AlertSec Xpress

Neurosurgical Center data breach

August 20th, 2016

The Center for Neurosurgical and Spinal Disorders (CNSD) mentioned that approximately 1,100 patients may have been affected by a recent data breach. The security incident, which exposed data, occurred this summer. According to the reports, a hacker gained unauthorised access to the CNSD office manager’s computer by installing a program. The program recorded keystrokes and periodically took screenshots of what was being displayed on the computer.

“We detected an unauthorized intruder in one of our computers. Access to this computer was immediately shut down; subsequently, CNSD’s servers and network were taken offline.”

“A subsequent investigation revealed that screen shots of 823 CNSD’s patients (along with 311 patients of another practice for whom CNSD bills) were taken between the dates of 7/7/16-7/18/16,” CNSD reported. “It is unclear whether any of this information was downloaded.”

As per the investigation by CNSD’s IT professional, the hacker had gained remote access. Affected information, which was revealed in the screenshots, included names, addresses, phone numbers, Social Security numbers, medical chart information, and billing information. Affected patients will be receiving notification letters.

“After the FBI took the hacked hard drive, CNSD’s IT professional put in a new hard drive with a new operating system into the computer at issue, and CNSD hired a separate IT security company to perform a complete examination of all software, servers, computers, routers, firewalls, and office security,” the statement read. “No additional suspicious programs, viruses, spyware, or malware were detected. The security firm has been retained to provide ongoing network security analysis and advanced threat protection.”

As per the statement:

CNSD reported the security breach to the FBI. Two FBI agents came to CNSD’s office and interviewed the owner, office manager, and IT professional.  The FBI has taken custody of the hard drive which was hacked and opened an investigation.

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

VAPC suffers data breach

August 18th, 2016

Arizona-based Valley Anesthesiology and Pain Consultants (VAPC) learned of unauthorized access to one of its computer systems. The incident potentially exposed the information of 882,590 patients.

Affected information included patient names, their providers’ names, dates of service, places of treatment, names of health insurers, insurance identification numbers, diagnosis and treatment codes, and Social Security numbers in a few cases.

Other information that was exposed includes credentialing information, such as names, dates of birth, Social Security numbers, professional license numbers, Drug Enforcement Agency (DEA) numbers, National Provider Identifiers (NPIs), as well as bank account information and potentially other financial information.

For a few employees, the exposed information includes names, dates of birth, addresses, Social Security numbers, bank account information and financial information, such as tax information.

“VAPC recognizes the importance of protecting the privacy and security of personal information, and regrets any inconvenience or concern this incident may cause,” VAPC said in a statement. “In addition to security safeguards already in place, VAPC is taking steps to enhance the security of its computer systems in order to prevent this type of incident from occurring again in the future. These steps include reviewing its security processes, strengthening its network firewalls, and continuing to incorporate best practices in IT security.”

Free credit monitoring and identity protection services will be provided to patients whose Social Security numbers or Medicare numbers are affected. VAPC believes that the information is not being misused. A call centre has also been set up to resolve queries.

Examples of similar data breaches include:

Hacking

Cloning of credit or debit cards

An employee with legitimate access to data intentionally breaches information

Sensitive documents are lost, discarded or stolen

A portable storage device is lost, discarded or stolen

Sensitive information is posted publicly on a website by mistake

According to the website:

The business affairs of Valley Anesthesiology and Pain Consultants are managed by a board of directors, comprised of its four elected officers, elected representatives of its five Divisions:  Barrow Neurological Institute, Downtown, Scottsdale North, Scottsdale Osborn, West Valley, and up to two members at-large.

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Bon Secours Health System data breach

August 16th, 2016

South Carolina-based Bon Secours Health System, Inc. recently suffered a potential healthcare data breach. The incident may have affected 665,000 patients. According to the reports, Bon Secours had hired the vendor R-C Healthcare Management, which made patient files available online while it attempted to adjust its computer network settings.

R-C Healthcare was notified by the facility so that the patient information would no longer be available. Affected information included patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers, and in some instances, bank account information. However, medical records were not available on the internet.

“We deeply regret any concern this may cause our patients,” Bon Secours said on its website. “To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained.”

Bon Secours mentioned that not all patients were affected. Those who were potentially affected will receive a notification letter in the mail. It also said that the information in the files was not misused in any way.

“If patients see that their insurer has been charged for services or procedures that they did not receive, they should contact their insurer to notify the insurer of their concerns,” the statement said. “Unfortunately, Bon Secours is not able to contact the insurer on the patient’s behalf.”

In the previous week, another health care data breach was noticed. Professional Dermatology Care, P.C. mentioned that 13,237 individuals were potentially affected in a ransomware attack.

According to the facility, the criminals wanted to “extract money from the company in order to de-encrypt data, rather than for the misuse of patient data.”

“PDC P.C. has already taken numerous steps to safeguard and prevent any further data breach of its network server and its patients’ protected health information; we have increased cyber security, implemented a new firewall as well as malware protection services,” PDC P.C. stated on its website. “The data breach was immediately reported to the F.B.I. and reports are being provided to the Virginia Office of the Attorney General and to the U.S. Department of Health and Human Services.”

____________________________________________________________________________________________

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption software.

Virginia-based Professional Dermatology Care, P.C. (PDC P.C.) suffers data breach

August 12th, 2016

Reston recently mentioned that it had suffered a potential data breach after a ransomware attack. According to the reports, the potential data breach was discovered on June 27, 2016. Unauthorized PHI access occurred between June 19, 2016 and June 27, 2016. The facility said that the criminals likely wanted to “extract money from the company in order to de-encrypt data, rather than for the misuse of patient data.”

Affected information included patient names, addresses, dates of birth, Social Security and Medicare numbers, and medical and billing records. As per the OCR data breach reporting tool, 13,237 individuals were potentially affected.

“PDC PC has already taken numerous steps to safeguard and prevent any further data breach of its network server and its patients’ protected health information; we have increased cyber security, implemented a new firewall as well as malware protection services,” Reston explained. “The data breach was immediately reported to the F.B.I. and reports are being provided to the Virginia Office of the Attorney General and to the U.S. Department of Health and Human Services.”

The facility mentioned that it is not aware of the patient data being misused but encouraged patients to take steps to monitor their credit and financial accounts. It said that obtaining credit reports, registering a fraud alert with the credit reporting agencies, and monitoring financial and health accounts for unauthorized activity can all be beneficial. Affected individuals will be notified by mail.

According to the website:

“We focus on the prevention and treatment of skin cancers. The hallmark of our practice is a complete head to toe full skin exam. We specialize in dermatoscopic examination of the skin to detect and remove precancerous lesions as well as cancers such as Basal Cell, Squamous Cell and Melanoma.”

____________________________________________________________________________________________

Unauthorized database access and security breach

August 10th, 2016

Jefferson Medical Associates (JMA) mentioned that an unauthorized individual unlawfully accessed and copied one of the practice’s databases. According to the investigation carried out by the Mississippi medical group, the database access occurred on the 1st of June. Also, several remote connections to the database were made between March 25, 2014, and June 1, 2016.

Affected information includes patient names, dates of birth, Social Security numbers, addresses, and phone numbers. Limited JMA prescription information, including drug names, dosages, and refill quantities, may also have been involved.

“We sincerely regret any concern or inconvenience this incident has caused or may cause any of our valued patients,” JMA’s Administrator Robby Graham said in a statement. “We take the privacy of their health information as seriously as we do their care. We want to assure our patients and the community we serve that we will continue to work both to understand this incident and to implement measures to further strengthen our data security.”

Investigators said that the unauthorized individual accessed the data just to show their ability.

“JMA has not been able to determine whether any of these other connections actually resulted in any acquisition, access, use, or disclosure of patient information, but it is possible,” the medical group explained.

According to the OCR data breach reporting tool, 10,401 individuals may have been affected. The facility will send emails to affected individuals. Also, one year of credit monitoring and identity protection services is offered.

“I was just going through randomly looking at the publicly available, configured for public access databases on those ports, and this one showed up,” cybersecurity researcher Chris Vickery told a local news station. “When I realized there Social Security numbers and names and phone numbers and prescription information, it dawned on me that ‘hey this probably should not be public if it is real data.’ So then I started the process of trying to figure out whose it was.”

According to Vickery, “the incident should not be considered a hack because the data was available to anyone who knew where to look.”

“This information is private information,” Jefferson Medical’s legal counsel Katie Gilchrist told the news source. “It’s federally protected information. It’s information that was on our server. This individual accessed it without our permission. He did in secret. There has never been a time when patient information in Jefferson Medical’s possession has been just out there for anyone to get to.”

 ___________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

Unauthorized employee access and data breach

August 8th, 2016

Memorial Hermann Health System recently suffered a potential data breach after an employee accessed data outside of normal job duties. According to the reports, patient records may have been compromised. Memorial Hermann came to know about the breach on July 7, 2014. It mentioned that the unauthorized access reportedly occurred from December 2007 to July 2014. Patients in this time frame are affected.

“We value patient privacy and deeply regret any inconvenience this may have caused our patients. Although privacy training is in place for all employees, Memorial Hermann continues to investigate and to review its privacy policies and practices in an effort to prevent something like this from happening in the future,” Memorial Hermann Health System explained.

Affected information included patients’ names, addresses, medical record numbers, dates of birth, health insurance information, and Social Security numbers in a few cases. Financial information was not included. A forensic investigation was launched after the discovery, and the employee’s access to medical records was suspended. The facility began to send out data breach notification letters via mail to around 10,604 affected individuals.

“We recommend that you regularly review the explanation of benefits statement that you receive from you or your child’s health insurer,” the statement read. “If you identify services on the explanation of benefits that you did not receive, please immediately contact the insurer. We value patient privacy and deeply regret any inconvenience this may have caused our patients. Although privacy training is in place for all employees, Memorial Hermann continues to investigate and to review its privacy policies and practices in an effort to prevent something like this from happening in the future.”

According to the website:

At Memorial Hermann, we’re all about advancing health. Yours.  It begins by redefining healthcare. That means bringing together all aspects of the health system – care delivery, physicians and health solutions to create a truly integrated health system. Our 5,500 affiliated physicians and 24,000 employees practice evidence-based medicine with a relentless focus on quality and patient safety. Our efforts continue to result in national awards and recognition, including being ranked one of the nation’s Top 5 large health systems by Truven Health for patient safety and quality.

 ___________________________________________________________________________________

Banner Health data breach

August 6th, 2016

Arizona-based Banner Health recently suffered a data breach as the result of a cybersecurity attack. It potentially affected 3.7 million patients, members and beneficiaries, providers, and food and beverage outlet customers. According to Banner Health, the cyberattack affected “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets.”

“Banner is committed to maintaining the privacy and security of information of our patients, employees, plan members and beneficiaries, customers at our food and beverage outlets, as well as our providers,” Banner Health President and CEO Peter Fine said in a statement.

For affected patients, the information accessed included names, dates of birth, addresses, physicians’ names, dates of service, clinical information, and possibly health insurance information. Social Security numbers were also included in the breach for those who provided them. Also, current or former health plan members and beneficiaries had their names, dates of birth, Social Security numbers, addresses, dates of service and claims information, and health insurance information exposed. Payment cards used at 27 different Banner Health locations during a certain date range were also affected.

Banner’s affected facilities include those in Arkansas, Arizona, Colorado, and Wyoming.

“The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems,” Banner said.

For providers, names, addresses, dates of birth, DEA (Drug Enforcement Agency) numbers, TINs (Tax Identification Numbers), NPIs (National Provider Identifiers), or Social Security numbers may have been affected. Banner sent data breach notification letters to those potentially affected.

“We have returned to accepting all forms of payment at food and beverage facilities. You can use your payment card with confidence,” Banner explained. “This incident did not affect payment cards used for payment of medical services.”

____________________________________________________________________________________________

Hillary Clinton email controversy and best practices for protecting data in your company

August 4th, 2016

According to new reports, U.S. Attorney General Loretta Lynch mentioned that the Department of Justice is closing its case regarding Clinton. Earlier, Clinton had used a personal email account to conduct government business instead of an official U.S. government email account.

Hillary received explicit warnings from the State Department’s cybersecurity team to stop using personal email. She had a private domain hosted on a private server placed in her home. This controversy can help us to understand the best data practices.

According to Comey, Clinton and her colleagues were “sloppy,” “negligent,” and “extremely careless” in handling classified information passing through her private server.

“Participants who know or should know that information is classified are still obligated to protect it,” said Comey at his press conference. He mentioned that everyone must be well trained and accountable for the information they handle, receive, read and are exposed to. Proper training and sound implementation avoid security incidents.

“We [at the FBI] assess that it is possible that hostile actors gained access to Secretary Clinton’s personal email account,” said Comey at his press conference.

Many of Clinton’s emails contained sensitive foreign intelligence data, which can be compromised. Clinton’s server was hacked earlier, in 2013.

“There are only two kinds of organizations,” MIT engineering and IT professor Stuart Madnick, who also serves as Director of the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, has said at numerous symposiums and conferences at MIT over the past couple of years. “Those that have been hacked and those that don’t yet know they have been hacked.”

“‘Prevention, prevention, prevention, that’s all I’m focused on,’ is gonna be doomed to failure,” said Chertoff in his keynote address at the Advanced Cyber Security Center’s 2014 annual conference. “You’re not gonna eliminate the risk of cyber attacks; this is about managing the risk.”

House Democrats tried to defend Clinton during the hearing, saying she may not have noticed or may not have understood the “tiny, little” markings of “(C)” next to some paragraphs in her emails. The marking is for classified files.

“It’s possible that she didn’t understand what a ‘(C)’ meant when she saw it in the body of an email like that,” testified Comey, who further indicated that before his investigation, he likely would have automatically assumed that a State Department official would know what the ‘(C)’ meant. “[It’s] not that she would have no idea what a classified marking would be, [but] it’s an interesting question whether she … was actually sophisticated enough to understand what [‘(C)’] means.”

In your company, make sure that employees read, understand, and acknowledge the policies, and that they receive effective training on handling day-to-day data and classifying it appropriately.

 ___________________________________________________________________________________

Hacking causes EHR breach

August 2nd, 2016

As per the notice on its website, Athens Orthopedic Clinic in Georgia mentioned that it has experienced a potential EHR breach after a healthcare cybersecurity incident. The facility said that an external entity had launched a cyberattack on its EHR system using a third-party vendor’s credentials.

Affected information included names, addresses, Social Security numbers, dates of birth, telephone numbers, and, in some cases, diagnoses and partial medical histories. The facility did not mention the number of individuals affected.

Many have earlier mentioned the need to strengthen healthcare systems.

“You rarely hear healthcare as the focus of the cyber-security industry,” Ralph Echemendia, CEO of cyber-security consulting firm Red-e Digital says. “With the Sony hack, an entire corporation was taken completely down. Nobody could go to work. If you do that to a hospital, people die.”

Cybersecurity experts were hired to investigate the attack and assess the facility’s systems. The cybersecurity firm’s recommendations are being implemented to improve healthcare data security.

“We are in the process of notifying the affected patients, and deeply regret any stress this may cause our patients,” Kayo Elliott, CEO of Athens Orthopedic Clinic told OnlineAthens.com.

“Rest assured that we are taking all necessary measures to ensure that any resulting damage is limited to the extent possible and working to retain your trust in our practice. We advise that our patients contact credit reporting agencies to create a fraud alert as soon as possible; we have posted a statement on our website that includes credit reporting agency contact information.”

According to the website:

Athens Orthopedic Clinic has been providing comprehensive orthopedic care to Athens and surrounding communities since 1966. AOC is a healthcare facility with a long-standing tradition of excellence and service. As a total orthopedic care center, our physicians specialize in orthopedic surgery and handle the diagnosis and treatment of diseases and injuries of the bones, muscles, tendons, nerves and ligaments in both adults and children.

____________________________________________________________________________________________

Data breach due to theft incident

July 28th, 2016

A total of 7,784 individuals were notified about a potential PHI breach by the Ohio-area dental practice. Patient records were stolen, as reported by the Office of Civil Rights on its website. Sunbury Plaza Dental mentioned that its secured storage unit containing business and patient records was burglarized. It came to know about the incident when law enforcement officials notified it.

The officers said that some patient records were stolen from the storage unit. The majority of records were not touched. The affected patient files contained personally identifiable information, such as names, addresses, dates of birth, and Social Security numbers, as well as some healthcare data.

The suspects committed the theft in order to commit identity fraud. All patient files involved in the incident have now been recovered. Also, the dental practice updated its policies and procedures for safeguarding patient information. It also partnered with law enforcement agencies to investigate the break-in.

Complimentary identity monitoring services for a year are provided by the facility to affected individuals.

How you can protect yourself:

“It is recommended that patients affected by this matter regularly review their account statements and check their credit report for incidents of fraud and identity theft. To help our patients with this we have secured the services of Kroll to provide identity monitoring for one year to our patients affected by this matter. This service includes Credit Monitoring, Web Watcher, Public Persona, Quick Cash Scan, $1 Million Identity Theft Insurance, Identity Consultation, and Identity Restoration.”

Many healthcare data breaches currently occur because of theft. Another incident involved a Texas-based medical office and affected around 2,900 individuals. According to the website notice of StarCare Specialty Health System, one or more burglars broke into its East Broadway office in Lubbock, Texas and stole five laptops. One of the laptops contained confidential patient information. It was not encrypted.

Affected information included names, medical record numbers, telephone numbers, diagnoses, admission and discharge dates, dates of birth, Social Security numbers, and Medicare and Medicaid numbers.

According to the statement:

“StarCare is giving one year of free identity monitoring to those clients who may have been affected by this breach. This service will provide credit monitoring, identity monitoring, identity theft insurance and fraud restoration services. Signing up for this program will not affect your credit score. If you are a client you will receive a notification letter. If you have not received your letter or wish to determine if you are a part of the impacted population.”

____________________________________________________________________________________________
