Maria Perez
Maria is an experienced writer, providing content for Healthcare Industry News since 2021. Working as a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Dec 17, 2019 | Compliance News
Truman Medical Centers in Kansas City, MO, the city’s largest inpatient and outpatient services provider, has discovered that an unencrypted laptop computer containing the protected health information (PHI) of 114,466 patients was stolen from an employee’s vehicle.
The laptop was password-protected; however, the password could be cracked and the information on the device accessed. At the time the notices were issued, Truman Medical Centers had found no evidence that an unauthorized person had accessed or misused any patient data.
The information on the laptop varied by patient, but may have included patient names along with at least one of the following: birth dates, patient account numbers, Social Security numbers, medical record numbers, health insurance details, and some medical and treatment data, including dates of service, diagnoses, and provider names.
The theft occurred on July 18, 2019; however, it was only confirmed on October 29, 2019 that the device contained patient data. Truman Medical Centers has notified by mail all individuals whose PHI was stored on the laptop. Those whose Social Security numbers were potentially compromised have been offered free credit monitoring and identity protection services.
Employees received additional training on portable device security, and additional security controls were installed on employee laptops.
Theft of Blackberry Containing the PHI of 2,477 La Clínica de La Raza, Inc. Patients
La Clínica de La Raza, Inc. provides primary health care and other services in Contra Costa, Alameda, and Solano counties in California. It recently disclosed the theft, on August 20, 2019, of a portable electronic device.
A briefcase stolen from an employee’s vehicle contained a Blackberry device issued by La Clínica de La Raza. With the help of a computer forensics firm, La Clínica de La Raza confirmed on October 16, 2019 that the device contained the PHI of 2,477 patients.
The data was contained in two email messages that were downloaded to the Blackberry device. The information in the emails included names, dates of birth, non-sensitive test data and medical record numbers.
Although it is possible that unauthorized individuals could have accessed the information, La Clínica de La Raza stated that accessing the PHI would have been difficult. La Clínica de La Raza notified the affected patients about the breach by mail on December 13, 2019 and offered them a free one-year membership to credit monitoring and identity protection services.
The company is also taking steps to strengthen the protection of portable electronic devices and has given employees additional training on portable device security.
by Maria Perez | Dec 11, 2019 | Compliance News
An IT company in Colorado that provides managed IT services to dental offices suffered a ransomware attack. Through the company’s systems, 100 other dental practices were also hit by ransomware.
The ransomware attack on Complete Technology Solutions (CTS), located in Englewood, CO, began on November 25, 2019. According to a KrebsOnSecurity report, CTS received a ransom demand of $700,000 for the decryption keys. The firm decided not to pay the ransom.
CTS accesses its dental office customers’ systems through a remote access tool. The attackers appear to have used that tool to gain access to the systems of CTS customers and deploy Sodinokibi ransomware on them.
Some of the dental practices affected by the attack recovered their data from backups, particularly those that kept a backup copy offsite. Several dental practices still have no access to their data or systems and are turning away patients as a result of the prolonged outages.
KrebsOnSecurity notes that some of those dental practices are attempting to negotiate with the attackers to obtain the keys to recover their data.
File recovery has been complicated by the use of multiple file extensions and ransom notes: paying the demanded ransom restored only some of the encrypted data, and recovering the rest required paying additional ransoms. Black Talon Security told KrebsOnSecurity of one dental practice that had 50 encrypted devices and received more than 20 ransom demands; several payments were made to retrieve its files.
A similar attack on the Wisconsin company PerCSoft led to ransomware infections at close to 400 dental offices in August 2019. PerCSoft provides digital data backup services to dental practices. The attackers also deployed Sodinokibi ransomware.
Ransomware gangs are increasingly targeting managed service providers. With a single attack on a managed service provider, attackers can hit many other organizations, which makes the attack far more profitable.
A recent Kaspersky Lab report noted that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it harder for victims to recover their files for free instead of paying the ransom.
The latest attack highlights the importance of backing up all critical files. At least one backup copy of data files should be stored securely off-site, on a non-networked device that is not connected to the internet.
by Maria Perez | Dec 3, 2019 | Compliance News
Some patients of Main Street Clinical Associates, PA, based in Durham, NC, have been notified of the likely compromise of their protected health information (PHI) after devices were stolen from the practice’s offices.
The theft occurred after Main Street employees evacuated the offices because of a dangerous gas explosion. On April 10, 2019, an adjoining building exploded and employees were instructed to leave. The evacuation was so urgent that employees left records and equipment on their desks and did not lock the room where patient records were kept. The property was substantially damaged, and nobody was permitted to enter the building until September 9, 2019. When employees returned to their workplaces, they found that burglars had stolen equipment including two laptop computers, a clinician’s mobile phone, and a printer containing patient data.
Main Street recently issued a press release saying that the laptop computers, the mobile phone and the files containing patient information were password-protected. However, the devices were not encrypted, so an unauthorized person could have accessed the patient data. The data on the devices included names, medical insurance information, diagnosis and treatment data, Social Security numbers, and driver’s license numbers.
To prevent further unauthorized access to patient data, Main Street has changed all passwords and is monitoring for attempts to misuse the devices. Patients affected by the breach were sent notification letters by mail. Since it is not possible to determine exactly which patients were affected, Main Street also informed several media outlets about the security breach.
Autopsy Pictures of Loyola Medicine Patients Stolen
Loyola Medicine of Maywood, IL, reported that a camera was stolen from Loyola University Medical Center. The camera stored the autopsy images of 18 deceased patients. The images of nine individuals are permanently lost because they had not yet been saved to the respective medical records.
The photos had not yet been saved to the hospital records system because the newly installed camera lacked the cable needed to connect it to the records system and upload the images, so the photos were stored only on the camera’s memory card.
A Loyola Medicine representative said that steps have been taken to prevent similar breaches. Employees received additional training, and physical security has been improved.
Loyola Medicine informed the patients’ families that the photos were lost and submitted a privacy breach report to the Department of Health and Human Services’ Office for Civil Rights.
by Maria Perez | Nov 27, 2019 | Compliance News
A misconfigured AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC exposed sensitive patient information. Sunshine Behavioral Health operates a network of drug and alcohol addiction rehabilitation centers based in San Juan Capistrano, CA.
Databreaches.net first received a report about the misconfigured AWS S3 storage bucket in August 2019. Databreaches.net contacted Sunshine Behavioral Health, and the addiction treatment provider promptly secured the bucket. Sunshine Behavioral Health has not reported the breach to the HHS’ Office for Civil Rights or mentioned it on its website, even though more than 60 days have passed since it became aware of the breach. The incident has also not been posted on the California Attorney General’s website.
Databreaches.net revisited the incident in November and found that some files remained exposed. Anyone with the URLs of the PDF files could view them in the bucket without needing a password. If the URLs had been harvested while the bucket was exposed, the PDF files of 93,000 patients have probably been accessed and downloaded.
According to Dissent, the number of PDF files does not correspond to 93,000 patients: some patients had several files, and many of the files were test results or templates. Dissent attempted to contact Sunshine Behavioral Health but received no reply, though the treatment center evidently read the email because the URLs are no longer accessible.
The exact number of patients affected, how long the files were exposed online, and which unauthorized individuals accessed the URLs are not known at this time. The files were mostly billing information containing full names, dates of birth, postal and email addresses, telephone numbers, credit card numbers with expiry dates and CVV codes, and health insurance information.
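The exposure described above is the classic pattern of an S3 bucket that lets the anonymous principal read objects, so anyone holding an object URL needs no credentials. As an added example (not code from the article or from Sunshine Behavioral Health), the Python below audits a bucket policy document for that grant and checks whether the bucket's Block Public Access settings are fully enabled, showing the weak policy beside a corrected one. The bucket name `example-billing-pdfs`, the role `billing-app` and the account ID `123456789012` are constructed placeholders; the Public Access Block key names are the real AWS setting names.

```python
import json

# Added example: audit an S3 bucket policy and the Block Public Access
# configuration for anonymous object reads. Bucket, role and account ID
# below are constructed placeholders, not values from the article.

# Actions that let a principal fetch objects. Short list used by this
# check, not an exhaustive one.
OBJECT_READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

# The four settings returned by GetPublicAccessBlock (real AWS names).
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal) -> set:
    """Flatten the Principal element ("*" or {"AWS": [...]}) into a set."""
    if principal is None:
        return set()
    if isinstance(principal, str):
        return {principal}
    out = set()
    for v in principal.values():
        out.update(_as_list(v))
    return out


def find_public_read_statements(policy: dict) -> list:
    """Return (Sid, has_condition) for Allow statements that grant object
    reads to the anonymous principal "*". A Condition may narrow the grant,
    so it is reported for review rather than silently accepted."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & OBJECT_READ_ACTIONS:
            continue
        hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits


def public_access_block_is_strict(config: dict) -> bool:
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(k) is True for k in PUBLIC_ACCESS_BLOCK_KEYS)


# Weak setting: anyone who knows an object URL can fetch it, no credentials.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-billing-pdfs/*"
  }]
}""")

# Corrected: reads limited to one IAM role, over TLS only.
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BillingAppRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-app"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-billing-pdfs/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}
  }]
}""")

LOOSE_PAB = {k: False for k in PUBLIC_ACCESS_BLOCK_KEYS}
STRICT_PAB = {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS}


def audit(policy: dict, pab: dict) -> dict:
    """Combine both checks into one finding record for a bucket."""
    return {
        "public_read_statements": find_public_read_statements(policy),
        "public_access_block_strict": public_access_block_is_strict(pab),
    }


if __name__ == "__main__":
    print("weak: ", audit(WEAK_POLICY, LOOSE_PAB))
    print("fixed:", audit(FIXED_POLICY, STRICT_PAB))
```

The policy check alone would miss objects made public through per-object ACLs, which is why the audit also insists on the strict Block Public Access configuration: with all four settings enabled, public ACLs are ignored and public bucket policies are rejected, closing both routes at once.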
by Maria Perez | Nov 20, 2019 | Compliance News
Greenbone Networks, a German vulnerability analysis and management platform provider, reported 60 days ago on the scale of the online exposure of medical images stored on Picture Archiving and Communication Systems (PACS) servers. In a new report, the company shows that the problem has worsened.
Healthcare providers use PACS servers to store medical images and share them with physicians for review. However, many healthcare providers do not adequately secure their PACS servers, so medical images (MRI, CT scans, X-rays), together with personally identifiable patient data, are exposed online. Anyone who knows where and how to look can find the files, access them and often download the medical images without authorization. The images are not accessible because of software vulnerabilities; access is possible because the systems and PACS servers are misconfigured.
From July to September 2019, Greenbone Networks worked to identify unsecured PACS servers worldwide, and the study revealed the scale of the problem. In the U.S., 13.7 million data sets were on unsecured PACS servers and 45.8 million of 303.1 million medical images were accessible.
On November 18, Greenbone Networks’ updated report showed that 1.19 billion medical images have now been identified globally, up 60% from the previous total of 737 million. The results of 35 million medical exams are exposed online, up from 24 million previously.
In the U.S., the researchers identified 21.8 million medical exam results and 786 million medical images. 114.5 million images were accessible from 15 systems that permit unsecured Web/FTP access and directory listing. On a single PACS, the researchers found 1.2 million exam results and 61 million medical images. The researchers were able to fully access the data, including the images and associated personally identifiable information.
In early November, Sen. Mark R. Warner expressed concern over the apparent lack of action by OCR regarding the exposed files. It appears that little is being done to secure the PACS servers and prevent further data exposure.
The data exposed with the images includes protected health information (PHI) such as names, birth dates, examination dates, the scope of the examinations, imaging techniques used, attending physicians’ names, scanning location, number of images, and Social Security numbers for 75% of the exposed images.
Data exposure leaves patients vulnerable to identity theft and fraud, but there are other risks. Security researchers have previously shown that the DICOM image format is flawed in a way that allows malicious code to be embedded: images could be downloaded, have malicious code inserted, and be uploaded back to the PACS without the data owner’s knowledge. The Greenbone Networks study investigated only read access, not image manipulation or upload.
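The DICOM weakness the article refers to comes from the file layout: a DICOM Part 10 file begins with a 128-byte preamble whose content the standard leaves unspecified, followed by the 4-byte magic "DICM", so the preamble can be made to carry the header of another file type. As an added example (not code from the article or from Greenbone Networks), the Python below is the check a PACS operator could run over stored studies to detect a preamble that starts with an executable signature or is otherwise non-zero and therefore deserves review. The file structure is the standard one; the executable-signature list is a short reviewer's list, and the sample files are constructed stand-ins, not real images.

```python
# Added example: flag DICOM Part 10 files whose 128-byte preamble has been
# repurposed. Layout assumed: 128-byte preamble, then the magic b"DICM".
# The sample files below are constructed stand-ins, not real studies.

PREAMBLE_LEN = 128
MAGIC = b"DICM"

# Executable-format signatures that have no business at offset 0 of a
# medical image. Short reviewer's list, not exhaustive.
EXECUTABLE_MAGICS = {
    b"MZ": "PE/DOS executable header",
    b"\x7fELF": "ELF header",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit)",
    b"\xfe\xed\xfa\xcf": "Mach-O (64-bit)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
}


def inspect_dicom_header(data: bytes) -> dict:
    """Classify the first 132 bytes of a file that claims to be DICOM.

    verdicts: 'not_dicom'        - no DICM magic at offset 128
              'polyglot_suspect' - preamble starts with an executable signature
              'review'           - preamble is non-zero but unrecognised
              'clean'            - preamble is all zero bytes
    """
    preamble = data[:PREAMBLE_LEN]
    is_dicom = data[PREAMBLE_LEN:PREAMBLE_LEN + len(MAGIC)] == MAGIC
    preamble_zero = preamble == b"\x00" * PREAMBLE_LEN
    executable_hint = next(
        (desc for sig, desc in EXECUTABLE_MAGICS.items() if preamble.startswith(sig)),
        None,
    )
    if not is_dicom:
        verdict = "not_dicom"
    elif executable_hint is not None:
        verdict = "polyglot_suspect"
    elif not preamble_zero:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "is_dicom": is_dicom,
        "preamble_zero": preamble_zero,
        "executable_hint": executable_hint,
        "verdict": verdict,
    }


def scan(named_blobs: dict) -> dict:
    """Map file name -> verdict for a batch of in-memory files."""
    return {name: inspect_dicom_header(blob)["verdict"] for name, blob in named_blobs.items()}


def _fake_dicom(preamble: bytes) -> bytes:
    """Constructed stand-in: padded preamble + magic + a placeholder body."""
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + MAGIC + b"\x02\x00\x10\x00UI\x00\x00"


# Constructed sample set: one clean header, one whose preamble begins with
# a PE signature (only the two magic bytes, not an executable), one with a
# non-zero but non-executable preamble, and one file that is not DICOM.
SAMPLE_FILES = {
    "ct_slice_001.dcm": _fake_dicom(b""),
    "ct_slice_002.dcm": _fake_dicom(b"MZ" + b"\x00" * 30),
    "tiff_style.dcm": _fake_dicom(b"II*\x00"),
    "not_an_image.dcm": b"\x89PNG\r\n\x1a\n" + b"\x00" * 200,
}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

Because the standard does not require a zero preamble, a non-zero preamble without an executable signature is reported as "review" rather than rejected outright; only a preamble that opens with a known executable header is treated as a polyglot suspect. Run on a PACS export, the scan gives an operator a short list of studies to quarantine and hash-compare against the modality's original before they are served to viewers.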
The images can be accessed and viewed using the RadiAnt DICOM Viewer, and information on setting up the viewer to display the images, including the viewer itself and lists of the IPs of the systems holding the images, is freely available online.
Greenbone Networks estimates that the exposed medical images and PHI are worth over $1 billion. The data could be used for various nefarious purposes, including social engineering and phishing, identity theft, and blackmail.
The data exposure violates the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and other data privacy and security regulations. It affects people in more than 52 countries.