Archive for the ‘Healthcare’ category

Data breaches due to unauthorized access

March 23rd, 2017

Virginia Commonwealth University (VCU) Health System recently announced data breach which affected over 2,700 patients. The incident occurred due to unauthorized access over a three-year period between January 3, 2014 and January 10, 2017.

Facility conducted investigation which found out that employees of community physician groups, and an employee of a contracted vendor had access to patient records without proper explanation. Concerned employees are terminated.

“As part of the health system’s partnership with community physicians, access is provided to their practices so they can view the medical records of their patients who are referred to the VCU Health System for care and treatment. Access also is provided to certain contracted vendors who provide medical equipment to patients for continuity of care at discharge from the hospital.”

Affected information included patient names, addresses, dates of birth, medical record numbers, health care providers, visit dates and Social Security numbers.

Facility is providing one year of free credit monitoring.

Second incident involves Tarleton Medical who announced data breach recently. Incident involves unauthorized access of a data server containing PHI from patient medical records.

Affected information included patient names, addresses, dates of birth, Social Security numbers, and healthcare claims information.

Facility did not mention number of individuals affected. As per the OCR reporting tool, incident affected 3,929 individuals.

“We have taken steps to enhance the security of TM patient information to prevent similar incidents from occurring in the future,” the healthcare organization explained in its notification letter.

Tarleton Medical contacted FBI. It is also offering patients free access to a credit monitoring service for one year.

As per the statement, it advised patients to follow below guidelines:

You can follow the recommendations on the following page to protect your personal information. You can also contact ID Experts with any questions Please note that the deadline to enroll is three months following the date of this letter. To receive the aforementioned services, you must be over the age of 18, have established credit in the U.S., have a Social Security number in your name, and have a U.S. residential address associated with your credit file. Your services start on the date that you enroll in the services and can be used at any time thereafter for 12 months following  enrollment.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Emails sent to unintended recipient

March 13th, 2017

Orange County Global Medical Center recently suffered data breach which involved some of its patients. As per the reports, an employee emailed an Orange County Global statistical report to an wrong recipient.

“We take this matter, and the security and privacy of your information, very seriously,” explained the letter, a copy of which was posted on the California Office of Attorney General. “Since the incident occurred, and in addition to instructing the inadvertent recipient to delete the information, we have implemented additional protocols for sending information, reviewed our policies and procedures, and provided additional training to staff.”

Facility came to know about the incident the same day. It reached out to the recipient asking him to immediately and permanently delete the email and related information from his email account.

Affected information included patient treatment and diagnoses information, medical record numbers, dates of birth, treatment dates, and names.

Orange County Global Medical Center mentioned that patient Social Security numbers, driver’s license numbers, health insurance information, or financial account information were not affected in the incident. It didn’t mentioned the number of patients affected by the incident. It is providing free access to identity monitoring and restoration services for one year to affected patients.

As per the statement:

“If you believe there was fraudulent use of your information as a result of this incident and would like to discuss how you may be able to resolve those issues, please reach out to an Experian agent. If, after discussing your situation with an agent, it is determined that identity restoration support is needed then an Experian Identity Restoration agent is available to work with you to investigate and resolve each incident of fraud that occurred from the date of the incident.”

Facility has asked affected patients to contact Experian Identity Works for any fraud issues. One can also enroll for –

  • Internet Surveillance
  • Identity Restoration
  • Experian IdentityWorks ExtendCARET
  • $1 Million Identity Theft Insurance

___________________________________________________________________________________

Alertsecs cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and co

Health Facility suffers data breach due to improper shredding of paper documents

March 9th, 2017

Minnesota-based Allina Health recently suffered data breach due to paper documents, which were emptied into the trash insecurely. As per the reports, proper shredding of the documents was not done.

Documents belong to physician’s private office and was supposed to be shredded at the Minneapolis Heart Institute at Abbott Northwestern Hospital. After the incident, facility launched an investigation. Affected information included patient information including names, medical record numbers, addresses, and insurance information.

As per the OCR data breach reporting tool, incident affected 776 patients.  Facility mentioned that some patients use their Social Security numbers as identification numbers on insurance documents.  Hence there is possibility of Social Security numbers being exposed.

“Allina Health has undertaken a system wide awareness campaign to inform the workforce of the simplified “shred all paper” disposal process and reinforced its safeguards policy to re-emphasize the importance of proper disposal.”

Allina Health also added that there is no information or evidence of any misuse of the data. It is notifying affected patients. Also, one year of free credit monitoring and identity protection services are provided.

“Allina Health has simplified its systemwide process to require all paper and documents be placed into secured or locked shredding bins, whether or not the paper contains patient information,” the statement explained. “All paper is shredded and then recycled. The enhanced process also removes all desk-side recycling bins to prevent paper from being placed into recycling without being shredded first.”

Allina Health mentioned that it takes the confidentiality of patients’ information very seriously. Also, it will take steps to ensure that a similar incident does not occur in the future. Patients who believe they may have been impacted or patients who have other questions should call toll-free number.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Unauthorized employee access at Vanderbilt University

March 6th, 2017

Vanderbilt University Medical Center (VUMC) recently suffered data breach when it came to know about the unauthorized employee access to patient medical records. As per the reports, concerned employee were working as patient transporters. Patients’ electronic medical records was accessed without necessary permissions.

As per the statement, “The breach prompted the medical center to change the way the patient transport staff gets information so that it no longer gives them access to electronic medical records. Staff in that department were also retrained about appropriate access to information. VUMC is in the process of migrating from its current electronic health record system to a new software system designed by Epic Systems.”

Facilty conducted an audit of electronic medical records (EHR) which was accessed by the employee.  As per the reports, two employees were involved in the breach who viewed adult and pediatric patient information, including patients’ names, dates of birth, and medical record numbers for internal use. One of them got access to patient Social Security numbers in a few instances.

VUMC mentioned that there is no information whether data was downloaded, transferred, or misused in any way. Affected patients received notification letter Facility has offered fraud or identity theft services. As per the report from The Tennessean, incident affected 3,247 medical records.

“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded.  So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” said VUMC Chief Communications Officer John Howser. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

_____________________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Unauthorized EHR access at medical centre

February 22nd, 2017

Dignity Health St. Joseph’s Hospital and Medical Center recently announced data breach, which has potentially affected 600 patient medical record. During routine review of employee access to the hospital’s electronic health records, St. Joseph’s came to know about the incident.

“Dignity Health and St. Joseph’s Hospital and Medical Center are committed to furthering the healing ministry of Jesus, and to providing high-quality, affordable healthcare to the communities we serve.”

As per the reports, sections of patient medical records were viewed without authorization by a part time hospital employee. Facility has sent advisory letters to impacted patients.

St. Joseph’s mentioned that the records did not contain Social Security numbers, billing, and credit card information. It also added that there is “no reason to believe these patients need to take any action to protect themselves against identity theft.”

“Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.”

The individuals who were patients at St. Joseph’s between Oct. 1, and Nov. 22, 2016 are notified. Potentially affected information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information.

“St. Joseph’s regrets any inconvenience caused by this incident. Letters have been mailed to patients whose medical records may have been viewed and the hospital has established a call center to answer any questions they may have. “

An electronic health record (EHR) is a digital patient’s record. EHRs are advantageous as they are  are real-time as well as patient-centric. It also contains broader view of patient’s record and care.

___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Unauthorized access and data breach

February 17th, 2017

Verity Health System based in California recently announced that an unauthorized access may have caused data breach. The incident affected personal information of more than 9,000 individuals.

Verity Health operates six hospitals which includes Seton in Daly City, Seton Coastside in Moss Beach, O’Connor in San Jose, St. Louise in Gilroy and two in Southern California. It also runs Verity Medical Foundation and Verity Physician Network. Verify Health was known as Daughters of Charity. It was renamed after taken over by investment firm BlueMountain Capital Management.

Verity Health mentioned that the access occurred on the Verity Medical Foundation-San Jose Medical Group website.  It mentioned that the website is no longer in use. Also, immediate steps were taken to secure it and protect it from further damage.

Affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. Full credit card numbers and Social Security numbers were not included in the breach.

Verity mentioned that 9,000 got affected individuals in its statement. As per the OCR data breach reporting tool, incident impacted 10,164 individuals.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Facility believes that there are no reports of misuse of information. It has also established a call center to answer queries. It is also offering one free year of credit monitoring services for potentially affected patients.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Health Facility suffers email hack

February 7th, 2017

Multicare Health System recently announced data breach due to an email hack. The incident potentially affected 1,200 patients. The Washington health system mentioned that it has no information at this time to believe that any patient personal health information was accessed or misused in any way.

Facility will send the notification to affected patients. Also, patients have been advised to review their Explanation of Benefits statements and to remain vigilant to signs of irregularities related to their health insurance.

MultiCare stated that an unauthorized individual gained access to an employee email account. The information in the emails likely contained personal patient information ranging from addresses to account balances. Facility added that financial information and Social Security numbers were not present on the affected email account.

After the incident the affected email account has been secured. Password has been changed. Facility initiated an investigation into the incident and has provided contact information for patients concerned about the status of their information.

About Multicare:

“MultiCare is a not-for-profit health care organization with more than 10,000 employees and a comprehensive network of services throughout Pierce, South King, Thurston and Kitsap counties.

Facilities heritage dates back to the founding of Tacoma’s first hospital in 1882. Since then, it has grown to meet the ever-changing needs of our region-always focusing on excellence, innovation and patient care.”

When  email account gets hacked one should follow below steps to minimize the damage:

Initial step is to assess the damage done by hackers.

Visit the website of your email provider and try to regain the access.

Change the password by authorised method. Check inbox and trash for any password reset emails, which were not initiated by you.

Scan your computer with anti virus software. Many emails are hacked today to install virus on your computer.

Review your personal settings.

Validate the source  of any program, game and app before downloading it.

_____________________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach due to stolen flash drive

December 10th, 2016

OptumHealth based in New Mexico recently announced data breach. The incident was outcome of missing unencrypted flash drive. Approximately 2,000 individuals were affected.

The device contained information for some individuals who were enrolled in an OptumHealth plan. Affected information includes individuals’ name and a full or partial date of birth, telephone number, health identification number, address, provider name, diagnosis, or other health information. Financial information was not affected. Some individuals’ full or partial Social Security numbers were present on the flash drive.

“Upon discovery, we took prompt action to investigate the matter,” OptumHealth said in its statement. “The U.S. Postal Service was immediately notified to assist in locating the flash drive, and we are working closely with them as they further investigate the matter. We have implemented new measures to help prevent this from occurring in the future, including updating our processes related to vendors in efforts to prevent the occurrence of similar incidents.”

OptumHealth sent the notification letter to potentially affected individuals. Facility mentioned that there are few individuals who cannot be notified via mail.

While OptumHealth mentioned that “the information potentially accessed was limited,” it still encouraged individuals to enroll in the free services. As per the OCR data breach reporting tool, incident affected 2,006 individuals. It has also offered one year of complimentary identity theft protection services.

As per the statement,

We also encourage individuals to be vigilant against incidents of identity theft. As a precaution to protect against misuse of your information, we recommend that individuals regularly monitor documentation concerning health care, bank and credit card statements, and tax returns to check for any unfamiliar activity. If you notice any suspicious activity on health statements, bank or credit card statement, or tax returns, please immediately contact the financial institution, credit card company, health plan, or other relevant institution.

 ___________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.