Maria Perez

Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.

Athens Orthopedic Clinic Settles its HIPAA Violation for $1.5 Million

The HHS’ Office for Civil Rights (OCR) has announced a settlement with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR investigated a data breach that the Athens, GA-based healthcare provider reported on July 29, 2016. On June 26, 2016, Dissent of Databreaches.net notified Athens Orthopedic Clinic that a database containing the electronic protected health information (ePHI) of its patients had been posted for sale on the internet by a hacking group known as The Dark Overlord. The group is known for infiltrating systems, stealing data, and demanding ransom payments. If the victims do not pay the ransom, the stolen information is published online.

Athens Orthopedic Clinic investigated the breach and confirmed that the hackers gained access to its systems on June 14, 2016 using vendor credentials and stole records from its EHR system. The data of 208,557 patients was taken in the attack, including names, Social Security numbers, birth dates, procedures performed, test findings, clinical data, payment details, and medical insurance information.

OCR acknowledges that it is not possible to prevent all cyberattacks; nevertheless, when data breaches occur because of a failure to comply with the HIPAA Rules, financial penalties are issued.

Hacking is the leading cause of large healthcare data breaches. When medical organizations fail to comply with the HIPAA Security Rule, their patients’ health information becomes an appealing target for threat actors.

The OCR breach investigation uncovered the following systemic noncompliance with the HIPAA Rules:

Athens Orthopedic Clinic did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Security measures were not implemented to reduce the risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Between September 30, 2015 and December 15, 2016, Athens Orthopedic Clinic failed to implement the hardware, software, and procedural mechanisms needed to record and examine information system activity, in violation of 45 C.F.R. § 164.312(b).

The provider did not maintain HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and before August 7, 2016, the clinic had not entered into business associate agreements with three vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Before January 15, 2018, Athens Orthopedic Clinic did not provide HIPAA Privacy Rule training to its workforce, in violation of 45 C.F.R. § 164.530(b).

Because of these compliance failures, Athens Orthopedic Clinic was unable to prevent hackers from gaining unauthorized access to the PHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all areas of noncompliance identified by OCR. The clinic settled the case without admission of liability.

This is OCR’s 6th HIPAA settlement announced in September and the 9th HIPAA penalty of 2020. Earlier this month, OCR announced five settlements with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with copies of their health records.

OCR Issued Five HIPAA Fines for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights reported five settlements that resolved HIPAA violations related to patient complaints on getting a copy of their medical records.

The HIPAA Privacy Rule gives individuals the right to obtain timely access to their medical records at a reasonable cost. When a person requests a copy of his or her medical records, a healthcare provider must provide those records without unreasonable delay and within 30 days of the request.

OCR received many complaints from people who were unable to obtain a copy of their medical records, so in 2019 it made HIPAA right of access enforcement a priority.

In 2019, there were two settlements between HIPAA covered entities and OCR over HIPAA right of access violations. Korunda Medical, LLC and Bayfront Health St Petersburg each paid $85,000 as a financial penalty and implemented a corrective action plan to process access requests promptly.

The most recent 5 settlements involved Housing Works, Inc., Beth Israel Lahey Health Behavioral Services, King MD, All Inclusive Medical Services, Inc., and Wise Psychiatry, PC. The entities paid financial penalties ranging from $3,500 to $70,000 depending on a number of factors determined by OCR.

Through these settlements, OCR is sending a message to healthcare providers that compliance with the HIPAA right of access is mandatory. Whenever OCR receives complaints alleging noncompliance, it will investigate and penalize entities as it deems appropriate.

Housing Works

Housing Works, Inc. is a non-profit healthcare organization based in New York City that offers healthcare, advocacy, job training, homeless services, re-entry services, and legal support for men and women living with and affected by HIV/AIDS.

In June 2019, a Housing Works patient submitted a request for a copy of his healthcare records. In July 2019, the patient filed a complaint with OCR over Housing Works’ failure to provide the records. OCR investigated the complaint, provided technical assistance, and closed the case. Housing Works still did not provide the patient with a copy of his healthcare records, so in August 2019 the patient filed a second complaint with OCR.

OCR re-investigated the case and issued Housing Works a financial penalty for violating the HIPAA right of access. In November 2019, Housing Works furnished the complainant his healthcare records and paid $38,000 to resolve the violation. Housing Works also adopted a corrective action plan and is under monitoring by OCR for one year.

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest mental health and substance use disorder service provider in eastern Massachusetts. In April 2019, OCR received a complaint stating that BILHBS had not responded to a request from a personal representative for a copy of her father’s health records. The complainant requested the records in February 2019, but they had still not been provided two months later.

OCR investigated the complaint and the patient got the requested health records in October 2019. OCR issued a financial penalty on BILHBS for violating the HIPAA Right of Access. BILHBS paid $70,000 to settle the violation and followed a corrective action plan under the monitoring of OCR for a year.

King MD

King MD is a small psychiatric services provider in Virginia. In October 2018, OCR received a complaint from a patient who had not received a copy of his medical records within two months of submitting the request. OCR provided technical assistance on the case but received a second complaint in February 2019 because King MD still had not provided the requested medical records. The patient received the records in July 2020.

King MD paid OCR $3,500 to settle the case and has implemented a corrective action plan under two years of monitoring by OCR.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) in Carmichael, CA is a family medicine clinic offering multiple specialty services such as internal medicine, rehabilitation, and pain management.

In January 2018, a patient requested a copy of her medical records, but AIMS did not provide the records. In April 2018, the patient complained to OCR, which prompted an investigation. AIMS was found to have violated the HIPAA right of access. The patient got her copy of the records in August 2020.

AIMS paid OCR $15,000 to resolve the HIPAA violation and also adopted a corrective action plan that OCR will monitor for two years.

Wise Psychiatry, PC.

Wise Psychiatry is a small psychiatric services provider in Colorado. In November 2017, a personal representative requested a copy of her young son’s health records. By February 2018, the records had still not been provided, so she filed a complaint with OCR, which prompted an investigation. OCR provided technical assistance and closed the case.

In October 2018, OCR received a second complaint from the same person. Following OCR’s investigation, a copy of the health records was finally provided in May 2019. Wise Psychiatry paid $10,000 to settle the case and adopted a corrective action plan under OCR monitoring for one year.

CISA Releases Technical Guidance on Finding and Remediating Malicious System Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently released guidance for network defenders and incident response teams on uncovering malicious activity and mitigating cyberattacks. The guidance provides recommendations for detecting malicious activity and detailed directions for investigating potential security incidents and securing compromised systems.

The purpose of the guidance is to improve incident response among partners and network administrators and to provide a playbook for investigating incidents. The document helps incident response teams collect the data required to investigate suspicious activity on the network, gather host-based artifacts, perform host analysis and analysis of network activity, and take appropriate measures to mitigate a cyberattack.

The guidance document was produced in cooperation with cybersecurity authorities in the United Kingdom, United States, Australia, Canada and New Zealand, and provides technical guidance to help security staff identify ongoing malicious activity and mitigate attacks while minimizing potential adverse consequences.

When incident response teams discover malicious activity, the focus is usually on blocking the threat actor’s access to the network. While it is important to remove a threat actor’s access to a device or system, it is essential that the right procedure is followed so as not to alert the attacker that their presence has been detected.

While well-intentioned efforts to contain the compromise may be made, some of those actions can be damaging: they can alter volatile data that would have shown what the attacker did, and they can tip off the threat actor that the victim organization is aware of the compromise, prompting the attacker either to cover their tracks or to take more damaging actions (including detonating ransomware).

When responding to a suspected attack, the first step is to collect and preserve the relevant artifacts, logs, and data that will allow a detailed investigation of the incident. If this evidence is not secured before any mitigations are applied, the data may easily be lost, which will hamper any effort to investigate the breach. Systems must also be secured, since a threat actor who realizes the breach has been detected may change their tactics. Once systems are secured and artifacts collected, mitigating actions can be taken carefully so as not to warn the threat actor that their presence on the network has been discovered.

Whenever suspicious activity is discovered, CISA recommends seeking help from a third-party cybersecurity organization. Such organizations have the expertise needed to remove an attacker from a system and to ensure that, once the incident is remediated and closed, security weaknesses that could be exploited in further attacks on the organization are addressed.

Resolving a security breach requires several technical approaches to discovering malicious activity. CISA recommends hunting for known indicators of compromise (IoCs), using validated IoCs from a wide range of sources. Frequency analysis is useful for identifying anomalous activity: network defenders should establish baseline traffic patterns for network and host systems, which can then be used to recognize activity that deviates from the norm. Algorithms can be used to detect activity that does not fit normal patterns and to identify discrepancies in timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other characteristics.

Pattern analysis is valuable for uncovering automated activity by malicious scripts and malware, as well as regularly repeating behavior by human threat actors. An analyst review should also be carried out, drawing on the security team’s knowledge of system operations, to identify inconsistencies in the collected artifacts and locate anomalous activity that may indicate attacker activity.
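The frequency analysis described above, as an added example that is not part of the CISA guidance or the original article: a baseline of destination/port pairs and active hours is built per host from a constructed set of connection-log lines, and new lines are flagged when they deviate from it. The log format, host names, addresses and the one-hour slack are assumptions for the sample.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): "<ISO timestamp> <host> <dst_ip>:<port> <proto>"
BASELINE_LOG = """\
2020-08-03T09:12:01 ws-101 10.0.0.5:443 tcp
2020-08-03T10:40:12 ws-101 10.0.0.5:443 tcp
2020-08-03T11:02:55 ws-101 10.0.0.9:445 tcp
2020-08-04T09:30:07 ws-101 10.0.0.5:443 tcp
2020-08-04T14:11:19 ws-101 10.0.0.9:445 tcp
2020-08-03T08:55:31 ws-102 10.0.0.5:443 tcp
2020-08-04T16:20:02 ws-102 10.0.0.5:443 tcp
"""

# Constructed lines from a later day that are checked against the baseline
NEW_LOG = """\
2020-08-05T10:05:13 ws-101 10.0.0.5:443 tcp
2020-08-05T02:47:50 ws-101 10.0.0.5:443 tcp
2020-08-05T11:18:22 ws-101 203.0.113.7:4444 tcp
2020-08-05T12:00:00 ws-102 10.0.0.9:445 tcp
"""


def parse(log):
    """Turn each log line into a record with a timestamp, host and destination tuple."""
    records = []
    for line in log.splitlines():
        ts, host, dst, proto = line.split()
        ip, port = dst.rsplit(":", 1)
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": (ip, int(port), proto)})
    return records


def build_baseline(records):
    """Per host: how often each destination tuple was seen, and which hours were active."""
    dests = defaultdict(Counter)
    hours = defaultdict(set)
    for r in records:
        dests[r["host"]][r["dst"]] += 1
        hours[r["host"]].add(r["ts"].hour)
    return dests, hours


def find_anomalies(baseline_log, new_log, hour_slack=1):
    """Flag new records whose destination or timing does not fit the host's baseline."""
    dests, hours = build_baseline(parse(baseline_log))
    findings = []
    for r in parse(new_log):
        reasons = []
        if r["dst"] not in dests[r["host"]]:
            reasons.append("destination/port never seen for this host")
        seen = hours[r["host"]]
        # Off-hours check: no baseline activity within hour_slack hours of this event
        if seen and not any(abs(r["ts"].hour - h) <= hour_slack for h in seen):
            reasons.append("activity outside the host's usual hours")
        if reasons:
            findings.append((r["host"], r["ts"].isoformat(), r["dst"], reasons))
    return findings


if __name__ == "__main__":
    for host, when, dst, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(f"{when} {host} -> {dst[0]}:{dst[1]}/{dst[2]}: {'; '.join(reasons)}")
```

A real deployment would build the baseline over weeks of traffic and use per-host hour histograms rather than a set, but the shape of the check stays the same.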

The guidance lists a number of common mistakes made when responding to incidents and provides technical measures and recommendations for investigation and remediation.

CISA also offers general advice on defensive tactics and programs that can make it harder for a threat actor to gain access to the network and remain there undetected. While these measures may not prevent a threat actor from compromising a system, they will help slow the pace of an attack, giving incident response teams the time they need to understand and respond to it.

You can read the CISA guidance Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A) on this page.

PHI of Almost 19,000 Individuals Affected by Breaches at Cook Children’s Medical Center, D&S Residential Holdings and City of Lafayette

1,768 Persons Affected by Cook Children’s Medical Center Breach

Cook Children’s Medical Center in Fort Worth, TX discovered that a box of radiology image discs stored in a locked storage room was missing. Despite searching for the missing items, Cook Children’s Medical Center was unable to locate them. The discs contained protected health information (PHI) including names, birth dates, medical record numbers, scan types, service dates, and physician names.

Specialist software is needed to view the images; however, some of the PHI may be viewable without it. The images belonged to 1,768 people who had hip and spine scans between 2005 and 2014. No reports have been received indicating misuse of any data on the discs. The medical center has notified all affected individuals.

PHI of 2,102 People Potentially Compromised Due to a D&S Residential Holdings Phishing Attack

D&S Residential Holdings, based in Austin, TX, discovered that an unauthorized individual accessed the email accounts of several employees between April 20, 2020 and June 15, 2020 after those employees responded to phishing emails.

D&S Residential Holdings conducted a thorough investigation with the support of a reputable computer security firm; however, it was not possible to determine whether the attackers viewed or stole any information.

An analysis of the employees’ email accounts showed that they contained protected health information. D&S Residential Holdings offered free credit monitoring and identity theft protection services for 12 months to the individuals who had their Social Security numbers compromised in the attack. The breach report sent to the HHS’ Office for Civil Rights showed that the breach affected 2,102 individuals.

15,000 Lafayette Fire Department Ambulance Users Affected by Ransomware Attack

On July 27, 2020, the City of Lafayette, CO suffered a ransomware attack that affected its email, telephone, online billing, and reservation systems, leaving essential system data inaccessible. After weighing the costs and benefits of all feasible options, the city chose to pay the attackers $45,000 to avoid a major disruption to its online operations.

Before ransomware deployment, it’s possible that the attackers accessed personal information stored on the computer system of Lafayette, including the usernames and passwords of its online service users and the Social Security numbers of city employees. Moreover, the attackers might have obtained the names and the health insurance identification numbers of 15,000 men and women whom the Lafayette Fire Department ambulance transported prior to January 1, 2018.

The city has removed the ransomware and rebuilt its network servers and computers. It has also deployed crypto-safe backup systems and implemented additional cybersecurity measures to block future ransomware attacks.

New FritzFrog P2P Botnet Targets SSH Servers of Banking Institutions, Educational Organizations, and Medical Centers

A new peer-to-peer (P2P) botnet has been found targeting SSH servers on IoT devices and routers that accept connections from remote devices. The botnet, known as FritzFrog, spreads like a computer worm by brute-forcing credentials.

Guardicore Labs security researchers analyzed the botnet and determined that it has successfully breached over 500 servers, and the number is still growing fast. FritzFrog is multi-threaded, modular, and fileless, leaving no trace on infected devices. FritzFrog assembles and executes its malicious payloads entirely in memory, making infections difficult to detect.

When a machine is compromised, a backdoor in the form of an SSH public key is created, which gives the attackers persistent access to the device. Further payloads may then be downloaded, such as a cryptocurrency miner. Once a device is compromised, the self-replicating behavior begins to spread the malware across the host. The device is added to the P2P network, can receive and execute commands from the P2P network, and is used to spread the malware to other SSH servers. Since January 2020, the botnet has been targeting government, education, healthcare, and finance industries.

Compared with other botnets, FritzFrog is more resilient because command of the botnet is decentralized across many nodes, so there is no single command and control (C2) server and therefore no single point of failure. According to Guardicore Labs, FritzFrog is written in Golang, and its P2P protocol is entirely proprietary, with practically everything about the botnet unique and not shared with any other P2P botnet.

To analyze how FritzFrog works and study its functionality, Guardicore Labs’ researchers wrote an interceptor in Golang that allowed them to take part in the malware’s key-exchange process and to receive and send commands. The program, named frogger, helped them study the nature and extent of the network. Frogger allowed them to join the network by ‘injecting’ their own nodes and contributing to the P2P traffic. Through frogger, the researchers confirmed that FritzFrog had already brute-forced millions of SSH IP addresses at banks, medical centers, educational organizations, government agencies, and telecom firms.

The malware communicates over port 1234, though not directly. Traffic on port 1234 is easy to detect, so the malware uses netcat, a common networking utility. A command sent over SSH is used as netcat’s input and is thereby passed on to the malware. FritzFrog also communicates over an encrypted channel and can execute more than 30 commands, including creating a backdoor, connecting to other infected nodes and servers in the FritzFrog network, and checking resources such as CPU usage.

Although the botnet is currently being used to plant cryptocurrency mining malware (XMRig) on infected devices to mine Monero, it could easily be repurposed to deliver other types of malware and used for many other purposes. Security researcher Ophir Harpaz at Guardicore Labs does not believe cryptocurrency mining is the main goal of the botnet, given the amount of code specific to mining Monero. Harpaz believes the main goal is to gain access to organizations’ networks and sell access to the breached servers or use it for other profitable attacks.

It is unclear who created the botnet or where it originated. It has spread worldwide, but the geographic origin of the first attacks is unknown. FritzFrog is also under active development, with researchers having identified over 20 FritzFrog binary versions.

The botnet takes advantage of network security solutions that enforce policy only by port and protocol, so process-based segmentation rules are needed. Networks with weak passwords are more vulnerable to brute force attacks, so it is essential to use strong passwords and public key authentication. The botnet finds IoT devices and routers with exposed SSH access, so organizations can protect themselves by changing their SSH port or disabling SSH access whenever the service is not needed. The researchers also advise removing FritzFrog’s public key from the authorized_keys file to keep the attackers from accessing the device.
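The authorized_keys remediation above, as an added example that is not Guardicore’s script or part of the original article: an audit that fingerprints every key in an authorized_keys file, reports entries whose fingerprint is not on an allowlist, and rewrites the file with only the allowlisted keys kept. The sample file, the key bytes and the allowlist are constructed; nothing here is a real FritzFrog indicator.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the OpenSSH key wire format."""
    return struct.pack(">I", len(data)) + data


def make_key_line(key_type, raw_key, comment):
    """Build a constructed authorized_keys line (sample data only, not a usable key)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: base64 of sha256 over the decoded blob, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entries(text):
    """Return one entry per key line; comments and blank lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        # Options such as no-pty,command="..." may precede the key type, so locate it by name
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "fp": None, "raw": line})  # unparsable: report it
            continue
        entries.append({"line": lineno, "type": fields[idx], "fp": fingerprint(fields[idx + 1]),
                        "comment": " ".join(fields[idx + 2:]), "raw": line})
    return entries


def audit(text, allowed_fps):
    """Entries whose fingerprint is not on the allowlist (or that could not be parsed)."""
    return [e for e in parse_entries(text) if e["fp"] not in allowed_fps]


def remediate(text, allowed_fps):
    """File content with unknown keys removed; comments and blank lines are preserved."""
    drop = {e["line"] for e in audit(text, allowed_fps)}
    return "\n".join(l for i, l in enumerate(text.splitlines(), 1) if i not in drop) + "\n"


# Constructed sample: two known admin keys plus one unexpected, comment-less key (made-up bytes)
ADMIN_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "admin@ws-101")
BACKUP_KEY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "backup@nas")
UNKNOWN_KEY = make_key_line("ssh-rsa", b"\x01" * 64, "")
SAMPLE_FILE = "# managed keys\n" + ADMIN_KEY + "\n" + BACKUP_KEY + "\n" + UNKNOWN_KEY + "\n"
ALLOWLIST = {fingerprint(ADMIN_KEY.split()[1]), fingerprint(BACKUP_KEY.split()[1])}

if __name__ == "__main__":
    for e in audit(SAMPLE_FILE, ALLOWLIST):
        print(f"line {e['line']}: unknown key {e['fp']} (comment: {e.get('comment', '')!r})")
```

Against a real host the allowlist would come from configuration management, and any key absent from it, especially one with no comment, is worth treating as a finding rather than silently removing.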

Guardicore Labs has released a script on GitHub that can be run to detect FritzFrog infections, together with known IoCs.