Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making the complex healthcare topic comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make him a trusted source on our site.
by Maria Perez | Dec 21, 2021 | Compliance News
Texas Ear, Nose & Throat Specialists P.A. (Texas ENT Specialists) has reported it experienced a cyberattack that was discovered on October 19, 2021.
As soon as the attack was discovered, quick action was undertaken to avoid further access to the network by unauthorized persons. A third-party cybersecurity company was involved to investigate and identify the nature and scope of the cyberattack. The forensic investigation showed that the attackers initially obtained access to its systems on August 9, 2021, and from then on until August 15, they copied and extracted files from its network.
An analysis of those files established they included the protected health information (PHI) of 535,489 individuals, such as names, birth dates, procedure codes, and health record numbers. A subset of people additionally had their Social Security numbers compromised; nevertheless, its electronic medical record system was not affected.
Texas ENT Specialists sent notification letters to affected persons on December 10, 2021. Patients whose Social Security numbers were compromised were given a free membership to Experian’s identity theft monitoring service.
Texas ENT Specialists reported that it has increased its privacy and data security program and has put in place more technical security procedures to better secure and keep an eye on its systems.
Virginia Department of Behavioral Health and Developmental Services Experiences Second Funding Portal Breach
The Virginia Department of Behavioral Health and Developmental Services (DBHDS) is informing 4,037 people who tried for Individual and Family Support Program (IFSP) financial assistance that their PHI might have been impermissibly exposed. The breach impacted its IFSP Funding Website and took place on October 7, 2021. The breach was noticed in just minutes and the site was promptly taken off the internet to avert continuing unauthorized data access.
In 2019, DBHDS suffered a breach of its IFSP funding webpage that exposed the records of 1,442 persons. In the following 17 months, the internal team and the Virginia Information Technology Agency (VITA) reviewed the attack and tried to duplicate and fix the problem. Considerable testing of the Portal was carried out, and it was confirmed the Portal was clear to run once again. The newest breach looks a lot like the 2019 occurrence and might likewise have made possible the viewing of information by other individuals.
DBHDS mentioned it won’t make an effort to fix the Portal once more, and an alternate solution may be determined for future IFSP application processes. Persons whose application data were compromised could register for zero-cost credit monitoring services for two years.
by Maria Perez | Dec 15, 2021 | Compliance News
Planned Parenthood Los Angeles (PPLA) is confronting a class action lawsuit with regards to a ransomware attack that was uncovered on October 17, 2021. The cyberattack breached the protected health information (PHI) of over 409,759 patients. The notification letters were mailed to the affected people on November 30, 2021, wherein PPLA mentioned the breach of its systems on October 9, 2021. The attackers obtained access to files comprising PHI up to October 17, which is the time they were thrown out from the network.
The records on the impacted systems comprised names, dates of birth, addresses, diagnoses, treatment, and medication details, and certain files were exfiltrated from its system before the encryption of files. PPLA mentioned it didn’t get any proof to suggest patient data has been misused.
A PPLA patient who had his PHI compromised in the security breach has filed a lawsuit regarding the incident. The lawsuit was submitted in the U.S. District Court of Central California and states the patient, as well as class members, were put at impending risk of harm due to the theft of their sensitive health information, which included electronic health records that note the processes conducted by PPLA for instance abortions, treatment of sexually transmitted diseases, emergency contraception medications, cancer screening data, other remarkably sensitive health data.
The lawsuit additionally references the time of the ransomware attack, which synchronized with the Supreme Court discussions on abortion, and claims the compromise of data on abortion treatments at this time makes it very likely that patients will experience problems. Aside from experiencing an upcoming danger of harm, affected people are possible to keep experiencing economic and actual hurt and have lost control of their healthcare records. They have likewise suffered out-of-pocket expenditures because of the data breach for example money and time spent securing their accounts, keeping track of identity theft and fraud, and doing something to stop improper use of their personal data. The lead plaintiff claims she has encountered actual harm because of the breach, which includes stress and anxiety, and has furthermore sustained damage and reduction in the value of her personal details.
Though the Health Insurance Portability and Accountability Act (HIPAA) is without private cause of action, the lawsuit states PPLA has violated HIPAA by its inability to make certain the privacy of patient information and not enough cybersecurity procedures are set up to avert unauthorized PHI access. The legal action furthermore says that this is the third data breach experienced by PPLA in the last 3 years.
Besides the HIPAA violations, the lawsuit says PPLA likewise breached the California Consumer Privacy Act (CCPA) and the California Confidentiality of Medical Information Act (CMIA).
The lawsuit wishes injunctive relief, statutory and compensatory damages, investment in cybersecurity procedures to make sure other breaches don’t happen, and for impacted persons to be given identity theft protection and restoration services and to get an identity theft insurance coverage plan.
by Maria Perez | Dec 7, 2021 | Compliance News
The protected health information (PHI) of an Eskenazi Health patient was compromised in a ransomware attack on August 2021. The patient is currently taking legal action against the healthcare organization over the data breach.
It is now typical for ransomware gangs to copy sensitive information prior to deploying ransomware for encrypting files. The stolen records are employed to pressure victims to make ransom payments, as was the situation in the cyberattack at Eskenazi Health. Eskenazi Health located in Indianapolis, IN uncovered the attack at the beginning of August and promptly turned off its computer programs so as to stop continuing unauthorized access and limit the attack. The healthcare service provider decided to redirect ambulances and postpone selected consultations as a precautionary measure as its electronic medical record system was not accessible.
As per the data breach investigation, Eskenazi Health’s systems were first compromised in May and the threat actors exfiltrated files that contain sensitive patient data. The issuance of notification letters to affected patients began at the beginning of November. Patients were advised with regards to the data breach and were given free identity theft protection and credit monitoring services. When sending notifications, there were no reports involving the misuse of patient information, even though some patient data were released on the gang’s data leak website. The breach report sent to the HHS’ Office for Civil Rights at the start of October reveals the breach impacted 1,515,918 patients.
Eskenazi Health stated the stolen information involved workers, providers, patients, previous patients, and providers and impacted names, addresses, phone numbers, email addresses, dates of birth, patient account numbers, health record numbers, diagnoses, clinical data, physicians’ names, insurance details, medications, passport numbers, driver’s license numbers, face images, credit card data, and Social Security numbers.
Terri Ruehl Young, the Eskenazi Health patient, was among the persons affected by the information breach. According to the lawsuit, Young alleges a bogus charge amounting to $370 was placed on the credit card she utilized for settling her bill and her Equifax credit report revealed there was an effort to alter her name.
The lawsuit claims patients put their trust in Eskenazi Health to safeguard its systems and patient data, nevertheless, the healthcare company betrayed that trust by not being able to use advanced security practices and proper safety measures to secure patient information. The lawsuit states unjust enrichment, negligence, and breach of contract.
The lawsuit likewise brings up the amount of time it had taken Eskenazi Health to alert patients regarding the security breach. The lawsuit says that breach notification letters were provided over 6 months right after the first security breach, and 3 months after the finding out of the breach by Exkenaki Health. The HIPAA Breach Notification Rule necessitates the sending of notifications in 60 days after the discovery of a data breach.
Cohen and Malad and John Steinkamp & Associates submitted the lawsuit wanting class-action status and a trial by jury. A Eskenazi Health representative mentioned the lawsuit is not yet officially served.
by Maria Perez | Dec 1, 2021 | Compliance News
One Community Health based in Sacramento, CA has recently informed patients about the compromise of its systems between April 19 and April 20, 2021. It was discovered that an unauthorized individual has acquired access to systems that contain the personal data and protected health information (PHI) of some workers and patients.
A complete forensic inspection was performed by a third-party cybersecurity agency to find out the nature and magnitude of the attack, and One Community Health was alerted on October 6, 2021, that the attacker had exfiltrated files from its network comprising full names and one or more of the following data elements: telephone number, address, other demographic data, email address, date of birth, driver’s license number, Social Security number, insurance details, diagnosis details, and treatment data.
One Community Health began sending breach notification letters to all affected patients on November 22, 2021. There were no reported incidents of identity theft or fraud; nevertheless, complimentary credit monitoring services have been provided to impacted people as a safety measure against identity theft and fraud.
One Community Health stated it has been working with cybersecurity specialists to improve its security against cyberattacks, and has improved endpoint detection, email protection, and has gotten 24/7 managed detection response.
PHI Disclosure Due to Email Error by Eye Care Product Company
Alcon, a manufacturer of eye care products, has learned that an email error led to the disclosure of some patients’ PHI to healthcare organizations not permitted to view the PHI.
On October 5, 2021, Alcon emailed patients’ protected health information to healthcare companies to assist in billing. The emails were meant to just include details concerning each healthcare company’s patients; nonetheless, a technical problem resulted in the emails containing the information of patients of other healthcare organizations.
The emails included some data regarding patients who had lately got an Alcon intraocular lens implant, specifically, first and last names, dates of implant, device serial numbers, and names of treating physicians.
All healthcare companies who acquired the email were called and informed to erase the email and Alcon has evaluated and updated its policies and processes to avoid identical breaches later on. Because of the nature of the data compromised and the entities that obtained the data, Alcon believes no patient information will be used in the wrong way.
by Maria Perez | Nov 23, 2021 | Compliance News, Healthcare Information Technology
Five vulnerabilities were discovered that can impact these medical devices:
the IntelliBridge EC 80 and EC 40 Hub, Efficia CM Series, and Philips Patient Information Center iX Patient Monitors.
IntelliBride EC 40 and EC 80 Hub
Two vulnerabilities were discovered that have an effect on C.00.04 and previous models of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized person could profitably manipulate the vulnerabilities with success and manage to execute software programs, alter system settings, and update/look at files that could contain unidentifiable patient information.
CVE-2021-32993 – The first vulnerability is caused by the usage of hard-coded credentials inside the applications for its own incoming authentication, outgoing communication to exterior components, or the encryption of internal information.
CVE-2021-33017 – The second vulnerability involves a problem with authentication bypass. Although the normal access path of the device demands authentication, another path was found that doesn’t call for authentication.
The two vulnerabilities were given a CVSS v3 severity rating of 8.1 of 10.
Philips hasn’t given a patch to resolve the vulnerabilities, nevertheless wants to resolve the vulnerabilities before the year ends. Meanwhile, Philips suggests simply utilizing the products within Philips authorized descriptions, and merely making use of Philips-permitted application, software arrangement, security configurations, and system services. The products must be physically singled out from the hospital system.
Efficia CM Series and Patient Information Center iX Patient Monitors
Three vulnerabilities were found to impact the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities can be exploited to acquire access to patient files and to carry out a denial-of-service attack. Though exploitation has a low attack complexity, the vulnerabilities may basically be exploited by way of an adjacent network.
The vulnerabilities impact the following Philips devices:
- Efficia CM Series: Revisions A.01 to C.0x and 4.0
- Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
Vulnerable models of the PIC iX don’t effectively verify input to decide whether or not the input has the components to be processed carefully and accurately. The vulnerability is tagged as CVE-2021-43548 and was given a CVSS severity rating of 6.5 out of 10.
A hard-coded cryptographic key was utilized which suggests encrypted data can be restored from vulnerable versions of the PIC iX. The vulnerability is monitored as CVE-2021-43552 and was assigned a 6.1 CVSS score.
A broken or risky cryptographic algorithm signifies sensitive records can be exposed in communications between PIC iX and Efficia CM Series patient monitors. The vulnerability is tagged as CVE-2-21-43550 with a CVSS rating of 5.9.
CVE-2021-43548 has been resolved in PIC iX C.03.06 and updates to correct the other two vulnerabilities will be released before 2022 ends.
To decrease the probability for exploitation of the flaws, the products must only be employed as per Philips authorized requirements, which involve physically or logically distancing the gadgets from the hospital’s local area network, and employing a firewall or router that can easily use access control lists restraining access in and out of the patient monitoring network for only important IP addresses and ports.
Philips-introduced hardware has Bitlocker Drive Encryption enabled automatically and this should never be disabled. If disposing of, NIST SP 800-88 media sanitization instructions need to be observed. Patient files are not contained in archives by default, and so in case archives are exported that have patient files, the data must be kept safely with tough access controls.
