Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Jan 20, 2020 | Compliance News
Health Quest, which is presently a part of Nuvance Health, learned that the impact of the phishing attack in July 2018 was more extensive than first believed.
Some staff were deceived by phishing emails into revealing their email account credentials, allowing unauthorized persons to access their accounts. A prominent cybersecurity company assisted with the investigation to determine whether patient data had been breached.
In May 2019, Health Quest found that the email messages and attachments in the breached accounts contained the protected health information (PHI) of 28,910 patients, so the health system sent notification letters to the affected individuals. The information in the breached accounts included patient names, contact details, claims data, and some medical information.
On October 25, 2019, a further investigation of the breach revealed that yet another employee email account containing PHI had been compromised. According to the substitute breach notice published on the Health Quest website, the compromised information varied from patient to patient, but names and one or more of the following data elements may have been included:
Birth dates, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), Social Security numbers, provider name(s), treatment dates, treatment and diagnosis data, medical insurance plan member and group numbers, medical insurance claims data, financial account data with PIN/security code, and payment card data.
No evidence has been found that unauthorized persons viewed patient information, and no reports of misuse of patient data have been received. As a precaution, Health Quest mailed a further notification letter to patients on January 10, 2020.
As a result of the breach, Health Quest has implemented multi-factor authentication for email accounts, hardened its security systems, and given staff additional training on phishing and other cybersecurity concerns.
There is no definite statement of how many additional patients were affected by the breach. To date, the number of affected individuals listed on the HHS’ Office for Civil Rights breach portal remains 28,910.
by Maria Perez | Jan 15, 2020 | Compliance News
As of January 14, 2020, Microsoft no longer supports Windows 7, Windows Server 2008, and Windows Server 2008 R2 and will release no further patches for vulnerabilities in these operating systems. Office 2010 is also no longer supported.
Microsoft issued a final update for these operating systems on January 14, 2020 that fixes all known vulnerabilities, but it is only a matter of time before cybercriminals find new exploitable vulnerabilities to steal information and install malware.
Although Microsoft gave notice of the operating system’s end of life long ago, Windows 7 remained the second most used operating system after Windows 10. NetMarketShare reported that in December 2019, 33% of all desktop and laptop computers were running Windows 7.
Many healthcare companies continue to run Windows 7 on some devices. The continued use of those devices without support increases the risk of cyberattacks and, consequently, of a HIPAA Security Rule violation.
The obvious solution is to upgrade from Windows 7 to Windows 10, though that may not be easy. Besides buying licenses and updating the OS, hardware may also need upgrading, and certain applications may not run on newer operating systems. The upgrade is therefore a major task that could take considerable time.
If it is not possible to upgrade Windows 7 and Windows Server 2008 systems, steps must be taken to secure the devices and reduce both the likelihood of a compromise and the impact of a cyberattack.
To minimize the odds of a compromise, the following best practices should be observed:
Prevent Windows 7 devices from connecting to untrusted content. This means the devices should not be used for browsing the web or accessing email accounts. Avoid using removable media and portable storage devices with them as well.
Remove local administrator rights from all Windows 7 units and strengthen firewall protection. Don’t use the devices for accessing sensitive information, like protected health information (PHI). Transfer sensitive data found on the devices to devices using supported operating systems.
Malware infections are more likely on devices running unsupported operating systems. Be sure to install up-to-date anti-virus software, scan the devices for malware regularly, and monitor them for signs of attack.
Microsegmentation can help limit the damage in the event of a compromise. All devices running unsupported operating systems should be separated from other systems and permitted to connect only to the services they critically need. Remove their access to core servers and systems. Review and update business continuity plans to ensure that critical business operations can continue if a compromise occurs. Although extended support is very expensive, it is strongly advised.
These measures reduce risk, but they do not eliminate it. Organizations should therefore accelerate their plans to upgrade their operating systems and computer hardware. Using a supported OS is the only way to fully secure devices.
by Maria Perez | Jan 7, 2020 | Compliance News
The U.S. Department of Justice (DOJ) reported that a former employee of an unnamed New York City hospital has pleaded guilty to using malicious software to obtain the credentials of co-workers, which he then misused to steal sensitive data.
Richard Liriano, 33, of the Bronx, New York, was an IT employee at the hospital. He had administrative-level access to the hospital’s computer systems but abused those access rights and copied patient information onto his personal computer.
From 2013 to 2018, Liriano used a keylogger to capture the credentials of a number of hospital co-workers. Those credentials allowed him to access the co-workers’ PCs and web accounts and obtain sensitive data, including tax records, personal photos, videos, and other personal documents and files. He also used other malicious software to spy on his co-workers.
Liriano stole his co-workers’ login credentials for their private webmail accounts, social network accounts, and other web-based accounts. In addition, he gained access to hospital computer systems containing sensitive patient data. According to the DOJ, Liriano’s intrusions cost his employer close to $350,000 to remediate.
From 2013 to 2018, Liriano logged into his co-workers’ PCs and private accounts on multiple occasions in search of sensitive data. Most of his 70+ victims were women. According to the DOJ, Liriano searched their personal accounts for sexually explicit photographs and videos.
Liriano was arrested on November 14, 2019 after the intrusions were discovered. On December 20, 2019, he pleaded guilty to one count of transmitting software to a protected computer with the intent to cause damage.
Geoffrey S. Berman, the U.S. Attorney for the Southern District of New York, said that Liriano’s crimes did not merely violate the personal privacy of his co-workers; he also unlawfully logged into computers holding crucial healthcare and patient data, costing his former employer tens of thousands of dollars to repair. He will now be held accountable for his conduct.
Liriano is due to be sentenced on April 15, 2020 by U.S. District Judge Lewis A. Kaplan and faces a maximum prison term of 10 years.
by Maria Perez | Jan 2, 2020 | Compliance News
The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $65,000 financial penalty on West Georgia Ambulance, Inc. to settle multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).
OCR’s investigation of the Carroll County, GA ambulance company began after it received a breach notification, submitted on February 11, 2013, concerning the loss of an unencrypted laptop computer containing the protected health information (PHI) of 500 patients. The breach report stated that the laptop fell off the ambulance’s rear bumper and could not be recovered.
OCR’s investigation revealed longstanding noncompliance with several HIPAA Rules. West Georgia Ambulance was found to have violated the following:
- 45 C.F.R. § 164.308(a)(1)(ii)(A) for failure to conduct a complete, company-wide risk analysis
- 45 C.F.R. § 164.308(a)(5) for failing to provide its employees with a security awareness training program
- 45 C.F.R. § 164.316 for failing to implement HIPAA Security Rule policies and procedures
OCR provided technical assistance to West Georgia Ambulance to help the company address its compliance problems, but even with that support, OCR said the company took no meaningful steps to resolve its noncompliance. Consequently, OCR imposed a financial penalty.
In addition to paying the $65,000 financial penalty, West Georgia Ambulance must follow a corrective action plan to address all areas of noncompliance identified by OCR. For two years, West Georgia Ambulance’s HIPAA compliance program will be closely monitored by OCR to ensure it complies with the HIPAA Rules.
Patients using an ambulance’s services shouldn’t have any worries about the privacy and security of their medical information. All healthcare providers, whether big or small, should take their HIPAA responsibilities seriously.
This is the 10th HIPAA financial penalty OCR imposed in 2019. In total, OCR collected $12,274,000 in financial penalties to resolve noncompliance issues in 2019.
by Maria Perez | Dec 24, 2019 | Compliance News
The Centers for Medicare and Medicaid Services (CMS) has uncovered a bug in its Blue Button 2.0 API that affected the protected health information (PHI) of 10,000 Medicare beneficiaries. CMS has temporarily suspended the Blue Button API while an investigation and a detailed code analysis are in progress. There is no word yet on when the Blue Button 2.0 service will be available again.
On December 4, 2019, a third-party application partner notified CMS of a data anomaly connected to the Blue Button API. CMS confirmed the problem and promptly suspended system access while it investigated.
The anomaly was caused by a coding bug that allowed data to be shared with the wrong beneficiaries and Blue Button 2.0 apps. CMS stated that the bug affected 30 applications. Medicare beneficiaries use the Blue Button platform to authorize third-party apps and services to access their claims data. A CMS identity management system generates a random, unique user ID and ensures that the correct beneficiary’s claims data is shared with the appropriate third-party apps. CMS discovered that a coding bug in Blue Button 2.0 truncated the 128-bit user ID to a 96-bit user ID. Because the 96-bit user ID lacked sufficient randomness, several beneficiaries ended up with the same truncated user ID. As a result, the claims information of beneficiaries who shared a truncated user ID in the identity management system was disclosed to other beneficiaries and applications through Blue Button 2.0.
Initially, it was not clear how the bug was introduced or why it was not identified quickly enough to prevent the exposure of sensitive beneficiary information.
The investigation findings hold three lessons, concerning testing, code reviews, and cross-team collaboration.
According to the CMS investigation, the bug was introduced on January 11, 2018. Code changes are usually reviewed thoroughly, but no detailed review took place in January. Had a review been done, CMS would most likely have discovered and fixed the bug before any sensitive data was shared.
CMS tests Blue Button 2.0 with synthetic data to validate functionality and ensure no PHI is put at risk. In this case, the integration of Blue Button 2.0 with other programs was not tested; it was integrated with the identity management system without testing.
CMS notes that a separate identity management team maintains the code that generates the user ID token. The Blue Button 2.0 team assumed the token worked correctly and did not validate it. Had the two teams collaborated more closely, they would have had the information needed to make sound decisions.
CMS has already taken steps to prevent further errors. An improved check and verification process is now in place, and the Blue Button 2.0 team is thoroughly reviewing all new code to identify and correct coding errors before changes go live. Blue Button 2.0 will no longer truncate user IDs and will keep the complete user IDs.
A full platform and code review is underway, and the API will remain unavailable until it is complete. CMS is also conducting a comprehensive assessment to determine the likely impact on Medicare beneficiaries and decide what further steps are needed to protect their data, including providing credit monitoring services.
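As an added illustration of the truncation failure and of the check a pre-release integration test could have run (example code written for this page, not CMS’s Blue Button 2.0 code; the page does not describe the real token format, so the 96-bit-prefix ID layout and the choice to keep the high bits are constructed assumptions), the following Python groups IDs by their truncated value to find beneficiaries whose data would be cross-shared, and applies the birthday bound to show that genuinely random 96-bit IDs would not collide across the Medicare population, so collisions mean the discarded bits were the ones carrying the randomness:

```python
import math
import random
from collections import defaultdict

FULL_BITS = 128
TRUNCATED_BITS = 96   # width the buggy code reduced the ID to, per the article


def truncate_id(user_id, keep_bits=TRUNCATED_BITS):
    """Reduce a 128-bit ID to keep_bits by discarding the low bits.
    The page does not say which end of the ID CMS's code dropped, so keeping
    the high bits is this example's assumption."""
    if not 0 <= user_id < (1 << FULL_BITS):
        raise ValueError("user_id must be a 128-bit unsigned value")
    return user_id >> (FULL_BITS - keep_bits)


def find_collisions(full_ids):
    """Group full IDs by their truncated value and return only the groups with
    more than one member: these are the beneficiaries whose claims data would
    be cross-shared. An empty result means the mapping is injective over this
    population, which is the check a pre-release integration test could run."""
    buckets = defaultdict(list)
    for fid in full_ids:
        buckets[truncate_id(fid)].append(fid)
    return {t: ids for t, ids in buckets.items() if len(ids) > 1}


def collision_probability(n, random_bits):
    """Birthday bound: probability that n uniformly random values of
    random_bits bits contain at least one duplicate, 1 - exp(-n(n-1)/2^(b+1))."""
    return 1.0 - math.exp(-n * (n - 1) / 2.0 ** (random_bits + 1))


def prefix_heavy_ids(n, seed=7):
    """Constructed sample layout (not CMS's real token format): a 96-bit
    constant shared by every ID, with all the randomness in the low 32 bits.
    Truncating to the high 96 bits discards exactly the distinguishing part."""
    rng = random.Random(seed)
    prefix = 0x0123456789ABCDEF00112233          # 96-bit constant, constructed
    return [(prefix << 32) | rng.getrandbits(32) for _ in range(n)]


def uniform_ids(n, seed=7):
    """Constructed control sample: IDs uniformly random across all 128 bits,
    so the high 96 bits still carry plenty of entropy after truncation."""
    rng = random.Random(seed)
    return [rng.getrandbits(FULL_BITS) for _ in range(n)]


if __name__ == "__main__":
    print("prefix-heavy collisions:", len(find_collisions(prefix_heavy_ids(1000))))
    print("uniform collisions:", len(find_collisions(uniform_ids(1000))))
    print("P(collision), 60M random 96-bit IDs: %.2e" % collision_probability(60_000_000, 96))
```

With the constructed prefix-heavy layout every ID collapses to one truncated value, while 60 million truly random 96-bit IDs have a collision probability around 1e-14, which is why a collision should have been treated as a sign that the truncated field was not random at all.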