can read them. The email service … Read more

Report on Healthcare Data Breaches for January 2018

The January 2018 Healthcare Data Breach report is now available. Based on the healthcare security incidents reported to the Department of Health and Human Services’ Office for Civil Rights, there were 21 security breaches in January 2018. The number of incidents this January is lower than in December 2017, which recorded 39 incidents. The number … Read more

How Many Violations of HIPAA Rules Result in Financial Penalties in 2017?

How many healthcare data breaches occurred in 2017, and how many of those that violated HIPAA Rules resulted in financial penalties? It’s difficult to get accurate data about HIPAA violations for several reasons. First, many data breaches are not reported. The Department of Health and Human Services’ Office for Civil Rights only publishes on its breach …

Is G Suite HIPAA Compliant?

Can HIPAA-covered entities use G Suite without violating HIPAA Rules? G Suite was developed by Google with privacy and security protection features necessary to safeguard data. It satisfies the required standards of the HIPAA Security Rule. If necessary, Google willingly signs a business associate agreement with a HIPAA-covered entity. Does this mean G Suite is …

Why Sharing of EHR Passwords is Common Among Medical People

Ayal Hassidim, MD of Hadassah Hebrew University Medical Center in Jerusalem conducted a study in collaboration with researchers from Harvard Medical School, Duke University and Ben Gurion University of the Negev. The study surveyed 299 medical students, interns, medical residents and nurses regarding the practice of sharing EHR passwords. The results, which …

FMCNA to Pay $3.5 Million for HIPAA Violations Resulting in Five Data Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced the first case of HIPAA settlement for 2018. For multiple potential HIPAA violations, Fresenius Medical Care North America (FMCNA) agreed to pay a settlement amount of $3.5 million to OCR. The violations involved five separate data breaches that happened way back in …

Tips to Mitigate the Risk of Cybersecurity Incidents

The Cyber Incident & Breach Trends Report published by the Online Trust Alliance considers 2017 the worst year ever for cybersecurity incidents. The number of breach reports almost doubled in 2017 compared to the previous year. Aside from compiling the data, the Online Trust Alliance also investigates the incidents to understand the trends and to know …

Colorado Lawmakers Proposed to Amend the Privacy and Data Breach Law

A bipartisan team of legislators in Colorado recommended modifying the state's privacy and data breach notification laws so that Colorado residents obtain better protection. If approved, there’ll be substantial adjustments to the existing state regulations. The proposed legislation would add the following items to the definition of personally identifying information (PII): full name or last …

Nebraska Legislative Bill 757 Advances After Lawmakers Voted 34-0

Nebraska lawmakers voted 34-0 during the first round of voting on a bill introduced by Senator Adam Morfield. The bill seeks to further protect Nebraska residents when their personal information is exposed during a data breach. It was introduced after the massive data breach at Equifax in 2014, which compromised the personal information of over …

Aetna Filed a Class Action Lawsuit Against KCC for the Mailing Breach

Aetna took legal action against Kurtzman Carson Consultants (KCC), the administrative support company that handled the July 2017 mailing for Aetna. That mailing project resulted in a data breach disclosing the details of HIV medications through the envelope’s clear plastic window because the letters inside the envelopes slipped. The Legal Action Center, AIDS Law Project …

PHI of 842 Western Washington Medical Group Patients Exposed

Documents containing the sensitive information of 842 patients at Western Washington Medical Group were compromised on November 13, 2017. Apparently, the documents were thrown away with regular trash by mistake. The sensitive documents in the shredding bins were supposed to be permanently destroyed in accordance with HIPAA Rules. However, instead of destroying them, the janitorial …

What are HIPAA’s Records Retention Requirements?

Many covered entities are confused about HIPAA medical records retention and other record retention requirements. But the retention requirements of HIPAA are fairly straightforward and will be clarified in this article. The first thing to know is that there is no HIPAA medical records retention period. The Privacy Rule does not specify …