Pioneer Kitten Iranian Espionage Group Collaborates With Ransomware Groups

An Iranian hacking group, known as Pioneer Kitten (also referred to as Fox Kitten, Rubidium, Parisite, and Lemon Sandstorm), has been working together with ransomware groups to exploit and extort businesses across various sectors, including defense, finance, education, and healthcare. Active since 2017, Pioneer Kitten is assumed to operate under the auspices of the Iranian … Read more

How do the HIPAA Regulations Characterize a Deliberate Violation?

The HIPAA regulations characterize a deliberate violation by a covered entity or business associate as a conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. If a deliberate violation is identified and not corrected within 30 days, HHS’ Office for Civil Rights can impose the maximum possible … Read more

BlackSuit — a Rebrand of Royal Ransomware Confirmed

The Federal Bureau of Investigation (FBI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released an alert concerning the BlackSuit ransomware group, which they have identified as a rebranded version of the Royal ransomware. This group has been behind numerous attacks on healthcare companies. The FBI and CISA first issued an alert about the Royal … Read more

Does HIPAA Apply to Spouses?

HIPAA does not apply to spouses and common law partners in a way that means they have to safeguard Protected Health Information shared with them by a healthcare professional. However, the HIPAA Privacy Rule stipulates when it is permissible for a healthcare professional to disclose a patient’s health information to a spouse, partner, or other … Read more

Data Theft at United of Omaha Life Insurance Company Due to Phishing Attack

United of Omaha Life Insurance Company located in Nebraska submitted a phishing attack report that indicated the compromise of the protected health information (PHI) of 107,894 people. The insurer discovered the breach on April 23, 2024 after identifying suspicious activity in an employee’s email account. United of Omaha noticed that a third party accessed the … Read more

Is Zapier HIPAA Compliant?

Zapier is not HIPAA compliant and cannot be used to connect apps that create, receive, store, or transmit Protected Health Information (PHI) because many of the apps themselves do not support HIPAA compliance. Removing the apps from the platform would limit Zapier’s automation capabilities and the benefit of automation to healthcare organizations. Zapier is … Read more

Employee Email Accounts Breached at Aveanna Healthcare

Aveanna Healthcare, a healthcare provider based in Georgia, recently reported that a third party gained unauthorized access to the email accounts of 11 employees and, through them, to the protected health information (PHI) of 10,482 patients. This is Aveanna Healthcare’s second email breach report this year. On March 15, 2024, Aveanna Healthcare submitted to the HHS’ Office … Read more

Is It a HIPAA Violation to Send to Collections?

It is not a HIPAA violation to send to collections because the HIPAA Privacy Rule permits disclosures of this nature provided the amount of information sent to collections complies with the minimum necessary standard and provided the disclosure of Protected Health Information is covered by a Business Associate Agreement if collections are conducted by an … Read more

Does HIPAA Apply to Animals?

HIPAA applies to animals when information about an animal is stored in the same designated record set as Protected Health Information (PHI), and the information could be used to identify the human subject of the PHI. Examples include when a patient’s medical notes include information about their support dog or an emotional support animal. In … Read more

Change Healthcare Ransomware Attack Cost Expected to Increase to $2.3B in 2024

UnitedHealth Group (UHG) has given an update about the response costs associated with the February 2024 ransomware attack involving Change Healthcare. The overall response cost for 2024 is forecast to be $2.3 billion to $2.45 billion, over $1 billion more than the figure reported earlier. UHG has already paid approximately $2 billion handling the … Read more

DaVita Patients Affected by Tracking Technology Privacy Incident

DaVita has discovered that tracking tools used on its web pages and mobile app might have transmitted user information to third-party providers. On July 2, 2024, the Denver, CO-based kidney dialysis service provider DaVita Inc. informed 67,443 patients of a pixel-related data breach. With 2,800+ outpatient dialysis centers in the U.S., DaVita serves … Read more

What is HIPAA Compliance?

HIPAA compliance refers to adhering to the requirements of the HIPAA federal law that mandates the protection and confidential handling of protected health information (PHI). This is done by implementing administrative, physical, and technical safeguards, ensuring patient rights, regularly training employees, conducting risk assessments, and responding appropriately to any detected breaches of PHI. Compliance with … Read more

HIPAA Privacy Rules

The purpose of the HIPAA Privacy Rules is to protect the confidentiality of patient healthcare and payment data to prevent abuse and fraud. Published by the Department of Health and Human Services as the “Standards for Privacy of Individually Identifiable Health Information”, the HIPAA Privacy Rules stipulate the permissible uses and disclosures of protected health … Read more

HIPAA Violation Penalties

HIPAA violation penalties are the consequences of a Covered Entity, Business Associate, or PHR vendor failing to comply – when applicable – with the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) paved the way for the development of the Administrative … Read more

HIPAA PHI

It may surprise some people to learn that, in the original 1996 text of HIPAA, PHI is not mentioned either in its long form (Protected Health Information) or in its abbreviated form (PHI). In fact, it was not until the publication of the proposed Privacy Rule in 1999 that the term Protected Health Information first … Read more

HIPAA Refresher Training

The term HIPAA refresher training can mean different things to different people. For some it may mean HIPAA-mandated Privacy Rule training after a material change to policies and procedures, the provision of training to mitigate a threat identified in a risk assessment, or part of a security and awareness training program as required by the … Read more

HIPAA Violation Statistics

Accurate HIPAA violation statistics can be difficult to come by due to the way in which HHS’ Office for Civil Rights reports violations. It can also be the case that the cause of a violation is miscategorized by the entity reporting it – who may not be the entity responsible for the violation. As of … Read more

HIPAA Violations by Nurses

HIPAA violations by nurses can happen for many different reasons and, although HIPAA violations by nurses are often accidental or a consequence of wanting to “get the job done”, if a nurse violates HIPAA, the violation should be reported to prevent minor violations with minimal consequences deteriorating into a culture of non-compliance. In addition, HIPAA … Read more

Is Paubox HIPAA Compliant?

Paubox is a HIPAA compliant solution to incompatible encryption standards when emails containing PHI are sent between covered entities – or between covered entities and business associates or patients. Paubox also addresses the inconvenience of encrypting emails and decrypting them on receipt. Most covered entities that use email to communicate Protected Health Information (PHI) with … Read more

Is It Possible to Use ChatGPT in Compliance with HIPAA?

It is possible to use ChatGPT in compliance with HIPAA, but – until such time as OpenAI makes ChatGPT HIPAA compliant – there are risks associated with implementing anonymizer software to ensure Protected Health Information is not impermissibly disclosed to ChatGPT. In its current state, ChatGPT does not support HIPAA compliance. The program does not … Read more

When was HIPAA enacted?

HIPAA was enacted by the United States Congress in 1996 and signed into law by President Bill Clinton on August 21, 1996. Anyone who has worked in the healthcare industry will have heard of HIPAA and knows of its importance in safeguarding protected health information (PHI). However, most will not know about the history of HIPAA, … Read more

HIPAA Law

The HIPAA law we are familiar with today evolved from proposals to reform the way in which the health insurance industry worked. Following on from Acts such as the Employee Retirement Income Security Act (ERISA) in 1974 and the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA), the proposals were intended to increase the transferability of … Read more

What is the Purpose of HIPAA?

The purpose of HIPAA is sometimes explained as ensuring the privacy and security of individually identifiable health information. However, regulations relating to the privacy and security of individually identifiable health information were not enacted until some years later. So, what was the primary purpose of HIPAA? The Health Insurance Portability and Accountability Act of 1996 … Read more

Email Archiving Compliance

One of the biggest challenges for achieving email archiving compliance is auditability. Whereas it is often possible to implement an archiving solution that copies and indexes emails as they enter the mail server before storing them securely, it is not so easy to find an archiving solution with user-friendly search and retrieve capabilities that produces … Read more

What are Common HIPAA Violations on Social Media?

The most common HIPAA violations on social media are due to healthcare professionals taking photos or videos of patients and impermissibly disclosing PHI on social media platforms such as Facebook, Snapchat, and TikTok. The penalties for HIPAA violations on social media vary depending on covered entities’ sanction policies, state laws, and regulatory actions. In July … Read more

Why was HIPAA Implemented?

In its earliest form, HIPAA had three main objectives: In order to achieve these aims, HIPAA required a major reform of the healthcare industry. HIPAA called for the Department of Health and Human Services to develop a set of standards for the healthcare industry to adopt, which are commonly referred to as the HIPAA Rules. … Read more

Who Does HIPAA Not Apply To?

HIPAA does not apply to multiple types of organizations including healthcare providers that do not qualify as covered entities, public schools that only provide medical services for students, and financial institutions that process payments on behalf of covered entities. However, although HIPAA does not apply to these organizations, other state privacy laws may apply. When … Read more

When was HIPAA Signed into Law?

HIPAA was signed into law by President Bill Clinton on August 21, 1996, but there have been some major updates to the legislation over the past two decades. The HIPAA Privacy Rule was enacted on December 20, 2000, the HIPAA Security Rule was enacted on February 20, 2003, and the HIPAA Omnibus Rule was enacted … Read more

Is WhatsApp HIPAA Compliant?

WhatsApp is not HIPAA compliant but can be used in healthcare environments in certain circumstances – for example to facilitate communications between healthcare providers that do not disclose Protected Health Information, or to accommodate patients’ requests to communicate via WhatsApp. When HIPAA covered entities and business associates use any messaging service to create, receive, store, … Read more

Is Microsoft Outlook HIPAA Compliant?

Microsoft Outlook is HIPAA compliant and can be used to send emails containing Protected Health Information provided customers subscribe to an appropriate Microsoft plan with the capabilities to support HIPAA compliance and agree to the terms of Microsoft’s Business Associate Agreement. In order to make Microsoft Outlook HIPAA compliant, system administrators must configure Outlook’s settings … Read more

What is HIPAA Compliant Email?

HIPAA compliant email is email containing Protected Health Information that is sent for a purpose required or permitted by the HIPAA Privacy Rule and – when necessary – that is protected by the safeguards of the HIPAA Security Rule. There can be other criteria that determine whether an email complies with HIPAA – including who … Read more

Is it Necessary for Zelle to be HIPAA Compliant?

It is not necessary for Zelle to be HIPAA compliant in order for HIPAA covered entities to conduct financial transactions via the fund transfer service because payment processors are exempt from HIPAA under §1320d-8 of the Public Health and Welfare Code. Considering that Zelle is a peer-to-peer funds transfer service similar to PayPal, there are … Read more

Is HoneyBook HIPAA Compliant?

HoneyBook is not HIPAA compliant and should not be used by HIPAA covered entities or business associates to create, collect, store, or transmit electronic Protected Health Information (ePHI). However, it is still possible for healthcare providers to use HoneyBook for some customer relationship activities. HoneyBook styles itself as “client flow management software” that can help … Read more

Is Ivy Pay HIPAA Compliant?

Ivy Pay is a HIPAA compliant payment management system that enables therapists to collect payments with little or no disruption to clients. The payment processing capabilities mean clients do not have to focus on a financial transaction at the end of a session, while the system simplifies billing and payment activities for therapists. Ivy Pay … Read more

How Can You Make PayPal HIPAA Compliant to Accept Payments from Patients?

It is not necessary to make PayPal HIPAA compliant before accepting payments from patients because payment processors such as PayPal are exempt from complying with the HIPAA regulations for payment processing activities. However, it is not possible to use any of PayPal’s other services in compliance with HIPAA. When HIPAA was passed in 1996, it … Read more

Can I get fired for an accidental HIPAA violation?

You can get fired for an accidental HIPAA violation depending on the nature of the HIPAA violation, the consequences of the violation, your employer’s workplace sanctions policy, and your previous record of accidental violations. Whether accidental or not, HIPAA violations are serious events. PHI often contains very sensitive material, and if it gets into … Read more

Are phone calls a HIPAA violation?

Phone calls can be a HIPAA violation if Protected Health Information (PHI) is disclosed for an impermissible purpose, to an unauthorized person, or for a purpose or to a person that the subject of the PHI has requested PHI is not disclosed (for example, to a health plan when treatment has been paid for privately … Read more

What are the HIPAA Training Requirements?

The HIPAA training requirements are that members of a covered entity’s workforce must be provided with training on the covered entity’s HIPAA policies and procedures when they first start working for the covered entity or when there is a material change to the policies and procedures. All employees of covered entities and business associates must … Read more

Is workplace gossip a HIPAA violation?

Workplace gossip is a HIPAA violation if it involves telling a story about an individual whose individually identifiable health information or any personal details stored in the same data set as their health information is protected by the HIPAA Privacy Rule. Is workplace gossip a HIPAA violation when it is only natural that colleagues will … Read more

What is PHI in HIPAA?

PHI in HIPAA is health information that relates to an individual’s past, present, or future physical or mental health condition, treatment for the health condition, or payment for the treatment, that is created, received, stored, or transmitted by a HIPAA covered entity or business associate. Any health information that qualifies as PHI in HIPAA, and … Read more

What Did the HIPAA Omnibus Rule 2013 Mandate?

The HIPAA Omnibus Rule 2013 mandated changes to Parts 160 and 164 of the HIPAA Administrative Simplification Regulations to implement modifications to the Enforcement, Security, Breach Notification, and Privacy Rules required by the HITECH Act. In addition, the HIPAA Omnibus Rule 2013 made further changes to the Privacy Rule to address events that were hampering … Read more

How does Texas HB 300 Expand Individual Privacy Protections?

Texas HB 300 expands individual privacy protections by requiring non-excluded covered entities to obtain an authorization for a number of disclosures of Protected Health Information that would be permitted by the HIPAA Privacy Rule. In 2001, Chapter 181 of the Texas Health and Safety Code was established by the passage of the Texas Medical Records … Read more

HIPAA Training Answers

This is a list of the most common HIPAA training questions and the corresponding HIPAA training answers: What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 to protect the privacy and security of patients’ health information. Who needs HIPAA training? HIPAA training is essential for … Read more

How to put HIPAA Compliance on Resume

When incorporating HIPAA compliance onto your resume, establish a dedicated section, such as “Certifications” or “Professional Training,” to underscore your expertise. Clearly label it with a precise heading like “HIPAA Compliance Certification” to emphasize your qualification. Provide essential certification details, including course name, institution, and completion date. Briefly outline the core subjects covered—ranging from patient … Read more

What are Patient Rights Under HIPAA?

Patient rights under HIPAA encompass the right to access and obtain copies of their health information, the right to request corrections to their records, the right to receive privacy notices, the right to control the sharing of their health information, the right to file complaints about privacy violations, the right to know who has accessed … Read more

HIPAA Changes 2024

HIPAA changes occur more often than many people realize due to the Department of Health and Human Services (HHS) responding to external events, Executive Orders, or adopting standards to reduce the administrative burden of HIPAA compliance. While most recent HIPAA changes have been relatively minor, there are significant proposed HIPAA changes in 2024. Many articles … Read more

What are the Recent Changes to HIPAA?

Most of the recent changes to HIPAA have been relatively minor, however the Department of Health and Human Services has published multiple Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs) in recent years which imply some significant changes are about to take place. The HIPAA Administrative Simplification Regulations (45 CFR Parts 160, 162, and … Read more

What is PHI?

PHI – or Protected Health Information – is a term frequently used in articles discussing HIPAA compliance, yet the meaning of the term is sometimes misunderstood. However, it is important for Covered Entities, Business Associates, and their workforces to know what is considered PHI under HIPAA – and what isn’t – because one of the … Read more

What do HIPAA Laws Protect?

HIPAA laws are best known for protecting the privacy of individually identifiable health information maintained by health plans and qualifying health care providers. Strictly speaking, the content of the Health Insurance Portability and Accountability Act did not create any new HIPAA laws. Rather, it amended existing laws such as the Consolidated Omnibus Budget Reconciliation Act … Read more

HIPAA Training for Mental Health Professionals

HIPAA training for mental health professionals should be more thorough than for other health care professionals due to the number of times mental health professionals may be required to make decisions about disclosing PHI based on their professional judgement. Under §164.530(b) of the Privacy Rule, covered entities “must train all members of the workforce on … Read more

How Long Does It Take to Get HIPAA Certified?

How long it takes to get HIPAA certified depends on factors such as the motive for getting HIPAA certified, the certification requirements, and the amount of time available to fulfill the requirements. HIPAA certifications do not absolve individuals and organizations from any obligations they have under HIPAA to protect the privacy and security of individually … Read more

Who Created HIPAA?

HIPAA was created by many people including members of the Clinton Health Plan Task Force, Senators Kennedy and Kassebaum, Rep. Bill Archer, and Donna Shalala and her team at the Department of Health and Human Services. There is no single answer to the question of who created HIPAA. This is because HIPAA evolved from the … Read more

Why Was HIPAA Created?

HIPAA was created as a result of the Clinton administration’s ambitious, but unsuccessful, attempt to pass a Health Security Act. HIPAA addressed the area of the Health Security Act related to health insurance reforms, which enabled the bill’s supporters to include measures that protect the privacy and security of individually identifiable health information. One of … Read more

What To Do If Accused of a HIPAA Violation

There is no standard answer to what to do if accused of a HIPAA violation because what you should do depends on your responsibility for HIPAA compliance, who is accusing you of a HIPAA violation, and the violation you are being accused of. In 2021, HHS’ Office for Civil Rights received 34,077 complaints alleging violations … Read more

Why is HIPAA Training Important?

HIPAA training is important because it educates healthcare professionals and associated administrative and IT personnel on the legal and ethical obligations of safeguarding patient health information, ensuring compliance with regulations, reducing the risk of data breaches, and fostering a culture of privacy and trust within the healthcare system. HIPAA training plays a role in educating healthcare professionals and associated personnel … Read more

HIPAA Training for Employees

HIPAA training for employees is an important educational initiative within healthcare organizations, equipping staff with the knowledge and skills necessary to uphold the stringent privacy and security standards mandated by HIPAA, thereby ensuring the confidentiality of patient information, mitigating the risk of data breaches, and maintaining compliance with legal and ethical obligations. HIPAA training has a central role in … Read more

HIPAA Training for Business Associates

HIPAA Training for Business Associates is an educational program designed to instruct individuals and organizations that provide services to healthcare entities (business associates) about their responsibilities and obligations under HIPAA, ensuring they understand the rules and regulations governing the handling and safeguarding of protected health information (PHI) when working with healthcare clients, thereby promoting … Read more

What are the Advantages and Disadvantages of HIPAA?

HIPAA provides advantages such as enhancing patient privacy and data security, fostering interoperability and streamlined healthcare processes, promoting standardized electronic transactions, and facilitating research; however, it also comes with disadvantages including complex compliance requirements, potential administrative burdens, inhibiting certain research activities, and imposing additional costs on healthcare entities. HIPAA’s Privacy Rule establishes strict guidelines … Read more

HIPAA Privacy and Security Training

HIPAA privacy and security training is designed to train all staff exposed to protected health information (PHI) within the healthcare industry. This comprehensive training encompasses the essential aspects of HIPAA to ensure that individuals across various roles, including healthcare professionals, administrative staff, and IT experts, possess the knowledge, skills, and awareness required for preserving the confidentiality, integrity, and … Read more

What is Healthcare Compliance?

Healthcare compliance is an essential activity for organizations in, or providing a service to, the healthcare industry. It involves adherence to laws, regulations, standards, and practices that govern healthcare providers, payers, pharmaceutical companies, and other entities involved in the delivery of health care. Components of Healthcare Compliance: Federal and State Laws. Healthcare compliance requires adherence … Read more

What Happens after a HIPAA Complaint is Filed?

What happens after a HIPAA complaint is filed with HHS’ Office for Civil Rights is that the complaint goes through a process established by the HIPAA Enforcement Rule (2006) and fine-tuned by the HIPAA Final Omnibus Rule (2013). The process can be found in §160.300 of the HIPAA Administrative Simplification Regulations, and consists of: Initial … Read more

Is Microsoft OneDrive HIPAA Compliant?

Although OneDrive can be configured to support HIPAA compliance, there is more to making OneDrive HIPAA compliant than adjusting a few settings and entering into a Business Associate Agreement with Microsoft. Many healthcare organizations subscribe to an Office 365 or Microsoft 365 business plan to access apps and services such as Word, Excel, and PowerPoint. … Read more

Is Microsoft Teams HIPAA compliant?

Because no software is HIPAA compliant by default, HIPAA Covered Entities and Business Associates that use or disclose PHI via the Microsoft Teams platform need to know how to make Microsoft Teams HIPAA compliant. Microsoft Teams is a sophisticated communications platform with secure chat, video, and file-sharing capabilities. Due to the many integrations and add-ons … Read more

What is HIPAA compliant telemedicine?

The term HIPAA compliant telemedicine relates to the remote delivery of healthcare to patients and remote collaboration between healthcare providers while complying with the standards of the Privacy Rule and the safeguards of the Security Rule. Due to the nature of remote healthcare delivery and collaboration, it is not always easy to comply with the … Read more

Are Google Forms HIPAA Compliant?

The question ‘are Google Forms HIPAA compliant and suitable for use by healthcare organizations?’ is important when the Google Workspace service is used to collect, store, or share Protected Health Information. Google Forms is a popular survey tool that allows users to create forms for data collection purposes and then export the data for analysis. Typically, … Read more

Is Google Meet HIPAA Compliant?

Yes, Google Meet can be made HIPAA compliant when a Business Associate Agreement (BAA) is in place. A BAA is a legal contract that outlines the responsibilities and obligations of a service provider (Google) when handling Protected Health Information (PHI) on behalf of a covered entity (healthcare organization). If Google signs a BAA with a … Read more

What is the HIPAA Electronic Signature Rule?

The HIPAA electronic signature rule is – at present – a proposed rule published by the Department of Health and Human Services in December 2022. If adopted, the HIPAA electronic signature rule would apply to a limited number of covered transactions. However, it could subsequently be extended to apply to other types of covered transactions … Read more

HIPAA Compliance Training for Dental Offices

HIPAA compliance training for dental offices is an essential component of ensuring the privacy and security of patient information, mitigating risks of data breaches, adhering to legal requirements set forth by HIPAA, and promoting a culture of confidentiality and ethical practices within the dental profession. Protecting this information from unauthorized access, use, or disclosure is … Read more

What is HIPAA Training for Healthcare Workers?

HIPAA training for healthcare workers is a crucial component of ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA), as it provides comprehensive education and guidance on the regulations, policies, and procedures related to patient privacy, security of protected health information (PHI), proper use and disclosure of PHI, patient rights, breach management, and … Read more

Is HIPAA training required annually?

HIPAA training is typically required to be conducted annually to ensure healthcare professionals and organizations stay up-to-date with the latest regulations, best practices, and any changes in policies or procedures related to the protection of patient privacy and security of health information. The purpose of annual HIPAA training is to ensure that healthcare professionals are … Read more

Dental Practice Fined for Sharing PHI on Yelp

A California-based dental practice has been issued with a $23,000 fine after it published a patient’s Protected Health Information (PHI) on the Yelp review website. This unauthorized use of PHI resulted in a complaint to the Office for Civil Rights, which then launched an investigation into the incident. On November 29, 2017, the OCR received … Read more

What are examples of Protected Health Information?

Many people will be familiar with the concept of Protected Health Information, and know that it must be safeguarded under the Health Insurance Portability and Accountability Act of 1996. But what are examples of Protected Health Information? How is it distinguished from other categories of information? The Health Insurance Portability and Accountability Act of 1996 … Read more

Empress EMS faces Lawsuit for Ransomware Attack

Empress EMS, a New York-based ambulance service, is facing multiple class-action lawsuits after patient data was stolen during a ransomware attack. The attack was carried out by the Hive ransomware group, which gained access to Empress EMS’ network, stole files, and then encrypted them. Though the criminals gained access on May 26, 2022, the attack … Read more

Can you go to jail for a HIPAA violation?

HIPAA violations are extremely serious in nature, but can you go to jail for a HIPAA violation? Is this a risk for all violations, or is it only certain ones that will result in jail terms? The answer, perhaps unsurprisingly, is yes, you can go to jail for violating HIPAA. However, it is extremely unlikely … Read more

How long does a HIPAA investigation take?

Though most HIPAA violations are avoidable, that some violations will occur is inevitable. Even the most diligent worker will occasionally make a mistake and, for example, send an email to the incorrect recipient. Incidental violations may also occur despite an individual’s best efforts. Should these violations occur, investigations will need to take place to determine … Read more

CommonSpirit Data Breach Confirmed

CommonSpirit Health, the second-largest non-profit hospital chain operating in the United States of America, has confirmed that patient data was accessed during a recent ransomware attack. The attack occurred between September 16, 2022, and October 3, 2022; it was detected in October. Upon detection of the attack, CommonSpirit Health immediately took some of its systems … Read more

New Mexico Medical Center Proposes Settlement for Data Breach Lawsuit

The San Juan Regional Medical Center (SJRMC) has proposed a settlement to a class-action lawsuit. The lawsuit, Henderson et al. vs San Juan Regional Medical Center, concerned a data breach that affected 68,792 patients. On September 8, 2020, the New Mexico-based medical center was targeted by hackers who subsequently gained access to their network. While … Read more

How do you Respond to a HIPAA Violation?

How you respond to a possible HIPAA violation can depend on the nature of the possible violation, how you become aware of it, and where the event occurs. For example, an alleged disclosure of more than the minimum necessary PHI in a circumstance that is unlikely to result in harm will be responded to differently … Read more

HIPAA Compliance Audit Program

In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing the HIPAA Privacy and Security Rules. The first round of audits was completed in 2012 and highlighted that many companies were failing to comply with even the most basic of HIPAA’s rules. Audited organizations registered … Read more

HIPAA Security Rule Compliance

Due to its technical and often ambiguous language, complying with the HIPAA Security Rule can present some difficulty for dental offices. One easy solution to complying with the HIPAA Security Rule that is being widely adopted in all areas of the healthcare industry is the implementation of a system of secure messaging. Secure messaging is conducted … Read more

History of HIPAA

Why was HIPAA created? HIPAA’s origins: in August 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law, it was the first of its kind. Those who created HIPAA claimed that it was made to “improve the portability and accountability of health insurance coverage” for employees between jobs. Combatting waste, fraud and … Read more

Does HIPAA Apply to Pharmacies?

To answer the question “does HIPAA apply to pharmacies?”, it is necessary to review the definitions of HIPAA Covered Entities, healthcare providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions. Most people assume that HIPAA does apply to pharmacies because pharmacies have access to health information when they fill prescriptions. … Read more

HIPAA Violation Fines

The Health Insurance Portability and Accountability Act was established in 1996 and covers many aspects of patient privacy. To help enforce the Act, the Enforcement Rule of 2006 was added that gave the Office for Civil Rights the ability to prosecute for HIPAA violations. The hope was that by issuing financial – and sometimes criminal … Read more

HIPAA Data Retention

A large part of data privacy concerns how long data can be stored after use. This is also covered by HIPAA, which stipulates in its rules how long data can be retained after it has been collected and used. Individual states may have their own rules and legislation regarding this issue, but for the … Read more

HIPAA Violation Cases

Nobody knows the true number of HIPAA violation cases, for although the Department of Health and Human Services (HHS) updates the statistics on its Enforcement Highlights web page every month, HHS’ Office for Civil Rights is not the only agency that receives reports of HIPAA violations or investigates HIPAA violation cases. Depending on the nature … Read more

HIPAA-Compliant Video Conferencing

The Health Insurance Portability and Accountability Act (1996) covers all areas of patient privacy. Its main purpose is to ensure that all protected health information (PHI) and electronic PHI (ePHI) remains secure and confidential. However, it must not be so restrictive that when healthcare professionals need to share PHI to accomplish a treatment-related task they … Read more

How to report HIPAA violations

Under the Breach Notification Rule, all HIPAA violations must be reported within 60 days of their discovery. However, it can be confusing for CEs and BAs to determine who to report the breach to, and what details the breach notification should contain. Reporting a HIPAA violation: anyone can report a HIPAA violation to the Department … Read more

HIPAA Authorization Requirements

HIPAA came into effect in 1996, with the initial goal of easing the transfer of health insurance policies and other health documents between employers. Since then, it has come to cover many aspects of health data, namely concerning Protected Health Information (PHI). Additions and alterations to HIPAA legislation came in 2003 via the … Read more

What does PHI stand for?

PHI stands for Protected Health Information, which refers to any information in a medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a healthcare service such as diagnosis or treatment. The question “what does PHI stand for?” is … Read more

HIPAA Privacy Regulations

First enacted in 2002, the HIPAA Privacy Rule (also known as the “Standards for Privacy of Individually Identifiable Health Information”) regulates who can access patient health data. Such data, termed Protected Health Information (PHI), must only be disclosed to necessary individuals without interrupting its processing. HIPAA applies to any party that is deemed a “covered … Read more

HIPAA Encryption Requirements

Confusingly, though the encryption of Protected Health Information (PHI) is defined as an “addressable” requirement under HIPAA legislation, it is compulsory. The use of the term “addressable” merely means that it is up to covered entities (CEs; those who can access and modify PHI) to decide how best to encrypt the data. The encryption is, … Read more

HIPAA Risk Assessments

HIPAA risk assessments, though often tedious, are a critical part of ensuring HIPAA compliance. The Security Rule, created in 2003 to ensure that electronic health data is only accessed by authorized personnel, was the first part of HIPAA that required such risk assessments. Password requirements: the Security Awareness and Training section of the Security Rule … Read more

What is HIPAA Compliance Software?

HIPAA compliance software provides a range of tools to help organizations achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA) and maintain compliance thereafter. However, because of the complexity of HIPAA, organizations are advised to select a software solution from a vendor who also provides support, training, and guidance. Most HIPAA Covered Entities … Read more

HIPAA Training for Students

Because the HIPAA Privacy Rule defines students as members of a Covered Entity’s workforce, HIPAA training for students should be the same as that for employees. However, in many cases, students may require additional HIPAA training in order to avoid unintentional violations of HIPAA attributable to a lack of knowledge and experience. When medical students … Read more

Microsoft Warning Against BlueKeep Exploit in Real World Attacks

In May 2019, Microsoft announced a critical remote code execution vulnerability in Windows Remote Desktop Services referred to as BlueKeep – CVE-2019-0708. The cybersecurity community expected a weaponized exploit to be developed and used in large-scale attacks. The first wide-scale attacks utilizing a BlueKeep exploit were identified over the weekend. Right after Microsoft announced … Read more

Brooklyn Hospital Center Malware Attack and Washington University School of Medicine Unauthorized PHI Access

A security breach has been announced by Brooklyn Hospital Center in New York. The incident that transpired in late July 2019 involved the installation of malware on some servers of the hospital. The prompt discovery of the attack limited the harm caused as safety action steps were taken. However, a number of files were still … Read more

Jackson Health System Paid $2.15 Million Civil Monetary Penalty for Multiple HIPAA Violations

The Department of Health and Human Services’ Office for Civil Rights imposed a civil monetary penalty of $2.15 million on Jackson Health System (JHS). JHS is a nonprofit academic medical system located in Miami, FL, which violated the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule in multiple instances. OCR learned in July … Read more

PHI Potentially Compromised Due to Prisma Health Website Breach and Seattle Cancer Care Alliance Email Error

Due to a data breach on the Palmetto Health website, Prisma Health Midlands is sending breach notifications to around 19,000 patients and 3,000 employees. Prisma Health – previously called Palmetto Health – discovered on August 29, 2019 that an unauthorized individual had obtained the login credentials of a Prisma Health employee. The attacker used the stolen … Read more

Report Reveals Increased Security After a Data Breach Caused a Rise in Patient Mortality Rate

Healthcare data breaches bring about a lower quality of patient care, according to a study just published in Health Services Research. Researchers studied data from Medicare Compare, which highlights quality measures employed at hospitals. Information from 2012 to 2016 was assessed and compared with records from the HHS’ Office for Civil Rights on data breaches … Read more

Roger Severino Provides Update on OCR HIPAA Enforcement Priorities

Roger Severino, the HHS’ Office for Civil Rights Director, gave a report on the priorities of OCR’s HIPAA enforcement during the OCR/NIST 11th Annual HIPAA Conference held in Washington D.C. Severino stated that a top policy initiative of OCR is still the enforcement of patient rights under the HIPAA Privacy Rule and the provision of … Read more

57% of Companies Use Multi-Factor Authentication For Better Security But It is Not Fail-Proof

The password manager provider LastPass recently conducted a study, which revealed that only 57% of companies make use of multi-factor authentication, despite the fact that it is a very good way to prevent the use of stolen credentials to access email accounts and company networks. With multi-factor authentication, a second factor to verify users is … Read more

FBI Gives An Alert Regarding E-Skimming Threats and Recommendations for Minimizing Risk

The Federal Bureau of Investigation issued an alert regarding e-skimming threats, after attacks on SMBs and government institutions increased. E-skimming refers to the injection of malicious code into online payment processing websites. The code steals the debit and credit card details of users as they enter the information into the payment websites. The attacker gets … Read more

Millions of Patients’ Sensitive Data Were Publicly Accessible Online

Because nine companies failed to keep their medical databases secure, the sensitive health information of millions of patients was exposed online. Security researchers at WizCase discovered the exposed patient information. The research team, under the leadership of Avishai Efrat, looked for exposed information that was accessible without requiring any usernames or passwords using freely … Read more

September 2019 Healthcare Data Breach Report

There were 36 healthcare data breaches involving over 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September. This figure represents a 26.53% reduction in breaches compared to the previous month. The September breaches exposed a total of 1,957,168 medical records, which represents a 168.11% rise from … Read more

15,982 Patients of South Texas Dermatopathology Notified About the AMCA Data Breach

South Texas Dermatopathology is the latest identified victim of the American Medical Collection Agency (AMCA) data breach. It has reported the data breach to the Department of Health and Human Services’ Office for Civil Rights (OCR) and informed the affected patients. The OCR breach portal published information about the breach on October 7, 2019 … Read more

Mission Health E-Commerce Websites Had Malicious Code that Allowed Payment Data Theft for 3 Years

Malicious code was found installed on the e-commerce website of Mission Health in Western North Carolina. The malicious code could capture the payment information entered by patients purchasing health products on the website and route the data to an unauthorized third party. Mission Health discovered the breach in June 2019. But according to … Read more

Proofpoint Report Reveals Which Cyber Threat Healthcare Organizations Commonly Encounter

A recent Proofpoint report gives information on the cyber threats that healthcare organizations encounter and the most common attacks that result in healthcare data breaches. Proofpoint’s 2019 Healthcare Threat Report shows the constantly changing threat landscape and how the strategies utilized by cybercriminals are in a consistent state of flux. The study, which was conducted … Read more

UAB Medicine Phishing Attack Impacts 19,000 Patients

Due to a phishing attack on August 7, 2019, UAB Medicine is informing its patients regarding potential unauthorized access to a number of employee email accounts at UAB Medical Center in Birmingham, AL. When UAB became aware of the breach, the security team changed the passwords of the breached email accounts to block further unauthorized … Read more

New York Legislation Stops the Selling of Patient Information by First Responders to Third Parties

S.4119/A.230 is new legislation signed into law on October 7, 2019 by New York Governor Andrew Cuomo. This law forbids first response and ambulance service employees from selling or sharing patient information with third parties for the purpose of marketing or raising money. New York Assembly Member Edward Braunstein originally introduced the bill in … Read more

MITA Puts Out New Medical Device Security Standard

The Medical Imaging & Technology Alliance (MITA) has published a new medical device security standard that offers healthcare delivery organizations (HDOs) crucial information regarding risk management and medical device security controls to secure medical devices against unauthorized access and cyberattacks. The new voluntary standard, known as Manufacturer Disclosure Statement for Medical Device Security (MDS2) … Read more

Philadelphia Department of Public Health Announced the Exposure of Hepatitis Patients’ Data

The Philadelphia Department of Public Health (PDPH) found that sensitive data of patients suffering from hepatitis B and hepatitis C was exposed on the web and any person could access it without authentication. PDPH learned about the breach on October 12, 2019 after being notified by a correspondent of The Philadelphia Inquirer. The matter was … Read more

APT Actors Actively Exploiting GlobalProtect, Pulse Connect, Fortigate VPN Vulnerabilities

Advanced persistent threat (APT) actors are taking advantage of flaws in widely used VPN products provided by FortiGuard, Palo Alto and Pulse Secure to obtain control of vulnerable internal networks and VPNs. The DHS’ Cybersecurity and Infrastructure Security Agency (CISA), together with other cybersecurity institutions, published security alerts regarding a number of vulnerabilities in VPN … Read more

Data Breaches at Cancer Treatment Centers of America and Humana

Cancer Treatment Centers of America (CTCA) sent notifications to some of its patients after their protected health information (PHI) was exposed due to a phishing attack and email security breach in July 2019 at its Southeastern Regional Medical Center. CTCA learned about the phishing attack on July 29, 2019 when suspicious activity was identified … Read more

9,160 Goshen Health Patients Affected by Phishing-Related Email Breach

9,160 patients of Goshen Health in Indiana received notification about a phishing-related email breach in August 2018 that could have resulted in the exposure of their protected health information (PHI). Goshen Health took steps to secure the compromised email accounts upon discovery of the breach and immediately had the incident investigated. Initially, it was … Read more

PHI of 391,472 Patients of Sarrell Dental Potentially Compromised Due to a Ransomware Attack

A ransomware attack on Sarrell Dental, a non-profit children’s dental and optical services provider in Alabama, resulted in the potential compromise of the protected health information (PHI) of its patients. Sarrell Dental is the biggest dental services provider in the state of Alabama with 17 clinics in operation. In July 2019, cyberattackers deployed ransomware on … Read more

Potential Compromise of PHI As a Result of North Florida OB-GYN Cybersecurity Breach

North Florida OB-GYN in Jacksonville, FL learned that hackers got access to particular portions of its computer system that contain personal and medical data of patients and attacked the system with a virus that encrypted the data. Once the breach was uncovered on July 27, 2019, the provider deactivated the networked computer systems and started … Read more

Sen. Rand Paul Presents National Patient Identifier Repeal Act

Sen. Rand Paul, M.D., (R-Kentucky) has presented a new bill that attempts to permanently remove the national patient identifier provision of HIPAA because of the privacy issues in implementing such a system. At this time, HIPAA is most widely known for its healthcare data privacy and security rules, however, the national patient identifier system was … Read more

Senator Demands Explanation for the Exposure of Medical Images Stored in Unprotected PACS

Sen. Mark Warner (D-Virginia) wrote a letter to TridentUSA asking for an explanation concerning a breach involving sensitive medical images at MobileXUSA, one of its affiliates. Sen. Warner is one of the founders of the Senate Cybersecurity Caucus (SCC) that was created to be a bipartisan educational resource for the Senate to effectively engage on … Read more

Healthcare Data Breach Report for August 2019

In August, more than 1.5 healthcare data breaches were reported per day. This is the second consecutive month with a high number of reported breaches. Though the number of breaches is not significantly different from last month (49 versus 50), the number of exposed records went down substantially. There were 729,975 healthcare records breached … Read more

New Data Breach Notification Regulation for Health Insurers in Maryland

Beginning October 1, 2019, health insurance providers and associated services have to notify the Maryland Insurance Administration (MIA) whenever a breach of insureds’ personal information occurs. The change in rules covers health plans, health insurance companies, HMOs, managed general agents, managed care institutions, and third-party health insurance administrators. MIA’s Compliance & Enforcement Unit ought to … Read more

Phishing Attacks on Magellan Health Subsidiaries Impact 56,226 Presbyterian Health Plan Members

The managed care firm Magellan Health, based in Scottsdale, AZ, learned that phishing attacks on two of its subsidiaries caused the compromise of the protected health information (PHI) of Presbyterian Health Plan members from Albuquerque, NM. Two service vendors to Presbyterian Health Plan, specifically Magellan Healthcare and National Imaging Associates, encountered the phishing attacks. … Read more

NCCoE Issued a Mobile Device Security Guidance for COPE Gadgets

The National Cybersecurity Center of Excellence (NCCoE) published the latest draft NIST mobile device security guidance to aid institutions in reducing the risks introduced by corporate-owned personally enabled (COPE) devices. Mobile devices enable workers to access information required to perform their job, regardless of where they are located. So, the devices enable organizations … Read more

NCCoE Releases Draft Guidelines for Securing the Picture Archiving and Communication System (PACS) Ecosystem

The draft NIST guidelines for securing the picture archiving and communications system (PACS) ecosystem were issued by the National Cybersecurity Center of Excellence (NCCoE). The guidelines, called NIST Cybersecurity Practice Guide SP 1800-24, were written for healthcare delivery organizations (HDOs) to help protect their PACS and minimize the likelihood of a data breach or … Read more

About 6,000 People’s PHI Impacted by Phishing Attacks on East Central Indiana School and Frasier

A phishing attack on East Central Indiana School Trust (ECIST) is the reason for the compromise of some protected health information (PHI) of more than 3,200 men and women. On May 19, 2019, an ECIST staff member was tricked into revealing his/her email account credentials, which an attacker used to access that person’s email account. ECIST … Read more

Multi-Factor Authentication Stops 99.9% of Cyberattacks

The healthcare sector runs into a lot of phishing attacks. Every week, healthcare organizations report a number of phishing attacks resulting in protected health information (PHI) exposure or theft. In most cases, the attacks are preventable by adhering to fundamental cybersecurity guidelines. Cyberattacks can now be more complex, though most of the attacks aren’t. They entail … Read more

Guidance on Healthcare Information Sharing Organizations Published by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) released guidance on cybersecurity information sharing for healthcare organizations. HSCC is a partnership of over 200 public-private companies and organizations, such as health IT organizations, healthcare device manufacturers, pharmaceutical firms, laboratories, health plans, payers and government institutions. Its purpose is to deliver collaborative solutions to aid … Read more

Utah Ransomware Attack, Alive Hospice Mailing Error and Community Psychiatric Clinic Breaches Compromised Patient Data

Premier Family Medicine, which is a physician group located in Utah, notified 320,000 patients concerning the potential exposure of their protected health information (PHI) caused by a ransomware attack that affected ten facilities located in Utah County. On July 8, 2019, the ransomware attack occurred and prevented Premier Family Medicine’s staff from accessing patient files … Read more

Patients Impacted by Massachusetts General Hospital Data Breach and Sonoma Valley Hospital Website Hacking

Massachusetts General Hospital (MGH) found lately that the computer applications used by the researchers of its Department of Neurology were accessed without authorization. The individual behind the breach may have accessed approximately 10,000 patients’ protected health information (PHI). MGH became aware of the breach on June 24, 2019 and immediately blocked the software and databases … Read more

First HIPAA Violation Settlement Case in 2019 Involving the Right of Access Initiative

The Department of Health and Human Services’ Office for Civil Rights (OCR) made an announcement early this year that HIPAA enforcement in 2019 would primarily be in the area of HIPAA right of access failures, such as the delayed responses to access requests and charging too much for copies of healthcare records. The HIPAA right … Read more

Declaration of Limited HIPAA Waiver in Puerto Rico, Florida, Georgia and South Carolina Due to Hurricane Dorian

The Secretary of the Department of Health and Human Services (HHS), Alex Azar, has made an announcement placing Puerto Rico and the states of Georgia, Florida, and South Carolina in a public health emergency (PHE) because of Hurricane Dorian. The announcement of the presidential PHE in the previously mentioned areas was made while the states … Read more

73 Email Accounts of Bonita Springs Employees Compromised Due to Phishing Attack

A phishing attack on NCH Healthcare System in Bonita Springs, Florida, highlighted how critical it is to train healthcare employees on security awareness. On June 14, 2019, NCH detected the phishing attack upon seeing suspicious email activity connected with its payroll system. The investigation confirmed that 73 employees had disclosed their account … Read more

Irdeto Survey Reveals 82% of Healthcare Providers Have Encountered a Cyberattack on Their IoT Devices

The Swedish software firm Irdeto conducted the Global Connected Industries Cybersecurity Survey, which showed that 82% of healthcare organizations using Internet-of-Things (IoT) devices have encountered a cyberattack on no less than one of those devices in the last 12 months. Irdeto asked 700 security leaders of healthcare providers and companies in the manufacturing, IT and … Read more

Identified Vulnerability in Philips HDI 4000 Ultrasound Systems

There is a vulnerability identified in Philips HDI 4000 Ultrasound systems that attackers could exploit to access ultrasound images. Besides stealing information, an attacker could tamper with ultrasound images to hinder the diagnosis of a possibly deadly health ailment. Philips HDI 4000 Ultrasound systems run on legacy operating systems like Windows 2000 which aren’t supported … Read more

Code Execution Vulnerability Found in Cardiology Devices of Change Healthcare

Change Healthcare Cardiology, Horizon Cardiology and McKesson Cardiology devices were found to have a vulnerability which a locally authenticated user could exploit to add files that enable the attacker to execute arbitrary code on a device. Asante Information Security’s Alfonso Powers and Bradley Shubin identified vulnerability CVE-2019-18630 and reported it to Change Healthcare. … Read more

Healthcare Data Breach Report Summary in July 2019

May 2019 had 46 breaches with over 500 records exposed making it the worst month ever since the HHS’ Office for Civil Rights began reporting breach summaries on its web portal in 2009. But that record was broken last July, which had 50 healthcare data breaches with over 500 records reported. July had 13 more … Read more

AMCA Breach Impacts 33,370 Mount Sinai Hospital Patients

Mount Sinai Hospital discovered the compromise of 33,730 patients’ protected health information (PHI) as a result of the American Medical Collection Agency (AMCA) cyberattack. This hospital is number 24 in the list of AMCA breach victims, which has impacted nearly 25 million individuals. On June 4, 2019, AMCA informed Mount Sinai Hospital about the unauthorized … Read more

AMCA Data Breach Impacts Almost 25M To Date

The number of victims of the American Medical Collection Agency (AMCA) data breach has gone up to about 25 million with one more healthcare organization announcing that it was impacted by the breach. Wisconsin Diagnostic Laboratories (WDL) runs 13 medical testing facilities in the area of Milwaukee. Around 114,985 of its patients were notified about … Read more

OMB Audit Report Finds the HHS Information Security Program as Ineffective

The Office of Management and Budget (OMB) submitted its yearly audit report to Congress on the status of federal agencies’ cybersecurity, as required by the Federal Information Security Modernization Act of 2014 (FISMA). OMB evaluated 4 of the 12 Department of Health and Human Services (HHS) operating divisions to determine their compliance with FISMA. … Read more

Threat of Lateral Phishing Attacks on Health Care Organizations Increasing

University of California Berkeley, University of San Diego, and Barracuda Networks conducted a recent study, which showed the increasing threat of lateral phishing to healthcare organizations. In a typical phishing attack, the attacker sends an email with an embedded hyperlink going to a malicious web page that harvests login credentials. The emails include a … Read more

Security Breaches at Rhode Island Healthcare Provider and California Hospice Potentially Compromised PHI

Rhode Island Ear, Nose and Throat Physicians Inc. (RIENT) is informing 2,943 patients regarding the unauthorized access of a server that contained some of their health data. A hacker accessed RIENT’s network on June 19, 2019. The provider detected the breach on the same day and secured its network. A hired third-party computer forensics company … Read more

32% of Healthcare Employees Did Not Receive Cybersecurity Training

Since January, about 200 breaches involving over 500 records were reported and it seems that 2019 will be another record year when it comes to healthcare data breaches. Because of the increase in data breaches, Kaspersky Lab conducted a survey to get more understanding about the healthcare industry’s state of cybersecurity. Kaspersky Lab recently published … Read more

45,000 PHI Potentially Exposed Due to Integrated Regional Laboratories, Bayview Dental and Mid-Valley Behavioral Care Network Breaches

Florida-based Integrated Regional Laboratories (IRL) notified around 30,000 patients concerning the potential compromise of their protected health information (PHI) due to the American Medical Collection Agency (AMCA) data breach, which was identified on March 20, 2019. AMCA advised IRL on June 3, 2019 that it had a data breach and confirmed on June 13 that … Read more

Phishing Attacks on Michigan Medicine and Virginia Gay Hospital Potentially Exposed PHI

Michigan Medicine notified about 5,500 of its patients regarding the exposure of some of their protected health information (PHI) following a recent phishing attack. In July, Michigan Medicine was hit by a phishing attack. About 3,200 employees received phishing emails containing a hyperlink to a legitimate-looking website, which asked for the … Read more

State Attorneys General Call For the Alignment of Part 2 Regulations with HIPAA

The National Association of Attorneys General (NAAG) urged House and Senate leaders to make improvements to the Confidentiality of Substance Use Disorder Patient Records regulations, referred to as 42 CFR Part 2. NAAG described the regulations under consideration as “cumbersome [and] out-of-date” and said they limit the uses and disclosures of substance abuse treatment records. The HIPAA … Read more

Renown Health Discovers PHI was Stored on Lost Thumb Drive

Renown Health, which is Northern Nevada’s biggest healthcare provider, has begun notifying some patients about the potential compromise of some of their protected health information (PHI). On June 30, 2019, a portable storage device (thumb drive) containing files with patient data was found missing. A thorough search for the thumb drive was conducted in the … Read more

Patients’ PHI Compromised at FDNY and Perry County Medical Center Data Breaches

From 2011 to 2018, the New York Fire Department (FDNY) used its ambulances to bring over 10,000 EMS patients to the hospital. Due to a breach of data security, the protected health information (PHI) of some patients was exposed. Myles Miller, FDNY’s spokesperson, said that an employee did not observe the appropriate data security … Read more

Exposure of Seattle Community Psychiatric Clinic Patient Data Due to Email Security Breaches

Community Psychiatric Clinic, a Seattle, WA provider of accredited outpatient counseling services and mental health treatment, has encountered two security breaches resulting in the compromise of patient information. In both instances, an unauthorized person accessed the Microsoft Office 365 account of an employee. Community Psychiatric Clinic detected the first security breach on March 12, … Read more

Patients’ PHI Compromised Due to Unsecured Amarin and Medico Database

A database that contains the personal data of people who were interested in Vascepa®, Amarin Pharma’s cholesterol drug, was exposed on the internet. A third-party vendor maintained the database, which contained data including full names, email addresses, postal addresses, phone numbers, interest in a copay card for Vascepa® and medication information. Amarin discovered the breach … Read more

NIST Published a New Guidance on Securing IoT Devices

The National Institute of Standards and Technology (NIST) has published its latest guide for companies manufacturing Internet of Things (IoT) devices so that they can integrate proper cybersecurity controls to ensure the devices are secured against risks when connected to the Internet. This is the second in a series of publications on the security of IoT devices … Read more

Security Breach at Edgepark Medical Supplies Results in Fraudulent Orders

Edgepark Medical Supplies (EMS) learned on May 13, 2019 that an unauthorized person had accessed some of its clients’ accounts. That person changed the shipping addresses on those accounts so that orders would be redirected to other delivery addresses. When EMS discovered the potential breach, it deactivated the compromised client accounts … Read more

Presbyterian Healthcare Services and Three Rivers Community Health Group Data Breaches Impact About 184,000 Patients

Presbyterian Healthcare Services in New Mexico is notifying about 183,000 patients and health plan members that some of their protected health information (PHI) was exposed as a result of a recent security breach. A number of Presbyterian Healthcare Services employees received phishing emails on May 6, 2019. Some employees replied to the … Read more

Imperial Health Ransomware Attack and Lost Laptop Impacts Patients’ PHI

Imperial Health, a physicians’ network in Southwest Louisiana, is announcing the potential compromise of over 111,000 patients’ protected health information (PHI) because of a ransomware attack discovered on May 19, 2019. An unauthorized party was able to deploy ransomware on the network, so that files and Imperial Health’s Center … Read more

Atlantic.Net’s 25th Year Anniversary as Internet and Cloud Services Provider

Cloud service provider Atlantic.Net, which offers HIPAA-compliant hosting to healthcare businesses, is celebrating its 25th anniversary. The company started as an internet service provider in 1994, adapted to changing technology trends, and began offering cloud services in 2009. The company continued to develop its hosting platform and related services over the next … Read more

Critical Vulnerabilities Affect 2 Billion VxWorks Devices

Security researchers at Armis discovered 11 vulnerabilities in the VxWorks real-time operating system, which is used in close to 2 billion IoT devices, control systems and medical devices. Six of the vulnerabilities are rated critical, and the set has been collectively named “Urgent/11.” An attacker could exploit them remotely with no user interaction. If successful, a … Read more

NIST’s New Mobile Device Security Guidance for Corporately-Owned Personally-Enabled (COPE) Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has released draft mobile device security guidance to help companies strengthen the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the network security risks those devices can introduce. Modern businesses need mobile devices to … Read more

$70,000 Ransom Paid by Kentucky Community Health Center to Recover Encrypted Data

Park DuValle Community Health Center in Louisville, KY encountered a ransomware attack on June 7, 2019. The hackers successfully accessed its network and installed ransomware so that the center’s appointment scheduling platform and medical record system became inaccessible. The non-profit health center offers healthcare services to low-income patients in the western Louisville area who have … Read more

Losses Due to BEC Attacks Reach $301 Million Per Month

The Treasury Department released statistics showing a continual increase in business email compromise (BEC) attacks over the last two years. The number of successful BEC attacks reported in 2018 was more than double the number in 2016, and the operational losses and breach response costs resulting from these scams are soaring. Business email compromise … Read more

Summary of Healthcare Data Breach Reports for June 2019

June was a better month than the previous two in terms of data breaches reported. Compared with the 1.5 healthcare data breaches per day reported in April and May, June had only 30 breaches of 500 or more healthcare records, 31.8% fewer than in May. Although there is a drop in … Read more

18 Healthcare Providers Affected by AMCA Breach Resulting to Over 25 Million Records Exposed

More healthcare providers have confirmed over the last few days that they were affected by the American Medical Collection Agency (AMCA) data breach. To date, 18 healthcare providers have been affected and over 25 million individuals are considered victims. Retrieval Masters Credit Bureau (RMCB), AMCA’s parent company, discovered the AMCA breach on March 21, 2019. … Read more

Coveware Study Shows Increasing Ransomware Attacks and Ransom Payments

Ransomware attacks increased in Q2 2019, according to a new report from Coveware. Coveware is a ransomware recovery service provider that helps businesses recover their data after a ransomware attack, either through free remediation or through negotiation with the attackers. Coveware analyzed anonymized information … Read more

Cyberattacks on St. Croix Hospice and Hunt Regional Healthcare

St. Croix Hospice, which provides hospice care across the Midwest, discovered that an unauthorized person accessed an employee’s email account and could have viewed patient data. The hospice detected the breach on May 10, 2019 upon seeing suspicious email activity in the account. An investigation was launched with the help of a third-party computer forensics company. It … Read more

AMCA Breach Also Impacts 2.2 Million of Clinical Pathology Laboratories Patients

Clinical Pathology Laboratories, based in Texas, recently learned that the data breach at American Medical Collection Agency (AMCA) affected 2.2 million of its patients, potentially compromising their protected health information (PHI). AMCA provides debt collection services to many healthcare companies. As a provider of this service, AMCA receives the PHI … Read more

Premera Blue Cross Settles Multi-State Action Lawsuit for $10 Million

Premera Blue Cross has agreed to pay $10 million to resolve a multi-state data breach lawsuit. The 2014 breach, which impacted 10.4 million records, was allegedly the result of violations of state and federal laws. Premera’s systems were hacked on May 5, 2014 and remained accessible to the hacker, undetected, until March 6, 2015. Compromised … Read more

Discovered Vulnerability in GE Aestiva and Aespire Anesthesia Devices

An improper authentication vulnerability has been found in GE Aestiva and Aespire anesthesia devices, which are in general use in hospitals across America. The vulnerability, CVE-2019-10966, could allow an attacker to remotely alter the parameters of a vulnerable device and silence its alarms. Possible changes include adjusting the parameters of gas composition … Read more

Patient Records of Direct-to-Consumer DNA Testing Company Exposed Online

Vitagene is a health tech firm based in San Francisco, CA that offers direct-to-consumer DNA testing. Vitagene accidentally exposed the private and genealogy data of a large number of its customers on the web, where it was open to unauthorized access. The Vitagene DNA testing service is one component of a DNA-based individualized health and wellness program. … Read more

PHI of 25,000 Adirondack Health Patients Potentially Exposed Due to Email Account Hack

Adirondack Health in New York is informing roughly 25,000 patients that a hacker potentially accessed some of their protected health information (PHI). The information potentially compromised includes patient names, birth dates, Medicare ID numbers or medical insurance member numbers, and some information on treatment and/or clinical results. The Social … Read more

Pardee UNC Health Care Theft and Addison County Home Health & Hospice Email Breach

A number of Pardee UNC Health Care patients are being notified about the potential exposure of their protected health information (PHI) as a result of a break-in at its facility at 2029 Asheville Hwy, Hendersonville, NC, in which the thieves also stole electronic equipment. The incident was discovered on May 9, 2019. Pardee believes that electronic PHI … Read more

GAO Audit Pointed Out CMS’ Weak ID Verification System

A recent Government Accountability Office (GAO) audit found that the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) uses a poor and outdated remote ID verification process that consequently likely provides limited protection against fraud. The CMS site can help users find government financial assistance that is … Read more

Researchers Found Critical Vulnerability in Burrows-Wheeler Aligner Genomics Mapping Software

Researchers at Sandia National Laboratories discovered a vulnerability in open-source software used by genomic researchers. An attacker exploiting this vulnerability could access and modify sensitive genetic data. DNA screening involves two steps. The first is the sequencing of a patient’s DNA and the mapping of their genome. … Read more

PHI of 10,893 Summa Health Patients and 5,400 Community Physicians Group Patients Potentially Compromised in Phishing Attack

Summa Health in Akron, Ohio discovered that an unauthorized person had accessed four employee email accounts containing patients’ protected health information (PHI). Summa Health learned of the breach on May 1, 2019 and started an investigation, which showed that two email accounts were breached in August 2018 and two more accounts … Read more

9-Year PHI Breach at Dominion National Impacted 2.9 Million Members

A data security incident at Dominion National involved the personal data of its members. Dominion National is an insurance provider, health plan administrator, and administrator of dental and vision benefits, based primarily in Virginia. Hackers first accessed the provider’s servers in 2010. Dominion National started an internal investigation after being alerted to the incident and … Read more

HELP Committee Passes Lower Health Care Costs Act

The Senate Health, Education, Labor and Pensions (HELP) Committee has approved a bill of considerable importance to HIPAA-covered entities: the Lower Health Care Costs (LHCC) Act of 2019. One key objective of the bill is to improve the transparency of medical care costs and quality of service. The bill is also meant to stop surprise medical … Read more

5 Million-Records Breach of MedicareSupplement.com and Summa Health Data Breach

The personal data of approximately 5 million people, held in a MongoDB database, was exposed on the web. The database, which contained personal and health data, belongs to MedicareSupplement.com. TZ Insurance Solutions operates the website, which helps people find a Medigap insurance plan. People in search of coverage could go to the website … Read more

New OCR Guidance on Allowable Uses and Disclosures by Health Plans for Patient Care Coordination and Continuity of Care

The Department of Health and Human Services’ Office for Civil Rights published new HIPAA guidance for health plans about the proper sharing of protected health information to assist patient care coordination and continuity of patient care. The guidance is written in the format of an FAQ. It answers two questions that health plans frequently ask: … Read more

2,200 Franciscan Health Patients’ PHI Exposed Due to Unauthorized Access and Boxes of Medical Records Abandoned in Chatham, Chicago

Franciscan Health, based in Mishawaka, IN, learned that a former employee had accessed the protected health information (PHI) of about 2,200 patients without authorization. Franciscan Health discovered the privacy breach during a scheduled privacy audit. On May 24, 2019, Franciscan Health confirmed that an employee assigned to the quality research department had accessed patients’ … Read more

A Nurse Terminated and 10,970 Patient PHI Exposed Due to Breaches at Takai, Hoover & Hsu and Navicent Health

A former employee of a healthcare provider in Germantown, MD allegedly accessed the protected health information (PHI) of roughly 16,542 patients. The data was purportedly provided to a third party and used for fraudulent transactions. On April 10, 2019, county and state law enforcement informed Takai, Hoover & Hsu, P.A., the owner of THH … Read more

May 2019 Healthcare Data Breach Report

April saw more healthcare data breaches reported than any other month so far, and May continued the trend with 44 breaches reported. The number of healthcare records exposed in May was 1,988,376, a 186% increase over April. The average number of healthcare data breaches reported … Read more

Ransomware Attacks on Illinois and California Clinics Reported

The Quantum Vision Centers and Eye Surgery Center located in Illinois is notifying its patients about the potential compromise of some of their protected health information (PHI) because of a ransomware attack in April 2019. An unauthorized person accessed Quantum systems on April 18, 2019 and installed ransomware, which encrypted files. The information contained in … Read more

Meditab Software Breach Impacts Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) Patients

A potential breach at Meditab Software Inc. affects two healthcare companies in Maryland. Meditab is a business associate of the two companies, providing them with EMR and practice management software, so its systems hold patients’ protected health information (PHI). Meditab discovered in March 2019 that some PHI had been left unsecured. Meditab had developed a website to … Read more

Becton Dickinson Discovered High and Critical Severity Vulnerabilities in Alaris Gateway Workstations

Becton Dickinson (BD) has discovered two vulnerabilities in its Alaris Gateway Workstations, which are used with some of its infusion pumps. One is rated critical, with the maximum CVSS v3 score of 10.0. BD is known for proactively searching for vulnerabilities, responding to cybersecurity concerns, and announcing the specifics of vulnerabilities promptly. BD readily announced the two vulnerabilities and provided information about … Read more

PHI of 87,400 Plan Members Exposed Due to Union Labor Life Insurance Phishing Attack

Union Labor Life Insurance (ULLI), a subsidiary of Ullico Inc., suffered a phishing attack that exposed the protected health information (PHI) of 87,000 plan members. A ULLI employee responded to a phishing email believing it was a legitimate request from a business partner. The email contained a hyperlink, which the employee clicked. … Read more

Alabama Plaintiff Receives $300,000 for Damages over HIPAA Breach

Amy Pertuit of Alabama has received $300,000 in damages for a physician’s illegal access to and disclosure of her protected health information (PHI) to a third party. Pertuit filed a lawsuit against Alabama-based Medical Center Enterprise (MCE), a former MCE doctor, and a lawyer over the privacy violation in January 2015. The … Read more

Carbon Black Reports Trend in Ransomware and Data Destruction Attacks

Carbon Black’s Healthcare Cyber Heists in 2019 report compiled information from 20 industry-leading CISOs, including the cyberattacks they experienced in the past year, the strategies employed in those attacks, and changes in the threat landscape. Healthcare data breaches in 2018 reached a record high, and cyberattacks continue at an unparalleled level. April 2019, which … Read more

Lawsuits Filed and Investigations Launched Over AMCA Breach

Since news of the huge data breach at American Medical Collection Agency (AMCA) broke, more than a dozen lawsuits have been filed by breach victims. Quest Diagnostics officially announced the breach on June 3, 2019 in an 8-K filing with the Securities and Exchange Commission (SEC). LabCorp followed with an SEC filing on … Read more

PHI of 978 Patients of Mercy Health Exposed

Mercy Health found that some of its patient data had been uploaded to a private server used for online appointment scheduling, electronic check-in at doctors’ offices and other online activities, where unauthorized people could have accessed it. Mercy Health corrected the issue and secured all patient data on March 25, 2019. … Read more

AMCA Data Breach Victims Now Over 20 Million as BioReference Laboratories Confirmed Breach Impact

The number of victims of the American Medical Collection Agency (AMCA) data breach has now passed 20 million, with the confirmation by another healthcare organization that it was affected by the incident. BioReference Laboratories, a laboratory and clinical testing company based in New Jersey, recently confirmed the exposure of roughly 422,600 of its clients’ personal information because of … Read more

New Update to Oregon Data Breach Notification Law Now Covers Vendors of Covered Entities

An update to Oregon’s breach notification law has been approved. The update expands the definition of consumer data, modifies the definition of covered entity, and extends the law to cover vendors. Senate Bill 684 renamed the Oregon Consumer Identity Theft Protection Act as the Oregon Consumer Information Protection Act and its … Read more

More Than 1.68 Million Records Exposed Due to Misconfigured University of Chicago Medicine Elasticsearch Instance

There have been several massive data breaches recently, including the 11.9 million-record breach at Quest Diagnostics and the 7.7 million-record breach at LabCorp. Now University of Chicago Medicine has reported the exposure of over 1.68 million records. The Elasticsearch server that stored the records was misconfigured, which mistakenly removed its protections and gave anyone unauthenticated access … Read more

12 Million Quest Diagnostics Patients Affected by AMCA Data Breach

A hacker accessed the systems of American Medical Collection Agency (AMCA) based in Elmsford, NY, a billing collections company. The breach may have resulted to the viewing and copying of the protected health information (PHI) of 11.9 million Quest Diagnostics patients. Quest Diagnostics is a large blood testing laboratory in America that uses AMCA services. … Read more

Health Quest Over Delayed Sending of Breach Notifications to Patients

A phishing attack on Health Quest resulted to the exposure of the protected health information (PHI) of some patients. The affiliates of Health Quest, namely Health Quest Medical Practice, Hudson Valley Newborn Physician Services and Health Quest Urgent Care were affected by the breach. The patients of the mentioned affiliates who received medical services had … Read more

Microsoft BlueKeep RDS Flaw May Still Impact 1 Million Vulnerable Windows Devices

Microsoft issued a patch to correct a critical, wormable flaw found in Remote Desktop Services about two weaks earlier. Yet approximately 1 million devices are still vulnerable because of not applying the patch nor the recommended mitigations to decrease the threat of exploitation. The CVE-2019-0708 flaw could be remotely exploited with no need of user … Read more

Siemens Healthineers Products At Risk to Microsoft BlueKeep Wormable Vulnerability

There are six security advisories involving Siemens Healthineers products. The vulnerabilities have a CVSS v3 score of 9.8 out of 10 and may be linked to CVE-2019-0708, the Microsoft BlueKeep RDS vulnerability. The vulnerability CVE-2019-0708 may be remotely exploited without user interaction. An attacker can exploit the vulnerability and take control of a vulnerable device … Read more

Almost 10,000 Health Plan Patients Affected by Data Breaches at TriHealth and Centura Health

TriHealth, a health system based in Cincinnati, is notifying 2,433 patients because their protected health information (PHI) was impermissibly disclosed to a student mentee. A former TriHealth doctor was supervising the student, who accessed patient data for a prospective research project. On June 8 to June 9, 2018, the student obtained patient information such as … Read more

PHI Exposed Because of a Phishing Attack on Medford and Insider Breach at Penn Medicine

Medford Patients’ PHI Exposed Medford, a Hematology Oncology Associates located in Oregon, had a phishing attack, which caused the email accounts of several Medford employees to be compromised. The first time an email account was breached happened on December 18, 2018. The attacker accessed the other accounts until February 22, 2019. Medford became aware of … Read more

Today’s Vision Patients and Employees Records Found in Dumpster in Texas

Health records of Today’s Vision patients and employees were found in boxes abandoned in a Texas public dumpster. The documents include highly sensitive information. The Today’s Vision network in Texas consist of around 50 optometry clinics, which are owned and operated by independent owners. The bulk of records seem to be from the Today’s Vision … Read more

Inmediata Breach Exposed the PHI of 1.5 Million People Online

Inmediata, a clearinghouse service provider to healthcare organizations, notified some of its patients in April that their protected health information (PHI) were exposed on the web because of a misconfiguration of an internal webpage. The Department of Health and Human Services’ Office for Civil Rights already received the breach report, which indicated that the PHI … Read more

Vulnerabilities Identified in Siemens Scalence Access Points

Siemens has identified one critical vulnerability and a number of high-severity vulnerabilities in the direct access point of Scalance W1750D. Attackers with a low level of skill could exploit the vulnerabilities remotely. An attacker exploiting the vulnerability could access the W1750D device to execute arbitrary code in its base operating system, access sensitive data, do … Read more

Cancer Treatment Centers of America’s Second Phishing Attack in 6 Months

Cancer Treatment Centers of America (CTCA) experienced another breach of the email account of an employee belonging to its Southeastern Regional Medical Center after responding to a phishing email. This happened on March 10, 2019 after the employee responded to what looks like a legitimate internal email and disclosed network login details. CTCA found out … Read more

Breach Notices from American Medical Response and Bloodworks Northwest

A phishing attack on American Medical Response, a provider of emergency and patient relocation services in Greenwood Village, CO resulted to the access by an unauthorized person of the protected health information (PHI) of 4,300 patients who availed its ambulance service in the past. The compromised information contained in the email accounts of an employee … Read more

Microsoft Patches Released to Fix Critical Flaw That Could Result to WannaCry-Type Malware Attacks

On May 14, 2019, Microsoft issued a patch to correct a ‘wormable’ vulnerability in Windows, which is identical to the vulnerability that attackers exploited in the May 2017 WannaCry ransomware attacks. The vulnerability involved a remote code execution in Remote Desktop Services – previously Terminal Services – that could be exploited through RDP. The CVE-2019-0708 … Read more

Facebook Changes to Be Implemented to Protect the Privacy of Health Support Group Members

Facebook is implementing a few changes to Facebook Group Communities talking about medical conditions. This decision was deemed necessary considering the complaint on Facebook Groups that even though it is being presented as an exclusive and confidential community, third parties are able to access the information of health group members and use it for advertising. … Read more

Alleged Anthem Hackers in 2015 Cyberattack and Theft of 78.8 Million Records Indicted

The U.S. Department of Justice charged two Chinese nationals for allegedly instigating the 2015 hacking of Anthem Inc. Fujie Wang, 32 years old, and an unnamed guy were charged in a 4-count indictment in connection with the Anthem cyberattack, where in 78.8 million health insurance records were stolen, and three more cyberattacks on U.S. businesses … Read more

PHI of 1,100 Spectrum Health Lakeland Patients Potentially Exposed Due to Phishing Attack

This is the second time in two months that Spectrum Health Lakeland announced the occurrence of a breach exposing some patients’ protected health information (PHI). The last breach happened at business associate Wolverine Services Group affecting approximately 60,000 patients. The most recent breach involved the access of an email account by an unauthorized person because … Read more

Insider Breaches at American Indian Health & Services and Madison Parish Hospital

A former employee of American Indian Health & Services violated HIPAA rules by forwarding to a personal email account the email messages that contain the sensitive information of some employees, patients, and vendors. American Indian Health & Services operates a community health clinic in Santa Barbara, CA. American Indian Health & Services discovered the incident … Read more

NIST is Accepting Feedback for the Creation of AI Standards and Tools

The National institute of Standards and Technology (NIST) announced a request for information (RFI) to get industry stakeholders’ comments regarding the formation of new criteria and tools for systems employing artificial intelligence (AI) technologies. An Executive Order on Maintaining American Leadership in Artificial Intelligence calls for NIST to set up a plan for technical criteria … Read more

Bodybuilding.com Data Breach Impacted PHI of 3,193 Employees and Dependents

The owner of Bodybuilding.com, a website on bodybuilding and personal fitness, announced a security incident that potentially resulted in the access of customer and employees information by unauthorized people. Under HIPAA, this type of breach affecting customers is not a reportable ıncident. But HIPAA actually covers group health plans. Therefore, bodybuilding.com had to report the … Read more

Inmediata Breach Notification Letters Sent to Wrong Addresses Due to Mailing Error

After the breach at Inmediata that resulted to PHI exposure, the provider mailed notification letters to the affected people. But a number of folks submitted reports of getting notification letters that were addressed to another person. The breach at Inmediata involved a webpage that company employees used internally, which was accidentally configured to allow its … Read more

Arizona Court of Appeals Permits Patient to File Negligence Claim Against Costco Based on HIPAA Violation

A man from Arizona sued Costco for a privacy violation. The lawsuit was dismissed by the trial court but the Court of Appeals overturned the decision overturned. The Court of Appeals’ ruling allowed the patient to sue the pharmacy for negligence based on a Health Insurance Portability and Accountability Act (HIPAA) violation. The privacy violation … Read more

Philips Tasy EMR Vulnerability Identified

A vulnerability was discovered in the Philips Tasy EMR information system. An attacker could exploit the vulnerability and send to the system unexpected data that could potentially permit an arbitrary code to be executed, change information flow, influence system integrity, and allow the attacker to have unauthorized access of patient data. Security researcher Rafael Honorato … Read more

PHI Exposed Due to a Webpage Misconfiguration and a Server Ransomware Attack

Webpage Misconfiguration Inmediata Health Group Corp, a clearinghouse, software program, and business process solutions provider, notified some of its clients’ patients about the accidental exposure of their medical data online. Inmediata discovered in January 2019 the misconfiguration of a webpage that employees use internally, thus allowing search engines to find and index the webpage. There … Read more

Ransomware Attack on Medical Billing Service Provider After an Earlier Computer Breach

The medical billing services provider, Doctors’ Management Service Inc. based in Massachusetts, found out on December 24, 2018 the download of malicious software to its network thus preventing file access. The investigators of the incident discovered that the ransomware GandCrab was used in the attack. Using backups, the provider recovered the files and did not … Read more

Deadline for Commenting on the Proposed Rules to Improve ePHI Interoperability Extended

The Department of Health and Human Services changed the due date for sending feedback on its proposed guidelines to promote the interoperability of health information technology and electronic protected health information (ePHI) to June 3, 2019. The Office of the National Coordinator for Health IT (ONC) and the Centers for Medicare and Medicaid Services (CMS) … Read more

Three Scientists of MD Anderson Cancer Center Fired Over Issues of Research Data Theft

Three scientists of MD Anderson Cancer Center, the top cancer research center in the world, were recently fired because of espionage fears after the National Institutes of Health (NiH) alerted the center of irregularities relating to grant recipients. Federal officials had instructed NiH, the biggest public funder of biomedical research in the U.S., to investigate … Read more

Fujifilm Computed Radiography Cassette Readers Vulnerabilities Identified

There were two vulnerabilities found in Fujifilm computed radiography cassette readers. An attacker could exploit these vulnerabilities and access the operating system, implement arbitrary code, make the devices inoperable, change functionality, and bring about loss of images. The following Fujifilm computed radiography cassette readers have been found with the vulnerabilities: CR-IR 357 FCR XC-2 CR-IR … Read more

Washington State University Agreed to $4.7 Million Settlement of Class Action Data Breach Lawsuit

The King County Superior Court recently approved a $4.7 million settlement to repay people who suffered theft of their personal data from Washington State University in April 2017. Copies of the personal information of 1,193,190 individuals were stored on portable hard drives and Washington State University kept them in a safe in a self-storage locker. … Read more

About 14,000 People Affected by Klaussner Furniture Industries and Vetern Health Administration Breaches

A security breach on Klaussner Furniture Industries, Inc resulted to the exposure of the protected health information (PHI) of its 9,352 present and past employees as well as a number of the employees’ dependents. Klaussner Furniture discovered that unauthorized individuals accessed its computers in February 2019. A top rated cybersecurity company helped carry out a … Read more

Breaches at Oregon Endodontic Group and Humana Web Portal Resulted to PHI Compromise

A computer used in the office of Oregon Endodontic Group was installed with malware resulting to the possible email data theft by the attackers. On November 13, 2018, the group became aware of suspicious actions in the email account and started an investigation. A third -party forensic firm helped investigate the nature and severity of … Read more

Patient Data Exposed Due to Virus Infection of Centrelake Medical Group System

Centrelake Medical Group, which has 8 medical imaging and oncology centers located in California, is sending notifications to some patients about the exposure of some of their protected health information (PHI) because of a computer virus infection. The medical group discovered the computer virus in February 2019 when it was not able to access its … Read more

HHS’ Sluggish Implementation of GAO Health IT and Cybersecurity Recommendations

The U.S. Department of Health and Human Services (HHS) is quite slow in implementing the recommendations of the Government Accountability Office (GAO). There are 392 recommendations currently not yet addressed. That includes 42 recommendations rated as high priority by GAO. In the last four years, HHS only addressed 75% of GAO’s recommendations. The poor implementation … Read more

Fears about Cloud Security and the Big Potential of Alexa Voice Technology

At the Dublin Tech Summit in Ireland recently, the chief technology officer of Amazon Web Services, Werner Vogels, dispelled security concerns about cloud computing. After the news about the exposure of 540 million Facebook records stored on AWS, people have become concerned about the security of information stored in the cloud. Under the General Data Protection … Read more

MD Anderson Cancer Center Contests $4,348,000 HIPAA Civil Monetary Penalty

In 2018, the HHS’ Office for Civil Rights (OCR) issued a $4,348,000 civil monetary penalty (CMP) to University of Texas MD Anderson Cancer Center after discovering several alleged HIPAA violations that resulted in three data breaches in 2012 and 2013. OCR investigated the breaches and found an impermissible disclosure of 34,883 patients’ electronic protected health … Read more

Is Calendly HIPAA Compliant?

Calendly is a tool that is popularly used by many businesses for managing meeting and appointment schedules. Can Calendly be used by healthcare organizations? Does its use comply with HIPAA? Businesses generally spend considerable time and effort scheduling meetings and appointments and chasing employees to confirm appointments. Calendly is designed to do away with … Read more

Is Evernote HIPAA Compliant?

Evernote is a cloud-based application that is handy for taking notes, planning projects, making to-do lists, and working together in teams. Nevertheless, can healthcare professionals and doctors use Evernote with ePHI without violating HIPAA? Does Evernote support HIPAA compliance? Evernote is intended to be an accessible database for many kinds of digital data, including documents, images, … Read more

Cyberattack on Hardin Memorial Health Caused EHR Downtime

A cyberattack on Hardin Memorial Health located in Kentucky caused EHR downtime and interruption to its IT systems. The cyberattack began on the evening of April 5. According to spokesperson Troutt of Hardin Memorial Health, IT systems were interrupted because of a security breach. The details of the cyberattack have not been provided yet, so it … Read more

Is Google Keep HIPAA Compliant?

Google Keep is a web-based note-taking program that makes it possible to create notes and share them across several devices. The platform is popular, but is it HIPAA compliant? Can healthcare organizations use Google Keep in association with ePHI? Google has created numerous products that may be employed in healthcare. Google has been known … Read more

Is Return Path HIPAA Compliant?

Return Path is an email marketing and optimization system that allows organizations to have autopilot management of their email marketing campaigns and analytics. A lot of organizations use Return Path. Can healthcare organizations do the same? Does Return Path support HIPAA compliance? Sending Emails to Patients and Health Plan Members There are guidelines that healthcare … Read more

Business Associate Error Impacted Burrell Behavioral Health Patients’ PHI

Burrell Behavioral Health notified 67,493 patients regarding the accidental compromise of their healthcare information because of an error at an unnamed business associate in August 2018. The business associate stored images that include the protected health information (PHI) of some patients at Burrell Behavioral Health. Because the internet-facing portal used by the business associate … Read more

Amazon’s New System for De-identifying Medical Images

Amazon not long ago introduced a new system that can identify protected health information (PHI) embedded in medical images and automatically redact it so that patients can no longer be identified from the images. Medical images typically contain the PHI of patients, such as names, birth dates, and related details. The PHI appears as plain text in … Read more

PHI of 14,305 Main Line Endoscopy Centers Patients Exposed Due to a Phishing Attack

A phishing attack on Main Line Endoscopy Centers, a group of outpatient endoscopy facilities located in the Bala Cynwyd, Malvern and Media regions of Pennsylvania, led to an unauthorized individual accessing an employee’s email account. The breach occurred after the employee responded to a phishing email. The exact date when the breach … Read more

Health Apps Share User Data Without Users’ Knowledge

It’s very common to see the use of mobile health apps nowadays. These apps track health metrics to promote healthful living and so record a variety of sensitive health data. But consumers may have no idea how their data is used and who has access to the information. Any data recorded by an app is … Read more

Lawsuit Filed Against Sharp Grossmont Hospital For Video Recordings of Patients During Gynecology Operations

Sharp HealthCare and Sharp Grossmont Hospital were named in a lawsuit alleging that the hospital covertly video-recorded female patients while they were undressing and while undergoing gynecological examinations. As per the lawsuit, the hospital had video cameras installed on drug carts in three operating rooms at its facility on Grossmont Center Drive in El … Read more

Issues on Sharing Health Data with Non-HIPAA Covered Entities Using Apps and Consumer Devices

The eHealth Initiative Foundation and Manatt Health issued a brief calling for the introduction of a values framework in order to efficiently protect health data that is gathered, stored, and utilized by organizations that the law does not require to conform to the Health Insurance Portability and Accountability Act (HIPAA) Rules. Medical information is being collected more … Read more

HIPAA Administrative Simplification Rules Compliance Review Program Launched By CMS

The HHS’ Centers for Medicare and Medicaid Services (CMS) introduced a compliance review program for assessing the compliance of HIPAA covered entities with the HIPAA Administrative Simplification Rules for electronic healthcare transactions. The compliance reviews are going to start in April 2019. Why Adopt the HIPAA Administrative Simplification Rules The goal for introducing the HIPAA … Read more

Three Email Security Incidents Exposed PHI

In the past few days, there were three reports of email system breaches that resulted in the unauthorized access of email accounts that contain protected health information (PHI). Navicent Health based in Macon, GA is notifying patients regarding the potential compromise of some of their PHI because of a phishing attack on its email system. … Read more

Phishing Attack on Oregon Department of Human Services Impacts 350,000 People

A phishing attack on the Oregon Department of Human Services (ODHS) may have resulted in unauthorized individuals viewing or accessing the protected health information (PHI) of over 350,000 people. ODHS found out on January 28, 2019 that unauthorized persons accessed email accounts that contain the personal information of its clients. The forensics specialists … Read more

A Patient Sues Northwestern Medicine Over Medical Information Disclosure on Social Media

Gina Graziano, a patient of Northwestern Medicine Regional Medical Group, is suing the medical group for the disclosure of sensitive medical information on Twitter and Facebook. She discovered that a number of her sensitive medical data were disclosed on social media platforms and made a complaint to Northwestern Medicine about the privacy breach. Upon … Read more

Breach of Patient Data at New Jersey Healthcare Provider Found Due to Unprotected Data Server

Security researcher Jeremiah Fowler discovered an unsecured healthcare database containing about 37,000 records on March 1, 2019. A brief review of the database revealed that the records belonged to Home Health Radiology Services LLC, a healthcare provider in New Jersey. The database comprised highly sensitive patient data including names, addresses, telephone numbers, and birth dates … Read more

Potentially Massive Breach of PHI Due to Unprotected Fax Server

Meditab Software Inc., a medical software provider based in Sacramento, CA, and MedPharm Services, its affiliate based in San Juan, PR, had an enormous breach of protected health information (PHI). Meditab provides hospitals, doctor’s clinics, and pharmacies with electronic medical record (EMR) and practice management software. The company website claims that it has over 2,200 … Read more

Internet of Things Improvement Act Requires Federal Government to Buy IoT Devices Meeting Minimum Security Standards

U.S. Sens. Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, together with Sens. Steve Daines (R-MT) and Maggie Hassan (D-NH), introduced the Internet of Things Improvement Act. This Act calls for the U.S. government to buy only IoT devices that satisfy minimum security requirements. Reps. Will Hurd (R-TX) and … Read more

Workplace Safety Survey Shows Healthcare Employees Lack Awareness of Emergency Plans

Rave Mobile Safety based in Framingham, MA released the findings of its yearly workplace safety and preparedness survey. According to the report, emergency preparedness was better this year than in 2017, but there is still much to be improved, particularly in the healthcare and education sectors. The survey involved the participation of 540 full-time … Read more

Check Point Explains the Security Risks of Medical Devices

Check Point researchers demonstrated how it is possible to quickly access IoT medical devices. It serves as a warning not to ignore the security risks of medical devices. There were big technological developments in the last few years that led to the creation of new medical equipment. However, the IT settings where the devices are … Read more

21,000 Patients Affected by Breaches at Pasquotank-Camden Emergency Medical Services and Oklahoma Heart Hospital

Pasquotank-Camden Emergency Medical Services (PCEMS) found out that hackers gained access to the server where its billing system is located. The protected health information (PHI) of 20,420 patients is stored on this server. Because of the attack, the hackers possibly accessed the highly sensitive data of persons who acquired healthcare services from PCEMS in the … Read more

Hacking and Malware Incidents in Healthcare Increased According to Beazley Report

The most recent Beazley Breach Insights Report states that healthcare is the industry sector most hit by breach incidents. About 41% of all breach reports received by Beazley Breach Response (BBR) Services were from the healthcare industry. Throughout all industry sectors, the following statistics show the causes of the breaches: #1 hacking and malware attacks … Read more

Hospitals Have High Risk Exposure to Devastating Cyberattack

According to the new Moody’s Investors Service Report, four industry sectors face considerable financial risks from cyberattacks: hospitals, market infrastructure providers, banks, and securities companies. Those four sectors were identified as having high cyber risk exposure because they are very much dependent on technology for everyday operations, content distribution and customer engagement. … Read more

400,000 Patients of Columbia Surgical Specialists of Spokane Affected by Ransomware Attack

Columbia Surgical Specialists of Spokane located in Washington encountered a ransomware attack, which resulted in unauthorized persons potentially accessing the protected health information (PHI) of around 400,000 patients. The Department of Health and Human Services’ Office for Civil Rights received the security breach report on February 18, 2019 and posted the incident … Read more

Rush University Medical Center Data Breach Impacts PHI of 45,000 Patients

Rush University Medical Center is informing roughly 45,000 patients about the exposure of their protected health information (PHI) because of a data incident that happened at a financial services vendor. Rush learned about the incident on January 22, 2019. It was discovered that one of the financial services vendor’s employees disclosed a document that contains … Read more

New Bill on Cybersecurity Requirements for Health Insurance Companies in Ohio

From March 20, 2019, insurance firms based in Ohio will need to follow Senate Bill 273. This new law requires insurance companies to create and enforce a written information security program to protect both business and personal data. The information security program should consist of a complete internal risk assessment to determine the risk and … Read more

PHI of 326,000 Patients Exposed Due to UConn Health Phishing Attack

UConn Health is informing around 326,000 patients regarding the exposure of some of their personal data because of a phishing attack on several UConn Health employees. UConn Health discovered the phishing attack on December 24, 2018 and secured all email accounts. An internal investigation confirmed that the breach involved the access of several email … Read more

Potential PHI Exposure Due to Rutland Regional Medical Center Email Accounts Hacking

Rutland Regional Medical Center (RRMC) located in Rutland City is the biggest community hospital in the state of Vermont. It was discovered that hackers accessed nine employees’ email accounts and possibly viewed or acquired the protected health information (PHI) of patients. On December 21, 2018, an employee of RRMC discovered that a lot of spam emails … Read more

How Do You Report A HIPAA Violation at Work?

If you think that a HIPAA violation occurred in your workplace, would you report it? How and to whom? If by accident you have violated HIPAA Rules or perhaps someone in your workplace, a colleague or your boss, is violating HIPAA Rules, it is vital that you report the potential violation(s). Since the HIPAA Enforcement … Read more

Facebook Alleged to Have Exposed Sensitive Health Information Shared in Closed Groups

The FTC received a complaint that was submitted concerning Facebook’s misleading practices. The complaint claims that health-related information disclosed in closed, purportedly anonymous and non-public Facebook groups has been compromised. Congress is asking Facebook to give answers regarding the purported privacy violations concerning the Facebook PHR (Groups) system. The House Committee on Energy & Commerce … Read more

Is Zoom HIPAA Compliant?

About 750,000 businesses today use Zoom as it is a popular video and web conferencing program. Are healthcare organizations allowed to use Zoom for sharing PHI? Does it support HIPAA compliance? Since Zoom is a video and web conferencing platform that is cloud-based, it makes it possible for people from various locations to join web … Read more

Maryland May Impose Stricter Laws and Penalties for Ransomware Attacks

Because businesses and hospitals in Maryland have suffered a large number of ransomware attacks, the new Senate Bill 151 was introduced to increase the penalties for ransomware attacks. Hopefully, the higher penalties would dissuade people from carrying out ransomware attacks in the state. As per the bill, ransomware refers to computer or data contaminant, lock or … Read more

March 1, 2019 Deadline for Small Healthcare Data Breach Reports Submission

March 1, 2019 is the deadline for sending the Department of Health and Human Services’ Office for Civil Rights all 2018 data breach reports for breaches which affected fewer than 500 people. The HIPAA Breach Notification Rule calls for all HIPAA-covered entities and business associates to report data breaches involving 500 or more healthcare records … Read more

PHI of 3,472 Anesthesia Associates of Kansas City Patients Exposed Due to Stolen Patient Schedules

Paper documents containing patient data were stolen from the vehicle of an employee of Anesthesia Associates of Kansas City on December 14, 2018. A bag containing patient schedules was left by the employee in his car. Information such as names, dates of birth, surgery dates, types of surgical operations and names of surgeons were … Read more

2,143 Patients Impacted by United Hospital District Phishing Attack

The United Hospital District based in Blue Earth, MN discovered the exposure of patient information and its potential access by an unauthorized person due to a phishing attack in June 2018. One email account was compromised because of the phishing incident. The attacker got the credentials of the email account because an employee responded to … Read more

Is Google Sheets HIPAA Compliant?

Google Sheets is a service for creating, viewing and sharing spreadsheets provided by Google. Is it all right for HIPAA-covered entities to use Google Sheets in conjunction with identifiable protected health information? Does doing so violate the HIPAA Rules? As per the HIPAA Rules, healthcare organizations need to protect the confidentiality, availability and integrity of … Read more

What is the Reason for the Slow Pace of Technology Adoption in Healthcare?

In relation to the use of new technology, the healthcare industry is quite slow compared to other industries. It is an undeniable fact that the healthcare industry seems to resist change, even if those changes would be considerably beneficial to patients. In this time of advanced technology when tablets, smartphones and the Internet of Things … Read more

Email Account Breach at EyeSouth Partners Potentially Exposed the PHI of 24,000 Georgia Eye Associates Patients

An attacker got access to an EyeSouth Partners employee’s email account, resulting in the potential viewing or theft of the electronic protected health information (ePHI) of about 24,000 patients. EyeSouth Partners, a business associate of Cobb Eye Center, Georgia Ophthalmology Associates, South Georgia Eye Partners and Georgia Eye Associates, learned about the breach of data on … Read more

Non-HIPAA Compliance of Amazon Alexa Limits Application in Health Care

Amazon Alexa can be used in the healthcare industry, but its use is limited because of its non-HIPAA compliance, although that may change in the near future. At this time, AWS, Amazon’s cloud platform, supports HIPAA compliance. Amazon’s voice recognition technology may also be used much more extensively in healthcare. However, before Alexa could reach its … Read more

Wyoming Considering to Repeal the Hospital Records Act of 1991

Wyoming is looking at repealing the Hospital Records Act of 1991, which was passed to ensure that hospitals are taking steps to protect patient data privacy. The law was enacted five years prior to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It mandated hospitals to employ privacy and security measures that were … Read more

Lawsuit Against Community Health Systems 4.5 Million-Record Data Breach Finally Reached a Settlement

Community Health Systems (CHS) is offering compensation to its patients for the theft of their protected health information (PHI) during a cyberattack in 2014. Community Health Systems of Tennessee is one of the biggest healthcare systems, managing more than 200 hospitals in the U.S. In 2014, CHS found that malware was installed on its systems, which … Read more

Minnesota Infertility Clinic Malware Attack and Waco Dental Clinic Server Theft

The Reproductive Medicine and Infertility Associates network was infected by malware, according to an infertility clinic in Woodbury, MN. Although no proof was found suggesting that the malware accessed or exfiltrated any patient information, a data breach cannot be ruled out. The clinic detected the malware attack on December … Read more

Phishing Attacks on Roper St. Francis Healthcare and Minnesota DHS Compromise PHI

Roper St. Francis Healthcare based in Charleston, SC experienced a large-scale phishing attack, which allowed the attackers to access 13 employees’ email accounts. Roper St. Francis Healthcare discovered the phishing attack on November 30, 2018 and blocked the access to a company email account. Upon investigation, it was found that more email accounts were compromised. … Read more

Is Google Docs HIPAA Compliant?

Can Google Docs be considered as HIPAA compliant? Is uploading of files with protected health information (PHI) to Google Docs allowed? This post will evaluate the HIPAA compliance of Google Docs and determine if HIPAA-covered entities or business associates can use it in conjunction with ePHI. Does Google Docs Encrypt Files? To be HIPAA compliant, … Read more

Getting Paid for Sharing Healthcare Data Proposed in Oregon Health Information Property Act

The Oregon Health Information Property Act is a proposal that allows patients to give consent to their healthcare providers to sell their health information and to get payment in return for permitting third parties to use their data. At present, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule specifies the allowable uses and disclosures … Read more

BD FACSLyric Flow Cytometry Solution Vulnerabilities Identified

Becton, Dickinson and Company (BD) has discovered an access control flaw in its BD FACSLyric flow cytometry solution. If an attacker exploits the vulnerability, administrative-level privileges can be gained on a vulnerable workstation and commands can be executed. An attacker with low-level skills could exploit the vulnerability. BD thoroughly checks its software for possible vulnerabilities and … Read more

Phishing Attack on Verity Health System Exposes Patients’ PHI

Verity Health System is a network of 6 hospitals based in Redwood City, California. It encountered a phishing attack on November 27, 2018, resulting in the potential compromise of the protected health information (PHI) of some patients. A hacker was able to obtain a Verity Health employee’s Office 365 credentials as a consequence of … Read more

Is Google Hangouts HIPAA Compliant?

Healthcare organizations often ask about the HIPAA compliance of Google services. One Google product that has caused particular confusion is Google Hangouts. Can healthcare professionals use Google Hangouts to send and receive protected health information (PHI)? Is it HIPAA compliant? Google Hangouts is Google’s video chat system that took the place of Huddle or Google+ … Read more

DHS Issues Emergency Warning About DNS Hijacking Attacks

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency alert concerning DNS hijacking attacks. CISA instructed all government agencies to audit their DNS configurations within 10 days. CISA’s alert stated that hackers were targeting government agencies and changing their Domain Name System (DNS) records. DNS records identify the … Read more

Is iCloud HIPAA-Compliant?

Cloud storage services are a convenient way for people to store and share data. Though people use diverse devices from varied places, they can gain access to the uploaded data files provided that they are hooked up to the internet. Does this technology support HIPAA compliance? Can healthcare organizations utilize iCloud to keep electronic protected … Read more

Hospital Associations Want to Speed up Interoperability and Data Sharing

Seven prominent hospital associations, including the American Hospital Association (AHA), are striving to achieve better data sharing throughout the healthcare industry. A new report called “Sharing Data, Saving Lives: The Hospital Agenda for Interoperability” tries to enlist and broaden the support of public and private stakeholders to speed up interoperability and help get … Read more