Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Jan 6, 2021 | Compliance News, EHR & Interoperability
2020 was a very bad year for healthcare industry data breaches. The HHS’ Office for Civil Rights documented 616 data breaches involving 500 or more health records. Those breaches saw 28,756,445 healthcare records compromised or impermissibly disclosed, which makes 2020 the third worst year on record in terms of the number of breached healthcare records.
2020’s Biggest Healthcare Data Breaches
When a breach occurs at a business associate of a HIPAA-covered entity, it is typically the covered entity, not the business associate, that reports the incident. In 2020, the cloud service provider Blackbaud Inc. suffered a huge data breach. Hackers gained access to its network systems and stole its customers’ fundraising databases before deploying ransomware. Blackbaud received a ransom demand along with a threat that the stolen records would be published if the ransom was not paid. Blackbaud opted to pay the ransom to prevent the exposure of client data, and was given assurances that the stolen files had been completely destroyed and would not be exposed.
The actual number of individuals affected by the Blackbaud ransomware attack may never be known precisely; nevertheless, more than six dozen healthcare companies have confirmed being affected so far and more than 8 million healthcare records were potentially exposed. That breach clearly tops the list of the largest healthcare data breaches of 2020 and is one of the biggest healthcare data breaches in history.
Below is the list of data breaches reported in 2020 involving 500,000 or more healthcare records. In some instances, the actual data breach took place before 2020 but was only discovered and reported in 2020.
- Trinity Health – 3,320,726 people impacted
Trinity Health was the healthcare organization most severely affected by the Blackbaud ransomware attack. The hackers likely obtained the philanthropy database of the Catholic health system based in Livonia, Michigan, which comprised patient and donor records from 2000 to 2020.
- MEDNAX Services, Inc. – 1,290,670 people impacted
MEDNAX Services Inc., based in Sunrise, Florida, experienced a security breach of its Office 365 account in June 2020 after staff members responded to phishing email messages. The substantial breach involved patient and guarantor data, including driver’s license numbers, Social Security numbers, and health insurance and financial data.
- Inova Health System – 1,045,270 people impacted
Inova Health System, based in Virginia, was also impacted by the Blackbaud ransomware attack. Inova’s fundraising database, which comprised patient and donor records, was potentially compromised.
- Magellan Health Inc. – 1,013,956 persons affected
Magellan Health, based in Arizona, experienced a ransomware attack in April 2020 that led to the potential compromise of the protected health information (PHI) of patients. The ransomware attack began with a spear phishing email. A number of its affiliated entities were also impacted by the breach.
- Dental Care Alliance – 1,004,304 persons impacted
Dental Care Alliance, LLC in Sarasota, Florida, reported a security breach of its networks in December. The nature of the breach is still uncertain as the investigation is ongoing. The breach impacted many of its affiliated dental practices.
- Luxottica of America Inc. – 829,454 persons impacted
Luxottica of America Inc. is a vision care company well known throughout the United States for the eyewear brands Oakley, Ray-Ban, and Persol. It experienced a cyberattack in August 2020 in which hackers gained access to its online appointment scheduling system, which stored the PHI of its eye care partners’ patients.
- Northern Light Health – 657,392 persons impacted
Northern Light Health in Maine was also affected by the Blackbaud ransomware attack. The hackers likely gained access to its fundraising database, which comprised patient and donor records.
- Health Share of Oregon – 654,362 individuals
In May 2020, Health Share of Oregon reported the theft of a laptop from its non-emergent medical transport vendor. The stolen laptop was not encrypted, which likely allowed the thief to access patients’ contact details, Social Security numbers, and Health Share ID numbers.
- Florida Orthopaedic Institute – 640,000 people affected
Florida Orthopaedic Institute experienced a ransomware attack in April that resulted in the encryption of patient data stored on its servers. Before the ransomware was deployed, the attackers could have viewed or obtained patient records.
- Elkhart Emergency Physicians – 550,000 persons affected
Elkhart Emergency Physicians submitted a breach report in May 2020 regarding the improper disposal of patient documents by Central Files Inc., a third-party storage vendor. Elkhart Emergency Physicians was the worst affected entity, but a number of the vendor’s other clients were also impacted by the breach. The documents were thrown out without shredding after the permanent closure of the storage facility.
by Maria Perez | Dec 30, 2020 | Compliance News
Agency for Community Treatment Services, Inc. (ACTS) in Tampa, FL is notifying a number of patients about the potential compromise of their protected health information (PHI) as a result of a cyberattack on October 21, 2020.
The security breach was discovered on October 23 when the ransomware was deployed. The hackers gained access to parts of the ACTS server and data systems and encrypted files to block access to them. Systems had to be taken down to prevent further unauthorized access. Third-party computer forensic professionals investigated the incident to determine the extent of the breach.
Although it is likely that there was unauthorized data access, the investigators did not find any specific evidence of access to or exfiltration of patient information. ACTS stated that this was because the attackers made substantial efforts to cover up their malicious actions; the attackers could therefore have viewed or taken data stored on the breached systems.
The evaluation of the breached systems showed that they contained patient names, dates of birth, Social Security numbers, and health records with information such as diagnoses, treatment details, and health insurance information relating to services provided to patients between 2000 and 2013.
ACTS was able to recover the encrypted data from backup copies and did not pay the ransom demand. After the breach it took action to strengthen security and prevent further attacks. Since patient information may have been exposed, ACTS is offering all affected individuals free credit monitoring and identity theft protection services.
Proliance Surgeons Reports Company Website Breach
The company website of Proliance Surgeons, based in Seattle, WA, suffered a breach that likely resulted in the theft of payment card data. The practice stated in a December 23, 2020 breach notice that attackers had access to the website between November 13, 2019 and June 24, 2020. During that period, the attackers likely accessed and obtained cardholder names, card numbers, zip codes, and expiration dates. No other PHI was compromised. The breach only affected individuals who paid for services online, not those who paid in person or over the telephone.
The cause of the breach has been identified and addressed and a new website with a different payment platform has been implemented, which has superior security protections. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Individuals affected by the breach have been advised to check their statements carefully and to report any unauthorized charges to their card provider.
Leon Medical Centers Attacked with Conti Ransomware
Leon Medical Centers, a group of 8 medical facilities in Hialeah and Miami, Florida, suffered a Conti ransomware attack. The attackers stole patient PHI before deploying the ransomware and issued a ransom demand with a threat to expose the stolen patient data.
The attackers claimed the stolen data included patient names, addresses, diagnoses, treatment details, medical insurance data, patient photos, and Social Security numbers. They claim to have obtained the PHI of about 1 million patients, although Leon Medical Centers disputed that claim and said the amount of stolen information was greatly overstated.
The attack took place before December 22, 2020 and Leon Medical Centers is still investigating the incident. At this point, it is unclear exactly what information was taken and how many patients were affected.
by Maria Perez | Dec 23, 2020 | Compliance News
The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has issued final guidance for healthcare delivery organizations on securing the Picture Archiving and Communication System (PACS) ecosystem.
PACS is a medical imaging solution used to securely store and electronically transmit medical images, such as CT scans, X-rays and MRIs, together with the associated clinical reports, and is common in healthcare. These systems remove the need to store, send, and receive medical images manually, and help healthcare delivery organizations by enabling the secure and inexpensive storage of images offsite online. PACS allows medical images to be easily retrieved from anywhere using PACS software.
By design, PACS cannot function on its own. In healthcare delivery organizations, PACS is normally integrated into highly complex environments and interfaces with numerous interconnected systems. The complexity of those environments means that securing the PACS ecosystem is a serious undertaking, and it is very easy for cybersecurity threats to be introduced that can readily compromise the confidentiality, integrity, and availability of protected health information (PHI), the PACS ecosystem, and any devices connected to PACS.
In September 2019, a ProPublica investigation identified 187 unsecured servers that were used to store and retrieve medical images. Those servers held the medical images and PHI of more than 5 million people in the U.S.A. In many cases, the images could be accessed using a standard web browser and viewed using free software.
In 2020, the analyst team at CybelAngel scanned around 4.3 billion IP addresses across the world and discovered 2,140 unprotected servers in 67 countries. Those servers contained about 45 million medical images. The images included as many as 200 lines of metadata containing personally identifiable information and PHI. According to the CybelAngel “Full Body Exposure” report, those images could be viewed on the web through a typical web browser. In several cases there were login pages, but they accepted blank username and password fields.
NIST published draft guidance on securing the PACS ecosystem soon after the release of the ProPublica report to help healthcare delivery organizations identify the cybersecurity problems associated with PACS and implement stronger security controls to restrict access to PACS and other components and reduce the impact of an attack.
The final version of the guidance consists of a detailed set of cybersecurity specifications and best practices for improving the security of the PACS ecosystem, covering access control, asset management, user identification and authentication, data security, security continuous monitoring, response planning, and recovery.
The final practice guide incorporates feedback from the public and other stakeholders and adds remote storage functions to the PACS design. This provides a more thorough security solution that reflects real-world healthcare delivery organization (HDO) networking conditions.
HIPAA covered entities and their business associates can use this practice guide to apply existing cybersecurity standards and best practices to reduce their cybersecurity risk while retaining the overall efficiency and functionality of PACS.
NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector is accessible on this page.
NIST/NCCoE created the guidance in cooperation with DigiCert, Cisco, Forescout, Clearwater Compliance, Hyland, Microsoft, Philips, Symantec, Tempered Networks, TDI Technologies, Tripwire, Virtua Labs, and Zingbox.
by Maria Perez | Dec 18, 2020 | Compliance News
A seasonal worker at a tech firm based in Virginia has been sentenced to 42 months in prison for accessing patient files, stealing personally identifiable information (PII), and using the PII for financial gain. The tech company supports the Centers for Medicare & Medicaid Services (CMS) by managing contact centers that provide assistance with Medicare enrollment and other services.
While Colbi Trent Defiore, age 27, of Carriere, MS, worked at a call center in Bogalusa, LA, he accessed the protected health information (PHI) of about 8,000 people stored in the HHS healthcare.gov database without a valid work reason, stole the information, and used it for criminal activity, such as opening lines of credit in the names of other individuals.
Defiore was employed by the organization three times, in 2014, 2017, and 2018. He was discovered to have viewed data without authorization during his last period of employment at the company. The firm had already taken steps to ensure personally identifiable information (PII) was secured and had trained all workers on how to handle that data securely.
In November 2018, Defiore carried out bulk lookups of the database, which were not allowed, and copied that information to a virtual clipboard. The data was then copied into his work email account and forwarded from there to another email account. The stolen information was then used to fraudulently sign up for no fewer than 6 credit cards and loan products and to obtain lines of credit for personal financial gain.
The tech organization identified the unauthorized access and reported the incident to the authorities. The firm supplied law enforcement with video and audio recordings of Defiore while he was on a phone call with a customer on November 6, 2018. The recordings showed Defiore performing a bulk lookup of the database using first and last names unrelated to the call he was on. A data loss prevention application also identified suspicious activity involving PII.
It was found that Defiore had remotely accessed his company email account outside of his working hours on several occasions to obtain the data. Prosecutors explained that the company’s data center was located in Virginia, so when Defiore transmitted the PII to his work email account, the data crossed state lines, which makes this a federal crime.
According to court records, Defiore’s employer had put security measures in place to stop customer service staff like Defiore from remotely accessing work email accounts. A single sign-on, multi-factor authentication program was implemented for remote access, which could be accessed from a computer or mobile app. A software token was required to verify a user and complete the remote login process.
In October 2018, Defiore set up the multi-factor authentication on a mobile phone over a Virtual Private Network and obtained the software token that allowed him to remotely access his work email account from his personal mobile phone or PC. The investigation found that an IP address linked to Defiore was used to remotely access his company email account.
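The signals that surfaced in this case (bulk record lookups, lookups that do not match the caller the agent is actually speaking with, and remote mailbox access outside working hours) are the kind of thing an insider-threat detection rule can check for in audit logs. The following is an added illustration, not code from the article or from the employer involved; the log format, field names, agent identifiers, shift hours and thresholds are all constructed assumptions.

```python
"""Insider-access anomaly checks over constructed call-center audit logs.

Hypothetical example: the log layout, agent names, thresholds and shift
hours are assumptions for illustration, not those of any real system.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample lookup records (not real data). Each record notes which
# caller the agent was on the phone with when the database lookup happened.
LOOKUPS = [
    # (timestamp, agent, name looked up, caller on the active call)
    ("2018-11-06 10:00:05", "agent_a", "Jane Doe", "Jane Doe"),
    ("2018-11-06 10:03:40", "agent_a", "Tom Roe", "Tom Roe"),
    ("2018-11-06 10:15:00", "agent_b", "Sam Lee", "Sam Lee"),
    ("2018-11-06 10:15:02", "agent_b", "Alan Poe", "Sam Lee"),
    ("2018-11-06 10:15:04", "agent_b", "Beth Kay", "Sam Lee"),
    ("2018-11-06 10:15:06", "agent_b", "Carl Ng", "Sam Lee"),
    ("2018-11-06 10:15:08", "agent_b", "Dana Ott", "Sam Lee"),
    ("2018-11-06 10:15:10", "agent_b", "Eve Rio", "Sam Lee"),
    ("2018-11-06 10:45:00", "agent_c", "Will Fox", "Will Fox"),
]

# Constructed sample mailbox login records (not real data).
REMOTE_LOGINS = [
    # (timestamp, agent, source)
    ("2018-11-06 09:30:00", "agent_a", "office"),
    ("2018-11-06 12:00:00", "agent_b", "remote"),
    ("2018-11-06 23:10:00", "agent_b", "remote"),
    ("2018-11-07 02:05:00", "agent_b", "remote"),
]

BULK_THRESHOLD = 5            # lookups per window that count as "bulk" (assumed)
WINDOW_SECONDS = 60           # sliding window length (assumed)
SHIFT_START = time(8, 0)      # assumed shift hours for remote-access checks
SHIFT_END = time(18, 0)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def max_lookups_in_window(lookups, window_seconds=WINDOW_SECONDS):
    """Peak number of lookups each agent made inside any sliding window."""
    per_agent = defaultdict(list)
    for ts, agent, _name, _caller in lookups:
        per_agent[agent].append(parse_ts(ts))
    peaks = {}
    for agent, times in per_agent.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it fits within window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[agent] = best
    return peaks


def bulk_lookup_agents(lookups, threshold=BULK_THRESHOLD,
                       window_seconds=WINDOW_SECONDS):
    """Agents whose peak lookup rate meets the bulk threshold."""
    peaks = max_lookups_in_window(lookups, window_seconds)
    return sorted(agent for agent, n in peaks.items() if n >= threshold)


def unrelated_lookups(lookups):
    """Lookups of a name other than the caller on the agent's active call."""
    return [(agent, ts, name) for ts, agent, name, caller in lookups
            if name != caller]


def off_hours_remote_logins(logins, start=SHIFT_START, end=SHIFT_END):
    """Remote mailbox logins that fall outside the assumed shift hours."""
    flagged = []
    for ts, agent, source in logins:
        t = parse_ts(ts).time()
        if source == "remote" and not (start <= t < end):
            flagged.append((agent, ts))
    return flagged


def agent_risk_flags(lookups=LOOKUPS, logins=REMOTE_LOGINS):
    """Combine the three checks into a per-agent set of flags."""
    flags = defaultdict(set)
    for agent in bulk_lookup_agents(lookups):
        flags[agent].add("bulk_lookup")
    for agent, _ts, _name in unrelated_lookups(lookups):
        flags[agent].add("lookup_unrelated_to_call")
    for agent, _ts in off_hours_remote_logins(logins):
        flags[agent].add("off_hours_remote_access")
    return {agent: sorted(f) for agent, f in flags.items()}


if __name__ == "__main__":
    for agent, flags in agent_risk_flags().items():
        print(agent, ", ".join(flags))
```

Each check on its own produces false positives (a supervisor may legitimately look up several records in a row, and some remote work is expected), so the combined per-agent view is the useful output: an agent who trips all three checks, as the constructed `agent_b` does here, is a far stronger candidate for review than one who trips any single rule.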
As a result of Defiore’s actions, his employer incurred $587,000 in losses, including breach notification expenses and the cost of providing identity theft protection services to the individuals whose PII was exposed.
Defiore pleaded guilty to one count of intentionally accessing a protected computer without authorization for the purpose of commercial advantage and private financial gain. In addition to the 42-month prison term, Defiore must serve 3 years of supervised release and pay a $100 special assessment. A hearing was scheduled for January 12, 2021 to determine the amount of restitution Defiore must pay.
by Maria Perez | Dec 9, 2020 | Compliance News
Mercy Health and Montefiore Medical Center have recently reported insider data breaches. In both incidents, an employee viewed patient information despite having no legitimate work-related reason to do so.
Mercy Health Detects Unauthorized Access of PHI by Former Worker
Mercy Health in Cincinnati, OH has begun notifying some patients that their protected health information (PHI) was accessed by a staff member for reasons other than delivering patient care.
Mercy Health identified the insider breach on October 7, 2020. The investigation found that the employee had viewed patient data on a number of occasions when it was not needed for providing patient care. The reason for the unauthorized access has not been disclosed to the public.
Patients affected by the breach were instructed to keep track of their credit reports and billing/accounts transactions and to report any unauthorized transactions. As a preventative measure against identity theft and fraud, Mercy Health provided the impacted patients with free membership to IDX identity theft protection services for one year.
For most of the affected patients, the data accessed was limited to name, address, demographic details, date of birth, medical record number, clinical details, radiological images and/or treatment data. The former employee also accessed the health insurance ID numbers of a few patients.
Mercy Health has since upgraded its processes to prevent similar incidents in the future, and staff have been retrained on compliance with Mercy Health’s policies and procedures.
At the time of writing, the breach has not yet appeared on the HHS’ Office for Civil Rights breach portal, so the number of affected patients is not yet known.
Montefiore Medical Center Ex-Employee Viewed Patient Information for Billing Fraud
Montefiore Medical Center in New York City has discovered that a former employee accessed patient data and used it for a billing scam. In association with a vendor, the employee accessed patient names, medical record numbers, and surgery schedules and used them to create invoices for surgical items that were never used.
Montefiore Medical Center learned of the scam after it paid the invoices and launched an investigation, which revealed the former employee’s unauthorized access. The information of around 4,000 patients was accessed without authorization between January 2018 and July 2020.
The former employee did not view Social Security numbers, medical records, or financial data. The investigators found no evidence that patients or their insurers were defrauded. The fraud has been reported to the police and the investigation is ongoing.
Montefiore Medical Center stated that the former employee died during the investigation and the vendor has been barred from entering all Montefiore campuses.
Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper documents involved in the fraud are no longer used, and the process for handling invoices for medical supplies is being reviewed.
Criminal background checks are now performed before hiring, and all staff receive training on privacy policies and are advised that the medical center does not tolerate employees accessing health records unless there is a legitimate work-related reason for doing so.