Archive for the ‘Email’ category

Emails sent to unintended recipient

March 13th, 2017

Orange County Global Medical Center recently suffered data breach which involved some of its patients. As per the reports, an employee emailed an Orange County Global statistical report to an wrong recipient.

“We take this matter, and the security and privacy of your information, very seriously,” explained the letter, a copy of which was posted on the California Office of Attorney General. “Since the incident occurred, and in addition to instructing the inadvertent recipient to delete the information, we have implemented additional protocols for sending information, reviewed our policies and procedures, and provided additional training to staff.”

Facility came to know about the incident the same day. It reached out to the recipient asking him to immediately and permanently delete the email and related information from his email account.

Affected information included patient treatment and diagnoses information, medical record numbers, dates of birth, treatment dates, and names.

Orange County Global Medical Center mentioned that patient Social Security numbers, driver’s license numbers, health insurance information, or financial account information were not affected in the incident. It didn’t mentioned the number of patients affected by the incident. It is providing free access to identity monitoring and restoration services for one year to affected patients.

As per the statement:

“If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident.”

Facility has asked affected patients to contact Experian Identity Works for any fraud issues. One can also enroll for –

  • Internet Surveillance
  • Identity Restoration
  • Experian IdentityWorks ExtendCARET
  • $1 Million Identity Theft Insurance

___________________________________________________________________________________

Alertsecs cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and co

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Emails forwarded to personal email account

February 24th, 2017

An employee of A Multnomah County Health Department automatically forwarded all emails from county email account to a personal Google email account. The recipient email account is not maintained by the Oregon county. PHI was present on some of the emails. The incident has  created a PHI breach.

On November 22, 2016 facility came to know about the incident during an audit. Facility mentioned that it found no evidence  of the emails getting misused. It also concluded that personal account had been deleted after the investigation. It is no longer available to the employees.

PHI was present in the email attachments because it was attributed to a member of the Health Department. Potentially affected information included individuals’ names, medical record numbers, prescription numbers, diagnoses, and dates of service. As per the OCR data breach reporting tool, incident affected 1,700 individuals.

Facility also mentioned that there is no presence of any patient’s Social Security number, home address, or phone number.

Multnomah County and the County Health Department are also monitoring any activity involving patient information.  It is also taking measures to increase protections of personal information in response to this incident.

“We have policies and procedures for handling personal information which were reviewed with the staff member involved in this incident,” the department explained. “We are also reviewing controls, business practices and policies to increase protections of personal information in response to this incident.”

About Multnomah County:

Around 766,135 residents in the country

Total area of 465 square miles

It includes cities like Fairview, Gresham, Maywood Park, Portland, Troutdale, Wood Village

County Employees number count is 5,600 people

Facility provides Services for seniors and disabled people, animal services, assessment and taxation, bridges, community justice, courts, elections, health, jails, libraries, marriage licenses and passports, school and community partnerships.

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Health Facility suffers email hack

February 7th, 2017

Multicare Health System recently announced data breach due to an email hack. The incident potentially affected 1,200 patients. The Washington health system mentioned that it has no information at this time to believe that any patient personal health information was accessed or misused in any way.

Facility will send the notification to affected patients. Also, patients have been advised to review their Explanation of Benefits statements and to remain vigilant to signs of irregularities related to their health insurance.

MultiCare stated that an unauthorized individual gained access to an employee email account. The information in the emails likely contained personal patient information ranging from addresses to account balances. Facility added that financial information and Social Security numbers were not present on the affected email account.

After the incident the affected email account has been secured. Password has been changed. Facility initiated an investigation into the incident and has provided contact information for patients concerned about the status of their information.

About Multicare:

“MultiCare is a not-for-profit health care organization with more than 10,000 employees and a comprehensive network of services throughout Pierce, South King, Thurston and Kitsap counties.

Facilities heritage dates back to the founding of Tacoma’s first hospital in 1882. Since then, it has grown to meet the ever-changing needs of our region-always focusing on excellence, innovation and patient care.”

When  email account gets hacked one should follow below steps to minimize the damage:

Initial step is to assess the damage done by hackers.

Visit the website of your email provider and try to regain the access.

Change the password by authorised method. Check inbox and trash for any password reset emails, which were not initiated by you.

Scan your computer with anti virus software. Many emails are hacked today to install virus on your computer.

Review your personal settings.

Validate the source  of any program, game and app before downloading it.

_____________________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Burrell Behavioral Health data breach

September 10th, 2016

Missouri-based Burrell Behavioral Health recently suffered data breach. Facility faced cybersecurity attack after unauthorized party accessed employee’s email account. It discovered the breach on on July 7, 2016. Internal investigation was launched immediately and the account was secured. According to the reports, unauthorized access occurred from July 6, 2016 to July 7, 2016.

“Burrell Behavioral Health has established a dedicated assistance line for anyone seeking additional information regarding this incident, as well as steps to better protect against identity theft. “

Affected information included clients’ names, addresses, dates of birth, Social Security numbers, doctor’s names, diagnoses, disability code, health insurance number, treatments, treatment locations and medical record numbers.

“We take any threat to the security of information entrusted to us very seriously,” Burrell Presdent and CEO Dr. Todd Schaible said in a statement. “Once the attack was discovered, we immediately took counter measures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information was at risk. We apologize for any inconvenience or concern this incident may cause our community.”

As per the OCR data breach reporting tool, in total 7,748 individuals may have been affected. Burrell mentioned that the patient PHI in the email account was accessed, but that “information at risk varies for each individual.”

One year of complimentary credit monitoring and identity restoration is provided for the affected people. Facility asked people to remain vigil to avoid identity theft which includes-

Reviewing account statements, medical bills, and health insurance statements regularly for suspicious activity, to ensure that no one has submitted fraudulent medical claims using your name and address. Report all suspicious or fraudulent charges to your account and insurance providers. If you do not receive regular Explanation of Benefits statements, you can contact your health plan and request them to send such statements following the provision of services.

 ___________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information.Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Email error and data breach

September 6th, 2016

Planned Parenthood of Greater Washington and Northern Idaho recently suffered data breach. It notified the affected individuals mentioning the data security incident. According to the reports, emails notifying individuals of an online portal were sent to the wrong addresses. accessible_resources

“Planned Parenthood of Greater Washington and North Idaho (PPGWNI) has been helping women, men, and teens make responsible decisions about their sexual health for nearly 50 years. Dedicated to delivering the highest quality reproductive health care services since 1967, PPGWNI is also committed to providing responsible, age-appropriate sexuality education. Protecting a woman’s fundamental right to choose is a major part of our organization’s underlying philosophy. “

Some individuals received another person’s email. It contained the second individual’s first and last name. Personal or health information was not present in the email.

“Privacy is a top priority for us, and we regret any confusion or concern this error has caused,” the statement reads. “We are reinforcing existing privacy policies and technological protocols internally and with our partners, and are evaluating additional safeguards to prevent any similar incidents from occurring in the future.”

As soon as Planned Parenthood knew about the breach they immediately shut down the portal. Facility didn’t realized there was error. Hence, there is no evidence indicating that any of the data has been misused.

“We are committed to ensuring individuals affected by this incident have the necessary information about this matter.  Those individuals who believe they could have been affected by the incident and would like to obtain more information can do so by calling customer care.”

As per the OCR lists , total 10,700 individuals potentially got affected by this incident.

Below are the simple mistakes which can cause data breach:

Human Error: It is one of the main concern IT department faces. Many companies have to cope with such mistakes when unauthorised people opens the official emails.

Software Error: Sometimes software can have bugs which forces legitimate emails to be sent in unauthorised inbox. People viewing the same can misuse it.

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information.Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Unauthorized access and data breach

May 31st, 2016

The Southeast Eye Institute, PA, or Eye Associates of Pinellas recently suffered a possible healthcare data breach. The incident occurred due to hacking incident.  An unauthorized party accessed patient files which was managed by a third-party vendor.The number of affected patients stands at 87,314 individuals as per Office of Civil Rights (OCR) data breach portal.

“We have learned that Bizmatics became aware of the incident in late 2015, but neither Bizmatics, law enforcement, nor the cyber forensics firm is able to pinpoint the precise date on which the attack began. Bizmatics has communicated to us that it believes the incident began in early 2015.”

Bizmatics Inc, an off-site vendor for Southeast Eye Institute was attacked by hackers. Affected information included names, addresses, telephone numbers, Social Security numbers, dates of birth, and insurance information. The practice reported that medical and financial information was not involved in the event.

Bizmatics Inc mentioned that patient information was segregated into several different files. The purpose was to increase healthcare data security measures. It didn’t mention whether hackers were able to combine all the data. It didn’t confirm the type of patients file which were affected.

Southeast East Institute mentioned that affected patients included who visited the facility an on or before November 16, 2015.

“We have no reason to believe that our patient files were the target of the hackers’ attack on Bizmatics. Due to the nature of the attack, Bizmatics cannot say for certain that PTCOA’s patient files were among the data that was accessed or acquired by the hacker.”

Southeast Eye Institute no longer works with Bizmatics Inc. However, the Bizmatics Inc. contacted the FBI. It also hired a cybersecurity firm to improve its data security measures which includes strengthening firewalls and network configurations.

————————————————————————————————————————————————————-

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Malicious email and data breach

May 11th, 2016

Mayfield Brain and Spine may have suffered data breach due to malicious emails. It has notified some patients about the healthcare ransomware incident. According to OCR reporting tool, the breach has affected 23,341 individuals.

According to the statement, Mayfield Brain and Spine medical center mentioned that an unauthorized entity accessed its account related to outside vendor. After accessing the database it has sent a fraudulent email. The modus operand was simple. When email recipients opened the attachment, malware gets downloaded.

“The vendor receives only email addresses from Mayfield,” said Mayfield Clinic Inc.’s Vice President of Communications Thomas Rosenberger. “No other health or financial information is shared. In this incident, no Mayfield systems were involved, and no patient health or financial information was compromised.

Facility works with vendor to email Mayfield information, such as newsletters, educational information, invitations, and announcements. The vendors also send the emails to patients, business associates, event attendees, website contacts, and other people associated with Mayfield Clinic Inc.

“Mayfield’s first priority is always the well-being of our patients. Once we learned of the incident, we immediately communicated with recipients by email, by social media, and on our website, including both notification and instructions on how to remove the virus.”

Mayfield Brain and Spine guided recipients to resolve the issue by downloading free software to eliminate the malware.  Also, it has collaborated with the vendor’s compliance office to analyze the situation. The facility is also working with computer virus protection service to nullify the virus.

“We are continuously monitoring the situation,” continued Rosenberger. “With all of the action taken to date, we do not believe that recipients of the fraudulent email need to take any additional steps at this time.”

According to the statement:

Mayfield Brain & Spine is the full-service patient care provider of the Mayfield Clinic, one of the nation’s leading physician organizations for neurosurgical treatment, education, and research. With more than 20 specialists in neurosurgery, interventional neuroradiology, physical medicine and rehabilitation, and pain management, Mayfield Brain & Spine treats 20,000 patients from 35 states and 13 countries in a typical year. Mayfield physicians specialize in the treatment of back and neck pain, sciatica, Parkinson’s disease, essential tremor, NPH, epilepsy, brain and spinal tumors, stroke, moyamoya, brain aneurysms, Chiari malformation, scoliosis, kyphosis, facial pain, facial twitch, trauma, concussion, spinal cord injury, and carpal tunnel. As leading innovators in their field, Mayfield physicians have pioneered surgical procedures and instrumentation that have revolutionized the medical art of neurosurgery for spinal diseases and disorders, brain tumors, and neurovascular diseases and disorders.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data Breach Due to Email Misconduct

April 11th, 2016

Val Verde Regional Medical Center recently announced data breach when unsecured PHI in an email was discovered.

“On or about August 9, 2015, an independent healthcare provider downloaded unsecured protected health information and emailed it to a personal account without encryption protection,” explained the press release. “In addition, the independent contractor was not authorized to access some of the protect[ed] health information.”

Val Verde Regional Medical Center came to know about health data breach on December 8, 2015. Affected patient information in the email included names, addresses, phone numbers, medical record numbers, and visit numbers.

According to the OCR data breach portal, two thousand individuals were affected by the incident. Val Verde Regional Medical Center launched an investigation. It also notified patients who were possibly affected by the event.

Internal audit and improved security measures to the hospital’s HIPAA security program is being undertaken by the hospital.

Val Verde Medical Center  believes that there have been no reports of improper use of PHI, patient medical histories, or Social Security numbers by unauthorized individuals. It has encouraged all potentially affected patients to monitor credit reports for suspicious activity.

Users are advised to take necessary steps.They are advised to obtain credit reports from one or more of the major credit reporting agencies to monitor financial accounts for unauthorized activity. Consumers are entitled to  get a free copy of their credit report from each of the major nationwide credit reporting companies once every 12 months. They need to request the same as per the federal law.

Del Rio and surrounding communities received services from Val Verde Regional Medical Center since 1959. Val Verde Regional Medical Center considers the privacy of patients as a high priority task. It is guided by the mission to improve the health of the people in the communities served.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.