data encryption

Summit Reinsurances Services announces data breach

March 20th, 2017

Summit Reinsurance Services, Inc., recently suffered data breach when it became aware of a ransomware attack on its server. Patient PHI was present was involved in the incident. Facility immediately conducted Investigation. It mentioned that an unauthorized user accessed the server during March 13, 2016.

Affected information included Social Security numbers, health insurance information, provider names, and claim-focused medical records containing diagnoses and clinical information.

Facility didn’t mention the number of affected patients. Also, there is no information or evidence of any misuse of information. It is providing information about ways of protecting against identity theft and fraud. One year of free credit monitoring and identity restoration is provided.

As per the statement:

  • Facility is asking patients to remain vigilant against incidents of identity theft and fraud. Review of account statements should be done. Also, credit reports and explanation of benefits forms should be monitored for suspicious activity.
  • Three major credit bureaus can be reached directly to request a free copy of credit report.
  • Fraud alerts can be placed on the files that will alert affected patients before granting credit. But it will delay ability to obtain credit while the agency verifies identity.
  • Security freeze on credit reports can be placed. Once this is activated, credit bureau can’t release consumer’s credit report without the consumer’s written authorization. This facility will affect customers request for new loans, credit mortgages, employment, housing, or other services.

“In order to request a security freeze, you will need to supply your full name, address, date of birth, Social Security number, current address, all addresses for up to five previous years, email address, a copy of your state identification card or driver’s license, and a copy of a utility bill, bank or insurance statement, or other statement proving residence.”

____________________________________________________________________________ 

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Verifone suffers data breach

March 17th, 2017

Payment solutions provider Verifone recently announced data breach which affected its internal network.

Verifone CIO and senior vice president Steve Horan sent an email to employees and contractors. They need to change the password within 24 hours. Also, they will be blocked from installing software on a computer till investigation completes. It came to know about the breach from Visa and MasterCard.

Verifone spokesman Andy Payment mentioned that breach didn’t affect payment services network. “We believe today that due to our immediate response, the potential for misuse of information is limited,” he said.

The attack has been traced to Russian hacking group.

As per the statement, “According to the forensic information to date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time-frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

“The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company,” Balabit product manager Peter Gyongyosi told eSecurity Planet by email.

“This once again underscores the importance of a multi-layer, defense-in-depth approach to security,” Gyongyosi added. “Keeping endpoint devices completely secure, especially in a large enterprise, is an impossible task and organizations must prepare for situations where an attacker would gain access to internal accounts. Fine-grained access control and detailed monitoring of activities — especially those related to critical systems — and advanced analytics such as behavior analysis can help security teams gain an edge over the attackers.”

Fortune 1000 Security Performance is declining. Verifone is a member of the Fortune 1000.

“It is possible Fortune 1000 companies exhibit a higher frequency of system compromises due to having a large attack surface,” the report states. “Fortune 1000 companies tend to have a high number of employees, which often corresponds to more networked devices and more IP addresses owned. Criminals also may have more motivation to target these prominent companies as they manage PII, PCI and intellectual property.”

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Health Facility suffers data breach due to improper shredding of paper documents

March 9th, 2017

Minnesota-based Allina Health recently suffered data breach due to paper documents, which were emptied into the trash insecurely. As per the reports, proper shredding of the documents was not done.

Documents belong to physician’s private office and was supposed to be shredded at the Minneapolis Heart Institute at Abbott Northwestern Hospital. After the incident, facility launched an investigation. Affected information included patient information including names, medical record numbers, addresses, and insurance information.

As per the OCR data breach reporting tool, incident affected 776 patients.  Facility mentioned that some patients use their Social Security numbers as identification numbers on insurance documents.  Hence there is possibility of Social Security numbers being exposed.

“Allina Health has undertaken a system wide awareness campaign to inform the workforce of the simplified “shred all paper” disposal process and reinforced its safeguards policy to re-emphasize the importance of proper disposal.”

Allina Health also added that there is no information or evidence of any misuse of the data. It is notifying affected patients. Also, one year of free credit monitoring and identity protection services are provided.

“Allina Health has simplified its systemwide process to require all paper and documents be placed into secured or locked shredding bins, whether or not the paper contains patient information,” the statement explained. “All paper is shredded and then recycled. The enhanced process also removes all desk-side recycling bins to prevent paper from being placed into recycling without being shredded first.”

Allina Health mentioned that it takes the confidentiality of patients’ information very seriously. Also, it will take steps to ensure that a similar incident does not occur in the future. Patients who believe they may have been impacted or patients who have other questions should call toll-free number.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Unauthorized employee access at Vanderbilt University

March 6th, 2017

Vanderbilt University Medical Center (VUMC) recently suffered data breach when it came to know about the unauthorized employee access to patient medical records. As per the reports, concerned employee were working as patient transporters. Patients’ electronic medical records was accessed without necessary permissions.

As per the statement, “The breach prompted the medical center to change the way the patient transport staff gets information so that it no longer gives them access to electronic medical records. Staff in that department were also retrained about appropriate access to information. VUMC is in the process of migrating from its current electronic health record system to a new software system designed by Epic Systems.”

Facilty conducted an audit of electronic medical records (EHR) which was accessed by the employee.  As per the reports, two employees were involved in the breach who viewed adult and pediatric patient information, including patients’ names, dates of birth, and medical record numbers for internal use. One of them got access to patient Social Security numbers in a few instances.

VUMC mentioned that there is no information whether data was downloaded, transferred, or misused in any way. Affected patients received notification letter Facility has offered fraud or identity theft services. As per the report from The Tennessean, incident affected 3,247 medical records.

“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded.  So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” said VUMC Chief Communications Officer John Howser. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

_____________________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach at rehabilitation facility

February 27th, 2017

Catalina Post-Acute and Rehabilitation recently announced data breach when paper files were left in an unattended area. The patient data and certain employee information were left temporarily vulnerable to possible unauthorized public access. Current or past residents and employees are encouraged to take steps to protect themselves.

Facility has mission statement provided on the website as, “Working together to create a sense of community, our dedicated and compassionate staff will strive to exceed your expectations and make a difference in the lives of those we serve by providing exceptional care and service, and remembering you are the reason we are here.”

The healthcare organization mentioned that it came to know about these files on December 5, 2016. Affected information included demographic information. Diagnoses and Social Security numbers in some cases. As per the OCR reporting tool, the incident affected 2,953 individuals.

Facility mentioned that it launched an investigation into the incident. Also, protocols in place relating to PHI storage and employee information are reviewed. It also mentioned that as per the internal investigation it appears that no patient or employee information was misused.

“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.

Facility also mentioned that consumers may request free copy of their credit report once 12 months from Equifax, Experian and Trans Union. These agencies have central website to provide free credit report.  It has also provided contact number to answer questions and queries of affected individuals.

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Unauthorized EHR access at medical centre

February 22nd, 2017

Dignity Health St. Joseph’s Hospital and Medical Center recently announced data breach, which has potentially affected 600 patient medical record. During routine review of employee access to the hospital’s electronic health records, St. Joseph’s came to know about the incident.

“Dignity Health and St. Joseph’s Hospital and Medical Center are committed to furthering the healing ministry of Jesus, and to providing high-quality, affordable healthcare to the communities we serve.”

As per the reports, sections of patient medical records were viewed without authorization by a part time hospital employee. Facility has sent advisory letters to impacted patients.

St. Joseph’s mentioned that the records did not contain Social Security numbers, billing, and credit card information. It also added that there is “no reason to believe these patients need to take any action to protect themselves against identity theft.”

“Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.”

The individuals who were patients at St. Joseph’s between Oct. 1, and Nov. 22, 2016 are notified. Potentially affected information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information.

“St. Joseph’s regrets any inconvenience caused by this incident. Letters have been mailed to patients whose medical records may have been viewed and the hospital has established a call center to answer any questions they may have. “

An electronic health record (EHR) is a digital patient’s record. EHRs are advantageous as they are  are real-time as well as patient-centric. It also contains broader view of patient’s record and care.

___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach due to email hack

February 20th, 2017

Foot and ankle surgeon Jay Berenter’s office announced data breach due to an email hack. Hackers sent some patients an email that the office employees claimed not to have sent. As per the reports, the email sent to Dr. Berenter’s contacts  contained a DocuSign document waiting for their review.

As per the statement, “Dr. Berenter takes the protection of information seriously and understands how important trust is in a physician-patient relationship.”

Dr. Berenter’s office immediately sent another email informing patients not to access the DocuSign email. After the incident came to notice, Dr. Berenter’s office took steps to secure the email account. It also hired forensic IT specialists.

Investigation was carried out to determine the extent of breach. it also checked whether any of the office’s systems were affected. Facility mentioned that the incident was determined to be limited to the email account only. Potentially affected information includes patient registration forms, prescriptions, and patient names.  As per the data breach reporting tool, the incident affected 569 individuals.

Facility has also hired forensic IT specialists to investigate the incident further. It is trying to make sure that no electronic medical records were accessed. Facility is implementing new email system. Additional internal administrative steps are taken to prevent a similar hack.

Federal agencies of California Attorney General and the Federal Department of Health and Human Services are notified about the incident. Facility believes that there is no evidence to say that information is misused.

Dr. Berenter’s office has provided contact information to answer queries. One year of complimentary identity theft protection is provided to potentially affected clients. It has also encouraged to place a free 90 day fraud alert on affected accounts.

“Protecting your information is incredibly important to Dr. Berenter, as is addressing this incident with the information and assistance you may need.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Unauthorized access and data breach

February 17th, 2017

Verity Health System based in California recently announced that an unauthorized access may have caused data breach. The incident affected personal information of more than 9,000 individuals.

Verity Health operates six hospitals which includes Seton in Daly City, Seton Coastside in Moss Beach, O’Connor in San Jose, St. Louise in Gilroy and two in Southern California. It also runs Verity Medical Foundation and Verity Physician Network. Verify Health was known as Daughters of Charity. It was renamed after taken over by investment firm BlueMountain Capital Management.

Verity Health mentioned that the access occurred on the Verity Medical Foundation-San Jose Medical Group website.  It mentioned that the website is no longer in use. Also, immediate steps were taken to secure it and protect it from further damage.

Affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. Full credit card numbers and Social Security numbers were not included in the breach.

Verity mentioned that 9,000 got affected individuals in its statement. As per the OCR data breach reporting tool, incident impacted 10,164 individuals.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Facility believes that there are no reports of misuse of information. It has also established a call center to answer queries. It is also offering one free year of credit monitoring services for potentially affected patients.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.