AlertSec Xpress

Texas medical group data breach

July 28th, 2016

Texas medical group notified  1,326 patients of possible PHI breach  when former employee may have inadvertently exposed PHI after leaving patient records at his previous home. Texas medical group mentioned that there has been no evidence that patient information was misused or accessed by unauthorized persons. medical-563427_960_720

According to the statement,  Mario Gross, MD, had left patient records at his former residence after he moved away from the area. Local bank took possession of the house. PHI information was left unsupervised at the residence. Premier Physicians Group removed and secured the patient files after the incident. Affected PHI included names, dates of birth, medical record numbers, Social Security numbers, clinical data, and medical insurance information.

Premier Physicians Group has notified all  the affected patients. It has also taken steps to increase healthcare data security.

“This includes reviewing and modifying our policies and procedures, educating our medical staff about the incident and tasking them with reviewing and updating their own controls over patient records, and reminding our workforce about the rules and procedures for protecting patient records,” the statement explained.

“The privacy and protection of patients’ personal information will continue to be a top priority for us.”

What steps can I take to protect my personal information?

If you detect any suspicious activity on any of your accounts, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities.

Obtain a copy of your credit report, free of charge, directly from each of the three nationwide credit reporting agencies. To order your credit report, free of charge once every 12 months, please visit www.annualcreditreport.com or call toll free.Contact information for the three nationwide credit reporting agencies is included in the e-mail and letter, and is also listed at the bottom of this page.

Please notify your financial institution immediately of any unauthorized transactions made or new accounts opened in your name.

You can take steps recommended by the Federal Trade Commission to protect yourself from identify theft.

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Kaiser Permanente data breach

July 27th, 2016

Kaiser Permanente may have suffered possible data breach due to theft of its ultrasound units. This incident has affected 1,100 members of the facility. Undisclosed number of ultrasound units were stolen by the two former employees. Facility recovered a “significant portion” of the stolen machines which contained ePHI, such as names, medical record numbers, and medical images.

Kaiser Permanente is an integrated managed care system which maintains healthcare coverage for 9 million individuals. According to the reports, the stolen machines were found in a locked storage unit. Some units are yet to be located. It mentioned that that the only reason for the theft was to sell the units for profit. It has nothing to do with disclosing or misusing PHI. Also, there is no evidence that ePHI was accessed by an unauthorized entity.  28

Facility launched an investigation to identify which members may have had their information exposed by the incident. It has also contacted local law enforcement officials. Notifications letters specifically addressing the ePHI data elements found for each affected individual are sent.

“Kaiser Permanente is committed to protecting the confidentiality of our members’ personal information,” explained the statement. “We are continuing our investigation of this incident and are taking appropriate actions to prevent similar errors in the future. We are cooperating fully with law enforcement in this matter.”

“We sincerely apologize for any inconvenience or concern this incident may cause. Because Social Security numbers were not accessed, the risk for any fraud is quite low. Additionally, we believe that this equipment was only stolen to sell for profit, and not to reveal or misuse member information. There is no sign that health information has been used for fraud or other criminal activity,” said Angela Anderson, Regional Privacy & Security Officer, Kaiser Permanente Northern California.

___________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

CO healthcare data breach

July 26th, 2016

A Colorado-based healthcare office has reported a possible PHI breach and notified 1,835 patients about the incident. Former employee emailed patient information to her personal email which has resulted into the data breach. According to the Office of Civil Rights data breach tool, total 1,835 individuals were affected by the unauthorized disclosure incident. data breach

Lasair Aesthetic Health mentioned that a former manager after resignation sent email from her phone to forward documents containing patient lists and data to her personal email account. Affected information included names, amount patients spent, credits with Lasair during 2015, and, in some cases, treatment results and photographic images without faces showing.

Facility has ordered the former employee to destroy the documents. Also, prohibited him to use the patient information. She has confirmed that the documents have been deleted. Facility is still looking for an injunction to ensure that the information cannot be used or disclosed. Police were also notified about the incident.

Lasair has researched methods for upgrading its information technology system to further restrict the abilities to access, copy, and move files from the office’s network to avoid such incidents.

“We are conducting further analysis of our privacy and security safeguards to identify any additional ways we may strengthen the protection of our patients’ information.”

Now it will require all staff to understand the new procedures. Also,data breach services company is hired and e mailing notification letters to all individuals are sent.

“As a general precaution, we recommend that patients regularly review and closely monitor their financial account statements. Although Lasair does not keep credit card numbers on record, we recommend that our patients review their credit card charges routinely. If patients identify any charges on their credit or debit cards, or withdrawals from their bank accounts that they did not authorize, they should contact their bank or credit card company immediately and follow their procedures to freeze transactions or accounts, obtain new cards, and/or to challenge any unauthorized purchases.”

___________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Data breach at North Ottowa Medical Group

July 24th, 2016

North Ottowa Medical Group suffered data breach along with many other healthcare facilities due to hacking incident at Bizmatics, an EHR vendor. Bizmatics notified Michigan-based medical group  about the data breach. It mentioned unauthorised user access of its server, but didn’t confirm whether North Ottawa Medical Group data was accessed or not. hacking

According to the reports, about 22,000 individuals were affected by the healthcare data security event. Possible affected data relates to patients at the medical group’s employed physician practices, including the internal medicine, family practice, and women’s health offices.Disclosed information included names, addresses, health visit information, treatments, health insurance information, and Social Security numbers. The incident may have also exposed the last four digits of a credit card number for some patients.

The medical center mentioned that an independent cyber forensics firm, hired by Bizmatics, is working with the vendor. Also, law enforcement officials conducted a criminal investigation.

“These investigations found that there was no reason to believe patient files were the target of the attack,” the press release stated. “Further, investigators could not conclusively determine if there was, in fact, a PHI breach at all.”

North Ottowa Medical Center has notified affected individuals and the Department of Health and Human Services of the incident. Complimentary identity recovery assistance services for a year is also setup.

According to the website:

Nonetheless, out of an abundance of caution, NOCHS has reported this incident to the Department of Health and Human Services (DHHS), and is treating the situation as though an actual breach occurred. Therefore, in accordance with HIPAA law NOCHS has notified DHHS, NOMG patients, and by way of this news release, the community. NOMG patients will also receive identity recovery assistance services for a year, at no cost.

The North Ottawa Medical Group doctors, physician assistants and nurse practitioners work directly for and within the North Ottawa Community Health System and your community hospital. Our mission is to develop a personal, long-term relationship with you, as well as be our community’s most trusted, local partner in creating a healthier future for all.

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

AK healthcare data breach

July 22nd, 2016

Hacking incident at Bizmatics has led to many healthcare data breaches. AK healthcare organization has  reported another data breach due to Bizmatics EHR breach. Medical record information exposed included names, addresses, dates of birth, insurance information, Social Security numbers, and clinical documentation.hacking

Bizmatics has alerted the healthcare organization about the hacking incident and possible data breach. Arkansas Spine and Pain mentioned that some of its patient files were viewed unauthorizedly.

Pain mentioned that the intruders accessed vendor’s system by installing malware. Bizmatics could not confirm if any of the healthcare organization’s EHR files were accessed by the hackers. Facility has notified all potentially affected individuals.

AK healthcare added that Bizmatics was “taking steps to further strengthen its defenses against cyberattacks, including hardening its firewall and network configurations.”

“We have also been assured by Bizmatics that they are committed to ensuring its systems are as secure as they can be in our current environment,” the statement explained.

Earlier Bizmatics has notified many other healthcare providers of potential EHR breaches after hackers accessed its servers containing medical records. One such example include Florida-based Southeast Eye Institute, PA. It has contacted over 87,000 patients of a possible healthcare data breach. Integrated Health Solutions in Pennsylvania also suffered data breach.

According to the website:

Arkansas Spine and Pain (ASAP) is Central Arkansas’ leading program for the management, treatment and rehabilitation for spine and pain relief and sports-related injuries.At Arkansas Spine and Pain we consider the whole person and their family when treating the pain. Pain Clinic staff work with other health care professionals, physical therapists, family physicians and services that might be needed such as social workers, hospice, home care agencies, behavioral health specialists to assist with modification of life styles and to encourage retaining and regaining maximum quality of life.

___________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

TX clinic data breach

July 20th, 2016

The Midland Women’s Clinic in Texas have suffered a PHI breach after a former physician left patient information at his private residence. According to the reports, Mario M. Gross, MD may have made some patient information accessible to unauthorized parties.

Affected information included names and addresses as well as some healthcare data, such as dates of birth, account numbers, diagnoses, medications, procedures, and physician notes. In some cases, patients may have also had their Social Security and Medicare and/or Medicaid numbers disclosed by the incident, reported Midland Women’s Clinic. data theft

As per The Office of Civil Rights(OCR),  717 patients were affected by the incident.

The patient records were secured after facility knew about the incident. It has also launched an internal investigation to identify affected individuals.It has also implemented additional data security measures to stop future incidents.

“The Clinic has reviewed and modified its policies and procedures to prevent future incidents, educated its medical staff about the incident and tasked them with reviewing and updating their own controls over patient records, and reminded its workforce about the rules and procedures for protecting patient records,” stated the press release.

According to the statement:

Midland Women’s Clinic is proactively reaching out to impacted patients to provide guidance on how they can protect themselves.   Impacted patients will be notified shortly by mail.  Impacted patients can also call.

Midland Women’s Clinic announced that it is currently investigating a security incident involving certain patients’ personal information. The Clinic is providing notice to individuals who may have been affected by the incident.  The Clinic regrets any inconvenience or concern this incident may cause.

About Midland Women’s Clinic

Established in 1951, Midland Women’s Clinic is dedicated to providing the highest quality of women’s health services and comprehensive gynecology and obstetric care for every stage of life.  Midland Women’s Clinic has been and continues to be a model for collaborative medical excellence for OB‐GYN care in Midland.

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Planned Parenthood data breach

July 18th, 2016

Around 2,506 patients were affected after paper records were exposed during the closure of a healthcare center in Iowa. The incident at Planned Parenthood of the Heartland has resulted into possible healthcare data breach. NetworkOperations

According to the reports, patients at the Dubuque location who were treated between August 2008 and April 2014 had their PHI accessed by an unauthorized entity following the closure and sale of the healthcare center. Affected information included names, dates of birth, mailing addresses, insurance information, Social Security numbers, medical record numbers, diagnoses, treatments, and lab results.

The healthcare system has mentioned that it had secured the records. Also, measures are implemented to ensure that patient privacy and confidentiality is being protected.

“PPHeartland’s [Planned Parenthood of the Heartland] standard policy is to conduct ongoing security audits—which already far surpass state and federal regulatory standards—to ensure we remain true to our commitment to patient privacy,” Chief Clinical Officer Penny Dickey said in a statement.

“We have conducted a rigorous review of our processes and revised our facilities relocation protocols. All staff responsible for facility relocation have been apprised of these modifications.”

All affected individuals were notified about the incident.

“PPHeartland is dedicated to securing and maintaining our patients’ trust; this incident is in no way representative of PPHeartland’s stringent privacy standards,” added Dickey. “We will continue to strive toward the highest quality patient care, including stringent confidentiality standards, at all of our health centers.”

According to the statement:

Planned Parenthood of the Heartland (PPHeartland) has served women and men of all ages since the 1930s. Today the organization offers a full range of quality reproductive health care services to residents in Arkansas, Iowa, Nebraska and eastern Oklahoma through 17 health centers and Education Resource Centers in Des Moines, Lincoln and Omaha.

Planned Parenthood is the nation’s leading provider and advocate of high-quality, affordable health care for women, men, and young people, as well as the nation’s largest provider of sex education. With approximately 700 health centers across the country, Planned Parenthood organizations serve all patients with care and compassion, with respect and without judgment. Through health centers, programs in schools and communities, and online resources, Planned Parenthood is a trusted source of reliable health information that allows people to make informed health decisions. We do all this because we care passionately about helping people lead healthier lives.

 ____________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Application Security Improvement

July 15th, 2016

The average organization uses and implements around 229,000 open source components for developing software. The research was conducted by Sonatype, a provider of software development lifecycle solutions. It manages a central repository of these components for the Java development community. According to the survey, Thirty one billion requests for downloads from the repository in 2015 was made as compared to 17 billion in 2014. 19

The number “blows people’s minds,” said Derek Weeks, a VP and DevOps advocate at Sonatype. “The perspective of the application security professional or DevOps security professional or open source governance professional is, ‘This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.”

Firm also found certain application security issues related to the use of open source components.

“The application security professional’s usual response to that is ‘that doesn’t mean those vulnerabilities ended up in our applications.’ But when we looked across 25,000 applications we saw an average of 6.8 percent of components across those apps had at least one known vulnerability,” Weeks said. “That tells me that from the beginning of the software supply chain to the end products developed through these supply chains, there isn’t enough control.”

Weeks said that the study was conducted to educate and increase awareness around the massive consumption of open source components.

“By revealing this information, we think we can help change people’s behavior around how they think about and use open source components in wiser, more efficient and safer ways,” he said.

One can also use supply chain best practices to improve application security. Example includes building in quality as early as possible by sourcing fewer and better components.

“From an application security perspective if you are a CISO that has 2,000 developers individually sourcing components, it is very difficult to audit, protect and maintain your organization. If you limit the number of places where components can come in, you can ensure you know what is coming in and can use the opportunity to vet it,” he said. “This is a fundamental supply chain best practice. Toyota has hundreds of thousands of employees but not hundreds of thousands of employees in procurement; the number of employees that is vetting the components in their products is fairly small.”

Weeks also mentioned that managing and vetting open source components is further complicated by the fact there are repositories for different development languages, including PHP, Python and Ruby.

Weeks explained. “You might say, ‘You can’t use any component with a CVSS Level 10 vulnerability anywhere in our organization.’ Your solution can automatically check for that and notify the developer. It’s like a food label on a product on the grocery shelf; it can help make a decision as to whether a component complies with the organization’s standards.”

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Securing data from departing employees

July 14th, 2016

Employees after leaving a company can take sensitive data with them intentionally or unintentionally. The harm caused by such incidents are huge. Consider example of an employee of the FDIC who exposed 44,000 FDIC customers’ personal information. She had downloaded the data to her personal storage device. More such data breaches can be found across the industry. data data

According to the survey by Veriato, a provider of employee monitoring software, third of participants believe they own or share ownership of the corporate data they work on and more than half feel it’s fine to take corporate data with them when they leave a job.

“The potential damage from even one employee taking confidential and proprietary customer data, software code or login credentials with them to a new job, especially with a competitor, is astronomical,” Veriato COO Mike Tierney said at the time.

Companies can potentially defuse such data threats.

It’s crucial to focus on what really matters in protecting sensitive data, said AvePoint product analyst Ben Oster. “You can have all these policies in place, but if HR lets somebody walk over and plug in a USB drive after they’ve been let go, it doesn’t matter,” he said.

Oster provided the example. “She plugged her drive in and just copied a folder that she thought was her information, and it turns out it wasn’t. The issue is not that she was able to copy that data; the issue is that that data existed outside of anyone’s knowledge of where it was.”

“If we can’t actually break down how to discover it or classify it, we can’t start to put things in place that say, ‘You can’t take this document,’ because we don’t know what’s in it.”

“You really need to get in there and figure out what that is, because if you don’t, you’re going to see things get even fuzzier,” he said.

Companies can take holistic approach to data loss prevention. Michela Menting, research director at ABI Research mentioned that the good data loss prevention (DLP) solution can be key to protecting your data.

“DLP systems act as enforcers of data security policies by performing deep content inspection and a contextual security analysis of transactions,” Menting said. “They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of confidential information.”

AvePoint’s Oster mentioned that the strong security awareness training program can help to great extent.

“As consumers and employees, we need to be more aware of what we’re doing with data, what that content actually means, and what the privacy and compliance implications are of everything we touch on a daily basis,” he said.

Encryption is the key to the problem. One can start encrypting the content with relevant softwares.

“If you’re encrypting every single piece of information everywhere, the workload becomes larger, it becomes harder for your end users to use that data, and you’re actually more likely to drive them onto a system that’s not under your control,” Oster said.

And once employees start saving corporate data to their own Dropbox or OneDrive, you’ve lost track of it. “So while encryption can protect the data when it’s in motion or at rest, anything that makes it harder for your end users to get their jobs done likely pushes them toward a solution that you don’t want,” Oster said.

“We saw a case once where a company terminated an employee, and then HR walked them back and let them plug in a USB drive — and they promptly took 20 GB worth of information,” Oster said. “It doesn’t matter how good your information security is if HR is letting them do that.”

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach at Veterans Affairs Medical Center

July 8th, 2016

The Veterans Affairs Medical Center in Washington DC recently suffered possible data breach after an alleged theft incident. Facility has notified 1,062 individuals according to the OCR’s website. Affected information included personal information on veterans, first and last names as well as full and partial Social Security numbers.data protection

“The Washington DC Veterans Affairs Medical Center realizes the importance of safeguarding Veterans privacy and personal information. Accordingly, the medical center is taking concerted steps to inform affected Veterans of a recent potential breach of privacy information.”

The Department of Veterans Affairs mentioned that it got information of missing controlled substance monthly report on March 31. All affected individuals are notified through mailed correspondence. It also included instructions on credit monitoring and methods for protecting privacy. It also stated that “appropriate actions are being taken to protect their [affected veterans] identities.”

“The Washington DC Veterans Affairs Medical Center takes matters such as this very seriously and has implemented new procedures to reduce the possibility of this type of incident in the future,” explained the statement.

 

According to the website:

We provide specialized services and care for Veterans such as: invasive and noninvasive cardiology, home based primary care, women’s health, MRI, PET/CT center, interventional radiology, renal care, trauma services, nutritional services, homeless outreach, compensated work therapy, substance abuse treatment, recreation therapy, and alternative therapies as well as a wide variety of Telehealth services. The DC VA Medical Center is also home to the Integrative Health and Wellness (IHW) Program, a patient-centered program that offers services such as acupuncture, yoga, meditation, nutrition and health education, massage, qigong, and t’ai chi.

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.