AlertSec Xpress

Ransomware attack

September 23rd, 2016

Oklahoma-based Saint Francis Health System recently announced a data breach in which its server was accessed by an unauthorized party. Reports suggest that patient information was accessed by the outside intruder. The facility also mentioned that it received an email on September 7, 2016 stating that the incident had taken place. Spokesperson Sevan Roberts said that the anonymous individual or individuals demanded payment for the information.

“Saint Francis decided not to act on the demand because payment does not guarantee or prevent data from being disclosed,” said a Saint Francis statement. “The health system understands the importance of protecting our patients’ information, and deeply regrets that this occurred.”

Roberts added that the information on the server covered approximately 6,000 names and addresses. Social Security numbers, driver’s license and financial information were not present on the server. The server was disabled after the incident. The facility is working with local law enforcement.

“Saint Francis has also been working with a leading forensics firm to investigate this incident and look for ways to enhance our existing security measures,” the statement read. “Notification letters are being mailed to those individuals who may have been affected and complimentary participation in identity monitoring service is provided.”

Is it a good idea to negotiate the ransom?

Ransomware is one of the threats looming over many industry sectors. All types of malware attack make the news. Ransomware is a piece of malware that encrypts your data. The data is decrypted when the ransom demand is met; the intruder generally provides the key to decrypt the data after the payment.

Many facilities pay the ransom because it is the safest and quickest way. Examples include facilities such as Hollywood Presbyterian Medical Center. Allen Stefanek, the Chief Operating Officer, said that the ransom was paid, stating that “the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

____________________________________________________________________________________________

Alertsec customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

Health Centre Data breach

September 20th, 2016

Codman Square Health Center, which is based in Massachusetts, recently suffered a data breach. It is notifying patients about the incident, which exposed some of their information due to unauthorized HIE access.

“Codman Square Health Center is a community-based, outpatient health care and multi-service centre which opened the facility in 1979. The facility started with two-physician staff. Today, a staff of 280 multi-lingual and multi-cultural expert clinicians, medical staff and employees, most of whom reside in the neighborhoods surrounding Codman Square take care of 115,000 client contacts each year. It also has developed an astounding depth and breadth of community programs, as well as strong partnerships with other organizations.”

On July 13, 2016, the facility mentioned that an employee had accessed the New England Healthcare Exchange Network (NEHEN) without authorization. It also mentioned that the employee’s conduct was against Codman policies. As per the OCR data breach reporting tool, 3,840 individuals were affected.

The facility’s website mentioned that some of the accessed information may have included that of non-Codman patients.

Affected information included names, addresses, dates of birth, gender, medical services payer information, and medical insurance coverage information. Social Security numbers may have been included in some cases. Codman said that there is no indication that the information was misused.

The facility will send notifications by mail. Only individuals who were affected by the data security incident will receive a letter.

“Those Codman patients who do not receive a letter have not been affected,” Codman explained.

“For affected individuals who are not Codman patients, those directly affected will be notified by mail if contact information is provided. The health center has suspended or terminated all employees involved in the incident.  Codman Square has also retrained all employees.”

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information.

Missing binder data breach

September 18th, 2016

An Oberlin, Kansas facility suffered a data breach when a binder went missing, and it reported a PHI breach. The facility found that a CAT scan log binder was not in its regular place. Decatur Health Systems (DHS) mentioned in an online statement that the binder went missing from DHS between 5pm on July 22, 2016 and 7am on July 25, 2016. The incident caused a data breach for 707 patients.

Affected information included patient names, dates of birth, dates of exams, diagnoses leading to the CAT scan, ordering providers, and x-ray exposure levels. Social Security numbers were not included.

According to Privacy Officer Erica Forti, potentially affected individuals will receive a notification letter.

The facility mentioned that it is working with local and federal law enforcement agencies to retrieve the binder. It wants to find out who removed it and whether the patient information has been misused.

DHS knows the importance of keeping protected health information private and sincerely apologizes to the patients whose names were in the binder. They are working to ensure all patient information contained in other hard copy records and other sources of patient information is secure. They have changed key locks within the facility, conducted audits, and implemented new policies and processes. DHS employees have received additional training on security beyond their annual education and training.

According to the website:

Decatur Health Systems, Inc. is a rural health organization which works as a critical access hospital and a rural family practice clinic. The facility also manages an independent living complex. It mentioned that it is committed to providing quality health care to the rural population.

Preventative Services: 

General Health Maintenance

Management of Chronic Medical Conditions

Same Day Appointments

New Patients Welcome

Routine Physicals

Routine Well Child Checks

Work, School and Sports Physicals

Pap Smears and Routine Gynecological Care

Immunizations

Screening

Pregnancy Testing

Acute Care Services:

Chronic and Acute Childhood Illnesses

Chronic and Acute Adult Illnesses

Minor Injuries

Family Planning and Education

Minor Lacerations

Fracture Care

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Members affected by data breach

September 16th, 2016

Geisinger Health Plan (GHP) suffered a data breach due to an unauthorized PHI disclosure which affected 2,814 members from 220 employers. The incident occurred due to a processing error. The facility learned about the incident on August 4. According to the statement, the error may have led to PHI being mistakenly mailed to other citizens.

“Geisinger Health Plan has received national attention for its ability to foster innovation, while uniquely and effectively managing medical costs and improving outcomes,” as mentioned on the website.

The information affected by this data breach included member name, date of birth, health insurance premium information, member identification number and smoking status. Medical treatment or financial information, like Social Security numbers, was not included in the mail.

“We have contacted both the affected members and businesses regarding the processing error and the possibility of a disclosure,” Geisinger Privacy Officer John Gildersleeve said in a statement. “In addition, we have requested that the invoices be returned so they can be properly destroyed in compliance with Geisinger Health System policies and procedures.”

According to Gildersleeve, only individuals affected by this incident will receive a notification letter.

“We take our responsibility to protect personal information seriously,” he said. “We apologize for any inconvenience and remain dedicated to safeguarding member information.”

According to the statement:

Our roots evolved from a rural, prepaid health plan offered as a pilot program in 1972 to Geisinger Medical Center employees and residents of the five counties that surrounded the hospital. In 1985, the Health Plan received its Certificate of Authority to operate an HMO under the authority of the Pennsylvania Health Maintenance Act of 1973. The Health Plan had a significant premium advantage during the period of escalating healthcare costs in the 1980s and ’90s. Membership grew rapidly, and in 1990, the Health Plan reached its 100,000-member milestone.

 ___________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe.

Stolen laptop and data breach

September 14th, 2016

A U.S. HealthWorks employee’s laptop was stolen, resulting in a data breach. It contained patient information, and 1,400 U.S. HealthWorks patients were affected. According to reports, the device was encrypted, but the laptop’s password was also stolen. Hence the thief can access the information on the device.

The facility mentioned that emails on the computer had information for a limited number of individuals. It did not include financial or account information, but full names and possibly some limited medical information, including diagnoses and visit dates, and limited health insurance information may have been affected.

U.S. HealthWorks also specialises in urgent healthcare. It mentioned that its convenient Urgent Care centers offer quality medical care, excellent customer service, and a knowledgeable staff to patients.

The facility has established a dedicated call center to answer patients’ queries related to the data breach.

“To help prevent something like this from happening again, we are enhancing our existing procedures related to the security of laptops and user passwords, as well as providing additional information security training for all U.S. HealthWorks employees,” the statement mentioned.

According to the OCR reports, 1,400 individuals may have had their information compromised.

“We sincerely regret any inconvenience or concern about this incident. We began mailing letters to affected individuals on September 2, 2016, and have established a dedicated call center to answer any questions they may have. If you believe you may be affected and have not received a letter by September 17, 2016.”

As mentioned on the website:

U.S. HealthWorks, a subsidiary of Dignity Health, was founded in 1995 and is the leading national provider of occupational medicine and urgent care services. With more than 200 locations in 21 states, and more than 4,000 employees, including approximately 800 medical providers, U.S. HealthWorks serves more than 13,000 patients each day. U.S. HealthWorks Medical Group offers programs and services that can help prevent illnesses, maintain good health and provide early intervention and rehabilitation whenever injuries or health problems occur.

 ___________________________________________________________________________________________


Burrell Behavioral Health data breach

September 10th, 2016

Missouri-based Burrell Behavioral Health recently suffered a data breach. The facility faced a cybersecurity attack after an unauthorized party accessed an employee’s email account. It discovered the breach on July 7, 2016. An internal investigation was launched immediately and the account was secured. According to reports, the unauthorized access occurred from July 6, 2016 to July 7, 2016.

“Burrell Behavioral Health has established a dedicated assistance line for anyone seeking additional information regarding this incident, as well as steps to better protect against identity theft.”

Affected information included clients’ names, addresses, dates of birth, Social Security numbers, doctor’s names, diagnoses, disability code, health insurance number, treatments, treatment locations and medical record numbers.

“We take any threat to the security of information entrusted to us very seriously,” Burrell President and CEO Dr. Todd Schaible said in a statement. “Once the attack was discovered, we immediately took counter measures and also hired nationally-renowned computer forensic investigators to determine exactly what happened and what information was at risk. We apologize for any inconvenience or concern this incident may cause our community.”

As per the OCR data breach reporting tool, a total of 7,748 individuals may have been affected. Burrell mentioned that the patient PHI in the email account was accessed, but that “information at risk varies for each individual.”

One year of complimentary credit monitoring and identity restoration is provided for the affected people. The facility asked people to remain vigilant to avoid identity theft, which includes:

Reviewing account statements, medical bills, and health insurance statements regularly for suspicious activity, to ensure that no one has submitted fraudulent medical claims using your name and address. Report all suspicious or fraudulent charges to your account and insurance providers. If you do not receive regular Explanation of Benefits statements, you can contact your health plan and request them to send such statements following the provision of services.

 ___________________________________________________________________________________


Vendor error & data breach

September 8th, 2016

CHI Franciscan Health Highline Medical Center (Highline) recently suffered a data breach. The facility notified certain patients.

Vendor R-C Healthcare Management (R-C Healthcare) previously worked with Highline. In 2014, the medical center was acquired by CHI. R-C Healthcare alerted Highline that files with patient information had mistakenly been made accessible online.

The affected files were secured by June 13. Affected information included patient names, dates of service, health insurance information and Social Security numbers. According to reports, potentially affected patients include those involved in account reporting functions from 1993 to 1994 and then from 2008 to 2013.

“We take our responsibility to protect patient privacy very seriously and have taken immediate responsive action,” Highline explained. “We work to continually improve our policies, processes and educational offerings to ensure our patients receive the benefit of proven information security and confidentiality practices.”

Although the facility has no information of the data being “accessed, viewed, acquired or otherwise compromised by any unauthorized third party,” it is still offering free credit monitoring services to those who were possibly affected.

As per the OCR data breach reporting tool, 18,399 individuals’ information was made accessible online in the incident.

“We deeply regret any concern this may cause our patients. We take our responsibility to protect patient privacy very seriously and have taken immediate responsive action. We work to continually improve our policies, processes and educational offerings to ensure our patients receive the benefit of proven information security and confidentiality practices.”

As mentioned on the website:

The seeds for CHI Franciscan Health were planted in 1891, when the Sisters of St. Francis of Philadelphia established St. Joseph Hospital, now known as St. Joseph Medical Center, in Tacoma. Over the years, our health care ministry has grown with the enduring goal of fulfilling the spiritual, emotional and physical needs of the people we serve.

 ___________________________________________________________________________________________


Email error and data breach

September 6th, 2016

Planned Parenthood of Greater Washington and North Idaho recently suffered a data breach. It notified the affected individuals of the data security incident. According to reports, emails notifying individuals of an online portal were sent to the wrong addresses.

“Planned Parenthood of Greater Washington and North Idaho (PPGWNI) has been helping women, men, and teens make responsible decisions about their sexual health for nearly 50 years. Dedicated to delivering the highest quality reproductive health care services since 1967, PPGWNI is also committed to providing responsible, age-appropriate sexuality education. Protecting a woman’s fundamental right to choose is a major part of our organization’s underlying philosophy.”

Some individuals received another person’s email. It contained the second individual’s first and last name. Personal or health information was not present in the email.

“Privacy is a top priority for us, and we regret any confusion or concern this error has caused,” the statement reads. “We are reinforcing existing privacy policies and technological protocols internally and with our partners, and are evaluating additional safeguards to prevent any similar incidents from occurring in the future.”

As soon as Planned Parenthood learned about the breach, it shut down the portal. The facility had not realized there was an error. There is no evidence indicating that any of the data has been misused.

“We are committed to ensuring individuals affected by this incident have the necessary information about this matter.  Those individuals who believe they could have been affected by the incident and would like to obtain more information can do so by calling customer care.”

According to the OCR list, a total of 10,700 individuals were potentially affected by this incident.

Below are simple mistakes which can cause a data breach:

Human Error: It is one of the main concerns IT departments face. Many companies have to cope with such mistakes when unauthorised people open official emails.

Software Error: Sometimes software has bugs which cause legitimate emails to be sent to an unauthorised inbox. People viewing them can misuse them.

____________________________________________________________________________________________


Mental Health Office data breach

September 4th, 2016

The New York State Office of Mental Health (OMH) mentioned that one of its facilities suffered a cybersecurity breach. The incident potentially exposed the records of research participants. According to reports, certain parts of the New York State Psychiatric Institute’s system were accessed by unauthorized individuals.

“NYSPI and OMH have established this special toll-free number to answer any questions participants in affected research studies may have. If you are a research participant, please call the toll free number if you have any questions.”

Affected information included names, addresses, dates of birth, telephone numbers, and email addresses. Social Security numbers, driver’s license or state identification numbers, school, county, and coded health-related information from interviews or questionnaires may have been included in some cases.

“OMH is working with law enforcement and has hired a leading cyber-security contractor to conduct a forensic security investigation of NYSPI’s computer systems to better protect persons against future security issues,” the statement reads. “In addition, OMH is providing identity protection services from ID Experts at no charge for all participants in the next 12 months.”

As per the OCR data breach notification database, 21,880 individuals were affected by this data breach.

Message from the Director includes:

 Columbia University Department of Psychiatry, New York State Psychiatric Institute, and the Psychiatric Services at NewYork-Presbyterian Hospital form an extraordinary convergence of scientific expertise, clinical talent, and technological resources.

 Already, we are ranked among the top five psychiatric programs in the nation, and indeed the world, by virtually every measuring organization. Ultimately, however, this program should be undisputed as the leading Department of Psychiatry in the world, establishing new paradigms in academic psychiatry through psychiatric research, clinical care, policy, education and training.

 I am proud to report that by all measures, we have made great progress toward that vision. We have added new divisions, which epitomize the philosophy of our program in psychiatry: a tireless, pioneering exploration of the newest scientific possibilities in psychiatric care, combined with a scrupulous commitment to the well-being of our patients and their needs and rights as individuals.

____________________________________________________________________________________________


Harbin Clinic data breach

September 2nd, 2016

Georgia-based Harbin Clinic, LLC recently suffered a data breach. The facility has notified approximately 500 patients. Some patients’ information may have been breached after several boxes of medical records were found to no longer be in a storage facility.

According to Iron Mountain, Inc., “several boxes of medical records are unaccounted for and/or are missing or destroyed from their Atlanta facility.”

“Harbin Clinic engaged the data safety warehouse to maintain the privacy of our patients’ records, as Iron Mountain is well regarded in the data storage industry, housing billions of information assets,” Harbin Chief Compliance and Privacy Officer Lori Custer, JD, CHC, said in a statement.

Medical records in the boxes included information on cardiovascular medicine and obstetrics and gynecology patients who received treatment at the facility before 2002. Affected information also included patient names, dates of birth, addresses, diagnoses, Social Security numbers and insurance information.

“In order to protect our patient’s rights and private information, we enforce strict rules for those who handle patient information and we regularly educate all employees on privacy regulations,” Custer explained. “Though we had contracted with an internationally-acclaimed data warehouse as our partner in keeping records safe, once we were informed of the loss we took immediate steps to assist our patients in learning about and managing any privacy concerns.”

About Harbin Clinic:

 Harbin Clinic has been committed to providing excellent and innovative patient care for more than 100 years in Northwest Georgia.

 At Harbin Clinic, you have access to more than 240 healthcare professionals who provide integrated care across more than 40 medical specialties and services. We believe it’s important for you to be involved in your healthcare, so we work with you to provide care that is tailored to your needs.

 ___________________________________________________________________________________________
