Maria Perez

Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make Maria a trusted source on our site.

Healthcare Data Breaches at Fairchild Medical Center, Indian Health Council Inc. and Harvard Pilgrim Health Care

Fairchild Medical Center, located in Yreka, CA, has started informing a number of patients that their protected health information (PHI) was likely accessible online to unauthorized individuals.

In July 2020, a third-party security company advised Fairchild Medical Center of a misconfigured server that permitted access over the web. With the assistance of third-party computer experts, the medical center confirmed that unauthorized persons could have accessed patient information.

The server stored medical images that include patient names, dates of birth, exam identification numbers, patient ID numbers, names of ordering providers, and dates of examination. The misconfiguration occurred on December 16, 2015 and was only fixed on July 31, 2020. A third-party security firm validated the security of the server after the required adjustments were made.

A forensic investigation could not ascertain whether unauthorized persons accessed patient data during the period the server was open; however, the possibility can’t be eliminated.

Indian Health Council Inc Experiences Ransomware Attack

A ransomware attack on Indian Health Council Inc. in Valley Center, CA happened in September 2020, resulting in file encryption that likely affected the PHI of patients. Indian Health Council discovered the ransomware attack on September 22, 2020 and called in third-party computer forensic specialists to help with the investigation.

An analysis of the files the attacker gained access to shows that some files included patient data such as names, birth dates, health details, and health insurance data and, for some people, details about medical conditions, treatment, or diagnosis data.

After the cyberattack, Indian Health Council Inc. changed passwords and strengthened security to prevent further attacks. It also implemented extra measures or controls such as remote access and multi-factor authentication.

All patients affected by the attack have now received notification letters. The breach report sent to the Office for Civil Rights shows that the attack possibly impacted 5,769 persons.

Mismailing Incident At Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is informing 8,022 people about a software mistake in its enrollment data management system. The error resulted in the association of an individual’s mailing address with another address linked to the health plan of that individual. Due to the error, certain mailings were misdirected to the address of a subscriber of the person’s health plan or to a past address. Harvard Pilgrim Health Care traced the problem back to an error that took place in 2013.

The types of information that might have been exposed differed from mailing to mailing and probably involved the name of the member, ID number, date of birth, phone number, provider names, dates of service, treatment data, deductibles, charges for services, co-pay amount, and co-insurance details linked to healthcare coverage.

The matter has already been fixed, and the method of system updates has been assessed and improved. Impacted persons were advised to look at their Activity Summaries and to report any suspicious entries to Harvard Pilgrim without delay.

Cyberattackers Demand Ransoms from Advanced Urgent Care of Florida Keys and Galstan & Ward Family and Cosmetic Dentistry

Advanced Urgent Care of Florida Keys began sending breach notifications to patients on November 6, 2020 concerning a ransomware attack that occurred on March 1, 2020. Though not mentioned in the breach notice, on March 14, 2020, Databreaches.net documented the theft of patient information during the attack. The attackers exposed the stolen data on the internet because no ransom payment was received.

According to the Advanced Urgent Care breach notice, after the ransomware attack, an investigation to find out whether patient information was compromised continued until September 11, 2020. The attack resulted in the encryption of files located on a backup drive that included protected health information (PHI) such as names, dates of birth, medical treatment details, laboratory results, medical diagnostic data, medical insurance data, medical record numbers, Medicaid or Medicare beneficiary numbers, medical billing details, bank account data, credit or debit card details, CHAMPUS ID numbers, driver’s license numbers, Military and/or Veterans Administration numbers, Social Security numbers and signatures.

Advanced Urgent Care provided free credit monitoring services to individuals who had their Social Security numbers potentially exposed and has taken steps to enhance security to protect against more attacks and to detect and remediate potential threats.

Galstan & Ward Family and Cosmetic Dentistry, GA

Galstan & Ward Family and Cosmetic Dentistry, based in Suwanee, GA, reported a ransom incident associated with a computer virus that infected one of its servers. This incident is unlike ransomware attacks that leave encrypted files and a ransom note on infected computer systems. According to Galstan & Ward, someone contacted the practice by telephone and told it about the virus that had infected its computer server. That person also demanded a ransom payment over the phone.

Galstan & Ward had already noticed suspicious activity on the server and had contracted a third-party vendor to clean the server and restore the data from a backup. Galstan & Ward did not pay any ransom and reported no considerable interruption to services or loss of data. But on September 11, 2020, Galstan & Ward found out that some files had been stolen, which the attacker published on a dark web site. Those stolen files, however, didn’t include any patient data.

The contracted IT company confirmed the removal of the malware and said that there was no indication that patient information within its dental practice software had been accessed. Further investigations likewise found no evidence suggesting the access or acquisition of patient data.

Galstan & Ward issued notifications to patients as a safety precaution, given that it wasn’t possible to eliminate the possibility of unauthorized access to PHI. If the attackers gained access to the dental software program, they could potentially have viewed names, addresses, birth dates, Social Security numbers, and dental files.

The Galstan & Ward substitute breach notice stated that it is now using cryptographic technology to secure patient information. More data security measures were added to its web server infrastructure. The practice also offered the affected persons free identity theft protection services via IDX.

Zoll Takes Legal Action Against IT Vendor for Breach of 277,000 Records

A legal action was filed in the US District Court in Massachusetts on behalf of the medical device supplier Zoll against its IT service vendor Barracuda Networks in Campbell, CA. Barracuda Networks is alleged to have been at fault for botching a server migration that led to the breach of the protected health information (PHI) of 277,139 individuals.

The breach concerned archived emails that were being moved to a new email storage service. A configuration problem led to the exposure of those email messages for over 2 months between November 8, 2018 and December 28, 2020. The settings error was resolved, but Zoll did not get any notification concerning the breach until January 24, 2019. The breach investigation revealed that the exposed emails contained the following patient information: names, contact details, birth dates, health data, and Social Security numbers for a number of patients.

Zoll partnered with a business called Apptix – presently known as Fusion Connect – in 2012 and signed a business associate agreement for the delivery of hosted business communication services. Apptix then contracted with a firm named Sonian to provide services that include email archiving. Barracuda Networks acquired Sonian in 2017.

According to the lawsuit, Barracuda Networks found out about the email breach on January 1, 2019. The investigation showed that Barracuda Networks made an error that left a data port accessible to anyone, which exposed the email search feature of the migration tool on a small section of the directories. The port remained open for more or less 7 weeks before the error was found and the port was secured. While the port was accessible, an unauthorized person accessed email information and ran repeated automated searches of the archive.

A PHI breach of this type has consequences for patients. Impacted patients sustained injury and problems because of the disclosure and theft of their private and healthcare data. In April 2019, legal action was filed against Zoll on behalf of individuals impacted by the breach. Zoll sought indemnity from Apptix, but the business didn’t take action. The legal case has since been resolved.

Along with the settlement and legal costs incurred, Zoll spent internal and external resources on investigation and mitigation actions, the sending of breach notification letters to impacted patients, and free access to solutions that protect patients against loss and damage. The lawsuit attempts to recover those expenses from Barracuda Networks.

Zoll claims that Barracuda Networks was negligent in not implementing sensible safeguards to protect Zoll’s information and that Barracuda Networks failed to fully help with Zoll’s investigation. Zoll states that Barracuda Networks did not provide the investigators with access to its web platform and didn’t respond to many of the investigators’ questions. Zoll said that Barracuda Networks did not give information about the dates when patient information was compromised, the types of data exposed, and whether the hackers exfiltrated any data.

The lawsuit says that Barracuda Networks did respond to the breach and put in place more safety measures, policies and procedures to avert similar occurrences in the future; however, it breached its responsibility to apply reasonable protections before the breach to safeguard Zoll data. Zoll likewise alleges a breach of the implied warranty of merchantability, because the email archiving solution was warranted to be appropriate for safe email archiving, when security vulnerabilities allowed unauthorized people to access sensitive archived information. Zoll moreover claims the email storage service was defective and not fit for its purpose and, as a result, Barracuda Networks breached the implied warranty of fitness for a particular purpose.

Blackbaud SEC Filing Gives Additional Details on Data Breach and Mitigation Costs

The number of entities reporting that they were impacted by the Blackbaud cyberattack and security breach has increased in the past few weeks. The Department of Health and Human Services’ Office for Civil Rights breach site is regularly being updated to record healthcare victims. The entities recently added are OSF HealthCare System, Geisinger and Moffitt Cancer Center. The three organizations reported that the breach has affected a total of 276,600 persons.

Though Blackbaud did not reveal the total number of affected people, no fewer than 250 healthcare providers, nonprofits, and educational bodies are known to have been affected. Reports from healthcare companies reveal that the breach impacted over 10 million people.

Considering the breach costs sustained by companies and the number of persons who had their personal data compromised, it is not surprising that Blackbaud is facing many class action lawsuits. About 23 proposed class-action lawsuits have been filed thus far in the U.S. and Canada, based on its 2020 Q3 Quarterly Report given to the U.S. Securities and Exchange Commission (SEC). Of all the lawsuits, 2 were submitted in Canadian courts, 17 in the United States federal court, and 4 in state courts.

The lawsuits assert that victims have suffered harm due to the breach and claim that several regulations were violated. The lawsuits seek damages, injunctive relief, and attorneys’ fees. In addition, close to 160 claims were received from Blackbaud’s clients in the U.S., Canada, and the U.K.

Besides the legal cases, regulators are investigating Blackbaud in relation to violations of data privacy laws. The investigating organizations are the Federal Trade Commission and the Department of Health and Human Services and, internationally, the UK’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada. 43 state attorneys general and the District of Columbia likewise started a joint investigation.

As per the SEC records, Blackbaud has already incurred expenditures of more than $3.2 million in addressing the cyberattack from July to September 2020, and $3.6 million in expenses in the last 9 months. That number is offset by $2.9 million accrued in insurance recoveries between July and September.

Costs will continue to accumulate in resolving the breach, and those expenditures are very likely to be sizeable, but Blackbaud says its cyber insurance protection will cover most of the breach costs.

While cyber insurance protection has paid for part of the expenses, there is no assurance that the policies will pay for all expenditures. The likelihood of loss can’t be established until a court has decided that a plaintiff has fulfilled the pertinent class action procedural requirements.

In a meeting with financial analysts, Blackbaud mentioned that the forensic investigation discovered how the hackers succeeded in gaining access to its networks. The hackers took advantage of a vulnerability in its early generation products that has since been fixed, and steps have already been taken to strengthen security. Blackbaud furthermore mentioned that a huge amount of money was spent on cybersecurity and employees before the breach to prepare for this kind of attack.

Blackbaud was able to contain the attack yet was unable to prevent the exfiltration of certain customer information. The organization paid the ransom to avert data exposure and is convinced that the payment stopped any more data exposures.

Most Microsoft 365 Admins Have Not Set Up Multi-Factor Authentication

CoreView published a new report revealing that many Microsoft 365 admins haven’t activated multi-factor authentication to protect their accounts from unauthorized remote access and are failing to implement other fundamental security procedures. Based on the report, 78% of Microsoft 365 administrators have yet to activate multi-factor authentication while 97% of Microsoft 365 users aren’t using MFA.

This is a big security risk, notably when almost all workers are remote. IT departments should recognize this concern and correct it in order to stop cyberattacks and fortify their organization’s security posture.

The SANS Institute mentions that 99% of data breaches are preventable by employing MFA, while Microsoft said in an August 2020 blog post that MFA is the single most important measure to implement to stop unauthorized account access, stating that 99.9% of account breaches could be avoided by using MFA.

The CoreView study furthermore showed that 1% of Microsoft 365 administrators tend not to use strong passwords, despite the fact that hackers are proficient at breaking passwords with automated brute force attacks. Even with strong passwords, there is no guarantee that a breach will be averted. A strong password provides no security if a user falls victim to a phishing scam. When passwords are stolen, MFA provides protection and should keep those passwords from being used to obtain access to accounts.

The CoreView M365 Application Security, Data Governance, and Shadow IT Report pointed out that Microsoft 365 administrators are given excessive control and have access to valuable sensitive information. 57% of Microsoft 365 admins were found to have excessive permissions to access, alter, and share business-critical data. In addition, 36% of Microsoft 365 administrators are global administrators, who have total control over their organization’s Microsoft 365 environment. 17% of Microsoft 365 admins are also Exchange admins and have access to the entire company’s email accounts, including C-Suite accounts. If Microsoft 365 admin accounts are compromised, attackers can access the whole Microsoft 365 environment along with large volumes of sensitive information. The Microsoft 365 environment doesn’t just contain a large amount of easily monetized data; the accounts are also connected to other systems and can be used for a much larger attack on the company.

The study additionally showed that firms have invested heavily in productivity and operations applications that allow personnel to communicate, collaborate, and work more efficiently, yet there has been a surge in shadow IT, specifically SaaS applications. SaaS applications are frequently used by personnel without the IT department’s awareness. Many of those SaaS apps lack suitable security and allow preventable cyberattacks to occur.

At a basic level, malicious applications can siphon off critical information. Users may also be sharing sensitive company data via these applications with compromised parties, putting organizations in considerable danger of a data breach. It’s crucial that companies adequately monitor these applications for possible security gaps.

Businesses that use Microsoft 365 often take their security and governance responsibilities too lightly, erroneously believing that Microsoft 365 is safe by default and has the needed protections to stop data breaches. Though Microsoft 365 can be protected, businesses need to be proactive and make sure that security is addressed, that there is enough oversight of shadow IT, and that appropriate data governance is in place.