Maria Perez

Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting and on making complex healthcare topics comprehensible for readers. Maria's expertise and dedication to delivering accurate stories make Maria a trusted source on our site.

657,392 Northern Light Health Foundation Donors Impacted by Blackbaud Ransomware Attack

The 10-hospital integrated healthcare system called Northern Light Health Foundation, which is located in Brewer, ME, has reported that the latest ransomware attack on Blackbaud Inc. has impacted its databases.

The impacted databases held the data of donors, prospective donors, and people who may have attended a fundraising event in the past. Patient medical information was kept separately and was not affected. The databases contained the data of 657,392 people.

Blackbaud, based in South Carolina, is one of the biggest providers of education, fundraising, financial management, and administration software. An organization as large as Blackbaud is an obvious target for cybercriminals. Blackbaud stated that it encounters numerous attacks every month and that its cybersecurity team successfully defends the company against them, although one attack in May 2020 succeeded.

The ransomware attack could have been much worse. Blackbaud became aware of the attack fairly quickly and took steps to stop it. Blackbaud prevented the ransomware from fully encrypting its data, and only a portion of the company's 25,000+ customers was impacted. The attack did not affect its online system, and most of its self-hosted environment was not impacted.

As is now common in manual ransomware attacks, the attackers exfiltrated information before encrypting records. Blackbaud explained in its breach notice that the attackers copied only a subset of the information and did not steal highly sensitive data such as bank account details, Social Security numbers, and credit card data.

Since securing customers' records is Blackbaud's number one priority, the company met the cybercriminal's demand in exchange for an assurance that the copied data would be destroyed. Based on the results of the investigation, it is assumed that the cybercriminal retained no information and will not misuse, share, or make it publicly available.

It is currently unclear how many Blackbaud clients were affected by the cyberattack. Northern Light Health Foundation stated in its breach notice that it was affected. A few other healthcare institutions in Maine reported the same. Other healthcare institutions found to have been affected include the Cancer Research Institute in New York City and the Prostate Cancer Foundation in Santa Monica, CA.

The BBC reports that around 10 universities in the UK, US, and Canada were affected, including Emerson College in Boston, Harvard University, and the Rhode Island School of Design, as well as charities, media organizations, and a number of private-sector corporations. Though the attack happened in May 2020, the impacted clients were not notified until July 16, 2020. It is unclear why notification of the affected clients was delayed, especially considering that many of those clients are in the EU. The EU General Data Protection Regulation (GDPR) requires notifications to be issued to data protection regulatory authorities within 72 hours of a breach occurring. Data controllers should also be notified immediately.

Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Computer Theft

Children's Hospital Colorado is notifying 2,553 patients that their protected health information (PHI) may have been accessed as a result of unauthorized use of an email account between April 6 and April 12, 2020.

The attacker obtained the username and password for the account after the employee responded to a phishing email. The hospital discovered the attack on June 22, 2020 and promptly secured the account. A review of the messages and attachments in the account showed that they contained patient names, medical record numbers, dates of service, clinical diagnosis details, and zip codes.

Since the breach, the hospital has implemented measures to strengthen email security and has assessed its platforms for training personnel on cybersecurity. Technical settings related to email were also evaluated.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a thief stole a laptop computer issued to an employee of Hoag Clinic, located in Costa Mesa, CA. The laptop had been left in a vehicle in the worksite parking lot in Newport Beach. The clinic learned of the theft immediately and informed law enforcement; however, the device was not recovered.

The IT security team confirmed that the laptop contained the PHI of 738 persons, including first and last names, middle initial, telephone number, address, email address, birth date, age, medical record number, doctor's name, whether the patient was being followed by case management, whether a COVID-19 test was done, whether the person was moved to case management, whether a telehealth appointment was scheduled, communication status records, and whether the person was involved in home health.

Hoag Clinic has re-trained its personnel on security precautions, improved its policies covering the transport of laptops to and from worksites, and conducted an extensive security analysis to make sure all appropriate cybersecurity measures are in place. The clinic provided the impacted persons with a free one-year membership to the Experian IdentityWorks identity theft detection and resolution service.

Breaches at Beaumont Health, Southcare Minute Clinic and Samaritan Medical Center

Beaumont Health, the leading healthcare organization in Michigan, has begun notifying about 6,000 patients that their protected health information (PHI) may have been accessed by unauthorized persons.

On June 5, 2020, Beaumont Health found out that unauthorized persons accessed email accounts between January 3, 2020 and January 29, 2020. The email accounts held the protected health information of patients including names, dates of birth, procedure and treatment data, type of treatment delivered, diagnoses, diagnosis codes, prescription details, patient account numbers, and medical record numbers.

Though unauthorized persons accessed the email accounts, no evidence was found indicating that the hackers viewed or stole the emails or email attachments in the accounts. No reports have been received indicating misuse of patient data.

This is Beaumont Health's second notification of a phishing-related breach this year. Last April, Beaumont Health began informing 112,211 persons about the breach of their PHI held in email accounts in late 2019.

Beaumont Health has taken action to enhance its internal procedures so that it can identify and avert threats much more quickly in the future. Additional safeguards were implemented to improve email security, including the use of multi-factor authentication. Personnel were also given more training on identifying and handling malicious emails.

Samaritan Medical Center Investigating Probable Security Breach

Samaritan Medical Center, based in Watertown, NY, announced a security event that caused it to shut down its computer systems. Staff have been using pen and paper while the breach is remediated and have continued to provide medical care to patients. Patients were not diverted to other hospitals; however, certain non-urgent visits were rescheduled. No other details regarding the precise nature of the security breach have been provided at this time.

Improper Disposal of Medical Documents by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating the Southcare Minute Clinic, based in Wilmington, NC, over the improper disposal of medical documents. The Wilmington Police Department responded to a call reporting that sensitive files and hazardous waste had been dumped in an ordinary dumpster behind the former Southcare Minute Clinic at 1506 Market Street.

The dumpster was found to contain files with patient data, used needles, and other hazardous waste. The police stated that the HIPAA Rules had been violated but determined that no crime had been committed. The dumpster has since been cleaned up and there is no longer any danger to public safety. The North Carolina Department of Health and Human Services will decide whether a financial penalty is appropriate.

Cyberattacks at Highpoint Foot and Ankle Center and the University of Utah Affect 35,000+ Patients' PHI

Highpoint Foot and Ankle Center, based in New Britain Township, PA, suffered a ransomware attack in May 2020 in which the attackers encrypted, and possibly accessed or exfiltrated, patient information. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the system.

An investigation was launched and found that an unauthorized person had remotely downloaded ransomware onto its computer network. No evidence was found suggesting that the attacker accessed patient data before encrypting the files. No reports have been received suggesting misuse of patient data.

A third-party computer forensics firm was engaged to assist with the investigation and confirmed the possible compromise of files containing the PHI of 25,554 patients. The files contained names, dates of birth, addresses, Social Security numbers, treatment information, diagnoses, and release conditions.

Additional safeguards have now been put in place to secure patient data, and all patients impacted by the data breach have been notified by mail.

Phishing Attack on the University of Utah Affects Up to 10,000 Patients

The University of Utah has suffered a phishing attack that has most likely impacted the protected health information (PHI) of about 10,000 patients. This is the University of Utah's fourth data breach report submitted to the Department of Health and Human Services in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (impacting 1,909 persons), April 3, 2020 (impacting 5,000 persons), and March 21, 2020 (impacting 3,670 persons).

Unauthorized persons gained access to personnel email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice posted on the University of Utah Health webpage. It is unclear at this time whether the most recent breach report also involved access to personnel email accounts during the same time period.

Kathy Wilets, Public Relations Director at University of Utah Health, told databreaches.net that the phishing incidents were being treated as independent incidents but might have been part of a coordinated campaign. She explained that the most recent incident probably involved access to some amount of patient information and that the figure of 10,000 affected persons is an estimate. The investigation could confirm that fewer persons were affected. Steps have been taken to strengthen email security, such as the setup of 2-factor authentication.

Breaches at Quantum Imaging and Therapeutic Associates, Delaware Department of Health and Social Services and US HealthCenter

The radiology practice Quantum Imaging and Therapeutic Associates, located in Pennsylvania, announced that it had received reports that a non-physician employee allegedly shared an x-ray image of a male patient's genitalia with a Facebook group.

Disclosing health-related images on social media without patient authorization is a violation of HIPAA and of patient privacy. Quantum posted a statement on Facebook confirming that it had received reports of a privacy breach and explained that Quantum is dedicated to protecting its patients' privacy and is deeply saddened by the reports. No other details about the breach were released because the investigation is not yet complete. The Fairview Township police were notified of the incident and started an investigation; however, no arrests have been made at this point. Some people have commented on the Facebook post saying the photo may have been seen by 'thousands' of individuals.

Delaware Department of Health and Social Services Uncovered Impermissible Disclosure of PHI

The Delaware Department of Health and Social Services found that a spreadsheet containing PHI was accidentally disclosed to four students.

Four senior students at the University of Delaware requested information for a project to identify service gaps within the community and received a spreadsheet. The data the students requested covered persons' age groups and disability status. The identifying data were not removed before the spreadsheet was provided. The students saw the full names, dates of birth, diagnoses, and county data of 350 persons.

The students presented their report over Zoom on May 8, and the presentation also displayed the listed patients' PHI. The Delaware Department of Health and Social Services stopped the presentation as soon as it realized that PHI was included. The students were told to delete the information, and the person who provided the spreadsheet was disciplined.

US HealthCenter Uncovered an Email Account Security Breach

US HealthCenter, a health risk management firm, discovered that an unauthorized individual gained access to an email account and could have viewed or acquired the private and protected health information (PHI) of members of the Cost Plus World Market (Cost Plus) Wellness Program.

The compromised email inbox was used to receive members' completed Annual Preventive Screening affidavits. Inquiries from Wellness Program members about the program were also forwarded to the email account. US HealthCenter learned of the unauthorized access on April 13, 2020 because the hacker used the email account to send phishing emails to participants in the Cost Plus wellness program. While the email account was compromised, the unauthorized person could view and send email messages.

A review of the email messages in the account confirmed that they contained participants' names, birth dates, employee numbers, doctor signatures, dates of exams, and some medical details.

US HealthCenter promptly secured the account and now hosts it on a new Microsoft Office 365 system, which offers stronger security defenses, including multi-factor authentication. No evidence has been found indicating improper use of personal data.