Archive for March, 2015

Potential PHI exposure due to phishing scam

March 29th, 2015

Children National Health System (Children’s National) employees fell victim to phishing scam which led to potential PHI breach for some patients. According to the reports, hackers could have gained access to PHI from the employee’s email account. The affected information includes names, addresses, dates of birth, and telephone numbers. Moreover, clinical information such as diagnoses, treatment received, medical record numbers, medical service codes or health insurance information, were also potentially accessed. Few records also included Social Security Numbers.

“We reported the phishing attack to federal law enforcement and continue to work with them in their investigation,” the statement read. “Importantly, neither patient charts nor our electronic medical records system were compromised. Only the discrete information contained in the email accounts was potentially affected.”

After the incident, the company is training the employees to handle the suspicious emails. The facility has enhanced its existing technical safeguards and a review of systems is underway.

According to the statement:

We have no evidence that this information in the emails has been misused or even accessed. However, in an abundance of caution, we began sending letters to affected patients on February 24, 2015, and have established a dedicated call center to answer questions patients may have.

We recommend that affected patients regularly review the explanation of benefits statement that they receive from their health insurer. If you identify services listed on your explanation of benefits that you did not receive, please immediately contact your insurer.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

HIPAA Compliance and the Cloud

March 26th, 2015

HIPAA compliance is becoming an important topic with the rise of Cloud usage. It is important to secure the patients’ data because there are vulnerabilities in cloud storage. The HIPAA Omnibus Rule had made several changes in terms of handling patient’s data. Now, cloud service providers are considered as business associates and remain accountable in case of breach.

According to the HIPAA rule, patients’ privacy is protected, regardless of where it is being stored which includes cloud storage option.

“For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”

The Center for Democracy and Technology (CDT) has published Frequently Asked Questions (FAQs) about the Omnibus Rule.

“The obligations of a business associate depend on the extent of services and functions it is performing with PHI on behalf of a covered entity,” the CDT paper states. “A CSP that has no capability to access PHI, that provides storage functionality only, and that adheres to HHS standards with respect to encryption should have little liability risk as a business associate (except to ensure that it properly manages encryption).”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Healthcare Data Breaches and Patients

March 23rd, 2015

Healthcare breaches affect hospitals and patients alike, says survey by TransUnion. The organization can face huge penalties from the Department of Health and Human Services (HHS) due to data breach. The lost personal information takes time to recover and leads to loss of trust.

According to the recent survey, healthcare data breaches can also push patients away from the affected organization. TransUnion conducted an online survey of around 1200 US adults who received medical care.

“The hours and days immediately following a data breach are crucial for consumers’ perceptions of a healthcare provider,” TransUnion Healthcare President Gerry McCarthy said in a statement. “With the right tools, hospitals and providers can quickly notify consumers of a breach, and change consumer sentiments toward their brand.”

According to the survey-

  • Sixty-five percent of surveyed adults said that they would avoid providers that experience a healthcare data breach
  • Forty-six percent of those surveyed said they expect a notification within one day of the breach
  • Thirty-one percent said that they expect to receive a response or notification within one to three days
  • Seventy-three percent of patients ages 18 to 34 said they were likely to switch healthcare providers after a data breach

“Older consumers may have long-standing loyalties to their current doctors, making them less likely to seek a new health care provider following a data breach,” McCarthy said. “However, younger patients are far more likely to at least consider moving to a new provider if there is a data breach. With more than 80 million millennials recently entering the healthcare market, providers that are not armed with the proper tools to protect and recover from data breaches run the risk of losing potentially long-term customers.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Florida Hospital Employees compromise Patient PHI

March 21st, 2015

Two employees are terminated allegedly for printing documents which contained patients’ information. According to the Florida hospital, it was outside their normal job routines.  The affected count is 9000 patients. The employees printed patient facesheets, which are summary cover sheet to a patient’s medical record.

The affected information includes patients’ names, addresses, Social Security numbers, phone numbers, emergency contact information, health insurance information and certain health information such as physician names and diagnoses.

The incident affected below hospitals:

  • Florida Hospital Orlando
  • Florida Hospital Altamonte
  • Florida Hospital Apopka
  • Florida Hospital East Orlando
  • Florida Hospital Kissimmee
  • Celebration Health
  • Winter Park Memorial Hospital
  • Walt Disney Pavilion at Florida Hospital for Children

“This incident should not be a reflection of the collective workforce at Florida Hospital, who work tirelessly to provide the highest quality of care and protect patients’ rights,” Florida Hospital spokeswoman Samantha Kearns O’Lenick told the news source.

Florida hospital mentioned that till now there is no evidence of information being misused. Hospital has set up a dedicated call center to answer individual’s questions or concerns.

“We deeply apologize for the inconvenience this may cause our patients,” the statement read. “Rest assured, we investigated the matter internally and have taken measures to ensure this type of incident does not occur again by continuing to enhance security safeguards and reinforcing education with our staff on the importance of handling patient information.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Sacred Heart Health Systems suffers billing data breach

March 19th, 2015

Florida facility of Sacred Heart Health Systems suffered data breach when its third party vendor experienced email hack. The affected information includes patient names, dates of service, dates of birth, diagnoses and procedures, billing account numbers, total charges, and physician names. Along with above information, 40 patients’ Social Security numbers were also compromised.

“Upon notice of the incident, Sacred Heart, in cooperation with our billing vendor, immediately launched a thorough investigation into the matter,” according to the company statement. “Sacred Heart engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected e-mail account.”

According to the reports, third party billing vendor employee’s e-mail username and password were compromised because of this incident. The Facility is trying to solve the loopholes in the email system to avoid such incidents in the future. It is working with email service provider to evaluate how to enhance its “already robust security program.”

According to the statement, Sacred Heart said that it will offer complimentary identity monitoring and protection services for patients whose Social Security number was affected. As soon as the incident came to notice, the access of employee username and password were immediately shut down.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

 

Missing encrypted devices leads to data breach

March 17th, 2015

Home health and hospice company Amedisys suffered data breach when its encrypted devices which consisted of computers and laptops went missing. Amedisys failed to find near about 142 devices. The incident came to notice when risk management process was conducted. The devices were assigned to Amedisys clinicians and other team members who left the company between 2011 and 2014.

The compromised information includes names, addresses, Social Security numbers, dates of birth, insurance ID numbers, medical records and other personally identifiable data.

“The confidentiality and security of patient information has been and will remain a top priority for Amedisys,” Chief Compliance Officer at Amedisys Chief Compliance Officer Jeffrey Jeter explained. “We have worked actively with leading risk management and technology experts to inventory and assess devices that may contain personal or health information and ensure the integrity of our information security systems.”

Amedisys explained the situation on its website statement.

“All of the computers were encrypted, and the vast majority of them were used by licensed Amedisys clinicians to provide care for patients in their homes,” Amedisys stated, adding that it has not been able to rule out “unauthorized access to patient data.”

According to the statement:

We have received no reports of any hacking, fraud, or identity theft. However, as required by law and out of an abundance of caution for our patients, we are providing notice to all patients whose information was on devices because we cannot rule out unauthorized access to patient data on the devices.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Malware hits Advantage dental database

March 13th, 2015

Oregon based Advantage Dental suffered data breach when its internal database was attacked by malware. The unauthorized access affected 151,626 Advantage patients. The compromised information includes names, dates of birth, phone numbers, Social Security numbers, and home addresses. According to the reports, treatment, payment, and other financial data were not accessed.

“Since terminating the illegal access, Advantage has been reviewing and improving its safeguards, implemented mitigation steps to prevent further access and has been working with law enforcement to properly determine the scope of the incident and any additional steps that might be required,” the statement read. “At this time, Advantage has no indication that the stolen information has been used for criminal activity, to include identity theft.”

Advantage Compliance Manager Jeff Dover told that the theft happened after the malware accessed an Advantage employee’s computer. Username and password that allows access to the membership database was stolen from there. This is a separate database from the one that contains financial and treatment information.

“Unfortunately this happened,” Dover said, adding that Advantage computers are equipped with anti-virus software, but sometimes new variations of a virus are not detected. “What you can do is be as transparent as you can, take responsibility for it, learn from it and then move on.”

After this incident, Advantage is no longer allowing access to its internal patient database from computers that are not within company clinics or its Redmond headquarters.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

11M affected by Premera Health data breach

March 11th, 2015

Sophisticated cyber attack on Premera Blue Cross leads to health data breach affecting 11 million individuals. Company discovered data breach on Jan 29, 2015. Affected entities involve Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and the health insurer’s affiliate brands Vivacity and Connexion Insurance Solutions, Inc. Also, members of other Blue Cross Blue Shield plans who sought treatment in Washington or Alaska were also affected by the cyber attack.

The breached information includes Applicants and members’ names, dates of birth, email addresses, addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, including clinical information.

“Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected,” according to the Premera statement. “The investigation has not determined that any such data was removed from our systems.  We also have no evidence to date that such data has been used inappropriately.”

According to the statement, letters will be sent to affected individuals, and two years of free credit monitoring and identity protection services will also be offered to those applicants and members.

“As much as possible, we want to make this event our burden, not yours, by making services available to protect you and your information moving forward,” Roe said. “All of us here at Premera have been affected by this attack and we understand and share your concerns. Please know that we’re committed to making sure you get the tools and assistance you need to help protect you.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

PHI breach due to break in

March 9th, 2015

Mosaic Medical may have suffered data breach when PHI got exposed due to break-in. The incident took place at a temporary office location for the facility’s Bend, Oregon location. Mosaic is not sure whether the medical record got accessed or not because at prima facie nothing appears to be stolen.

“The personal information that was possibly accessed was on paper documents within the office and included health information, medical insurance information, phone number, and e-mail addresses,” Mosaic said in a statement, according to local news station KTVZ. “A report was filed with the Bend Police Department and they have investigated the break-in.”

Mosiac Medical discovered that a break-in happened at night. According to the reports, the facility has taken steps like moving its HIT office to secure more information. Also, affected patients have been notified via letters.

“We understand the importance of safeguarding our patients’ personal information and take that responsibility very seriously,” Mosaic Medical Chief Operating Officer Allison McCormick said in the statement. “We will do all we can to work with our patients whose personal information may have been compromised.  We regret that this incident occurred, and we are committed to preventing future occurrences.”

Mosaic Medical is a local nonprofit community health center system with primary care clinics in Prineville, Bend, Madras and Redmond.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Online application glitch may lead to data breach

March 7th, 2015

A nonprofit organization, Painted Turtle based in California which runs a camp for children with life-threatening diseases and their families free of charge suffered data breach when some personal information may have been exposed because of online application glitch.

The affected information includes names, addresses, Social Security numbers, driver’s license numbers, personal medical information, and employment information.An error in the database of the painted Turtle’s online application server for campers and volunteers caused the data breach. Bank account and credit card information were not present on the server.

“We immediately brought the database offline to prevent anyone from being able to access your records,” Maher wrote. “Also, in an effort to prevent similar data breaches in the future, before bringing the system back online we updated our database’s code to prevent the issue from occurring again.”

According to the statement on the website:

Your information would not have been viewable unless a specific chain of events occurred.

Specifically: (1) you would have had to identify someone as a Reference in your application in 2013–2014, and (2) that person would have had to begin filling out an application as well, and (3) while that person’s application (and your application) was still pending, (4) they would have had to access their pending application and click “show related profiles” and your name. Again, your information would not have been accessible to anyone outside of the persons you listed as References in your application.

We became aware of this issue on January 12, 2015. As soon as this error was brought to our attention, we began taking steps to address and mitigate the risk to you. We immediately brought the database offline to prevent anyone from being able to access your records.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.