NeoGenomics, Georgia Department of Human Services Suffer Data Breaches

The Georgia Department of Human Services has revealed that employees in Augusta, GA improperly shared confidential case files that held the healthcare records of individuals who received services from the Division of Family & Children Services (DFCS) before June 12, 2017 and people who received services from the Division of Aging Services (DAS) before … Read more

Notice of Enforcement Discretion for Business Associates to Allow PHI Disclosures for Public Health and Health Oversight Activities

The Department of Health and Human Services announced on April 2, 2020, that it will from here on be exercising enforcement discretion and will not impose HIPAA penalties against healthcare suppliers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight … Read more

OCR Issues Guidance on Permissible Sharing of PHI to First Responders During the COVID-19 Pandemic

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has released additional guidance on HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document provides examples of allowable disclosures of protected health information (PHI) by covered groups under the HIPAA Privacy Rule to help make … Read more

Coronavirus Pandemic HIPAA Guidance on Telehealth Issued by OCR

After the initial announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has restrictions removed, OCR has released guidance on telehealth and remote communications. Telehealth is classified by the HHS’ Health Resources and Services … Read more

Healthcare Data Breach Report February 2020

During February there were 39 healthcare data breaches of 500 or more records reported and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. There was a higher number of records breached in February than in the past three months pu … Read more

Massive Increase in WHO Hacking Attempts During Current Pandemic

Recent reports have indicated that the World Health Organization has been impacted by a spate of cyber attacks where web pages have been established to try and trick staff members into handing over passwords at the height of the COVID-19 Pandemic. An attorney for New York-based cybersecurity experts Blackstone Law Group, Alexander Urbelis, was the … Read more

Multiple Phishing Attacks Reported, Targeting Three Bodies

The Minnesota-based senior care treatment provider Lifesprk is notifying 9,000 of its clients that some of their protected health information was possibly breached due to a November 2019 phishing attack. On January 17, 2020, Lifesprk found out that an unauthorized person had logged into the email account of one of its employees. The account was … Read more

Five-Year Insider Data Breach Identified at Hawaii Pacific Health

It has been identified that an employee of Hawaii Pacific Health at Straub Medical Center in Honolulu has been snooping on the medical records of patients over a duration longer than five years. Hawaii Pacific Health noticed the unauthorized access on January 17, 2020 and began a review. An analysis of access logs revealed the … Read more

January 2020 Healthcare Data Breach Report

Healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights at a rate of more than one a day throughout January. 2019 was a very bad year for healthcare data breaches with 510 data breaches made known by HIPAA-covered entities and their business … Read more

Ransomware Attack Hits NRC Health

NRC Health, a supplier of patient survey services and software to over 9,000 healthcare groups, including 75% of the biggest hospital networks in the United States and Canada, suffered a ransomware attack on February 11, 2020 that impacted some of its computing systems. NRC Health quickly implemented steps to control the harm caused and shut … Read more

Widespread Improper Use of Medicare Part D Eligibility Verification Transactions Discovered in OIG Audit

A Department of Health and Human Services’ Office of Inspector General (OIG) audit has found that a number of pharmacies and other healthcare providers are improperly using Medicare beneficiaries’ private information. The audit was conducted at the behest of the HHS’ Centers for Medicare and Medicaid Services (CMS) in order to ascertain if inappropriate access … Read more

HIPAA Violation Hits 16,167 Patients at Hospital Sisters Health System

Unauthorized individuals have been gaining access to emails and email attachments containing the protected health information of 16,167 patients within the Hospital Sisters Health System. It was recently discovered that a HIPAA-violating email security breach took place during August 2019. A 15-hospital health system serving patients in Illinois and Wisconsin, Hospital Sisters Health System … Read more

Business Associate Data Breach Impacts 654,000 Members of Health Share of Oregon

Oregon’s Medicaid coordinated-care group, Health Share of Oregon, is getting in touch with around 654,000 current and former subscribers to make them aware that a portion of their protected health information (PHI) was saved on a laptop computer which was illegally taken from its transportation vendor, GridWorks. GridWorks was hired to operate Health Share’s Ride … Read more

Pharmacies Must Track Partially Filled Prescriptions of Schedule II Drugs Following HHS Final Rule

The Department of Health and Human Services has released a final rule amending the HIPAA National Council for Prescription Drug Programs (NCPDP) D.0 Telecommunication Standard that requires pharmacies to record partially filled prescriptions for Schedule II drugs. The modification is an element of HHS efforts to control opioid abuse in the United States and will … Read more

Personal and Health Data of LabCorp Patients Breached due to Website Error

Security experts at TechCrunch have discovered a security flaw in a website hosting an internal customer relationship management system deployed by the clinical laboratory network LabCorp. While the system was password protected, the experts identified a flaw in the part of the system that extracted patient files from the back-end system. The flaw meant that patient … Read more

Quest Health Systems Locates More Patients Impacted by 2018 Phishing Attack

Health Quest, which now forms part of Nuvance Health, has become aware that the phishing attack it experienced in July 2018 was more wide-reaching than first thought. Many employees were fooled by phishing emails and shared their email credentials, which allowed unauthorized individuals to access their accounts. A well-known cybersecurity firm was engaged to … Read more

Healthcare Data Breach Report December 2019

There was an increase of 8.57% from the previous month in healthcare data breaches reported during December. 38 breaches of 500 or more records were made known to the Department of Health and Human Services’ Office for Civil Rights in December 2019. While the number of breaches was on the rise, there was a major … Read more

Adventist Health Sonora Reports Phishing Attack

Adventist Health Sonora in California has found out that an unauthorized person has obtained access to the email account of a hospital associate and may have seen patient information. The email account breach was first noticed by Adventist Health Sonora’s information security team on September 30, 2019. Swift action was taken to safeguard the compromised … Read more

Further Health Data Exemptions for CCPA Proposed by California Bill

On January 1, 2020, the California Consumer Protection Act (CCPA) became enforceable. CCPA enhanced privacy security for state residents and gave Californians new rights in relation to their personal data. Healthcare data governed by the Health Insurance Portability and Accountability Act (HIPAA) Rules and California’s Confidentiality of Medical Information Act (CMIA) were exempted from … Read more

Group Health Plan Sponsors have HIPAA Compliance Issues: Buck Survey

Most group health plan sponsors are not fully adhering to the Health Insurance Portability and Accountability Act Rules, according to a survey recently published by the integrated HR and advantages consulting, technology, and administration services firm, Buck. The survey uncovered many areas where group health plan sponsors are not complying and showed many group health plan … Read more

Native American Rehabilitation Association of the Northwest Impacted by Malware Attack

Native American Rehabilitation Association of the Northwest, Inc. (NARA), a Portland, OR-based supplier of education, physical and mental health services and substance abuse treatment services to Native Americans, is making contact with clients in relation to a malware infection that may have allowed unauthorized people to gain access to their protected health information. … Read more

49,351 Patients of Alomere Health Hit by Phishing Attack

50,000 patients of Alexandria, MN-based Alomere Health are being contacted to advise them that a portion of their protected health information was potentially accessed by unauthorized people due to a phishing attack. Alomere Health first became aware of the phishing attack on November 6, 2019 and kicked off an internal investigation which confirmed the … Read more

HIPAA Compliant Gmail

If Gmail is to be deemed HIPAA compliant, Google would have to see to it that the service provided is 100% secure and adheres to the minimum requirements for security laid down in the HIPAA Security Rule. A business associate agreement must have been signed by a covered entity and Google covering Gmail, as Google … Read more

10,000 Medicare Beneficiaries have PHI Exposed by CMS Blue Button 2.0 Coding Bug

The Centers for Medicare and Medicaid Services (CMS) has found a vulnerability in its Blue Button 2.0 API that allowed access to the protected health information of 10,000 Medicare beneficiaries. Access to the Blue Button API has been temporarily disabled while the CMS reviews the situation and completes a thorough code review. The … Read more

Conway Medical Center and Equinox Inc. Report Email Security Breaches

The email accounts of several staff members of Conway Medical Center in South Carolina have been obtained by unauthorized persons. The phishing attack was first discovered on October 7, 2019 and impacted email accounts were immediately secured to stop additional unauthorized access. External cybersecurity experts were engaged to review the breach and determine whether patient … Read more

Ransomware Attack Impacts Hackensack Meridian Health

Hackensack Meridian Health, the biggest health network in New Jersey, has revealed it was targeted in a cyberattack recently which resulted in ransomware being deployed on its databases. The attack left files encrypted and took its network offline for a number of days. With no access to computer systems and medical histories, Hackensack Meridian Health … Read more

Korunda Medical Fined $85,000 for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights has revealed its second enforcement penalty has been applied under its HIPAA Right of Access Initiative. Florida-based Korunda Medical has committed to settling possible breaches of the HIPAA Right of Access and will implement a corrective action plan and bring its policies and procedures … Read more

HIPAA Compliance Can Help Covered Entities Stop, Address and Recover from Ransomware Attacks

Ransomware attacks are often conducted indiscriminately, with the file-encrypting software commonly distributed in mass spam email campaigns. However, since 2017, ransomware attacks have become far more targeted. It is now common for cybercriminals to select targets to attack where there is a higher than average probability of a ransom being paid. Healthcare providers are a … Read more

Microsoft Warning Against BlueKeep Exploit in Real World Attacks

In May 2019, Microsoft announced a critical remote code execution vulnerability in Windows Remote Desktop Services referred to as BlueKeep (CVE-2019-0708). The cybersecurity community expected the development of a weaponized exploit and its use in large-scale attacks. The foremost wide-scale attacks utilizing a BlueKeep exploit were identified over the weekend. Right after Microsoft mentioned about … Read more

Brooklyn Hospital Center Malware Attack and Washington University School of Medicine Unauthorized PHI Access

A security breach has been announced by Brooklyn Hospital Center in New York. The incident that transpired in late July 2019 involved the installation of malware on some servers of the hospital. The prompt discovery of the attack limited the harm caused as safety action steps were taken. However, a number of files were still … Read more

Jackson Health System Paid $2.15 Million Civil Monetary Penalty for Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights charged Jackson Health System (JHS) with a civil monetary penalty amounting to $2.15 million. JHS is a nonprofit academic medical system located in Miami, FL, which has violated the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule in multiple cases. OCR learned in July … Read more

PHI Potentially Compromised Due to Prisma Health Website Breach and Seattle Cancer Care Alliance Email Error

Due to a data breach on the Palmetto Health website, Prisma Health Midlands is sending breach notifications to around 19,000 patients and 3,000 employees. Prisma Health – previously called Palmetto Health – discovered on August 29, 2019 that a suspicious individual got the login information of a Prisma Health employee. The attacker used the stolen … Read more

Report Reveals Increased Security After a Data Breach Caused a Rise in Patient Mortality Rate

Healthcare data breaches bring about a lower quality of patient care, as per a study just posted in Health Services Research. Researchers studied data from Medicare Compare which highlights quality measures employed at hospitals. Information from 2012 to 2016 was assessed and compared with records from the HHS’ Office for Civil Rights on data breaches … Read more

57% of Companies Use Multi-Factor Authentication For Better Security But It is Not Fail-Proof

The password manager provider LastPass recently conducted a study, which revealed that only 57% of companies make use of multi-factor authentication, despite the fact that it is a very good way to prevent the use of stolen credentials to access email accounts and company networks. With multi-factor authentication, a second factor to verify users is … Read more

FBI Gives An Alert Regarding E-Skimming Threats and Recommendations for Minimizing Risk

The Federal Bureau of Investigation gave an alert regarding e-skimming threats, after attacks on SMBs and government institutions increased. E-skimming refers to the adding of malicious code on online payment processing websites. The code steals the debit and credit card details of users as they enter the information into the payment websites. The attacker gets … Read more

Millions of Patients’ Sensitive Data Were Publicly Accessible Online

Because nine companies failed to keep their medical databases secure, the sensitive health information of millions of patients was exposed online. The security researchers at WizeCase discovered the exposed patient information. The research team, under the leadership of Avishai Efrat, looked for exposed information that is accessible without requiring any usernames or passwords using freely … Read more

September 2019 Healthcare Data Breach Report

There were 36 healthcare data breaches involving over 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September. This figure presents a 26.53% reduction in breaches compared to the last month. The September breaches had exposed a total of 1,957,168 medical records, which represents a 168.11% rise from … Read more

15,982 Patients of South Texas Dermatopathology Notified About the AMCA Data Breach

South Texas Dermatopathology is the last identified casualty of the American Medical Collection Agency (AMCA) data breach. It has reported the data breach to the Department of Health and Human Services Office for Civil Rights (OCR) and informed the affected patients. The OCR breach portal published information about the breach on October 7, 2019 … Read more

Mission Health E-Commerce Websites Had a Malicious Code that Allowed Payment Data Theft for 3 Years

Malicious code was found installed on the e-commerce website of Mission Health in Western North Carolina. The malicious code can capture the payment information entered by patients purchasing health products on the website. Then, the data can be routed to an unauthorized third party. Mission Health discovered the breach in June 2019. But according to … Read more

Proofpoint Report Reveals Which Cyber Threat Healthcare Organizations Commonly Encounter

A recent Proofpoint report gives information on the cyber threats that healthcare organizations encounter and the most common attacks that result in healthcare data breaches. Proofpoint’s 2019 Healthcare Threat Report shows the constantly changing threat landscape and how the strategies utilized by cybercriminals are in a consistent state of flux. The study, which was conducted … Read more

UAB Medicine Phishing Attack Impacts 19,000 Patients

Due to a phishing attack on August 7, 2019, UAB Medicine is informing its patients regarding the potential access of a number of employee email accounts of UAB Medical Center in Birmingham, AL. When UAB became aware of the breach, the security team modified the passwords of the breached email accounts to block further unauthorized … Read more

New York Legislation Stops the Selling of Patient Information by First Responders to Third Parties

S.4119/A.230 is new legislation signed into law on October 7, 2019 by New York Governor Andrew Cuomo. This law forbids first response and ambulance service employees from selling or sharing patient information with third parties for the purpose of marketing or raising money. New York Assembly Member Edward Braunstein originally introduced the bill in … Read more

MITA Puts Out New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has published a new medical device security standard that offers healthcare delivery organizations (HDOs) crucial data regarding risk management and medical device security controls to secure the medical devices against suspicious access and cyberattacks. The new voluntary standard, known as Manufacturer Disclosure Statement for Medical Device Security (MDS2) … Read more

Philadelphia Department of Public Health Announced the Exposure of Hepatitis Patients’ Data

The Philadelphia Department of Public Health (PDPH) found that sensitive data of patients suffering from hepatitis B and hepatitis C was exposed over the web and any person could access it without authentication. PDPH learned about the breach on October 12, 2019 after getting notification from a correspondent of The Philadelphia Inquirer. The matter was … Read more

APT Actors Actively Exploiting GlobalProtect, Pulse Connect, Fortigate VPN Vulnerabilities

Advanced persistent threat (APT) actors are taking advantage of flaws in widely used VPN products provided by FortiGuard, Palo Alto and Pulse Secure to obtain control of vulnerable internal networks and VPNs. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) together with other cybersecurity institutions published security alerts regarding a number of vulnerabilities in VPN … Read more

Data Breaches at Cancer Treatment Centers of America and Humana

Cancer Treatment Centers of America (CTCA) sent notifications to some of its patients after their protected health information (PHI) was exposed due to a phishing attack and email security breach in July 2019 at its Southeastern Regional Medical Center. CTCA learned about the phishing attack on July 29, 2019 when there was suspicious activity identified … Read more

9,160 Goshen Health Patients Affected by Phishing-Related Email Breach

9,160 patients from Goshen Health in Indiana received notification about its phishing-related email breach in August 2018 that could have resulted in the potential exposure of their protected health information (PHI). Goshen Health took steps to secure the compromised email accounts upon discovery of the breach and immediately had the incident investigated. Initially, it was … Read more

PHI of 391,472 Patients of Sarrell Dental Potentially Compromised Due to a Ransomware Attack

A ransomware attack on Sarrell Dental in Alabama, a non-profit children’s dental and optical services provider, resulted in the potential compromise of the protected health information (PHI) of its patients. Sarrell Dental is the biggest dental services provider in the state of Alabama with 17 clinics in operation. In July 2019, cyberattackers deployed ransomware on … Read more

Potential Compromise of PHI As a Result of North Florida OB-GYN Cybersecurity Breach

North Florida OB-GYN in Jacksonville, FL learned that hackers got access to particular portions of its computer system that contain personal and medical data of patients and attacked the system with a virus that encrypted the data. Once the breach was uncovered on July 27, 2019, the provider deactivated the networked computer systems and started … Read more

Sen. Rand Paul Presents National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has presented a new bill that attempts to permanently remove the national patient identifier provision of HIPAA because of the privacy issues in implementing such a system. At this time, HIPAA is most widely known for its healthcare data privacy and security rules, however, the national patient identifier system was … Read more

Senator Demands Explanation for the Exposure of Medical Images Stored in Unprotected PACS

Sen. Mark Warner (D-Virginia) wrote a letter to TridentUSA asking for an explanation concerning a breach involving sensitive medical images at MobileXUSA, one of its affiliates. Sen. Warner is one of the founders of the Senate Cybersecurity Caucus (SCC) that was created to be a bipartisan educational resource for the Senate to effectively engage on … Read more

Healthcare Data Breach Report for August 2019

In August, more than 1.5 healthcare data breaches were reported per day. This is the second consecutive month that there are a lot of reported breaches. Though the number of breaches is not significantly different from last month (49 versus 50), the number of exposed records went down substantially. There were 729,975 healthcare records breached … Read more

New Data Breach Notification Regulation for Health Insurers in Maryland

Beginning October 1, 2019, health insurance providers and associated services have to notify the Maryland Insurance Administration (MIA) whenever a breach of insureds’ personal information occurs. The change in rules covers health plans, health insurance companies, HMOs, managed general agents, managed care institutions, and third-party health insurance administrators. MIA’s Compliance & Enforcement Unit ought to … Read more

Phishing Attacks on Magellan Health Subsidiaries Impact 56,226 Presbyterian Health Plan Members

The managed care firm Magellan Health based in Scottsville, AZ learned that phishing attacks on two of its subsidiaries caused the compromise of the protected health information (PHI) of Presbyterian Health Plan members from Albuquerque, NM. Two service vendors to Presbyterian Health Plan, specifically Magellan Healthcare and National Imaging Associates, encountered the phishing attacks. … Read more

NCCoE Issued a Mobile Device Security Guidance for COPE Gadgets

The National Cybersecurity Center of Excellence (NCCoE) published the latest draft NIST mobile device security guidance to aid institutions to reduce the risks brought in by corporate-owned personally enabled (COPE) gadgets. Mobile gadgets enable workers to access information required to perform their job, regardless of where those persons are found. So, the devices enable organizations … Read more

NCCoE Releases Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem were issued by the National Cybersecurity Center of Excellence (NCCoE). The guidelines, called NIST Cybersecurity Practice Guide, SP 1800-24, were penned for healthcare delivery organizations (HDOs) to help protect their PACS and minimize the likelihood of a data breach or … Read more

About 6,000 People’s PHI Impacted by Phishing Attacks on East Central Indiana School and Frasier

A phishing attack on East Central Indiana School Trust (ECIST) is the reason for the compromise of some protected health information (PHI) of more than 3,200 men and women. On May 19, 2019, an ECIST staff member was tricked into revealing his/her email account credentials that an attacker employed to access that person’s email account. ECIST … Read more

Multi-Factor Authentication Stops 99.9% of Cyberattacks

The healthcare sector runs into a lot of phishing attacks. Every week, healthcare organizations report a number of phishing attacks resulting in protected health information (PHI) exposure or theft. In most cases, the attacks are preventable by adhering to fundamental cybersecurity guidelines. Cyberattacks are now more complex, though most of the attacks aren’t. They entail … Read more

Guidance on Healthcare Information Sharing Organizations Published by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) released guidance on cybersecurity information sharing for healthcare organizations. HSCC is a partnership of over 200 public-private companies and organizations, such as health IT organizations, healthcare device manufacturers, pharmaceutical firms, laboratories, health plans, payers and government institutions. Its purpose is to deliver collaborative solutions to aid … Read more

Utah Ransomware Attack, Alive Hospice Mailing Error and Community Psychiatric Clinic Breaches Compromised Patient Data

Premier Family Medicine, which is a physician group located in Utah, notified 320,000 patients concerning the potential exposure of their protected health information (PHI) caused by a ransomware attack that affected ten facilities located in Utah County. On July 8, 2019, the ransomware attack occurred and prevented the Family Medicine’s staff from accessing patient files … Read more

Patients Impacted by Massachusetts General Hospital Data Breach and Sonoma Valley Hospital Website Hacking

Massachusetts General Hospital (MGH) recently found that the computer applications used by the researchers of its Department of Neurology were accessed without authorization. The individual behind the breach may possibly have accessed approximately 10,000 patients’ protected health information (PHI). MGH became aware of the breach on June 24, 2019 and immediately blocked the software and databases … Read more

Declaration of Limited HIPAA Waiver in Puerto Rico, Florida, Georgia and South Carolina Due to Hurricane Dorian

The Secretary of the Department of Health and Human Services (HHS), Alex Azar, has made an announcement placing Puerto Rico and the states of Georgia, Florida, and South Carolina in a public health emergency (PHE) because of Hurricane Dorian. The announcement of the presidential PHE in the previously mentioned areas was made while the states … Read more

73 Email Accounts of Bonita Springs Employees Compromised Due to Phishing Attack

A phishing attack on NCH Healthcare System, Bonita Springs located in Florida, highlighted how critical it is to train healthcare employees on security awareness. On June 14, 2019, Bonita Springs tracked down the phishing attack upon seeing suspicious email activity connected with its payroll system. The investigation confirmed that 73 employees surprisingly disclosed their account … Read more

Irdeto Survey Reveals 82% of Healthcare Providers Have Encountered a Cyberattack on Their IoT Devices

The Swedish software firm Irdeto conducted the Global Connected Industries Cybersecurity Survey, which showed that 82% of healthcare organizations using Internet-of-Things (IoT) devices have encountered a cyberattack on no less than one of those devices in the last 12 months. Irdeto asked 700 security leaders of healthcare providers and companies in the manufacturing, IT and … Read more

Identified Vulnerability in Philips HDI 4000 Ultrasound Systems

There is a vulnerability identified in Philips HDI 4000 Ultrasound systems that attackers could exploit to access ultrasound images. Besides stealing information, an attacker could tamper with ultrasound images to hinder the diagnosis of a possibly deadly health ailment. Philips HDI 4000 Ultrasound systems run on legacy operating systems like Windows 2000 which aren’t supported … Read more

Code Execution Vulnerability Found in Cardiology Devices of Change Healthcare

Devices of Change Healthcare Cardiology, Horizon Cardiology and McKesson Cardiology were found to have a vulnerability, which a locally authenticated user could exploit to add files that can enable the attacker to implement arbitrary code on a device. Asante Information Security’s Alfonso Powers and Bradley Shubin identified vulnerability CVE-2019-18630 and reported it to Change Healthcare. … Read more

Healthcare Data Breach Report Summary in July 2019

May 2019 had 46 breaches with over 500 records exposed making it the worst month ever since the HHS’ Office for Civil Rights began reporting breach summaries on its web portal in 2009. But that record was broken last July, which had 50 healthcare data breaches with over 500 records reported. July had 13 more … Read more

AMCA Breach Impacts 33,370 Mount Sinai Hospital Patients

Mount Sinai Hospital discovered the compromise of 33,730 patients’ protected health information (PHI) as a result of the American Medical Collection Agency (AMCA) cyberattack. This hospital is number 24 in the list of AMCA breach victims, which has impacted nearly 25 million individuals. On June 4, 2019, AMCA informed Mount Sinai Hospital about the unauthorized … Read more

AMCA Data Breach Impacts Almost 25M To Date

The number of victims of the American Medical Collection Agency (AMCA) data breach has gone up to about 25 million with one more healthcare organization announcing that it was impacted by the breach. Wisconsin Diagnostic Laboratories (WDL) runs 13 medical testing facilities in the area of Milwaukee. Around 114,985 of its patients were notified about … Read more

OMB Audit Report Finds the HHS Information Security Program as Ineffective

The Office of Management and Budget (OMB) sent in its yearly audit report to Congress about the status of federal agencies’ cybersecurity, as demanded by the Federal Information Security Modernization Act of 2014 (FISMA). OMB evaluated 4 of the 12 Department of Health and Human Services (HHS) operating divisions to determine their compliance with FISMA. … Read more

Threat of Lateral Phishing Attacks on Health Care Organizations Increasing

University of California Berkeley, University of San Diego, and Barracuda Networks conducted a recent study, which showed the increasing threat of lateral phishing to healthcare organizations. In a typical phishing attack, the attacker sends an email with an embedded hyperlink going to a malicious web page that harvests login credentials. The emails include a … Read more

Security Breaches at Rhode Island Healthcare Provider and California Hospice Potentially Compromised PHI

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is informing 2,943 patients regarding the unauthorized access of a server that contained some of their health data. A hacker accessed RIENT’s network on June 19, 2019. The provider detected the breach on the same day and secured its network. A hired third-party computer forensics company … Read more

32% of Healthcare Employees Did Not Receive Cybersecurity Training

Since January, about 200 breaches involving over 500 records were reported and it seems that 2019 will be another record year when it comes to healthcare data breaches. Because of the increase in data breaches, Kaspersky Lab conducted a survey to get more understanding about the healthcare industry’s state of cybersecurity. Kaspersky Lab recently published … Read more

45,000 PHI Potentially Exposed Due to Integrated Regional Laboratories, Bayview Dental and Mid-Valley Behavioral Care Network Breaches

Florida-based Integrated Regional Laboratories (IRL) notified around 30,000 patients concerning the potential compromise of their protected health information (PHI) due to the American Medical Collection Agency (AMCA) data breach, which was identified on March 20, 2019. AMCA advised IRL on June 3, 2019 that it had a data breach and confirmed on June 13 that … Read more

Phishing Attacks on Michigan Medicine and Virginia Gay Hospital Potentially Exposed PHI

Michigan Medicine notified about 5,500 of its patients regarding the exposure of some of their protected health information (PHI) because of a recent phishing attack. In July, Michigan Medicine was hit by a phishing attack. About 3,200 employees got phishing emails containing a hyperlink to a legitimate-looking web site, which asked for the … Read more

State Attorneys General Call For the Alignment of Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) told the House and Senate leaders to make improvements to the Confidentiality of Substance Use Disorder Patient Records regulations, referred to as 42 CFR Part 2. NAAG described the regulations under consideration as cumbersome [and] out-of-date, and they limit the uses and disclosures of substance abuse treatment records. The HIPAA … Read more

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, which is Northern Nevada’s biggest healthcare provider, has begun notifying some patients about the potential compromise of some of their protected health information (PHI). On June 30, 2019, a portable storage device (thumb drive) containing files with patient data was found missing. A thorough search for the thumb drive was conducted in the … Read more

Exposure of Seattle Community Psychiatric Clinic Patient Data Due to Email Security Breaches

A Seattle, WA provider of accredited outpatient, counseling services and mental health treatment, Community Psychiatric Clinic, has encountered two security breaches resulting in the compromise of patient information. In the two instances, an unauthorized person accessed the Microsoft Office 365 account of an employee. Community Psychiatric Clinic detected the first security breach on March 12, … Read more

Patients’ PHI Compromised Due to Unsecured Amarin and Medico Database

A database that contains the personal data of people who were interested in Vascepa®, Amarin Pharma’s cholesterol drug, was exposed on the internet. A third party vendor maintained the database, which contained data including full names, email addresses, addresses, phone numbers, interest in a copay card for Vascepa® and medications information. Amarin discovered the breach … Read more

NIST Published a New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has published its latest guide for companies manufacturing Internet of Things (IoT) devices so that they can integrate proper cybersecurity controls to ensure the devices are secured against risks when connected to the Internet. This is the second in the series of published security of IoT devices … Read more

Presbyterian Healthcare Services and Three Rivers Community Health Group Data Breaches Impact About 184,000 Patients

Presbyterian Healthcare Services in New Mexico is informing about 183,000 patients and health plan members about the exposure of some of their protected health information (PHI) as a result of a recent security breach. A number of Presbyterian Healthcare Services employees got phishing emails some time on May 6, 2019. Some employees replied to the … Read more

Imperial Health Ransomware Attack and Lost Laptop Impacts Patients’ PHI

Imperial Health in Southwest Louisiana is a physicians’ network that is announcing the potential compromise of over 111,000 patients’ protected health information (PHI) because of a recent ransomware attack, which was discovered on May 19, 2019. An unauthorized party was able to download ransomware into the network so that files and the Imperial Health’s Center … Read more

Atlantic.Net’s 25th Year Anniversary as Internet and Cloud Services Provider

Cloud service provider Atlantic.Net, which offers HIPAA-compliant hosting to healthcare businesses, is marking its 25th anniversary. The company started as an internet service provider in 1994. It adapted to changing technology trends and began offering cloud services in 2009. The company continued to develop its hosting platform and related services over the next … Read more

Critical Vulnerabilities Affect 2 Billion VxWorks Devices

Armis’ security researchers discovered 11 vulnerabilities in the VxWorks real-time operating system, which is widely used in close to 2 billion IoT devices, control systems and medical devices. Six vulnerabilities are rated critical, and the 11 flaws have been collectively called “Urgent/11.” A hacker could remotely exploit them with no need for user interaction. If successful, a … Read more