Archive for May, 2016

Unauthorized access and data breach

May 31st, 2016

The Southeast Eye Institute, PA, also known as Eye Associates of Pinellas, recently suffered a possible healthcare data breach. The incident was the result of a hacking attack: an unauthorized party accessed patient files that were managed by a third-party vendor. According to the Office for Civil Rights (OCR) data breach portal, 87,314 individuals were affected.

“We have learned that Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began. Bizmatics has communicated to us that it believes the incident began in early 2015.”

Bizmatics Inc., an off-site vendor for Southeast Eye Institute, was attacked by hackers. Affected information included names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information. The practice reported that medical and financial information was not involved in the event.

Bizmatics Inc. said that patient information was segregated into several different files in order to strengthen healthcare data security. It did not say whether the hackers were able to combine the data, and it did not confirm which types of patient file were affected.

Southeast Eye Institute said that the affected patients include those who visited the facility on or before November 16, 2015.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

Southeast Eye Institute no longer works with Bizmatics Inc. Bizmatics Inc. has contacted the FBI and has hired a cybersecurity firm to improve its data security measures, which includes strengthening firewalls and network configurations.


Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Hacking incident and data breach

May 24th, 2016

Indiana-based Lafayette Pain Care PC recently suffered a probable data breach after an outside entity accessed some patients’ EHR data. According to the OCR data breach portal, around 7,500 individuals were affected by the possible PHI breach.

The statement said: “Lafayette Pain Care’s EHR management vendor experienced a hacking incident that could have resulted in some patient files being exposed to intruders.” The potential healthcare data breach affected multiple EHR systems across the country, the statement confirmed.

“All this said, our electronic medical records provider has informed us that it is not aware of any evidence that our patient records were in fact accessed or acquired by any unauthorized persons,” according to the website.

Lafayette Pain Care has notified affected individuals and has asked patients to monitor their credit accounts and to report any suspicious or inappropriate activity. It has also offered free credit monitoring services to affected and verified patients.

“We do recommend that our patients check with their local credit bureau or credit monitoring agency (such as TransUnion, Experian, or Equifax) for any unauthorized activity with their credit or identity. Patients can also utilize the site to review their credit report annually.”

“If any unauthorized activity is noted, it should be reported appropriately. We recommend that all persons receiving medical or surgical care regularly review their Explanation of Benefits forms to confirm the accuracy of included listed services.”

According to the statement:

Lafayette Pain Care is pleased to welcome new patients to our practice. As a valued customer of our practice, we maintain complete records on you to ensure that we can always communicate with you promptly, treat you in the most appropriate and effective manner, coordinate with your other doctors where needed, and ensure your care is paid for by insurance or other means.


Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Hacking incident and data breach

May 20th, 2016

Alcohol and substance abuse patients in San Juan County, New Mexico suffered a data breach due to a hacking incident. In its official statement, San Juan County said that an outside entity had gained access to a county-owned computer. The device contained PHI and was accessible to the hacker for half an hour. Affected information included names, addresses, health assessments, treatment information, and medication information.

Health information of participants in two treatment programs that collected PHI was viewed by the hackers. Both programs were created to help individuals in the criminal justice system whose cases relate to drunk driving or substance abuse violations; they support offenders in recovering from drug and alcohol addictions.

“We take your privacy and protection very seriously and we deeply regret that this incident occurred,” reported the notice. “We are now in the process of reviewing our internal policies and data-management protocols and will be implementing enhanced security measures to help prevent this type of incident from recurring in the future.”

According to the statement, no information other than that listed above was disclosed in the possible healthcare data breach.

“Upon learning of the incident, SJC immediately took steps to investigate the incident and to ensure that no additional information may have been put at risk. SJC completed a forensic computer investigation and has found no evidence that this information was accessed by the intruder or removed from the computer.”

Healthcare data security measures and patient privacy policies are being reviewed and improved following the incident.

SJC advised patients as follows:

Contact SJC at the phone number provided below. SJC will determine if your information was potentially affected. SJC can then provide complimentary identity repair and protection services, at no cost to you. 

Although financial account details were not affected by this incident, as a general precaution we recommend that you review your credit and debit card account statements as soon as possible to determine if there are any discrepancies or unusual activity listed.


Malware attack and Data Breach

May 19th, 2016

Michigan-based Complete Chiropractic and Bodywork Therapies may have suffered a data breach after its server was accessed by an unauthorized entity. According to the OCR’s data breach portal, around 4,082 individuals were affected by the incident.

According to the statement, an outside entity gained access to a server that stored PHI. The facility discovered the intrusion when the server malfunctioned; malware had subsequently infected its systems. The malware probably scanned the systems to harvest login and password information. Affected information includes patient data such as treatment, billing and EHR information.

“Out of an abundance of caution, we notified all affected patients, offered them one-year of free identity theft protection through LifeLock, and provided them with recommended actions they can take to protect their information from identity theft. For example, we recommend that any affected patients obtain their credit reports from one or more of the major credit reporting agencies, and monitor financial and bank accounts for unauthorized activity.”

PHI held in the EHR systems, which includes names, dates of birth, addresses, Social Security numbers, health information, and diagnosis information, was reportedly encrypted and thus was not breached.

“However, there is no indication that this information was actually taken or inappropriately used – only that there was an opportunity for the same,” explained Complete Chiropractic and Bodywork Therapies.

The practice secured the server by disconnecting it from the internet. Passwords for all workstation and vendor profiles were changed. It also implemented additional security safeguards, such as adding an extra external firewall to monitor incoming and outgoing traffic. The chiropractic office has notified all affected individuals.

“CCBT [Complete Chiropractic and Bodyworks Therapies] deeply regrets that this incident occurred,” explained the statement. “We are taking this matter very seriously and are working hard to make sure this does not happen again. CCBT hired new IT professionals who come highly recommended based on their HIPAA compliance experience. With the guidance of our new IT professionals, we are adding to the IT safeguards that CCBT already maintained.”


Theft exposed PHI information

May 16th, 2016

Some incarcerated patients of California Correctional Healthcare Services are affected by a potential healthcare data breach. Affected information included PHI and personally identifiable information such as medical, mental health, and custodial information.

The facility did not state the number of individuals affected by the security incident, but it said that PHI of patients incarcerated in the California Department of Corrections and Rehabilitation between 1996 and 2014 may have been affected.

As per the statement, “We regret this incident occurred and take these events seriously. CCHCS has taken steps to mitigate these types of events including information security training for staff and we are reinforcing information security practices. We are also taking steps to ensure that all CCHCS mobile devices include appropriate technology protections.”

The possible PHI breach occurred after a work laptop was stolen from an employee’s personal vehicle. According to the reports, the laptop was not encrypted, although the facility said it was password protected.

“Under current federal regulations, an entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”

Officials are still unsure of the extent of the breach, as they have not been able to analyse all of the information contained on the laptop. California Correctional Healthcare Services cannot identify the specific individuals affected, but it has attempted to contact each of them. Because some patients may not receive any notification from the facility, a notice has been posted on its website and information about the event has been sent to the media.

“CCHCS [California Correctional Healthcare Services] is committed to protecting the personal information of our patients,” said Director of Communications and Legislation Joyce Hayhoe in the press release. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”


A medical group suffers data breach

May 13th, 2016

A hacking incident may have affected a medical group in Texas, exposing patient and employee information. According to the reports, approximately 50,000 individuals were affected by the healthcare data security breach at Medical Colleagues of Texas, LLP. Affected information included employee and patient information such as names, addresses, Social Security numbers, and health insurance information.

“It’s a lot of records,” stated Dallas attorney Lindsay B. Nickle, who represents the group, Medical Colleagues of Texas.

According to the statement,

“We sincerely regret any inconvenience or concern this matter may cause and remain dedicated to protecting patients’ information.”

Medical Colleagues of Texas, LLP said that it discovered an outside party accessing its computer network, which stored EHR and personnel data. After learning of the breach, the healthcare system conducted an internal investigation and hired an independent forensic expert to examine and secure the network.

“We do not know who, we do not know where,” she stated. “We simply realize that online hackers experienced the network.”

The healthcare system has notified affected individuals by mail and has established a call center to address questions or concerns. Free credit monitoring services have been arranged for affected patients.

“In addition, since this event was discovered, we have taken steps to prevent this type of event from happening again, including updating our computer network, strengthening our firewalls, and implementing two factor authorization measures for remote access,” explained Medical Colleagues of Texas, LLP in the notice. “We are also providing additional training and strengthening our policies and procedures in regards to the protection of sensitive personal information.”

“Medical Colleagues of Texas takes the privacy and security of protected information very seriously, and although we are not aware of the misuse of any information”


Internet and PHI breach

May 12th, 2016

The Children’s National Medical Center in Washington DC may have recently suffered a data breach after some of its documents became available on the internet. The incident may have occurred in February. According to the reports, a mistake by Ascend Healthcare Systems, a former business associate of the healthcare system, left data on 4,107 patients of Children’s National Medical Center accessible via the Internet.

“Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.

The PHI could have been found using a search engine such as Google. Affected information includes names, dates of birth, medication lists, and physicians’ notes on diagnosis and treatment. The incident occurred because a File Transfer Protocol (FTP) site was misconfigured. The facility said the site was a standard network location for storing and transferring files.

According to Children’s National Medical Center, Ascend Healthcare Systems violated its contract, which required it to delete all patient information under the separation agreement. After the incident, Children’s National Medical Center instructed Ascend to delete the transcription documents from its servers and secure the site.

The medical center has not received any reports of inappropriate access to or misuse of patient information. It has sent notification letters to affected individuals, and a dedicated call center was set up to answer queries. Children’s National regrets any concern this incident may cause.

According to the statement:

Children’s National Health System, based in Washington, DC, has been serving the nation’s children since 1870. Children’s National is a Leapfrog Group Top Hospital, Magnet® designated, and was ranked among the top 10 pediatric hospitals by U.S. News & World Report 2015-16. Home to the Children’s Research Institute and the Sheikh Zayed Institute for Pediatric Surgical Innovation, Children’s National is one of the nation’s top NIH-funded pediatric institutions. With a community-based pediatric network, seven regional outpatient centers, an ambulatory surgery center, two emergency rooms, an acute care hospital, and collaborations throughout the region, Children’s National is recognized for its expertise and innovation in pediatric care and as an advocate for all children.


Malicious email and data breach

May 11th, 2016

Mayfield Brain and Spine may have suffered a data breach due to malicious emails, and has notified some patients about the healthcare ransomware incident. According to the OCR reporting tool, the breach affected 23,341 individuals.

According to the statement, Mayfield Brain and Spine said that an unauthorized entity accessed its account with an outside vendor. After accessing the database, the attacker sent a fraudulent email. The modus operandi was simple: when recipients opened the attachment, malware was downloaded.

“The vendor receives only email addresses from Mayfield,” said Mayfield Clinic Inc.’s Vice President of Communications Thomas Rosenberger. “No other health or financial information is shared. In this incident, no Mayfield systems were involved, and no patient health or financial information was compromised.”

The facility uses the vendor to email Mayfield information such as newsletters, educational information, invitations, and announcements. The vendor sends these emails to patients, business associates, event attendees, website contacts, and other people associated with Mayfield Clinic Inc.

“Mayfield’s first priority is always the well-being of our patients. Once we learned of the incident, we immediately communicated with recipients by email, by social media, and on our website, including both notification and instructions on how to remove the virus.”

Mayfield Brain and Spine directed recipients to resolve the issue by downloading free software that removes the malware. It has also worked with the vendor’s compliance office to analyze the situation, and with a computer virus protection service to neutralize the virus.

“We are continuously monitoring the situation,” continued Rosenberger. “With all of the action taken to date, we do not believe that recipients of the fraudulent email need to take any additional steps at this time.”

According to the statement:

Mayfield Brain & Spine is the full-service patient care provider of the Mayfield Clinic, one of the nation’s leading physician organizations for neurosurgical treatment, education, and research. With more than 20 specialists in neurosurgery, interventional neuroradiology, physical medicine and rehabilitation, and pain management, Mayfield Brain & Spine treats 20,000 patients from 35 states and 13 countries in a typical year. Mayfield physicians specialize in the treatment of back and neck pain, sciatica, Parkinson’s disease, essential tremor, NPH, epilepsy, brain and spinal tumors, stroke, moyamoya, brain aneurysms, Chiari malformation, scoliosis, kyphosis, facial pain, facial twitch, trauma, concussion, spinal cord injury, and carpal tunnel. As leading innovators in their field, Mayfield physicians have pioneered surgical procedures and instrumentation that have revolutionized the medical art of neurosurgery for spinal diseases and disorders, brain tumors, and neurovascular diseases and disorders.


Identity and Access Management

May 9th, 2016

Felix Gaehtgens, a research director at Gartner, said at the Gartner Identity and Access Management (IAM) Conference in London that issuing one-time password (OTP) tokens to third-party organizations can cause many problems. He added that some third-party organizations even hang OTP tokens on a wall, labelled with the names of the companies they belong to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

Shared credentials also bring the biggest risk of all: loss of accountability. Companies can take various steps to secure their data.

He suggested phone-based authentication instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many phone-based authentication systems are available on the market.

Dedicated person for IAM

He suggested a sponsorship approach in which internal employees act as sponsors for external workers and keep track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’” said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Granting short-term access to only the resources a task requires keeps the data secure after the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

Privileged access management (PAM) and shared account password management (SAPM) tools can be used to manage third-party access privileges.
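The following is an added example, not code from the page, from Gartner, or from Alertsec. It is a small Python model of the controls Gaehtgens describes in the sections above: an internal sponsor must approve each request, every grant is time-boxed with a four-hour cap, the vendor's own admins may de-authorize their people but cannot grant access, and every decision is written to an audit trail so that access stays accountable. All names (AccessBroker, the hospital and vendorco accounts, the ehr-db and billing resources, the timestamps) are hypothetical.

```python
"""Time-boxed, sponsor-approved third-party access grants (added example, hypothetical names)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_GRANT = timedelta(hours=4)  # upper bound for a single grant, per the "four hours" example


class PolicyError(Exception):
    """Raised when a request or revocation violates the access policy."""


@dataclass
class Grant:
    worker: str              # external worker account (hypothetical)
    vendor: str              # third-party organisation the worker belongs to
    resource: str            # the one system this grant covers
    sponsor: str             # internal employee who approved the request
    start: datetime
    end: datetime
    revoked_by: Optional[str] = None


@dataclass
class AccessBroker:
    sponsors: set            # internal employees allowed to approve requests
    vendor_admins: dict      # vendor -> accounts allowed to de-authorise that vendor's workers
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, worker, vendor, resource, sponsor, start, duration):
        """A third party asks for access; only an internal sponsor can approve it."""
        if sponsor not in self.sponsors:
            self._log("denied", reason="not a sponsor", sponsor=sponsor, worker=worker)
            raise PolicyError(f"{sponsor} may not sponsor third-party access")
        if duration <= timedelta(0) or duration > MAX_GRANT:
            self._log("denied", reason="bad duration", worker=worker, duration=str(duration))
            raise PolicyError(f"duration must be positive and at most {MAX_GRANT}")
        g = Grant(worker, vendor, resource, sponsor, start, start + duration)
        self.grants.append(g)
        self._log("granted", worker=worker, resource=resource, sponsor=sponsor, until=g.end.isoformat())
        return g

    def revoke(self, worker, vendor, actor):
        """Sponsors, or the vendor's own admins, may de-authorise a worker early."""
        if actor not in self.sponsors and actor not in self.vendor_admins.get(vendor, set()):
            self._log("denied", reason="not allowed to revoke", actor=actor, worker=worker)
            raise PolicyError(f"{actor} may not revoke access for {vendor}")
        n = 0
        for g in self.grants:
            if g.worker == worker and g.vendor == vendor and g.revoked_by is None:
                g.revoked_by = actor
                n += 1
        self._log("revoked", worker=worker, actor=actor, grants=n)
        return n

    def is_allowed(self, worker, resource, now):
        """Access decision: some unrevoked grant for this exact resource must cover `now`."""
        ok = any(g.worker == worker and g.resource == resource and g.revoked_by is None
                 and g.start <= now < g.end for g in self.grants)
        self._log("check", worker=worker, resource=resource, allowed=ok)
        return ok


def demo():
    """Constructed scenario: a two-hour grant used in window, then expired, then revoked by the vendor."""
    t0 = datetime(2016, 5, 9, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = AccessBroker(sponsors={"bob@hospital.example"},
                          vendor_admins={"vendorco": {"admin@vendorco.example"}})
    worker = "alice@vendorco.example"
    broker.request(worker, "vendorco", "ehr-db", "bob@hospital.example", t0, timedelta(hours=2))
    results = {
        "in_window": broker.is_allowed(worker, "ehr-db", t0 + timedelta(hours=1)),
        "other_resource": broker.is_allowed(worker, "billing", t0 + timedelta(hours=1)),
        "after_expiry": broker.is_allowed(worker, "ehr-db", t0 + timedelta(hours=3)),
    }
    for sponsor, duration in (("admin@vendorco.example", timedelta(hours=1)),   # vendor cannot self-approve
                              ("bob@hospital.example", timedelta(hours=8))):    # over the four-hour cap
        try:
            broker.request(worker, "vendorco", "ehr-db", sponsor, t0, duration)
            results.setdefault("rejected", []).append(False)
        except PolicyError:
            results.setdefault("rejected", []).append(True)
    # The vendor's own admin removes a leaver early: the only delegation Gaehtgens allows.
    results["revoked_count"] = broker.revoke(worker, "vendorco", "admin@vendorco.example")
    results["after_revoke"] = broker.is_allowed(worker, "ehr-db", t0 + timedelta(minutes=90))
    return results, broker.audit


if __name__ == "__main__":
    res, audit = demo()
    print(res)
    for entry in audit:
        print(entry)
```

The decision function takes the current time as a parameter rather than reading the clock, which keeps it testable and makes the audit trail reproducible; in a real PAM deployment the same grant records would drive credential check-out from the vault and session recording.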

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”


Lab Results and Data Breach

May 6th, 2016

BioReference Laboratories in New Jersey may have suffered a data breach when photographs containing PHI were sent by unsecured email. According to the reports, some of its phlebotomists took pictures of lab test results with their smartphones and later emailed the photos to the laboratories over an unsecured channel. The pictures were also stored on the phones without the necessary safeguards.

According to the BioReference Laboratories, “BioReference is the third largest full service clinical diagnostic laboratory in the U.S. providing testing and related services to physician offices, clinics, hospitals, long term care facilities, employers, governmental units and correctional institutions. We offer a comprehensive test list focusing on molecular diagnostics, anatomical pathology, genetics, and women’s health. Moreover, through its GeneDx subsidiary, BioReference has an international presence in more than 50 countries around the world.”

Affected information, including names, dates of birth, addresses, admission and discharge dates, medical record numbers, Social Security numbers, insurance information, diagnosis codes, and descriptions of lab tests, may be at risk of being improperly accessed, the company stated. The photos did not contain passwords, security codes, or financial information.

The company stated that this type of photo sharing may have occurred multiple times in the past. The statement did not give the number of patients affected, but the OCR data breach reporting tool lists 3,563 individuals as potentially affected.

An internal investigation has been launched, along with upgrades to healthcare data security measures and internal safeguards. Facility officials have contacted the individuals affected by the possible healthcare data breach and offered them a free credit monitoring service.

BioReference information:

BioReference has more than 5,000 employees. It is contracted with virtually all national health plans (UHC, Cigna, Aetna, Humana, Coventry and most Blues Plans). It has laboratory locations in nine states: New York, New Jersey, Maryland, Massachusetts, Rhode Island, Ohio, Florida, Texas and California.

