Maria Perez
Maria is an experienced writer who has been providing content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria's expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Feb 26, 2020 | Compliance News
The new Vade Secure report revealed the 25 brands most frequently impersonated in phishing attacks. The Q4 2019 Phishers' Favorites report confirmed that PayPal remains the most impersonated brand, with 11,392 unique phishing URLs detected in Q4. PayPal has held the top spot for two consecutive quarters. PayPal phishing URL detections increased 23% year-over-year, and new PayPal phishing URLs are now being detected at a rate of 124 per day.
Phishing URLs impersonating Facebook also increased. The social media giant rose to second place, with Microsoft third and Netflix fourth. Facebook phishing URL detections were up 358.8% compared with Q4 of 2018.
Although Microsoft is third overall, it is the most frequently impersonated brand in phishing attacks on businesses. Microsoft has more than 200 million active Office 365 business users, whose Office 365 credentials are a prime target for attackers. Office 365 accounts can hold large amounts of sensitive information, and a compromised account can be used to launch spear-phishing attacks on partners and other staff within the organization.
The most visible change in Q4 was a substantial increase in phishing URLs impersonating WhatsApp, which lifted the Facebook-owned messaging service to fifth place. The 5,020 phishing URLs detected in Q4 represent a 13,467.6% increase over Q3 of 2019.
Driven by the WhatsApp detections, the share of phishing URLs impersonating social media companies rose from 13.1% in Q3 to 24.1% in Q4. Rounding out the top ten were Bank of America (6th), CIBC (7th), Desjardins (8th), Apple (9th), and Amazon (10th). Phishing URLs impersonating Instagram also grew sharply, up 187.1% in Q4.
Financial services firms were the most frequently impersonated industry in Q4, for the second consecutive quarter. Although phishers still impersonate the large banks, Vade Secure notes that they are increasingly favoring smaller financial institutions, which may lack strong controls for spotting brand impersonation.
Vade Secure also reports a marked increase in phishing attacks impersonating note-taking services such as OneNote and Evernote, alongside a rise in fake OneDrive and SharePoint notifications that link to websites hosting phishing kits.
by Maria Perez | Feb 19, 2020 | Compliance News
A review by the Department of Health and Human Services' Office of Inspector General (OIG) found that many pharmacies and other healthcare organizations are improperly using Medicare beneficiaries' information.
OIG conducted the audit at the request of the HHS' Centers for Medicare and Medicaid Services (CMS), which wanted to determine whether Medicare beneficiaries' information was being improperly accessed and used by mail-order and retail pharmacies and other healthcare organizations, such as physicians' offices, clinics, hospitals and long-term care facilities.
CMS was concerned that a mail-order pharmacy and other healthcare organizations were not using Medicare Part D Eligibility Verification Transactions (E1 transactions) correctly. E1 transactions are meant to be used solely to verify Medicare beneficiaries' eligibility for specific coverage benefits.
OIG conducted the review to determine whether E1 transactions were being used only for their intended purpose. Because E1 transactions contain the protected health information (PHI) of Medicare beneficiaries, they could potentially be used for fraud or other malicious or improper purposes.
An E1 transaction has two parts: a request and a response. The healthcare organization submits an E1 request containing its NCPDP provider ID or NPI together with basic patient demographic details. The request goes to the transaction facilitator, which matches the E1 request details against the information held in the CMS eligibility file. A response is then returned containing the beneficiary's Part D coverage details.
One mail-order pharmacy and 29 other companies were selected for review. Of the 30 entities reviewed, 25 used E1 transactions for purposes other than billing for prescriptions or determining the order of drug coverage when a beneficiary had more than one insurance plan. 98% of the E1 transactions submitted by those 25 companies were not related to prescriptions.
OIG found that companies were obtaining coverage details for beneficiaries who had no prescriptions. Companies were using E1 transactions to evaluate sales leads; several providers had allowed marketing firms to submit E1 transactions for sales purposes; companies were obtaining information on private insurance coverage for items not covered under Part D; long-term care facilities had obtained Part D coverage information using batch transactions; and E1 transactions were submitted by two non-pharmacy firms.
E1 transactions are covered by HIPAA and subject to its basic requirements: PHI must be protected against unauthorized access whenever it is stored electronically or transmitted between covered entities. The review findings indicate HIPAA violations and suggest that this may well be a nationwide problem. Given the results of the review and the apparently widespread improper access and use of PHI, OIG is expanding its reviews nationwide.
OIG believes these problems arose because CMS has not fully implemented controls to monitor providers that submit large numbers of E1 transactions relative to the prescriptions they dispense; CMS has not issued clear guidance prohibiting the use of E1 transactions for marketing purposes; and CMS has not restricted non-pharmacy access.
Following the review, CMS took additional steps to monitor for misuse of the eligibility verification system and will take appropriate enforcement action where misuse is identified. OIG has recommended that CMS issue clear guidance on E1 transactions and ensure that only pharmacies and other authorized entities submit E1 transactions.
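One way to implement the monitoring control OIG says is missing, as an added example that is not part of the OIG review or of any CMS system: per submitter, compare the number of E1 requests with the number of prescription claims, count E1 requests for beneficiaries the submitter never billed a prescription for, and flag any non-pharmacy submitter. The submitter IDs, beneficiary IDs, the `submitter_type` field, the thresholds and every record below are assumptions constructed for the example.

```python
"""Flag E1 eligibility-transaction submitters whose usage pattern suggests misuse.

Added example, not OIG or CMS code. All identifiers and records below are
constructed sample data; thresholds are illustrative, not CMS policy.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class E1Request:
    submitter_id: str     # NPI or NCPDP provider ID of the submitting entity
    submitter_type: str   # "pharmacy" or "non_pharmacy" (assumed field)
    beneficiary_id: str


@dataclass(frozen=True)
class PrescriptionClaim:
    submitter_id: str
    beneficiary_id: str


# Constructed sample data: one normal pharmacy, one pharmacy querying far more
# beneficiaries than it bills for, and one non-pharmacy entity.
E1_REQUESTS: List[E1Request] = (
    [E1Request("1000000001", "pharmacy", f"B{i:03d}") for i in range(6)]
    + [E1Request("1000000002", "pharmacy", f"B{i:03d}") for i in range(100, 112)]
    + [E1Request("1000000003", "non_pharmacy", f"B{i:03d}") for i in range(200, 203)]
)
CLAIMS: List[PrescriptionClaim] = (
    [PrescriptionClaim("1000000001", f"B{i:03d}") for i in range(5)]
    + [PrescriptionClaim("1000000002", f"B{i:03d}") for i in range(100, 102)]
)


def submitter_stats(e1_requests: Iterable[E1Request],
                    claims: Iterable[PrescriptionClaim]) -> Dict[str, dict]:
    """Per-submitter counts: E1 requests, prescription claims, and E1 requests
    for beneficiaries the submitter never billed a prescription for."""
    claims = list(claims)
    billed = {(c.submitter_id, c.beneficiary_id) for c in claims}
    claim_counts: Dict[str, int] = {}
    for c in claims:
        claim_counts[c.submitter_id] = claim_counts.get(c.submitter_id, 0) + 1

    stats: Dict[str, dict] = {}
    for r in e1_requests:
        s = stats.setdefault(r.submitter_id, {
            "type": r.submitter_type, "e1": 0, "claims": 0, "unmatched_e1": 0})
        s["e1"] += 1
        if (r.submitter_id, r.beneficiary_id) not in billed:
            s["unmatched_e1"] += 1
    for sid, s in stats.items():
        s["claims"] = claim_counts.get(sid, 0)
    return stats


def flag_submitters(e1_requests: Iterable[E1Request],
                    claims: Iterable[PrescriptionClaim],
                    max_ratio: float = 3.0,
                    min_e1: int = 5) -> Dict[str, List[str]]:
    """Return submitter_id -> sorted reasons for submitters that warrant review.

    A submitter is flagged when it is not a pharmacy, or when it has sent at
    least min_e1 requests and its E1-to-claim ratio exceeds max_ratio
    (a submitter with zero claims has an infinite ratio).
    """
    flags: Dict[str, List[str]] = {}
    for sid, s in submitter_stats(e1_requests, claims).items():
        reasons = []
        if s["type"] != "pharmacy":
            reasons.append("non_pharmacy_submitter")
        ratio = s["e1"] / s["claims"] if s["claims"] else float("inf")
        if s["e1"] >= min_e1 and ratio > max_ratio:
            reasons.append("e1_to_claim_ratio")
        if reasons:
            flags[sid] = sorted(reasons)
    return flags


if __name__ == "__main__":
    for sid, s in submitter_stats(E1_REQUESTS, CLAIMS).items():
        print(sid, s)
    print(flag_submitters(E1_REQUESTS, CLAIMS))
```

On the constructed data the normal pharmacy passes, the second pharmacy is flagged for a 6:1 ratio of E1 requests to claims, and the non-pharmacy entity is flagged on type alone even though its volume is below the ratio threshold. In practice the ratio threshold would be tuned against the facilitator's real volumes, and `unmatched_e1` is the figure to show an auditor, since it isolates the lookups with no prescription behind them.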
by Maria Perez | Feb 13, 2020 | Compliance News
Shields Health Solutions Email Account Breach
Shields Health Solutions, based in Stoughton, MA, provides specialty pharmacy services to hospitals and other covered entities. Unauthorized access to an employee's email account may have allowed an attacker to view or copy the protected health information (PHI) contained in the account.
Shields Health Solutions detected suspicious activity in the employee's email account on October 24, 2019. A cybersecurity firm investigated the incident and determined that the account was accessed by an unauthorized individual between October 22 and October 24, 2019. Only one email account was affected.
The emails and attachments in the account contained patient names, dates of birth, provider names, medical record numbers, clinical information, prescription information, insurance company names, and limited claims information. There is no evidence that the attacker accessed or copied patient data.
Shields Health Solutions strengthened its email security by implementing multi-factor authentication on all employee email accounts, and mailed notification letters to affected individuals on December 16, 2019. The breach has not yet been posted on the HHS' Office for Civil Rights (OCR) breach portal, so the number of affected individuals is not yet known.
Lafayette Regional Rehabilitation Hospital Email Breach
Lafayette Regional Rehabilitation Hospital in Lafayette, IN has discovered that an employee's email account was accessed without authorization in July 2019, potentially exposing patients' PHI.
The hospital learned of the breach on November 25, 2019, and promptly launched an investigation to determine whether any patient information had been viewed by unauthorized persons. It could not be determined with certainty whether the attackers viewed or copied patient data, but the possibility could not be ruled out. The compromised account contained names, dates of birth, clinical information and treatment details relating to medical services received at the hospital. Some patients' Social Security numbers were also exposed.
On January 24, 2020, the hospital mailed breach notification letters to affected patients and offered free credit monitoring services to those whose Social Security numbers were exposed. Lafayette Regional Rehabilitation Hospital has also strengthened its email security and reinforced security awareness training for employees.
The breach has been reported to OCR as affecting approximately 1,360 patients.
by Maria Perez | Feb 5, 2020 | Compliance News
Village Senior Services Corporation, also known as VillageCareMAX (VCMAX), and Village Center for Care, also known as VillageCare Rehabilitative and Nursing Center (VRNC), have experienced a business email compromise (BEC) attack. In a BEC attack, a threat actor impersonates an executive, either by using the executive's real email account, compromised in an earlier attack, or by spoofing the executive's email address.
An unauthorized individual posing as a member of the executive staff requested sensitive data on VCMAX members and VRNC patients. An employee believed the request was legitimate and responded with the requested information. VCMAX and VRNC were notified of a potential BEC attack on December 30, 2019.
The investigation confirmed that the request was fraudulent and that sensitive information on VCMAX members and VRNC patients had been impermissibly disclosed. The disclosed data included the names and Medicaid ID numbers of 2,645 VCMAX members and the first and last names, dates of birth, insurer names, and insurance ID numbers of 674 VRNC patients.
No reports of misuse of personal data have been received; nevertheless, all affected individuals have been advised to remain vigilant and to monitor their explanation of benefits statements, accounts and credit reports for signs of fraudulent activity. VCMAX and VRNC are reviewing their policies and procedures and will implement improvements to prevent similar attacks in the future.
Phoenix Children’s Hospital Phishing Attack
Phoenix Children's Hospital was the target of a phishing attack between September 5 and September 20, 2019, which resulted in the compromise of seven hospital employees' email accounts.
After discovering the breach, the hospital engaged a leading computer forensics firm to determine its scope. On November 15, 2019, it was confirmed that the compromised email accounts contained the protected health information (PHI) of 1,860 current and former patients. The attackers may have accessed or downloaded the information, which included names, other personal information, and Social Security numbers, along with some medical information for certain patients.
Phoenix Children's Hospital began mailing breach notification letters to affected patients on January 14, 2020. Patients whose Social Security numbers were potentially compromised have been offered free credit monitoring and identity theft protection services.
by Maria Perez | Jan 29, 2020 | Compliance News
A new survey conducted by Morning Consult on behalf of America's Health Insurance Plans (AHIP) found that patients want quick access to their health information, presented in a concise, easy-to-understand format. Patients and consumers are also well aware that cyberattacks and data breaches could expose their private health data: 62% of respondents said they would give up easy access to their health information in exchange for stronger privacy protections.
In November 2019, President Trump signed an Executive Order on Improving Price and Quality Transparency in American Healthcare to Put Patients First. In response, the Department of Health and Human Services, the Department of the Treasury and the Department of Labor proposed a new Transparency in Coverage Rule. The rule would require employer-based group health plans and health insurers offering group and individual coverage to disclose price and cost-sharing information to participants, beneficiaries and enrollees in advance.
With that information, patients can see how much they will have to pay to meet their plan's deductible, co-insurance or co-pay requirements, and can easily compare costs.
The cost of healthcare procedures is a major concern for patients. 52% of respondents said they were very likely, and 22% somewhat likely, to research the cost of a medical procedure or service covered by their health plan. 68% said they would be very or somewhat likely to choose a cheaper medical procedure than the one recommended by their physician, and 66% said they would consider seeing a different specialist than the one their doctor recommended if the quality of care were the same at a lower price.
Although quick access to cost information and greater transparency are welcome, 3 in 4 respondents said they would not support a federal rule that improves transparency but at the same time increases insurance premiums.
When it comes to information on medical treatments, patients prefer easy-to-understand data over complete data. 82% of adults said they place more value on apps and websites that present concise, easy-to-understand information about medical treatment than on those that present complete but unclear data.
The survey also showed strong support for federal laws similar to HIPAA for technology companies that collect or receive health information. 90% of respondents said tech firms should have to comply with the same stringent privacy and security requirements as healthcare providers.