Archive for September, 2016

Email error leads to data breach

September 29th, 2016

St. Elizabeth Physicians recently announced a data breach. The disclosed information included email addresses. Social Security numbers, phone numbers, addresses, and any other personal health or identification information were not affected.

“St. Elizabeth Physicians is the multi-specialty physician organization of St. Elizabeth Healthcare, one of the oldest, largest, and most respected medical providers in the Greater Cincinnati region.”

According to the statement, “It inadvertently released the email addresses of 674 individuals in an email sent by its Weight Management Center inviting the recipients to a vitamin presentation and open forum meeting.”

The incident resulted from human error: the email sender did not blind copy (Bcc) the recipients, so all email addresses were visible to all recipients.

The facility mentioned that it is offering affected individuals one year of complimentary identity theft monitoring.

“St. Elizabeth Physicians has promptly and thoroughly investigated the matter and has reviewed its procedures,” the statement read. “Corrective action has been pursued to avoid this from happening in the future.”

“St. Elizabeth Physicians takes patient confidentiality very seriously and is committed to maintaining the privacy and security of all patient information. St. Elizabeth Physicians regrets that this incident has occurred and is committed to preventing future occurrences.”

Email mistakes lead to data breaches. Below are a few examples that involve email.

A Goldman Sachs contractor accidentally sent a message to a gmail.com email address when it was meant for a gs.com address. The email contained a confidential document. According to the statement by Goldman Sachs, the “document contained highly confidential brokerage account information,” and it has asked Google to help it prevent a “needless and massive” data breach.

Another example is insurance brokerage firm Willis North America accidentally sending a spreadsheet to a group of employees enrolled in the company medical plan’s Healthy Rewards Program. The affected confidential information included employees’ names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans.

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Data breach due to printing error

September 26th, 2016

A California health system recently announced a data breach due to an internal printing error. It may have exposed a limited amount of patient information. The facility is notifying 1,000 members affected by the incident.

The facility mentioned that the printing error took place on October 7, 2015, and involved “CalOptima MediCal members with diabetes receiving a health incentive survey that may have included an extra survey meant for another member.”

CalOptima found out about the incident on October 8, 2015. It stopped all printing work, but the surveys that had already been mailed could not be retrieved. The OCR list shows around 1,000 individuals as having been affected.

Affected information included the member’s first and last name, Client Identification Number (CIN) and, in some cases, information about the member’s diabetes diagnosis. Data such as Social Security numbers, driver’s license numbers or financial account numbers were not present in the survey.

“Your privacy is very important to us, and we apologize for this mistake,” CalOptima stated. “We have reviewed and changed our procedures and practices to minimize the risk of this event happening again. Extra training was provided to the business unit where the error occurred.”

Role of human error in security data breach:

The threat of human error through insider mistakes is real. Many incidents occur due to mistakes that can be avoided. Double-checking and making the process foolproof can help to avoid security incidents. These mistakes are costly because they involve sensitive data. The greatest impact of human error is the introduction of malware into the system.

According to recent research, around 59 percent agree that most security threats are the outcome of innocent mistakes by employees rather than malicious abuse of privileges. Many tools are available on the market to help avoid such incidents, which can lead to catastrophic events for the company.

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Ransomware attack

September 23rd, 2016

Oklahoma-based Saint Francis Health System recently announced a data breach after its server was accessed by an unauthorized party. Reports suggest that patient information was accessed by the outside intruder. The facility also mentioned that it received an email on September 7, 2016 stating that the incident had taken place. Spokesperson Sevan Roberts said that the anonymous individual or individuals demanded payment for the information.

“Saint Francis decided not to act on the demand because payment does not guarantee or prevent data from being disclosed,” said a Saint Francis statement. “The health system understands the importance of protecting our patients’ information, and deeply regrets that this occurred.”

Roberts also added that the information on the server affected approximately 6,000 names and addresses. Social Security numbers, driver’s license and financial information were not present on the server. After the incident, the server was disabled. The facility is working with local law enforcement.

“Saint Francis has also been working with a leading forensics firm to investigate this incident and look for ways to enhance our existing security measures,” the statement read. “Notification letters are being mailed to those individuals who may have been affected and complimentary participation in identity monitoring service is provided.”

Is it a good idea to negotiate the ransom?

Ransomware is one of the threats looming over many industry sectors. All types of malware attack make the news. Ransomware is a piece of malware that encrypts your data. The data is decrypted when the ransom demand is met: the intruder generally provides the decryption key after the payment.

Many facilities pay the ransom because it is the safest and quickest way. One example is Hollywood Presbyterian Medical Centre. Allen Stefanek, the Chief Operating Officer, said that the ransom was paid, stating that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

____________________________________________________________________________________________

Alertsec customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

Health Centre Data breach

September 20th, 2016

Codman Square Health Center, which is based in Massachusetts, recently suffered a data breach. It is notifying patients about the incident, which exposed some of their information due to unauthorized HIE access.

“Codman Square Health Center is a community-based, outpatient health care and multi-service centre which opened the facility in 1979. The facility started with two-physician staff. Today, a staff of 280 multi-lingual and multi-cultural expert clinicians, medical staff and employees, most of whom reside in the neighborhoods surrounding Codman Square take care of 115,000 client contacts each year. It also has developed an astounding depth and breadth of community programs, as well as strong partnerships with other organizations.”

On July 13, 2016, the facility mentioned that an employee had accessed the New England Healthcare Exchange Network (NEHEN) without authorization. It also mentioned that the conduct of the employee was against Codman policies. As per the OCR data breach reporting tool, 3,840 individuals were affected.

The facility's website mentioned that some of the accessed information may have included that of non-Codman patients.

Affected information included names, addresses, dates of birth, gender, medical services payer information, and medical insurance coverage information. Social Security numbers may have been included in some cases. Codman said that there is no indication that the information was misused.

The facility will send notifications by mail. Only individuals who were affected by the data security incident will receive a letter.

“Those Codman patients who do not receive a letter have not been affected,” Codman explained.

“For affected individuals who are not Codman patients, those directly affected will be notified by mail if contact information is provided. The health center has suspended or terminated all employees involved in the incident. Codman Square has also retrained all employees.”

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information.

Missing binder data breach

September 18th, 2016

An Oberlin, Kansas facility suffered a data breach when a binder went missing. It reported a PHI breach. The facility found that a CAT scan log binder was not in its regular place. Decatur Health Systems (DHS) mentioned in an online statement that the binder went missing from DHS between 5pm on July 22, 2016 and 7am on July 25, 2016. The incident caused a data breach for 707 patients.

Affected information included patient names, dates of birth, dates of exams, diagnoses leading to the CAT scan, ordering providers, and x-ray exposure levels. Social Security numbers were not included.

According to Privacy Officer Erica Forti, potentially affected individuals will receive a notification letter.

The facility mentioned that it is working with local and federal law enforcement agencies to retrieve the binder. It wants to find out who removed it and whether the patient information has been misused.

DHS knows the importance of keeping protected health information private and sincerely apologizes to the patients whose names were in the binder. They are working to ensure all patient information contained in other hard copy records and other sources of patient information are secure. They have changed key locks within the facility, conducted audits, and implemented new policies and processes. DHS employees have received additional training on security beyond their annual education and training.

According to the website:

Decatur Health Systems, Inc. is a rural health organization which works as a critical access hospital and a rural family practice clinic. The facility also manages an independent living complex. It mentioned that it is committed to providing quality health care to the rural population.

Preventative Services: 

General Health Maintenance

Management of Chronic Medical Conditions

Same Day Appointments

New Patients Welcome

Routine Physicals

Routine Well Child Checks

Work, School and Sports Physicals

Pap Smears and Routine Gynecological Care

Immunizations

Screening

Pregnancy Testing

Acute Care Services:

Chronic and Acute Childhood Illnesses

Chronic and Acute Adult Illnesses

Minor Injuries

Family Planning and Education

Minor Lacerations

Fracture Care

____________________________________________________________________________________________

Members affected by data breach

September 16th, 2016

Geisinger Health Plan (GHP) suffered a data breach due to an unauthorized PHI disclosure which affected 2,814 members from 220 employers. The incident occurred due to a processing error. The facility learned about the incident on August 4. According to the statement, the error may have led to PHI being mistakenly mailed to other citizens.

“Geisinger Health Plan has received national attention for its ability to foster innovation, while uniquely and effectively managing medical costs and improving outcomes,” as mentioned on the website.

The information affected by this data breach included member name, date of birth, health insurance premium information, member identification number and smoking status. Medical treatment or financial information, like Social Security numbers, was not included in the mail.

“We have contacted both the affected members and businesses regarding the processing error and the possibility of a disclosure,” Geisinger Privacy Officer John Gildersleeve said in a statement. “In addition, we have requested that the invoices be returned so they can be properly destroyed in compliance with Geisinger Health System policies and procedures.”

According to Gildersleeve, only individuals affected by this incident will receive a notification letter.

“We take our responsibility to protect personal information seriously,” he said. “We apologize for any inconvenience and remain dedicated to safeguarding member information.”

According to the statement:

Our roots evolved from a rural, prepaid health plan offered as a pilot program in 1972 to Geisinger Medical Center employees and residents of the five counties that surrounded the hospital. In 1985, the Health Plan received its Certificate of Authority to operate an HMO under the authority of the Pennsylvania Health Maintenance Act of 1973. The Health Plan had a significant premium advantage during the period of escalating healthcare costs in the 1980s and ’90s. Membership grew rapidly, and in 1990, the Health Plan reached its 100,000-member milestone.

 ___________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Stolen laptop and data breach

September 14th, 2016

A U.S. HealthWorks employee’s laptop was stolen, which resulted in a data breach. It contained patient information, and the theft affected 1,400 US HealthWorks patients. As per the reports, the device was encrypted but the laptop’s password was also stolen. Hence the thief can access the information on the device.

The facility mentioned that emails on the computer had information for a limited number of individuals. It did not include financial or account information, but full names and possibly some limited medical information, including diagnoses and visit dates, and limited health insurance information may have been affected.

U.S. Healthcare also specialises in urgent healthcare. It mentioned that its convenient Urgent Care centers offer quality medical care, excellent customer service, and a knowledgeable staff to patients.

The facility has established a dedicated call center to answer patients' queries related to the data breach.

“To help prevent something like this from happening again, we are enhancing our existing procedures related to the security of laptops and user passwords, as well as providing additional information security training for all U.S. HealthWorks employees,” the statement mentioned.

According to the OCR reports, 1,400 individuals may have had their information compromised.

“We sincerely regret any inconvenience or concern about this incident. We began mailing letters to affected individuals on September 2, 2016, and have established a dedicated call center to answer any questions they may have. If you believe you may be affected and have not received a letter by September 17, 2016.”

As mentioned on the website:

U.S. HealthWorks, a subsidiary of Dignity Health, was founded in 1995 and is the leading national provider of occupational medicine and urgent care services. With more than 200 locations in 21 states, and more than 4,000 employees, including approximately 800 medical providers, U.S. HealthWorks serves more than 13,000 patients each day. U.S. HealthWorks Medical Group offers programs and services that can help prevent illnesses, maintain good health and provide early intervention and rehabilitation whenever injuries or health problems occur.

 ___________________________________________________________________________________________

Burrell Behavioral Health data breach

September 10th, 2016

Missouri-based Burrell Behavioral Health recently suffered a data breach. The facility faced a cybersecurity attack in which an unauthorized party accessed an employee’s email account. It discovered the breach on July 7, 2016. An internal investigation was launched immediately and the account was secured. According to the reports, unauthorized access occurred from July 6, 2016 to July 7, 2016.

“Burrell Behavioral Health has established a dedicated assistance line for anyone seeking additional information regarding this incident, as well as steps to better protect against identity theft.”

Affected information included clients’ names, addresses, dates of birth, Social Security numbers, doctor’s names, diagnoses, disability code, health insurance number, treatments, treatment locations and medical record numbers.

“We take any threat to the security of information entrusted to us very seriously,” Burrell President and CEO Dr. Todd Schaible said in a statement. “Once the attack was discovered, we immediately took counter measures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information was at risk. We apologize for any inconvenience or concern this incident may cause our community.”

As per the OCR data breach reporting tool, in total 7,748 individuals may have been affected. Burrell mentioned that the patient PHI in the email account was accessed, but that “information at risk varies for each individual.”

One year of complimentary credit monitoring and identity restoration is provided for the affected people. The facility asked people to remain vigilant to avoid identity theft, which includes:

Reviewing account statements, medical bills, and health insurance statements regularly for suspicious activity, to ensure that no one has submitted fraudulent medical claims using your name and address. Report all suspicious or fraudulent charges to your account and insurance providers. If you do not receive regular Explanation of Benefits statements, you can contact your health plan and request them to send such statements following the provision of services.

 ___________________________________________________________________________________

Vendor error & data breach

September 8th, 2016

CHI Franciscan Health Highline Medical Center (Highline) recently suffered a data breach. The facility notified certain patients.

Vendor R-C Healthcare Management (R-C Healthcare) previously worked with Highline. In 2014, the medical center was acquired by CHI. R-C Healthcare alerted Highline that files with patient information had mistakenly been made accessible online.

The affected files were secured till June 13. Affected information included patient names, dates of service, health insurance information and Social Security numbers. According to the reports, potentially affected patients include those involved in account reporting functions from 1993 to 1994 and then from 2008 to 2013.

“We take our responsibility to protect patient privacy very seriously and have taken immediate responsive action,” Highline explained. “We work to continually improve our policies, processes and educational offerings to ensure our patients receive the benefit of proven information security and confidentiality practices.”

The facility has no information of the data being “accessed, viewed, acquired or otherwise compromised by any unauthorized third party,” but it is still offering free credit monitoring services to those who were possibly affected.

As per the OCR data breach reporting tool, 18,399 individuals’ information was made accessible online in the incident.

“We deeply regret any concern this may cause our patients. We take our responsibility to protect patient privacy very seriously and have taken immediate responsive action. We work to continually improve our policies, processes and educational offerings to ensure our patients receive the benefit of proven information security and confidentiality practices.”

As mentioned on the website:

The seeds for CHI Franciscan Health were planted in 1891, when the Sisters of St. Francis of Philadelphia established St. Joseph Hospital, now known as St. Joseph Medical Center, in Tacoma. Over the years, our health care ministry has grown with the enduring goal of fulfilling the spiritual, emotional and physical needs of the people we serve.

 ___________________________________________________________________________________________

Email error and data breach

September 6th, 2016

Planned Parenthood of Greater Washington and Northern Idaho recently suffered a data breach. It notified the affected individuals of the data security incident. According to the reports, emails notifying individuals of an online portal were sent to the wrong addresses.

“Planned Parenthood of Greater Washington and North Idaho (PPGWNI) has been helping women, men, and teens make responsible decisions about their sexual health for nearly 50 years. Dedicated to delivering the highest quality reproductive health care services since 1967, PPGWNI is also committed to providing responsible, age-appropriate sexuality education. Protecting a woman’s fundamental right to choose is a major part of our organization’s underlying philosophy.”

Some individuals received another person’s email. It contained the second individual’s first and last name. Personal or health information was not present in the email.

“Privacy is a top priority for us, and we regret any confusion or concern this error has caused,” the statement reads. “We are reinforcing existing privacy policies and technological protocols internally and with our partners, and are evaluating additional safeguards to prevent any similar incidents from occurring in the future.”

As soon as Planned Parenthood knew about the breach, it immediately shut down the portal. The facility didn’t realize there was an error. Hence, there is no evidence indicating that any of the data has been misused.

“We are committed to ensuring individuals affected by this incident have the necessary information about this matter. Those individuals who believe they could have been affected by the incident and would like to obtain more information can do so by calling customer care.”

As per the OCR list, a total of 10,700 individuals were potentially affected by this incident.

Below are the simple mistakes which can cause data breach:

Human Error: It is one of the main concerns an IT department faces. Many companies have to cope with such mistakes when unauthorised people open official emails.

Software Error: Sometimes software has bugs which cause legitimate emails to be sent to an unauthorised inbox. People viewing them can misuse them.

____________________________________________________________________________________________
