Archive for the ‘Computer news’ category

Bizmatics and data breach

June 20th, 2016

According to the HIPAA notification letter on the ENT and Allergy Center’s website, yet another medical center has suffered a potential healthcare data breach due to a hacking incident. Affected information included names, addresses, healthcare visit information, and the last four digits of Social Security numbers. The EHR files did not contain credit card numbers or any other financial information.

According to the Office of Civil Rights data breach tool, 16,200 individuals were affected by the healthcare data security incident. The facility said that its EHR vendor’s data servers, which stored and managed patient files, were attacked by hackers. The EHR vendor, Bizmatics, discovered the intruder and terminated the access.

Bizmatics said that EHR files may have been viewed or acquired as a result of the possible data breach. It also notified the ENT and Allergy Center but failed to identify which patient files may have been exposed.

Bizmatics contacted law enforcement officials and hired a private cybersecurity firm to secure its systems. An investigation is being carried out by the agency. All affected individuals were notified and offered free credit, fraud, and identity-theft monitoring services for a year. A toll-free phone number has also been set up to answer questions about the healthcare data security incident. The ENT and Allergy Center said that it is in the process of implementing safeguards to protect information.

Several other healthcare facilities were affected by this hacking incident. One example is the incident at Pennsylvania-based Integrated Health Solutions PC, which affected 19,776 individuals. Southeast Eye Institute PA also suffered a data breach, which affected 87,314 individuals.

According to the ENT and Allergy Center’s website:

We intend to abide by the Final Omnibus Rule of the HIPAA regulations regarding your Protected Health Information, hereafter abbreviated as PHI.  The term PHI refers to your medical records, billing and payment records, your name, address, date of birth, social security number, payment history, the name of your health plan and account number, and other data that identifies you.

We are permitted by law to disclose PHI to you and to anyone who needs it to carry out treatment, payment, or healthcare operations.  We will be required to obtain your signature for authorization to release PHI for most uses unrelated to treatment, payment, and healthcare operations.  We will retain your authorization and provide you a copy if you wish to have it.  PHI will be provided within 30 days of the written request in hard copy form.  Information may be available for transfer onto USB media if the media is provided by the patient.  You may revoke your authorization in writing at any time.

————————————————————————————————————————————————————–

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

EHR vendor and data breach

June 18th, 2016

Healthcare organization Vincent Vein Center has notified patients of a potential healthcare data breach. The incident was the result of the hacking incident at Bizmatics, a vendor that manages EHR for Vincent. The facility’s Colorado-based phlebology office said that some of its EHR files were accessed by an outside entity. The unauthorized access was related to the PrognoCIS system, a practice management and EHR system serviced by Bizmatics.

The number of affected individuals stands at 2,250 according to the OCR data breach tool. Affected information included names, addresses, health insurance information, health visit and treatment information, and other identifying data, such as Social Security numbers. The PrognoCIS system is used to store complete patient files.

Bizmatics mentioned that there has been no indication that Vincent Vein Center’s files were accessed or obtained by the outside party. Also, there are no available reports of information published online.

As per Bizmatics, “A cybersecurity firm is hired to investigate the incident. It found out that cybercriminals had installed malware on its systems to capture user credentials. Affected individuals are contacted about the possible data breach. Also, the facility has established a toll-free number to answer any questions which included identity theft protection resources for patients.”

As noted in Bizmatics’ letter, we have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. VVC is examining Bizmatics’ practices and determining whether a continued relationship with Bizmatics is appropriate. VVC will make every attempt to prevent further breaches.

“We sincerely regret that this incident has occurred and thank you for your understanding.”

————————————————————————————————————————————————————–

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

EHR system hacked

June 15th, 2016

A Pennsylvania-based healthcare facility suffered a potential data breach when unauthorized users hacked into its EHR system. The system was managed by Bizmatics. The incident has potentially affected around 19,776 individuals, according to the Office of Civil Rights (OCR).

Bizmatics found that an outside entity had accessed its systems, which resulted in some patient files being exposed. Affected information includes names, addresses, Social Security numbers, and healthcare visit information.

Bizmatics did not specify whether patient records from Integrated Health Solutions PC were accessed during the hacking incident. To be on the safe side, the healthcare facility has taken measures to strengthen its healthcare data security policies.

“Integrated Health Solutions values your privacy and deeply regrets that this incident occurred and is working closely with its advisors and Bizmatics to ensure the incident is properly addressed, including a review of our data security measures in order to help prevent a recurrence of such an attack,” reported the statement. “We have also contacted relevant state and federal authorities regarding this issue.”

Bizmatics had informed several other organizations of potential healthcare data breaches that left EHR files exposed to outside entities. Bizmatics also suffered a data breach early this year.

One example is Florida-based Southeast Eye Institute, PA, which notified 87,314 individuals of a hacking incident affecting files managed by Bizmatics. Another example involved 19,937 patients at the Pain Treatments Center of America (PTCOA) and Interventional Surgery Institute (ISI) in Arkansas, which were affected by the data breach.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

————————————————————————————————————————————————————–

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Mis-mailing and data breach

June 6th, 2016

Coordinated Health Mutual, Inc. recently suffered a data breach which affected around 591 individuals, according to the Office of Civil Rights data breach portal. The facility confirmed the healthcare data security breach. The incident occurred after a vendor experienced an internal, electronic sorting issue. Around 650 incorrect or incomplete 1095-B forms were inadvertently printed and mailed.

A 1095-B form is a healthcare insurance form used to verify an individual’s health insurance coverage for a specific amount of time. It records information such as the dependents on the policy and how long the policy was active.

According to the statement, ‘These incorrect or incomplete forms either do not display a policyholder’s dependents at all, or they have incorrect dependents listed. No medical information was included and this information is not publicly available; specifically, one policyholder may have the information on the dependents of another policyholder.’

Coordinated Mutual Health, Inc. conducted an investigation and found that fewer than 800 dependents were listed on the incorrect policyholder’s form.

“Following an initial assessment and report by our vendor, we alerted all members and appointed brokers of the issue on April 5 and asked that they contact our Compliance Department if they received an incorrect 1095-B form. We are also encouraging members to destroy or return any incorrect forms they may have received.”

Coordinated Mutual Health, Inc. said in the statement that it is offering identity protection services to any impacted dependent. Policyholders will also receive their corrected 1095-B forms with instructions on how to enroll in the services.

As per the company website:

HIPAA, which stands for Health Insurance Portability and Accountability Act, is a set of Federal Regulations originally passed in 1996. One component that HIPAA focuses on is Privacy.

So what is HIPAA Privacy all about? HIPAA Privacy is about protecting the confidential nature of an individual’s health information. It is as simple as that.

The Privacy Regulation protects health information relating to past, present or future physical or mental health of an individual. Any health information that can be directly linked or associated with an individual is referred to as “protected health information” or PHI for short. Protected health information can be in written, electronic or oral form. For more information please visit United States Department of Health & Human Services Website.

————————————————————————————————————————————————————-


Employee misuse results in potential healthcare data breach

June 3rd, 2016

Inappropriate access to patient information over seven years has resulted in a possible PHI breach at an Iowa hospital, according to the report.

Around 1,620 patients have been notified by UnityPoint Health-Allen Hospital. A former employee had improperly viewed PHI through the hospital’s EHR system. The employee was allowed access to the EHR system to do her job at that time, but she did not have the authority to view the records of the patients involved in this healthcare data security event. The employee’s EHR access was terminated as soon as the hospital detected the possible PHI breach, and the staff member was disciplined according to hospital policies.

According to Jim Waterbury, the hospital’s vice president for institutional advancement, Allen Hospital staff detected inappropriate access to the hospital’s medical records on March 14 and opened an immediate review.

Patients may have had their names, home addresses, dates of birth, health insurance information, and treatment information disclosed in the incident. The report stated that less than 15 percent of affected patients may have had their Social Security numbers viewed.

“We apologize to our affected patients, and we accept our responsibility to keep this event from happening again,” UnityPoint Health-Allen Hospital’s Vice President for Institutional Advancement Jim Waterbury told The Courier.

Steps taken by the hospital to prevent future healthcare data breaches include additional training on proper access to EHR systems and performing more audits.

The facility has also provided patients with guidance on other precautionary measures they can take to protect their information, including placing a fraud alert, placing a security freeze and/or obtaining a free credit report.

————————————————————————————————————————————————————-


Unauthorized access and data breach

May 31st, 2016

The Southeast Eye Institute, PA, or Eye Associates of Pinellas, recently suffered a possible healthcare data breach due to a hacking incident. An unauthorized party accessed patient files which were managed by a third-party vendor. The number of affected patients stands at 87,314 individuals, according to the Office of Civil Rights (OCR) data breach portal.

“We have learned that Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began. Bizmatics has communicated to us that it believes the incident began in early 2015.”

Bizmatics Inc, an off-site vendor for Southeast Eye Institute, was attacked by hackers. Affected information included names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information. The practice reported that medical and financial information was not involved in the event.

Bizmatics Inc said that patient information was segregated into several different files in order to strengthen healthcare data security. It did not say whether hackers were able to combine all the data, and it did not confirm which types of patient files were affected.

Southeast Eye Institute said that the affected patients included those who visited the facility on or before November 16, 2015.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

Southeast Eye Institute no longer works with Bizmatics Inc. Bizmatics Inc., however, contacted the FBI. It also hired a cybersecurity firm to improve its data security measures, which includes strengthening firewalls and network configurations.

————————————————————————————————————————————————————-


Hacking incident and data breach

May 24th, 2016

Indiana-based Lafayette Pain Care PC recently suffered a probable data breach after an outside entity accessed some patients’ EHR data. According to the OCR data breach portal, around 7,500 individuals were affected by the possible PHI breach.

As per the statement, “Lafayette Pain Care’s EHR management vendor experienced a hacking incident that could have resulted in some patient files being exposed to intruders. The potential healthcare data breach affected multiple EHR systems across the country, confirmed the statement.”

“All this said, our electronic medical records provider has informed us that it is not aware of any evidence that our patient records were in fact accessed or acquired by any unauthorized persons,” as per the website.

Lafayette Pain Care has notified affected individuals and has asked patients to monitor their credit accounts. It also advised them to report any suspicious or inappropriate activity, and it has offered free credit monitoring services to affected and verified patients.

“We do recommend that our patients check with their local credit bureau or credit monitoring agency (such as TransUnion, Experian, or Equifax) for any unauthorized activity with their credit or identity. Patients can also utilize the site www.annualcreditreport.com to review their credit report annually.”

“If any unauthorized activity is noted, it should be reported appropriately. We recommend that all persons receiving medical or surgical care, regularly review their Explanation of Benefits forms to confirm the accuracy of included listed services.”

According to the statement:

Lafayette Pain Care is pleased to welcome new patients to our practice. As a valued customer of our practice, we maintain complete records on you to ensure that we can always communicate with you promptly, treat you in the most appropriate and effective manner, coordinate with your other doctors where needed, and ensure your care is paid for by insurance or other means.

————————————————————————————————————————————————————-


Theft exposed PHI information

May 16th, 2016

Some incarcerated patients at the California Correctional Healthcare Services are affected by a potential healthcare data breach. Affected information included PHI or personally identifiable information such as medical, mental health, and custodial information.

The facility did not mention the number of individuals affected by the security incident. But it said that PHI may have been affected for patients who were incarcerated between 1996 and 2014 in the California Department of Corrections and Rehabilitation.

As per the statement, “We regret this incident occurred and take these events seriously. CCHCS has taken steps to mitigate these types of events including information security training for staff and we are reinforcing information security practices. We are also taking steps to ensure that all CCHCS mobile devices include appropriate technology protections.”

The possible PHI breach occurred after a work laptop was stolen from an employee’s personal vehicle. According to the reports, the laptop was not encrypted, but the facility said that it was password protected.

“Under current federal regulations, an entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”

Officials are still not sure of the extent of the breach, as the facility failed to analyse all of the information contained on the laptop. California Correctional Healthcare Services cannot identify specific individuals, but it has attempted to contact each individual affected by the incident. It is possible that some patients will not receive any notification from the facility, so a notice has been uploaded to its website and information about the event has been sent to the media.

“CCHCS [California Correctional Healthcare Services] is committed to protecting the personal information of our patients,” said Director of Communications and Legislation Joyce Hayhoe in the press release. “Appropriate actions were immediately implemented and shall continue to occur. This includes, but is not limited to, corrective discipline, information security training, procedural amendments, process changes and technology controls and safeguards. As necessary, policies, risk assessments and contracts shall be reviewed and updated.”

————————————————————————————————————————————————————-


A medical group suffers data breach

May 13th, 2016

A hacking incident may have affected a medical group in Texas. The incident may have exposed patient and employee information. According to the reports, approximately 50,000 individuals were affected by the healthcare data security breach at the Medical Colleagues of Texas, LLP. Affected information included employee and patient information, such as names, addresses, Social Security numbers, and health insurance information.

“It’s a lot of records,” stated Dallas attorney Lindsay B. Nickle, who represents the group, Medical Colleagues of Texas.

According to the statement,

‘We sincerely regret any inconvenience or concern this matter may cause and remain dedicated to protecting patients’ information.’

The Medical Colleagues of Texas, LLP said that it discovered an outside party accessing its computer network. The relevant network stored EHR and personnel data. After learning of the breach, the healthcare system conducted an internal investigation. It also hired an independent forensic expert who will examine and secure the network.

“We do not know who, we do not know where,” she stated. “We simply realize that online hackers experienced the network.”

The healthcare system has notified affected individuals by mail. It also established a call center to address any questions or concerns. Free credit monitoring services have been set up for impacted patients.

“In addition, since this event was discovered, we have taken steps to prevent this type of event from happening again, including updating our computer network, strengthening our firewalls, and implementing two factor authorization measures for remote access,” explained Medical Colleagues of Texas, LLP in the notice. “We are also providing additional training and strengthening our policies and procedures in regards to the protection of sensitive personal information.”

“Medical Colleagues of Texas takes the privacy and security of protected information very seriously, and although we are not aware of the misuse of any information”

————————————————————————————————————————————————————-


Internet and PHI breach

May 12th, 2016

The Children’s National Medical Center in Washington DC may have recently suffered a data breach, as a few of its documents were available on the internet. The incident may have occurred in February. According to the reports, due to a mistake by Ascend Healthcare Systems, a former business associate of the healthcare system, data related to 4,107 patients of Children’s National Medical Center was accessible via the Internet.

“Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.

PHI could have been found using a search engine, like Google. Affected information includes names, dates of birth, medication lists, and physicians’ notes on diagnosis and treatment. The incident occurred because the File Transfer Protocol site was misconfigured. The facility said that the site was a standard network for storing and transferring files.

According to the Children’s National Medical Center, Ascend Healthcare Systems violated its contract, under which it was required to delete all patient information as per the separation agreement. After the incident, Ascend was advised by the Children’s Hospital Medical Center to delete transcription documents from its servers and secure the site.

The medical center has not received any reports of inappropriate access or misuse of patient information. It has sent notification letters to affected individuals. A dedicated call center was also created to answer queries. Children’s National regrets any concern this incident may cause.

According to the statement:

Children’s National Health System, based in Washington, DC, has been serving the nation’s children since 1870. Children’s National is a Leapfrog Group Top Hospital, Magnet® designated, and was ranked among the top 10 pediatric hospitals by U.S. News & World Report 2015-16. Home to the Children’s Research Institute and the Sheikh Zayed Institute for Pediatric Surgical Innovation, Children’s National is one of the nation’s top NIH-funded pediatric institutions. With a community-based pediatric network, seven regional outpatient centers, an ambulatory surgery center, two emergency rooms, an acute care hospital, and collaborations throughout the region, Children’s National is recognized for its expertise and innovation in pediatric care and as an advocate for all children.

————————————————————————————————————————————————————-
