Archive for the ‘identity theft’ category

Data breach at Vascular Surgical

December 7th, 2016

Vascular Surgical Associates, based in Georgia, recently suffered a data breach after one of its computer servers was hacked. According to the statement, the attack occurred during a software update. An initial investigation by the facility found that a compromised vendor password was used in the incident.

According to Vascular Surgical’s FAQ section, it had “hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records.” Furthermore, the software was certified by the ONC.

“A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately,” the FAQ read. “The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.”

According to the OCR data breach reporting tool, the incident affected 36,496 individuals. Preliminary reports suggest that the hackers likely reside in other countries. Affected information included medical records and demographic information such as dates of birth and addresses. Social Security numbers and financial data were not present on the compromised server. The facility also mentioned that the portal was not involved or affected. Patient care continues as usual.

“Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again,” the statement explained. “We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to missing laptop

December 3rd, 2016

Briar Hill Management, which is based in Mississippi, recently suffered a data breach and has started notifying affected individuals. It mentioned that some personal information, including health data, was breached. The incident was the result of a missing company laptop.

According to the OCR data breach reporting tool, the incident affected 2,000 individuals. Briar Hill Management of Ridgeland, Mississippi provides management services for skilled nursing facilities in the state.

An employee was unable to locate the laptop, and it was found that the employee had violated company policy. The laptop contained resident health information on its hard drive and was not properly secured outside the office.

“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued residents and their families,” Briar Hill Management Compliance Officer Sandy Lindsey said in a statement. “We take resident privacy as seriously as we do their care. We want to assure our residents and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.”

Affected information included resident names, addresses, Social Security numbers, dates of birth, dates of service, prescription information, and medical records. Part of the information was affected. The facility has yet to find the laptop. It mentioned that there is no sign of data misuse.

“In response to this issue, Briar Hill Management has taken numerous remedial actions, including sanctioning the employee involved, seeking local law enforcement assistance, and implementing additional security measures for all mobile technology used by its personnel,” the statement read.

Hacking, phishing and ransomware are the hot topics, but many industry sectors face greater implications from lost or stolen mobile devices.

“This gets at what constitutes a breach – even if a device were lost due to an employee’s carelessness, the organization must still disclose that event because there is some chance that the data may fall into the wrong hands. Given the volume of sensitive data accessed by employees on a daily basis, it’s inevitable that some will find its way onto devices and that some devices will be lost or stolen,” said Salim Hafid, Bitglass product manager.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach due to stolen laptop

November 30th, 2016

Kineto Rehab Physical Therapy, PLLC, based in New York, recently suffered a data breach due to a stolen laptop. According to reports, a bag containing a work laptop was stolen by an individual. The facility obtained footage that identifies the thief. It later found the bag, without the laptop in it. Police are still working to track down the thief.

As per the statement, “We sincerely apologize for this incident and we regret any inconvenience it may cause you. Should you have questions or concerns regarding this matter, please do not hesitate to contact us.”

Affected information includes patient names, dates of birth, addresses, Social Security numbers, insurance information and clinical/physical therapy notes.

“There is no indication that your information has been accessed or used by an unauthorized individual,” read the Kineto statement, which was signed by CEO Shirley Agapito, DPT. “Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.”

According to the OCR data breach reporting tool, the incident affected 665 individuals. The facility mentioned that affected individuals will be offered a complimentary one-year membership in identity protection services.

The website statement provides the following guidelines:

Fraud Alert

Place a fraud alert for when someone else tries to open a credit account in your name, get an add-on card or increase the credit limit.

Security Freeze

You can place a security freeze on your credit report, which stops lenders and others from accessing the report entirely.

Review Reports

Order your free annual credit report and look for any discrepancies and spending.

Credit providers and tools

Set up message/email alerts on credit cards and bank accounts to notify you of any transaction or activity. Report to the bank any activity you did not carry out.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Data breach due to billing service provider

November 24th, 2016

A physical therapy provider recently suffered a data breach involving personal information. The security incident may have affected 1,100 patients at Best Health Physical Therapy.

Best Health is owned by Travis Lombardi, PT, MSPT. It provides solutions and services to meet the rehabilitation goals of individuals, covering orthopedic and sports medicine, neurological, arthritis, fracture and other issues.

The facility learned that one of the computers at its billing services provider was inappropriately accessed. The person who gained access to the accounts writes blogs on internet security. The individual was reportedly looking for data vulnerabilities. He said that he has no intention of misusing any of the accessed information.

Potentially affected information includes names, addresses, dates of birth, insurance information, driver’s license information and health information. Best Health said that there is no evidence that the data was misused. It also highlighted the fact that the vulnerability was not on its computer system. The billing provider failed to secure its own system.

“Best Health took immediate steps to investigate and determine the source and extent of any access to our patients’ information,” Best Health said. “The vulnerability was identified and closed by the billing service provider immediately. Updated access controls are now in place to secure the account. Best Health has terminated its relationship with the billing service provider.”

Best Health did not mention the number of affected individuals, but according to the OCR data breach reporting tool, a total of 1,100 patients’ information was affected.

“Best Health takes the privacy and protection of its patients very seriously and we sincerely apologize for any concern that this may cause. If you are a patient of Best Health and have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to call.”

____________________________________________________________________________________________

Alertsec Endpoint Encrypt helps you protect your valuable data from falling into the wrong hands by encrypting it at the source.

Horizon Data Breach

November 18th, 2016

Horizon Blue Cross Blue Shield (Horizon), based in New Jersey, recently suffered a data breach when one of its vendors potentially exposed member information. The incident has resulted in 70,000 members being potentially affected.

Horizon Blue Cross Blue Shield of New Jersey has offered quality health insurance products since 1932. It offers services to New Jersey families and businesses. Its vision is to continue leading the transformation of health care in New Jersey. It collaborates closely with hospitals and physicians, improving quality and enhancing the patient experience. It also strives to lower the total cost of care.

Command Marketing Innovations (CMI) handles printing for Horizon BCBSNJ. CMI found a printing error that resulted in Explanation of Benefits (EOB) statements and Explanation of Payment (EOP) statements being sent with information intended for a different Horizon BCBSNJ member. The printing error affected only EOBs and EOPs.

According to Horizon spokesman Kevin McArdle, 170,000 envelopes were mailed in the last three days. He didn’t mention the number of envelopes containing the information of other members. McArdle added that he was not aware of any reports of suspicious activity due to this incident.

Affected information includes member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name. Social Security numbers, financial information, addresses, and dates of birth were not present in the envelopes.

“The print error was determined to be related to a change in the printing process made by CMI,” the statement explained. “CMI has implemented corrective actions to restore compliance with Horizon BCBSNJ’s strict quality control and privacy standards and assure accurate performance going forward.”

The facility mentioned that it will monitor impacted members’ accounts for any potential fraudulent submission of medical claims.

“Corrected EOBs and EOPs will be reissued within the next week and notifications of the error will be mailed to impacted Horizon BCBSNJ members,” the facility mentioned.

____________________________________________________________________________________________


GHS data breach

November 15th, 2016

South Carolina-based Greenville Health System (GHS) recently suffered a data breach when an employee of one of its vendors inappropriately downloaded patient data. The incident has potentially affected 2,500 patients.

GHS is associated with Ambucor Health Solutions, a remote-monitoring labor service for cardiac devices. According to reports, an Ambucor employee downloaded GHS information just before his employment at Ambucor ended.

In July, law enforcement handed over to Ambucor two flash drives, which had been turned in when the employee left. The facility has begun to notify patients about the incident.

Affected information may include the patient’s name, date of birth, home address, phone number, race, diagnosis, medications, testing data, patient identification number, medical device information (such as the manufacturer, identification number and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s) and the name and address of the practice where the patient was seen.

“GHS and Carolina Cardiology Consultants take patient privacy seriously and deeply regret any inconvenience or concern this incident may cause our patients,” Dr. Joseph Manfredi, ambulatory director of electrophysiology, told the news source.

Ambucor announced that it will offer affected patients one year of identity protection services and, if required, related recovery services and $1 million of identity theft insurance at no cost.

“Letters with instructions about activating the free identity protection services will be mailed to affected patients,” said Ambucor.

The facility mentioned that affected patients should consider activating the identity protection services. It also said that steps are being taken to prevent this type of incident from occurring again. It will thoroughly review and update its processes as per the HIPAA security standards.

Tips to prevent data theft

Employees must undergo training

Sensitive information must be secured through encryption

Access to the sensitive data should be controlled

Keep software and systems up to date

Verify security controls of third parties

Dispose of sensitive data

____________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach at Broward Health

November 12th, 2016

A data breach at Florida-based Broward Health affected 126 former patients. According to law enforcement authorities, certain patient information was found in an individual’s home during a routine investigation.

“Broward Health has been working with local and federal law enforcement since May 2016. Our investigation began as quickly as possible while maintaining all appropriate safeguards and precautions.”

Affected information included full names, dates of birth, addresses, phone numbers, Social Security numbers, primary insurance providers, insurance guarantors, reasons for visit, employers, emergency contact/next of kin, and their addresses and phone numbers. Test results and other medical information were not present on the Facesheets.

“We have notified 126 former patients or their listed next of kin of the privacy breach by mailing a letter to their last known address on September 23, 2016,” the facility mentioned.

According to reports, an individual obtained registration Facesheets from Broward Health Imperial Point without permission. Information present on the Facesheets was associated with patients who visited Broward Health Imperial Point between November 2011 and March 2012.

The facility mentioned that it is re-educating staff members and strengthening procedures for the protection of patients’ personal information.

Broward Health’s disclosure said, “We also offered affected patients an identity theft protection service at no cost.”

Broward Health Senior Vice President and CIO Doris Peek told the press about the series of data breach incidents in Florida. The hospitals hit by data theft include Fort Lauderdale’s Holy Cross, Hollywood’s Memorial Regional and the University of Florida’s Shands Hospital in Gainesville. According to Peek, an identity theft ring has paid hospital registrars to give it copies of Facesheets.

“This ring of thugs got busted,” said Peek. “They send in tax information to the IRS about persons to get their tax refund. They targeted the older and sick population.”

____________________________________________________________________________________________


California based healthcare facility recently suffered data breach

November 5th, 2016

A physical therapy organization recently suffered a data breach. The incident has potentially affected the information of approximately 8,000 individuals.

According to reports, the billing and software companies of Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, and Silver Creek Physical Therapy Los Gatos (Silver Creek) reported to Silver Creek a vulnerability in an Amazon “S3” storage account.

The vulnerability made the account accessible to individuals outside of the organization. The facilities mentioned that the account was vulnerable from May 2016 to September 11, 2016, and that some PHI was in the storage account.

Affected information includes patient names, Medicare numbers, prescriptions, dates of birth, treatment locations, treatment dates, Social Security numbers for a small subset of individuals, driver’s license numbers, and progress notes. According to the OCR data breach reporting tool, a total of 8,009 individuals were affected.

“We take any threat to the security of information entrusted to us very seriously,” Co-founder of Silver Creek Fitness & Physical Therapy Todd Jones said in a statement.  “Once the error was discovered, we worked with the billing and software companies to ensure that access to the storage account was restricted and that proper access credentials are in place. We apologize for any inconvenience or concern this incident may cause our patients.”

The facility mentioned that it is unaware of any misuse of client personal information. It is offering credit monitoring and identity restoration services.

Fraud prevention tips for the affected individuals include:

Reviewing account statements, medical bills, and health insurance statements

Monitoring credit reports

Placing a fraud alert on the credit file

Placing a security freeze on the credit file

It’s also important to educate yourself on identity theft, fraud alerts, and the steps to protect yourself by contacting the Federal Trade Commission or your state Attorney General.

____________________________________________________________________________________________


Anthem data breach

November 3rd, 2016

Anthem, Inc., based in Indiana, recently reported a data breach that affected 3,500 Medicare members. According to reports, certain personal information was exposed after company policies were violated by an employee. A Medicare sales department employee emailed company information to his personal email address.

“The individual is no longer employed with our company,” Anthem wrote. “When questioned, the individual advised that he was using the data to validate his commission payments. The information obtained by the individual is the property of the company, and he, like all employees, was prohibited from sending such information outside of the company.”

Affected information included names, dates of birth, addresses, health plan information and, in some cases, Medicare ID numbers. The facility believes that there is no indication of information misuse or identity theft.

The facility mentioned that affected individuals should routinely review account statements and get a credit report from one or more of the national credit reporting companies.

The facility stated, ‘We have worked diligently since the discovery of this matter to identify all individuals whose information may have been impacted by the actions of the former sales employee. We have identified Medicare-eligible individuals impacted and we are in the process of contacting these individuals for whom we have valid addresses by U.S. Postal Service addresses. For those whose Medicare ID numbers (which may include a Social Security number) may have been included, we will offer free identity theft protection and credit repair/monitoring services through AllClear Credit and Identity Theft Monitoring and AllClear Identity Repair.’

Anthem earlier suffered a data breach that was considered one of the largest healthcare data breaches. Hackers broke into one of its databases, potentially compromising 78.8 million individuals. That incident breached names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses of millions.

____________________________________________________________________________________________

The Alertsec service protects everything stored on the computer such as Word, PowerPoint, Excel, Outlook, Gmail, Photos, Credit Card data files etc. Perhaps, most importantly, your login credentials to cloud applications are protected.

Ransomware attack at NJSC

October 28th, 2016

New Jersey Spine Center announced a data breach after its server suffered a ransomware attack. The facility mentioned that all of the practice’s electronic medical record files were encrypted.

Affected information included clinical information such as procedures, office notes and reports, as well as demographic information, personal information, and some financial information. The facility notified the FBI and local authorities regarding the incident.

“The malware was blocked by our virus protection software but unfortunately not before the damage had already been completed to our records,” New Jersey Spine Center explained. “The virus likely gained access by utilizing a list of stolen passwords by running an automated program, and demanded a ransom payment to obtain an encryption key to unlock the files.”

The facility did not mention whether a ransom was paid, but it did say that the practice obtained the key. According to the OCR data breach reporting tool, a total of 28,000 individuals were affected by the incident.

The facility also mentioned that there is no information to suggest that any medical, personal or financial information was used or stolen by the individuals. Notifications are being sent to the individuals concerned.

New Jersey Spine Center is the leading choice for spine care in eastern Pennsylvania and southern New York. It brings cutting-edge and comprehensive spine care to the region. It also provides a comprehensive evaluation process, permitting a thorough and complete evaluation of a patient’s problem for appropriate decision making. A multi-disciplinary approach enables the facility to present the options available for care.

Two types of ransomware in circulation

The first type is called encrypting ransomware. It uses advanced encryption algorithms to block access to system files. Hackers demand payment to provide the victim with the key to unblock the content.

The second type is called locker ransomware. It locks the victim out of the operating system. Attackers ask for money to unlock the system.

____________________________________________________________________________________________

Alertsec was established on the premise that encryption should be simple, transparent and available for all.