Data breach at North Ottowa Medical Group

July 24th, 2016 by admin No comments »

North Ottowa Medical Group suffered data breach along with many other healthcare facilities due to hacking incident at Bizmatics, an EHR vendor. Bizmatics notified Michigan-based medical group  about the data breach. It mentioned unauthorised user access of its server, but didn’t confirm whether North Ottawa Medical Group data was accessed or not. hacking

According to the reports, about 22,000 individuals were affected by the healthcare data security event. Possible affected data relates to patients at the medical group’s employed physician practices, including the internal medicine, family practice, and women’s health offices.Disclosed information included names, addresses, health visit information, treatments, health insurance information, and Social Security numbers. The incident may have also exposed the last four digits of a credit card number for some patients.

The medical center mentioned that an independent cyber forensics firm, hired by Bizmatics, is working with the vendor. Also, law enforcement officials conducted a criminal investigation.

“These investigations found that there was no reason to believe patient files were the target of the attack,” the press release stated. “Further, investigators could not conclusively determine if there was, in fact, a PHI breach at all.”

North Ottowa Medical Center has notified affected individuals and the Department of Health and Human Services of the incident. Complimentary identity recovery assistance services for a year is also setup.

According to the website:

Nonetheless, out of an abundance of caution, NOCHS has reported this incident to the Department of Health and Human Services (DHHS), and is treating the situation as though an actual breach occurred. Therefore, in accordance with HIPAA law NOCHS has notified DHHS, NOMG patients, and by way of this news release, the community. NOMG patients will also receive identity recovery assistance services for a year, at no cost.

The North Ottawa Medical Group doctors, physician assistants and nurse practitioners work directly for and within the North Ottawa Community Health System and your community hospital. Our mission is to develop a personal, long-term relationship with you, as well as be our community’s most trusted, local partner in creating a healthier future for all.


Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

AK healthcare data breach

July 22nd, 2016 by admin No comments »

Hacking incident at Bizmatics has led to many healthcare data breaches. AK healthcare organization has  reported another data breach due to Bizmatics EHR breach. Medical record information exposed included names, addresses, dates of birth, insurance information, Social Security numbers, and clinical documentation.hacking

Bizmatics has alerted the healthcare organization about the hacking incident and possible data breach. Arkansas Spine and Pain mentioned that some of its patient files were viewed unauthorizedly.

Pain mentioned that the intruders accessed vendor’s system by installing malware. Bizmatics could not confirm if any of the healthcare organization’s EHR files were accessed by the hackers. Facility has notified all potentially affected individuals.

AK healthcare added that Bizmatics was “taking steps to further strengthen its defenses against cyberattacks, including hardening its firewall and network configurations.”

“We have also been assured by Bizmatics that they are committed to ensuring its systems are as secure as they can be in our current environment,” the statement explained.

Earlier Bizmatics has notified many other healthcare providers of potential EHR breaches after hackers accessed its servers containing medical records. One such example include Florida-based Southeast Eye Institute, PA. It has contacted over 87,000 patients of a possible healthcare data breach. Integrated Health Solutions in Pennsylvania also suffered data breach.

According to the website:

Arkansas Spine and Pain (ASAP) is Central Arkansas’ leading program for the management, treatment and rehabilitation for spine and pain relief and sports-related injuries.At Arkansas Spine and Pain we consider the whole person and their family when treating the pain. Pain Clinic staff work with other health care professionals, physical therapists, family physicians and services that might be needed such as social workers, hospice, home care agencies, behavioral health specialists to assist with modification of life styles and to encourage retaining and regaining maximum quality of life.


Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

TX clinic data breach

July 20th, 2016 by admin No comments »

The Midland Women’s Clinic in Texas have suffered a PHI breach after a former physician left patient information at his private residence. According to the reports, Mario M. Gross, MD may have made some patient information accessible to unauthorized parties.

Affected information included names and addresses as well as some healthcare data, such as dates of birth, account numbers, diagnoses, medications, procedures, and physician notes. In some cases, patients may have also had their Social Security and Medicare and/or Medicaid numbers disclosed by the incident, reported Midland Women’s Clinic. data theft

As per The Office of Civil Rights(OCR),  717 patients were affected by the incident.

The patient records were secured after facility knew about the incident. It has also launched an internal investigation to identify affected individuals.It has also implemented additional data security measures to stop future incidents.

“The Clinic has reviewed and modified its policies and procedures to prevent future incidents, educated its medical staff about the incident and tasked them with reviewing and updating their own controls over patient records, and reminded its workforce about the rules and procedures for protecting patient records,” stated the press release.

According to the statement:

Midland Women’s Clinic is proactively reaching out to impacted patients to provide guidance on how they can protect themselves.   Impacted patients will be notified shortly by mail.  Impacted patients can also call.

Midland Women’s Clinic announced that it is currently investigating a security incident involving certain patients’ personal information. The Clinic is providing notice to individuals who may have been affected by the incident.  The Clinic regrets any inconvenience or concern this incident may cause.

About Midland Women’s Clinic

Established in 1951, Midland Women’s Clinic is dedicated to providing the highest quality of women’s health services and comprehensive gynecology and obstetric care for every stage of life.  Midland Women’s Clinic has been and continues to be a model for collaborative medical excellence for OB‐GYN care in Midland.


Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Planned Parenthood data breach

July 18th, 2016 by admin No comments »

Around 2,506 patients were affected after paper records were exposed during the closure of a healthcare center in Iowa. The incident at Planned Parenthood of the Heartland has resulted into possible healthcare data breach. NetworkOperations

According to the reports, patients at the Dubuque location who were treated between August 2008 and April 2014 had their PHI accessed by an unauthorized entity following the closure and sale of the healthcare center. Affected information included names, dates of birth, mailing addresses, insurance information, Social Security numbers, medical record numbers, diagnoses, treatments, and lab results.

The healthcare system has mentioned that it had secured the records. Also, measures are implemented to ensure that patient privacy and confidentiality is being protected.

“PPHeartland’s [Planned Parenthood of the Heartland] standard policy is to conduct ongoing security audits—which already far surpass state and federal regulatory standards—to ensure we remain true to our commitment to patient privacy,” Chief Clinical Officer Penny Dickey said in a statement.

“We have conducted a rigorous review of our processes and revised our facilities relocation protocols. All staff responsible for facility relocation have been apprised of these modifications.”

All affected individuals were notified about the incident.

“PPHeartland is dedicated to securing and maintaining our patients’ trust; this incident is in no way representative of PPHeartland’s stringent privacy standards,” added Dickey. “We will continue to strive toward the highest quality patient care, including stringent confidentiality standards, at all of our health centers.”

According to the statement:

Planned Parenthood of the Heartland (PPHeartland) has served women and men of all ages since the 1930s. Today the organization offers a full range of quality reproductive health care services to residents in Arkansas, Iowa, Nebraska and eastern Oklahoma through 17 health centers and Education Resource Centers in Des Moines, Lincoln and Omaha.

Planned Parenthood is the nation’s leading provider and advocate of high-quality, affordable health care for women, men, and young people, as well as the nation’s largest provider of sex education. With approximately 700 health centers across the country, Planned Parenthood organizations serve all patients with care and compassion, with respect and without judgment. Through health centers, programs in schools and communities, and online resources, Planned Parenthood is a trusted source of reliable health information that allows people to make informed health decisions. We do all this because we care passionately about helping people lead healthier lives.


Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Application Security Improvement

July 15th, 2016 by admin No comments »

The average organization uses and implements around 229,000 open source components for developing software. The research was conducted by Sonatype, a provider of software development lifecycle solutions. It manages a central repository of these components for the Java development community. According to the survey, Thirty one billion requests for downloads from the repository in 2015 was made as compared to 17 billion in 2014. 19

The number “blows people’s minds,” said Derek Weeks, a VP and DevOps advocate at Sonatype. “The perspective of the application security professional or DevOps security professional or open source governance professional is, ‘This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.”

Firm also found certain application security issues related to the use of open source components.

“The application security professional’s usual response to that is ‘that doesn’t mean those vulnerabilities ended up in our applications.’ But when we looked across 25,000 applications we saw an average of 6.8 percent of components across those apps had at least one known vulnerability,” Weeks said. “That tells me that from the beginning of the software supply chain to the end products developed through these supply chains, there isn’t enough control.”

Weeks said that the study was conducted to educate and increase awareness around the massive consumption of open source components.

“By revealing this information, we think we can help change people’s behavior around how they think about and use open source components in wiser, more efficient and safer ways,” he said.

One can also use supply chain best practices to improve application security. Example includes building in quality as early as possible by sourcing fewer and better components.

“From an application security perspective if you are a CISO that has 2,000 developers individually sourcing components, it is very difficult to audit, protect and maintain your organization. If you limit the number of places where components can come in, you can ensure you know what is coming in and can use the opportunity to vet it,” he said. “This is a fundamental supply chain best practice. Toyota has hundreds of thousands of employees but not hundreds of thousands of employees in procurement; the number of employees that is vetting the components in their products is fairly small.”

Weeks also mentioned that managing and vetting open source components is further complicated by the fact there are repositories for different development languages, including PHP, Python and Ruby.

Weeks explained. “You might say, ‘You can’t use any component with a CVSS Level 10 vulnerability anywhere in our organization.’ Your solution can automatically check for that and notify the developer. It’s like a food label on a product on the grocery shelf; it can help make a decision as to whether a component complies with the organization’s standards.”


Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Securing data from departing employees

July 14th, 2016 by admin No comments »

Employees after leaving a company can take sensitive data with them intentionally or unintentionally. The harm caused by such incidents are huge. Consider example of an employee of the FDIC who exposed 44,000 FDIC customers’ personal information. She had downloaded the data to her personal storage device. More such data breaches can be found across the industry. data data

According to the survey by Veriato, a provider of employee monitoring software, third of participants believe they own or share ownership of the corporate data they work on and more than half feel it’s fine to take corporate data with them when they leave a job.

“The potential damage from even one employee taking confidential and proprietary customer data, software code or login credentials with them to a new job, especially with a competitor, is astronomical,” Veriato COO Mike Tierney said at the time.

Companies can potentially defuse such data threats.

It’s crucial to focus on what really matters in protecting sensitive data, said AvePoint product analyst Ben Oster. “You can have all these policies in place, but if HR lets somebody walk over and plug in a USB drive after they’ve been let go, it doesn’t matter,” he said.

Oster provided the example. “She plugged her drive in and just copied a folder that she thought was her information, and it turns out it wasn’t. The issue is not that she was able to copy that data; the issue is that that data existed outside of anyone’s knowledge of where it was.”

“If we can’t actually break down how to discover it or classify it, we can’t start to put things in place that say, ‘You can’t take this document,’ because we don’t know what’s in it.”

“You really need to get in there and figure out what that is, because if you don’t, you’re going to see things get even fuzzier,” he said.

Companies can take holistic approach to data loss prevention. Michela Menting, research director at ABI Research mentioned that the good data loss prevention (DLP) solution can be key to protecting your data.

“DLP systems act as enforcers of data security policies by performing deep content inspection and a contextual security analysis of transactions,” Menting said. “They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of confidential information.”

AvePoint’s Oster mentioned that the strong security awareness training program can help to great extent.

“As consumers and employees, we need to be more aware of what we’re doing with data, what that content actually means, and what the privacy and compliance implications are of everything we touch on a daily basis,” he said.

Encryption is the key to the problem. One can start encrypting the content with relevant softwares.

“If you’re encrypting every single piece of information everywhere, the workload becomes larger, it becomes harder for your end users to use that data, and you’re actually more likely to drive them onto a system that’s not under your control,” Oster said.

And once employees start saving corporate data to their own Dropbox or OneDrive, you’ve lost track of it. “So while encryption can protect the data when it’s in motion or at rest, anything that makes it harder for your end users to get their jobs done likely pushes them toward a solution that you don’t want,” Oster said.

“We saw a case once where a company terminated an employee, and then HR walked them back and let them plug in a USB drive — and they promptly took 20 GB worth of information,” Oster said. “It doesn’t matter how good your information security is if HR is letting them do that.”


Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Fake nursing license and data breach

July 12th, 2016 by admin No comments »

California-based medical centre suffered potential data breach after one of its former healthcare care manager was going by a fake name and had a falsified nursing license. Mercy Medical Center Redding, a Dignity Health organization came to know about the data breach when notified by its business associate, naviHealth that patient information was accessed inappropriately. The medical center takes help of naviHealth to help carry out patient support after an individual leaves the medical center. 1414

Former case manager had been working under a fake name and nursing license during the period of June 2015 to May 2016. As part of job responsibility, the individual had access to patient information which included standard clinical information, patient data, and health insurance account information. naviHealth terminated the employee and his computer access after discovering the breach and contacted law enforcement officials.Around 520 individuals were affected by the incident.

Affected information included certain PHI, such as names, addresses, phone numbers, Social Security numbers, dates of birth, emails, medical record numbers, account numbers, and dates of medical services exposed. The former employee may have also accessed diagnoses, lab results, medications, dates of treatment, provider notes, group health plan numbers, and member IDs for some patients.

After the incident, naviHealth has reviewed all calls made by the former case manager to ensure content and clinical accuracy. Verification of nursing licenses and identifications for all its employees were carried out along with implementation of more thorough screening process for potential employees. All affected individuals were notified about the incident and provided resources on identity theft protection.

According to the statement, “As a precaution, you can contact any one of three major credit bureaus and have a “fraud alert” placed on your credit file. A fraud alert lets creditors know to contact you before new accounts are opened in your name. You will also be automatically sent copies of your current credit files.”


Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Data breach at Veterans Affairs Medical Center

July 8th, 2016 by admin No comments »

The Veterans Affairs Medical Center in Washington DC recently suffered possible data breach after an alleged theft incident. Facility has notified 1,062 individuals according to the OCR’s website. Affected information included personal information on veterans, first and last names as well as full and partial Social Security protection

“The Washington DC Veterans Affairs Medical Center realizes the importance of safeguarding Veterans privacy and personal information. Accordingly, the medical center is taking concerted steps to inform affected Veterans of a recent potential breach of privacy information.”

The Department of Veterans Affairs mentioned that it got information of missing controlled substance monthly report on March 31. All affected individuals are notified through mailed correspondence. It also included instructions on credit monitoring and methods for protecting privacy. It also stated that “appropriate actions are being taken to protect their [affected veterans] identities.”

“The Washington DC Veterans Affairs Medical Center takes matters such as this very seriously and has implemented new procedures to reduce the possibility of this type of incident in the future,” explained the statement.


According to the website:

We provide specialized services and care for Veterans such as: invasive and noninvasive cardiology, home based primary care, women’s health, MRI, PET/CT center, interventional radiology, renal care, trauma services, nutritional services, homeless outreach, compensated work therapy, substance abuse treatment, recreation therapy, and alternative therapies as well as a wide variety of Telehealth services. The DC VA Medical Center is also home to the Integrative Health and Wellness (IHW) Program, a patient-centered program that offers services such as acupuncture, yoga, meditation, nutrition and health education, massage, qigong, and t’ai chi.


Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.