Archive for December, 2016

Data breach at Vascular Surgical

December 7th, 2016

Vascular Surgical Associates, based in Georgia, recently suffered a data breach after one of its computer servers was hacked. According to the statement, the attack occurred during a software update. An initial investigation by the facility found that a compromised vendor password was used in the incident.

According to the FAQ section of Vascular Surgical, it had “hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records.” Furthermore, the ONC had certified the software.

“A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately,” the FAQ read. “The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.”

According to the OCR data breach reporting tool, the incident affected 36,496 individuals. Preliminary reports indicate that the hackers likely reside in other countries. Affected information included medical records and demographic information such as dates of birth and addresses. Social Security numbers and financial data were not present on the compromised server. The facility also mentioned that the portal was not involved or affected. Patient care is being carried out as usual.

“Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again,” the statement explained. “We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to missing laptop

December 3rd, 2016

Briar Hill Management, which is based in Mississippi, recently suffered a data breach and has started notifying affected individuals. It mentioned that some personal information, including health data, was breached. The incident resulted from a missing company laptop.

According to the OCR data breach reporting tool, the incident affected 2,000 individuals. Briar Hill Management of Ridgeland, Mississippi, provides management services for skilled nursing facilities in the state.

An employee was unable to locate the laptop, and it was found that the employee had violated company policy. The laptop contained resident health information on its hard drive and was not properly secured outside the office.

“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued residents and their families,” Briar Hill Management Compliance Officer Sandy Lindsey said in a statement. “We take resident privacy as seriously as we do their care. We want to assure our residents and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.”

Affected information included resident names, addresses, Social Security numbers, dates of birth, dates of service, prescription information, and medical records. Part of the information was affected. The facility has yet to find the laptop. It mentioned that there is no sign of data misuse.

“In response to this issue, Briar Hill Management has taken numerous remedial actions, including sanctioning the employee involved, seeking local law enforcement assistance, and implementing additional security measures for all mobile technology used by its personnel,” the statement read.

Hacking, phishing and ransomware are the hot topics, but for many industry sectors, lost or stolen mobile devices have greater implications.

“This gets at what constitutes a breach – even if a device were lost due to an employee’s carelessness, the organization must still disclose that event because there is some chance that the data may fall into the wrong hands. Given the volume of sensitive data accessed by employees on a daily basis, it’s inevitable that some will find its way onto devices and that some devices will be lost or stolen,” said Salim Hafid, Bitglass product manager.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.