Archive for November, 2016

Data breach due to stolen laptop

November 30th, 2016

Kineto Rehab Physical Therapy, PLLC, based in New York, recently suffered a data breach due to a stolen laptop. According to reports, a bag containing a work laptop was stolen by an individual. The facility obtained footage that identifies the thief, and the bag was later found without the laptop in it. Police are still working to track down the thief.

As per the statement, “We sincerely apologize for this incident and we regret any inconvenience it may cause you. Should you have questions or concerns regarding this matter, please do not hesitate to contact us.”

Affected information includes patient names, dates of birth, addresses, Social Security numbers, insurance information and clinical/physical therapy notes.

“There is no indication that your information has been accessed or used by an unauthorized individual,” read the Kineto statement, which was signed by CEO Shirley Agapito, DPT. “Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.”

According to the OCR data breach reporting tool, the incident affected 665 individuals. The facility said that affected individuals will be offered a complimentary one-year membership in an identity protection service.

The website statement provides the following guidelines:

Fraud Alert

Place a fraud alert to guard against someone else trying to open a credit account in your name, obtain an add-on card or increase the credit limit.

Security Freeze

You can place a security freeze on your credit report, which stops lenders and others from accessing the report entirely.

Review Reports

Order your free annual credit report and look for any discrepancies or unfamiliar spending.

Credit providers and tools

Set up text message or email alerts on credit cards and bank accounts to notify you of any transaction or activity. Report to the bank any activity you did not carry out.


Alertsec helps you comply with HIPAA, PCI and SOX requirements.

OCR sent out warning emails

November 28th, 2016

OCR sent out an email stating that employees of HIPAA covered entities and their business associates should be aware of an alleged phishing scam that uses Department of Health and Human Services (HHS) letterhead. According to reports, the email uses a mock HHS departmental letterhead and OCR Director Jocelyn Samuels’ signature. The scammers have made an effort to make the phishing emails look like official OCR Audit communications.

“The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program,” OCR warned. “The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.”

OCR also said that the entity sending the email is not associated with the agency or with HHS.

“We take the unauthorized use of this material by this firm very seriously,” the email read. “In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact us.”
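The OCR warning comes down to two checks a mail filter or a cautious reader can make: does the sender belong to the agency the message claims to speak for, and do its links lead there? The following is an added example, not code from the Alertsec post or from OCR. It parses a constructed message, assumes hhs.gov as the only legitimate domain for such a communication, and flags a sender or link outside that domain when the message talks about the HIPAA audit program.

```python
"""Flag a message that invokes the HIPAA audit program but whose sender or
links fall outside the agency's own domain.  Added example; the expected
domain list and the sample messages are constructed for this demonstration."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: an official OCR audit communication would come from, and link
# to, hhs.gov.  This is a choice made for the example, not a list from OCR.
OFFICIAL_DOMAINS = ("hhs.gov",)

# Wording from the OCR alert that a lure is likely to reuse.
LURE_PHRASES = ("hipaa", "audit program", "office for civil rights")


class _LinkCollector(HTMLParser):
    """Collect every href in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def _in_domain(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(msg):
    """Domain of the address in the From header, or '' if none."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)

    # Only messages that claim audit-program authority are held to the
    # official-domain rule; ordinary mail is left alone.
    claims_official = any(p in text.lower() for p in LURE_PHRASES)
    findings = []
    if not claims_official:
        return findings
    if not _in_domain(sender_domain(msg), OFFICIAL_DOMAINS):
        findings.append(f"sender {sender_domain(msg)!r} is outside {OFFICIAL_DOMAINS}")
    for link in collector.links:
        host = urlparse(link).hostname
        if not _in_domain(host, OFFICIAL_DOMAINS):
            findings.append(f"link to {host!r} is outside {OFFICIAL_DOMAINS}")
    return findings


# Constructed lure in the shape OCR described: audit-program wording, a
# non-government sender and a link to a vendor site.
SAMPLE_LURE = """From: OCR Audit <audit@ocr-audit-example.test>
To: privacy@example-clinic.test
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program
Content-Type: text/html

<p>Your organization may be included in the HIPAA Audit Program.</p>
<p><a href="https://audit-portal.example.test/hipaa">Confirm here</a></p>
"""

# Constructed message that satisfies both checks.
SAMPLE_OFFICIAL = """From: OCR <noreply@hhs.gov>
To: privacy@example-clinic.test
Subject: HIPAA Audit Program
Content-Type: text/html

<p>Information about the HIPAA audit program:
<a href="https://www.hhs.gov/ocr/">www.hhs.gov</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LURE):
        print("LURE:", finding)
    print("OFFICIAL:", analyze(SAMPLE_OFFICIAL) or "no findings")
```

The check is deliberately narrow: it says nothing about messages that do not mention the audit program, and it cannot tell a compromised hhs.gov mailbox from a real one. What it does catch is exactly the pattern OCR described, official-sounding text pointing at a non-government site.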

Phishing Scam

Phishing scams use emails, messages, phone calls and websites to obtain sensitive information such as usernames, passwords and credit card details, usually while posing as a trustworthy entity.

A recent Wombat survey on phishing found the following:

Thirteen percent of respondents from the healthcare industry clicked on simulated phishing emails

In the manufacturing and energy sector, nine percent clicked on simulated phishing emails

“Clearly, phishing is a focus area across the industry, but the efforts can’t stop there,” Wombat President and CEO Joe Ferrara said in a statement. “To reduce cyber risk in organizations, security education programs must teach and assess end users across many topic areas, like oversharing on social media and proper data handling. Many of these risky behaviors exacerbate the phishing problem.”


Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Delaware facility affected by business associate

November 26th, 2016

A remote-monitoring labor service for cardiac devices has resulted in a data breach for a Delaware facility, and another healthcare provider was also affected. Wentworth-Douglass Hospital (WDH) had been working with Ambucor Health Solutions. Ambucor recovered thumb drives from one of its former employees that reportedly contained personal information of thousands of patients nationwide.

According to reports, information on 775 WDH patients was present on the drives. It did not include Social Security numbers, credit card, insurance, Medicaid/Medicare or other financial information, but some personal data may have been exposed, including patients’ names, dates of birth, home addresses, phone numbers, medications, race, testing data, patient identification numbers, medical device information such as the manufacturer, diagnosis, Ambucor enrollment numbers, Ambucor enrollment dates, Ambucor technician names, physician name(s), and the name and address of the practice where the patient was seen.

“While WDH was not directly involved in the breach, it appreciates the importance of protecting the privacy and security of personal information and deeply regrets any inconvenience or concern this incident may cause its patients. Ambucor officials are cooperating with federal investigators and have confirmed they are taking steps to prevent this type of incident from occurring again, including a thorough review of and updates to all HIPAA security processes.”

Ambucor said there is no indication that the data has been misused. It has offered affected patients one year of identity protection services, along with one million in identity theft insurance and any necessary related recovery services.

Ambucor began investigating the activities of the former employee just before his employment ended. It learned that the former employee had downloaded information to a personal storage device from a company-issued computer.


Alertsec Endpoint Encrypt is a cloud-based service that provides password-protected data encryption for all of your business storage devices, whether they are internal to the computer or laptop (like hard drives or Solid State Drives [SSDs]) or external (like thumb drives, external hard drives, writable CDs and DVDs, and memory sticks).

Data breach due to billing service provider

November 24th, 2016

A physical therapy provider recently suffered a data breach involving personal information. The security incident may have affected 1,100 patients at Best Health Physical Therapy.

Best Health is owned by Travis Lombardi, PT, MSPT. It provides solutions and services to meet individuals’ rehabilitation goals, covering orthopedic and sports medicine, neurological, arthritis, fracture and other issues.

The facility learned that a computer belonging to its billing services provider was inappropriately accessed. The person who gained access to the accounts writes blogs on internet security and was reportedly looking for data vulnerabilities. He said that he has no intention of misusing any of the accessed information.

Potentially affected information includes names, addresses, dates of birth, insurance information, driver’s license information and health information. Best Health said that there is no evidence that the data was misused. It also highlighted that the vulnerability was not on its own computer system; the billing provider failed to secure its system.

“Best Health took immediate steps to investigate and determine the source and extent of any access to our patients’ information,” Best Health said. “The vulnerability was identified and closed by the billing service provider immediately. Updated access controls are now in place to secure the account. Best Health has terminated its relationship with the billing service provider.”

Best Health did not state the number of affected individuals, but according to the OCR data breach reporting tool, a total of 1,100 patients’ information was affected.

“Best Health takes the privacy and protection of its patients very seriously and we sincerely apologize for any concern that this may cause. If you are a patient of Best Health and have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to call.”


Alertsec Endpoint Encrypt helps you protect your valuable data from falling into the wrong hands by encrypting it at the source.

Data breach due to network error

November 21st, 2016

Kaiser Permanente Health Plan, Inc based in Northern California, Kaiser Permanente Health Plan, Inc of Southern California, and Kaiser Foundation Health Plan of the Northwest recently suffered a data breach and are notifying affected individuals about the PHI breach. The incident may have resulted in PHI being online for approximately two hours.

According to the OCR data breach reporting tool, a total of 8,020 individuals were potentially affected across the three separately reported incidents.

The California Office of the Attorney General’s website hosts the data breach notification. It states that the website error that caused the information to be exposed has since been fixed. Kaiser also said that it is reviewing its processes and procedures for testing website updates to help prevent any similar incident in the future.

“The error happened during an upgrade to that occurred at 11:26 p.m. Pacific time on October 12th, 2016. We took immediate action to repair the error, preventing any further exposure of member information after 1:43 a.m. Pacific time on October 13th, 2016. The upgrade changed how the website stored data to make loading website pages quicker. However, the upgrade mistakenly allowed confidential data viewed by members who signed in to to potentially be seen by other visitors.”

The statement on the website did not detail the breached information but said that Social Security numbers and banking information were not included.

The facility advised affected individuals to follow the guidelines below:

“We believe the risk to your information is limited because this was an accidental disclosure, the error was promptly detected and repaired. Even though we believe that the risk of any financial or health care related fraud is minimal, for your protection we urge you to carefully review any explanation of benefits letters you receive and contact us immediately at the number on the back of your card if you spot any suspicious activity. Additionally, you may want to contact one of the national credit reporting agencies to place a fraud alert in your file and to receive a free copy of your credit report. We are informed that the agency you contact will notify the other two agencies.”
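The Kaiser statement describes a classic failure: a performance upgrade that stores rendered pages so they load faster, but keys the store only on the page, so one signed-in member’s page is handed to the next visitor who asks for the same URL. The following is an added example that models that failure generically; it is not code from the Alertsec post and says nothing about Kaiser’s actual system. It contrasts a cache that stores every response by path with one that honours the origin’s Cache-Control: private marking, and shows what an anonymous visitor sees in each case.

```python
"""Why a shared page cache in front of signed-in pages leaks member data.
Added example modelling the failure generically; the origin, sessions and
pages are constructed for this demonstration."""
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


# Constructed origin: one member session and one member-only page.
SESSIONS = {"sess-alice": "Alice: explanation of benefits, claim 2016-10-01"}


def origin(path, session):
    """The application behind the cache.  Member pages are marked private
    because their content depends on who is signed in."""
    if path == "/my-benefits":
        if session in SESSIONS:
            return Response(SESSIONS[session], {"Cache-Control": "private, no-store"})
        return Response("please sign in", {"Cache-Control": "private, no-store"})
    return Response("welcome", {"Cache-Control": "public, max-age=60"})


class NaiveCache:
    """Stores every response under its path alone.  This is the 'make pages
    load quicker' change that ignores who the response was generated for."""

    def __init__(self):
        self.store = {}

    def get(self, path, session):
        if path not in self.store:
            self.store[path] = origin(path, session)
        return self.store[path]


class SafeCache:
    """Stores a response only if the origin marked it shareable."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def shareable(resp):
        cc = resp.headers.get("Cache-Control", "").lower()
        return "private" not in cc and "no-store" not in cc

    def get(self, path, session):
        if path in self.store:
            return self.store[path]
        resp = origin(path, session)
        if self.shareable(resp):
            self.store[path] = resp
        return resp


def visitor_sees(cache_cls):
    """Alice loads her benefits page, then an anonymous visitor requests the
    same path.  Returns the body the anonymous visitor receives."""
    cache = cache_cls()
    cache.get("/my-benefits", "sess-alice")
    return cache.get("/my-benefits", None).body


def public_page_cached(cache_cls):
    """Public pages should still be cached by the safe variant."""
    cache = cache_cls()
    cache.get("/", None)
    return "/" in cache.store


if __name__ == "__main__":
    print("naive cache, anonymous visitor sees:", visitor_sees(NaiveCache))
    print("safe cache, anonymous visitor sees:", visitor_sees(SafeCache))
```

The test for website updates that Kaiser says it is reviewing is exactly the second scenario: after a signed-in session loads a personalised page, request the same URL from a fresh, unauthenticated client and assert that none of the first session’s data comes back.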


Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Horizon Data Breach

November 18th, 2016

Horizon Blue Cross Blue Shield (Horizon), based in New Jersey, recently suffered a data breach when one of its vendors potentially exposed member information. The incident may have affected 70,000 members.

Horizon Blue Cross Blue Shield of New Jersey has offered health insurance products to New Jersey families and businesses since 1932. Its stated vision is to continue leading the transformation of health care in New Jersey by collaborating closely with hospitals and physicians to improve quality, enhance the patient experience and lower the total cost of care.

Command Marketing Innovations (CMI) handles printing for Horizon BCBSNJ. CMI found a printing error that resulted in Explanation of Benefits (EOB) statements and Explanation of Payment (EOP) statements being sent with information intended for a different Horizon BCBSNJ member. The printing error affected only EOBs and EOPs.

According to Horizon spokesman Kevin McArdle, 170,000 envelopes were mailed over the three days in question. He did not say how many envelopes contained other members’ information, and added that he was not aware of any reports of suspicious activity due to the incident.

Affected information includes member name, member ID number, claim number, date of service, a limited description of services, service codes or provider/facility name. Social Security numbers, financial information, addresses and dates of birth were not in the envelopes.

“The print error was determined to be related to a change in the printing process made by CMI,” the statement explained. “CMI has implemented corrective actions to restore compliance with Horizon BCBSNJ’s strict quality control and privacy standards and assure accurate performance going forward.”

The facility said it will monitor impacted members’ accounts for any potentially fraudulent submission of medical claims.

“Corrected EOBs and EOPs will be reissued within the next week and notifications of the error will be mailed to impacted Horizon BCBSNJ members,” the facility said.


Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

GHS data breach

November 15th, 2016

Greenville Health System (GHS), based in South Carolina, recently suffered a data breach when an employee of one of its vendors inappropriately downloaded patient data. The incident has potentially affected 2,500 patients.

GHS works with Ambucor Health Solutions, a remote-monitoring labor service for cardiac devices. According to reports, one of Ambucor’s employees downloaded GHS information just before his employment at Ambucor ended.

In July, law enforcement handed over to Ambucor two flash drives that had been turned in when the employee left. The facility has begun notifying patients about the incident.

Affected information may include the patient’s name, date of birth, home address, phone number, race, diagnosis, medications, testing data, patient identification number, medical device information (such as the manufacturer, identification number and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s) and the name and address of the practice where the patient was seen.

“GHS and Carolina Cardiology Consultants take patient privacy seriously and deeply regret any inconvenience or concern this incident may cause our patients,” Dr. Joseph Manfredi, ambulatory director of electrophysiology, told the news source.

Ambucor announced that it will offer affected patients one year of identity protection services and, if required, related recovery services and $1 million of identity theft insurance at no cost.

“Letters with instructions about activating the free identity protection services will be mailed to affected patients,” said Ambucor.

The facility said that affected patients should consider activating the identity protection services. It also said that steps have been taken to prevent this type of incident from occurring again, and that it will thoroughly review and update its processes in line with the HIPAA security standards.

Tips to prevent data theft

Employees must undergo training

Sensitive information must be secured through encryption

Access to the sensitive data should be controlled

Keep software and systems up to date

Verify security controls of third parties

Securely dispose of sensitive data that is no longer needed


Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach at Broward Health

November 12th, 2016

A data breach at Florida-based Broward Health affected 126 former patients. According to law enforcement authorities, certain patient information was found in an individual’s home during a routine investigation.

“Broward Health has been working with local and federal law enforcement since May 2016. Our investigation began as quickly as possible while maintaining all appropriate safeguards and precautions.”

Affected information included full names, dates of birth, addresses, phone numbers, Social Security numbers, primary insurance providers, insurance guarantors, reasons for visit, employers, emergency contact/next of kin, and their addresses and phone numbers. Test results and other medical information were not present on the Facesheets.

“We have notified 126 former patients or their listed next of kin of the privacy breach by mailing a letter to their last known address on September 23, 2016,” the facility said.

According to reports, an individual obtained registration Facesheets from Broward Health Imperial Point without permission. The information on the Facesheets relates to patients who visited Broward Health Imperial Point between November 2011 and March 2012.

The facility said that it is re-educating staff members and strengthening procedures for the protection of patients’ personal information.

Broward Health’s disclosure said: “We also offered affected patients an identity theft protection service at no cost.”

Broward Health Senior Vice President and CIO Doris Peek told the press about a series of data breach incidents in Florida. Hospitals hit by data theft include Fort Lauderdale’s Holy Cross, Hollywood’s Memorial Regional and the University of Florida’s Shands Hospital in Gainesville. According to Peek, an identity theft ring paid hospital registrars to give them copies of Facesheets.

“This ring of thugs got busted,” said Peek. “They send in tax information to the IRS about persons to get their tax refund. They targeted the older and sick population.”


Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to stolen laptop

November 6th, 2016

MGA Home Healthcare Colorado, Inc. recently suffered a data breach after a laptop was stolen from an employee’s locked vehicle. The facility is notifying 3,119 patients about the incident.

As per the statement, ‘MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused. For further information and assistance, potentially affected individuals may contact MGA’s incident response service provider, AllClear ID.’

The theft reportedly took place sometime between August 19, 2016 and August 20, 2016; MGA learned of it on August 20 and notified law enforcement.

MGA said that it is conducting a thorough review of the potentially affected records to confirm what information was exposed. Affected information included names, addresses and other demographic information, and for some patients information about MGA-provided healthcare services may also have been exposed. Thirty-two patients had their Social Security number or driver’s license number stored on the laptop.

“MGA has no evidence that the information on the laptop has been accessed or used,” MGA maintained. “As a precaution, MGA is offering identity theft protection services to affected individuals. MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused.”

Ways to secure your laptop:

Login Password

Require a login name and password to access your system.

Authentication Gestures

Some laptops come with authentication gestures, a hardware-based feature that can be used to secure your laptop.

Encrypted File Systems

First, understand what a file system is: each operating system uses some method to store and retrieve data on your hard disk. Encrypted file systems layer themselves on top of an existing file system.

With this method, individual files or directories are encrypted manually; various tools are available on the market to do so.

Tracing and Tracking

With the help of a tracking feature or tracking service you can learn the location of the laptop. The laptop must be connected to the internet to report its location.


Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

California based healthcare facility recently suffered data breach

November 5th, 2016

A physical therapy organization recently suffered a data breach that has potentially affected the information of approximately 8,000 individuals.

According to reports, the billing and software companies of Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale and Silver Creek Physical Therapy Los Gatos (Silver Creek) reported to Silver Creek that an Amazon “S3” storage account was vulnerable.

The vulnerability allowed access by individuals outside the organization. The facilities said that the account was vulnerable from May 2016 to September 11, 2016, and that some PHI was in the storage account.

Affected information includes patient names, Medicare numbers, prescriptions, dates of birth, treatment locations, treatment dates, Social Security numbers for a small subset of individuals, driver’s license numbers, and progress notes. According to the OCR data breach reporting tool, a total of 8,009 individuals were affected.

“We take any threat to the security of information entrusted to us very seriously,” Co-founder of Silver Creek Fitness & Physical Therapy Todd Jones said in a statement.  “Once the error was discovered, we worked with the billing and software companies to ensure that access to the storage account was restricted and that proper access credentials are in place. We apologize for any inconvenience or concern this incident may cause our patients.”

The facility said that it is unaware of any misuse of client personal information and is offering credit monitoring and identity restoration services.
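The Silver Creek statement says access to the S3 storage account was “restricted” and “proper access credentials” put in place, which is the usual remedy when a bucket has been opened to everyone through its policy or its ACL. The following is an added example, not code from the Alertsec post or from Silver Creek’s vendors. It takes a bucket policy document and an ACL grant list in the shape the S3 API returns (no network access is needed; both inputs are constructed) and reports every statement or grant that makes the bucket readable or writable by anyone, so a billing provider could run the same check over its own buckets before a third party finds the problem.

```python
"""Report public-access grants in an S3 bucket policy and ACL.  Added example;
the policy and grant documents below are constructed, not a real bucket's."""
import json

# Principals that mean "everyone" in a bucket policy.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})

# The two predefined S3 groups that make an ACL grant world-readable or
# readable by any AWS account holder respectively.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    if principal in PUBLIC_PRINCIPALS:
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy_document):
    """Return one finding per Allow statement granted to everyone."""
    policy = json.loads(policy_document)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        resources = ", ".join(_as_list(stmt.get("Resource", [])))
        note = " (limited by a Condition; review it)" if "Condition" in stmt else ""
        findings.append(f"statement {stmt.get('Sid', '?')} allows {actions} on {resources} to everyone{note}")
    return findings


def acl_findings(grants):
    """Return one finding per grant to the AllUsers or AuthenticatedUsers group."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            group = uri.rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


# Constructed policy: one public-read statement and one scoped to a role.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-billing-bucket/*"},
        {"Sid": "BillingRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-billing-bucket/*"},
    ],
})

# Constructed corrected policy: the public statement removed.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [json.loads(OPEN_POLICY)["Statement"][1]],
})

# Constructed ACL grants in the shape of GetBucketAcl output.
OPEN_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]

if __name__ == "__main__":
    for finding in policy_findings(OPEN_POLICY) + acl_findings(OPEN_GRANTS):
        print("PUBLIC:", finding)
    print("restricted policy:", policy_findings(RESTRICTED_POLICY) or "no findings")
```

Note that the AuthenticatedUsers group is flagged alongside AllUsers on purpose: it means any AWS account holder, not your own users, which is why it appears in the same list. The timeline in the statement (open from May to September) is also the reason this kind of check belongs in a scheduled job rather than a one-off review.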

Fraud prevention tips for affected individuals include:

Reviewing account statements, medical bills and health insurance statements

Monitoring credit reports

Activating a fraud alert on your credit file

Placing a security freeze on your credit file

It is also important to learn about identity theft, fraud alerts and the steps you can take to protect yourself by contacting the Federal Trade Commission or your state Attorney General.


Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.