Archive for the ‘Computer news’ category

Internet and PHI breach

May 12th, 2016

The Children’s National Medical Center in Washington DC may have recently suffered a data breach after some of its documents became available on the internet. The incident may have occurred in February. According to the reports, due to a mistake by Ascend Healthcare Systems, a former business associate of the healthcare system, data related to 4,107 patients of Children’s National Medical Center was accessible via the Internet.

“Due to changes and upgrades to systems, a system that is secure today could become vulnerable with the next change – thus the need to repeat the vulnerability scan periodically,” says Mark Dill, former longtime CISO at the Cleveland Clinic who is now a principal consultant at tw-Security.

The PHI could have been found using a search engine such as Google. Affected information includes names, dates of birth, medication lists, and physicians’ notes on diagnosis and treatment. The incident occurred because the File Transfer Protocol (FTP) site was misconfigured. The facility said the site was a standard network location for storing and transferring files.

According to Children’s National Medical Center, Ascend Healthcare Systems violated its contract, which required it to delete all patient information under the separation agreement. After the incident, Children’s National advised Ascend to delete the transcription documents from its servers and secure the site.

The medical center did not receive any reports of inappropriate access or misuse of patient information. It has sent notification letters to the affected individuals and set up a dedicated call center to answer queries. Children’s National regrets any concern this incident may cause.

According to the statement:

Children’s National Health System, based in Washington, DC, has been serving the nation’s children since 1870. Children’s National is a Leapfrog Group Top Hospital, Magnet® designated, and was ranked among the top 10 pediatric hospitals by U.S. News & World Report 2015-16. Home to the Children’s Research Institute and the Sheikh Zayed Institute for Pediatric Surgical Innovation, Children’s National is one of the nation’s top NIH-funded pediatric institutions. With a community-based pediatric network, seven regional outpatient centers, an ambulatory surgery center, two emergency rooms, an acute care hospital, and collaborations throughout the region, Children’s National is recognized for its expertise and innovation in pediatric care and as an advocate for all children.

————————————————————————————————————————————————————-

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Malicious email and data breach

May 11th, 2016

Mayfield Brain and Spine may have suffered a data breach due to malicious emails. It has notified some patients about the healthcare ransomware incident. According to the OCR reporting tool, the breach affected 23,341 individuals.

According to the statement, Mayfield Brain and Spine said that an unauthorized entity accessed its account with an outside vendor. After accessing the database, the attacker sent a fraudulent email. The modus operandi was simple: when recipients opened the attachment, malware was downloaded.

“The vendor receives only email addresses from Mayfield,” said Mayfield Clinic Inc.’s Vice President of Communications Thomas Rosenberger. “No other health or financial information is shared. In this incident, no Mayfield systems were involved, and no patient health or financial information was compromised.”

The facility works with the vendor to email Mayfield information, such as newsletters, educational material, invitations, and announcements. The vendor also sends these emails to patients, business associates, event attendees, website contacts, and other people associated with Mayfield Clinic Inc.

“Mayfield’s first priority is always the well-being of our patients. Once we learned of the incident, we immediately communicated with recipients by email, by social media, and on our website, including both notification and instructions on how to remove the virus.”

Mayfield Brain and Spine guided recipients to resolve the issue by downloading free software to remove the malware. It has also collaborated with the vendor’s compliance office to analyze the situation, and is working with a computer virus protection service to neutralize the virus.

“We are continuously monitoring the situation,” continued Rosenberger. “With all of the action taken to date, we do not believe that recipients of the fraudulent email need to take any additional steps at this time.”

According to the statement:

Mayfield Brain & Spine is the full-service patient care provider of the Mayfield Clinic, one of the nation’s leading physician organizations for neurosurgical treatment, education, and research. With more than 20 specialists in neurosurgery, interventional neuroradiology, physical medicine and rehabilitation, and pain management, Mayfield Brain & Spine treats 20,000 patients from 35 states and 13 countries in a typical year. Mayfield physicians specialize in the treatment of back and neck pain, sciatica, Parkinson’s disease, essential tremor, NPH, epilepsy, brain and spinal tumors, stroke, moyamoya, brain aneurysms, Chiari malformation, scoliosis, kyphosis, facial pain, facial twitch, trauma, concussion, spinal cord injury, and carpal tunnel. As leading innovators in their field, Mayfield physicians have pioneered surgical procedures and instrumentation that have revolutionized the medical art of neurosurgery for spinal diseases and disorders, brain tumors, and neurovascular diseases and disorders.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Identity and Access Management

May 9th, 2016

Research director Felix Gaehtgens said at the Gartner Identity and Access Management (IAM) Conference in London that issuing one-time password (OTP) tokens to third-party organizations can cause many problems. He mentioned that some third-party organizations even hang OTP tokens on a wall, labelled with the name of the company they belong to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

Shared passwords also bring the biggest risk of all: loss of accountability. Companies can take various steps to secure their data.

Phone

He suggested phone-based authentication instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many phone-based authentication systems are available on the market.

Dedicated person for IAM

He suggested a sponsorship approach in which internal employees act as sponsors for external workers and keep track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’” said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Providing short-term access to only the related resources keeps the data secure after the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

One can use privileged access management (PAM) and shared account password management (SAPM) tools to manage third-party access privileges.

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”


Lab Results and Data Breach

May 6th, 2016

BioReference Laboratories in New Jersey may have suffered a data breach when photographs containing PHI were sent by unsecured email. According to the reports, some of its phlebotomists took pictures of lab test results with their smartphones. The employees then emailed the photos to the laboratory over unsecured email. The pictures stored on the phones lacked the necessary safeguards.

According to the BioReference Laboratories, “BioReference is the third largest full service clinical diagnostic laboratory in the U.S. providing testing and related services to physician offices, clinics, hospitals, long term care facilities, employers, governmental units and correctional institutions. We offer a comprehensive test list focusing on molecular diagnostics, anatomical pathology, genetics, and women’s health. Moreover, through its GeneDx subsidiary, BioReference has an international presence in more than 50 countries around the world.”

Affected information includes names, dates of birth, addresses, admission and discharge dates, medical record numbers, Social Security numbers, insurance information, diagnosis codes, and descriptions of lab tests, which may be at risk of being improperly accessed, the company stated. The photos did not contain passwords, security codes, or financial information.

The company stated that this type of photo sharing may have occurred multiple times earlier. The statement did not mention the number of patients affected by the incident, but the OCR data breach reporting tool listed 3,563 individuals as potentially affected.

An internal investigation was launched, along with upgrades to healthcare data security measures and internal safeguards. Affected individuals have been contacted by facility officials about the possible healthcare data breach and offered a free credit monitoring service.

BioReference Information –

BioReference has more than 5,000 employees. It is contracted with virtually all national health plans (UHC, Cigna, Aetna, Humana, Coventry and most Blues Plans). It has laboratory locations in nine states: New York, New Jersey, Maryland, Massachusetts, Rhode Island, Ohio, Florida, Texas and California.


Stolen laptop and Data breach

May 4th, 2016

EqualizeRCM Systems, a billing and collection services vendor, recently suffered a healthcare incident when one of its laptops was stolen. The laptop contained patient information, including names, addresses, phone numbers, dates of birth, insurance information, genders, healthcare provider information, billing and diagnosis codes, medical record numbers, internal reference numbers, dates and types of service, locations of services received, and other administrative data.

Affected facilities included –

  • Northstar Healthcare Surgery Center (Scottsdale, Houston, Dallas)
  • Microsurgery Institute (Houston, Dallas)
  • Hermann Drive Surgical Hospital
  • Victory Medical Center Houston
  • Central Dallas Surgery Center
  • Southwest Freeway Surgery Center
  • Kirby Surgical Center
  • Plano Surgical Hospital

The stolen laptop belonged to one of its employees. EqualizeRCM Systems launched an investigation after the incident. Financial information and Social Security numbers were not affected. The facility did not specify the number of affected individuals, but its letter to the New Hampshire Department of Justice mentioned that two individuals from the state were affected.

The facility believes the information has not been misused, but it has offered affected individuals complimentary identity theft monitoring and remediation services. Notification letters have also been sent to affected individuals. EqualizeRCM Systems said it has developed and implemented additional security measures.

“The privacy and protection of patient information is a top priority for EqualizeRCM, and we deeply regret any inconvenience or concern this incident may cause,” explained the statement. “We are working closely with the affected facilities in our response to this event, and have taken steps to help prevent this type of incident from happening in the future including reviewing our policies and procedures, implementing additional safeguards to ensure information in our control is appropriately protected, and retraining employees on existing policies for the proper handling of sensitive information.”

“EqualizeRCM provides a variety of scalable services to healthcare entities across many segments including ambulatory surgery centers (ASC), durable medical equipment manufacturers (DME), Mental Health Facilities, physicians and providers, hospitals, and urgent care facilities.”

————————————————————————————————————————————————————-

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Robbery and Data breach

May 2nd, 2016

A California-based chiropractic office, Vibrant Body Wellness, suffered a data breach after its facility was burgled. The incident affected around 600 patients. According to the reports, a laptop and a hard drive containing health-related data were stolen.

Vibrant Body Wellness published the following statement:

“We were robbed! Literally. Yes, it’s sad but true — our office at Vibrant Body Wellness was broken into during the weekend of March 5th to March 8th. Things were stolen and no one was physically injured. We are grateful for that, and have been sorting through the violation and the lessons over the past month. The support and well wishes from our practice members and from our community members has been heartening, so thank you for reaching out and for your patience as we replace equipment and update security procedures.”

Affected information included names, addresses, dates of birth, contact information, diagnoses, and billing information. The laptop was password-protected, and the patient information on the hard drive was encrypted.

Local law enforcement officials were notified about the incident. As per the statement, notification letters have been sent to affected individuals, who are also encouraged to place a fraud alert on their credit accounts. The practice believes the information is not being misused or inappropriately accessed.

“We understand that this may pose an inconvenience to you. We sincerely apologize and regret that this situation has occurred,” wrote the owner of the practice, Teresa Lau, DC, in a letter to affected patients. “Vibrant Body Wellness is committed to providing quality care, including protecting your personal information, and we want to assure you that we have policies and procedures to protect your privacy.”

The facility also provided information on placing an initial fraud alert: “We are keenly aware of how important your personal information is to you. You may place an initial fraud alert on your own credit account with Equifax, who will notify the other two credit bureaus. The fraud alert does not impact your credit score and provides an extra layer of protection–creditors must contact you directly before issuing credit in your name. The initial fraud alert lasts for 90 days, is free, and can be renewed for free after 90


Truck and Data Breach

April 29th, 2016

A mail delivery truck carrying health information was stolen, resulting in a potential healthcare data breach for Kaiser Permanente, a healthcare system based in California. According to the reports, health information of approximately 2,400 individuals was affected. The truck was stolen from a parking lot.

The truck was not parked in a secure area, even though Kaiser Permanente’s guidelines require it. The truck contained “Evidence of Coverage” handbooks for Kaiser Permanente patients on the Inland Empire Health Plan. Affected information included personal information, such as names, addresses, and an overview of plan benefits.

According to the reports, the thieves gained entry to the vehicle, drove to an unspecified location and left the emptied truck behind.

After the incident, the healthcare facility reported the stolen vehicle to local law enforcement officials. Michelle Simms, a Kaiser Permanente spokeswoman, said the health care provider spoke to the Los Angeles County Sheriff’s station in Santa Clarita. The truck was found, but the health records were missing. The facility believes there is no evidence of misuse of the PHI. Also, the files did not contain Social Security numbers, medical record numbers, descriptions of health services, health statuses, or financial information.

“We are in the process of notifying and apologizing to our members affected by this incident,” officials said in a statement. “We have investigated this matter and are taking appropriate steps to prevent similar errors in the future.”

With the rise in data breaches due to stolen records, it is better to digitize records with proper safeguards. Responsible health data handling includes –

  • Administrative safeguards: policies and procedures to protect the privacy and security of patients’ PHI
  • Physical safeguards: measures to protect the hardware and the facilities
  • Technical safeguards: health IT systems that protect health information and control access to it


Phishing Scam and Data Breach

April 27th, 2016

Wyoming Medical Center recently suffered a data breach when it was hit by a phishing scam. According to the reports, 3,184 individuals received a notification letter from the medical center stating that their PHI may have been accessed by an unauthorized user.

The facility explained phishing emails as follows:

“Phishing emails are email messages appearing to come from legitimate sources, such as a bank, a trusted friend or colleague, or trusted businesses, etc. Phishing is an attempt to acquire sensitive information such as usernames, passwords, credit card information, email addresses, or Social Security Numbers. Many times, it is difficult to identify phishing emails.”

Earlier this February, the medical center found that two email accounts had been accessed by an outside entity. A phishing email was sent to one employee and, after it was opened, other employees also received emails. This unauthorized access lasted around fifteen minutes.

Affected information included data related to hospital purchasing, wound care, and patients on isolation precautions. PHI was also exposed, including names, medical record numbers, dates of hospital services, account numbers, dates of birth, and some medical information. The medical center said its EHR systems were not compromised.

Wyoming Medical Center has also reviewed its security policies. The facility also said the scope of identity risk is limited: “No, the information accessible by the unauthorized user was limited and did not include the proper information to allow for identity theft. If you are concerned about potential identity theft, you may contact one of the credit reporting agencies that will place fraud protection on your credit report. All you have to do is contact one of the three credit reporting agencies and ask them to put a fraud alert on your credit file, and they should automatically inform the other two credit agencies.”

The medical center also said it takes privacy very seriously and educates employees on privacy. It has firewalls and the necessary safeguards to avoid such incidents, performs routine audits to find loopholes in its systems, and contracts information security firms to monitor and audit its systems routinely.


Stolen flash drive and data breach

April 25th, 2016

A dental clinic in Wisconsin recently suffered a healthcare data breach after a theft. A flash drive containing patient information was stolen. According to the reports, the flash drive stored dental information of patients.

Potentially exposed information included names, dental patient identification numbers, dates of visits, and dental insurance identification numbers. Oneida Health Center confirmed that the flash drive did not contain financial information. The flash drive was stolen from its office.

According to the statement,

“If affected individuals have broader concerns regarding their information, they may also contact one of the three major credit bureaus (below) to place a fraud alert on their credit report. Once one credit bureau confirms the fraud alert, the other two credit bureaus will automatically be notified to place alerts.”

The theft affected around 2,700 individuals. Oneida Health Center stated that the scope of the incident is limited and that there is no indication the data was misused or inappropriately disclosed. The facility asked patients to notify their dental insurance companies and monitor for identity theft.

Local law enforcement is working to solve the case, and all affected individuals have been notified of the security incident.

“To prevent a reoccurrence of this type of isolated internal incident, we are implementing the following measures: Reviewing and implementing administrative procedures regarding the use of flash drives and implementing appropriate technological safeguards concerning their security and storage,” explained the press release.

According to the reports, personal identifying data, financial information, Social Security information, claims information, and other diagnosis/treatment information were not present on the stolen flash drive. The information related only to a specific dental category; information from other departments within Oneida Health Center was not involved.


Hacking Incident and Data Breach

April 22nd, 2016

The Pain Treatment Centers of America (PTCOA) and Interventional Surgery Institute (ISI), a healthcare network in Arkansas, suffered a potential data breach. The incident came to light when a vendor reported a hacking incident. According to OCR’s tool, 19,397 individuals were possibly affected by the data security incident.

PTCOA and ISI said that the EHR and healthcare practice management tool operated by Bizmatics, a third-party vendor, is used to manage patient files and contains the medical records of all their patients.

According to the PTCOA notice, “Your patient information is important to us, and we select vendors to help us better manage and secure that information. As such, security is the number one priority for our technology vendors, including Bizmatics.”

An unauthorized outside party accessed a Bizmatics data server that stored customer records. Bizmatics collaborated with law enforcement officials and a cyber forensics firm to investigate the incident. After the audit, Bizmatics said the affected systems were secured.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics,” wrote PTCOA and ISI. “Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

PTCOA also said the following in its statement:

“We are taking this issue seriously and have retained Experian, an industry leader in credit monitoring and identity theft recovery, to help patients monitor this situation in the coming months. We are offering a complimentary one-year membership of Experian’s® ProtectMyID® Alert.”

PTCOA advised users to take the following steps –

  • Review your account statements and credit reports and notify law enforcement and us of suspicious activity
  • Consider placing a fraud alert or a security freeze on your credit files
  • Protect your Passwords
  • Fight “phishing” – don’t take the bait
