Data loss

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach at rehabilitation facility

February 27th, 2017

Catalina Post-Acute and Rehabilitation recently announced data breach when paper files were left in an unattended area. The patient data and certain employee information were left temporarily vulnerable to possible unauthorized public access. Current or past residents and employees are encouraged to take steps to protect themselves.

Facility has mission statement provided on the website as, “Working together to create a sense of community, our dedicated and compassionate staff will strive to exceed your expectations and make a difference in the lives of those we serve by providing exceptional care and service, and remembering you are the reason we are here.”

The healthcare organization mentioned that it came to know about these files on December 5, 2016. Affected information included demographic information. Diagnoses and Social Security numbers in some cases. As per the OCR reporting tool, the incident affected 2,953 individuals.

Facility mentioned that it launched an investigation into the incident. Also, protocols in place relating to PHI storage and employee information are reviewed. It also mentioned that as per the internal investigation it appears that no patient or employee information was misused.

“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.

Facility also mentioned that consumers may request free copy of their credit report once 12 months from Equifax, Experian and Trans Union. These agencies have central website to provide free credit report.  It has also provided contact number to answer questions and queries of affected individuals.

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Unauthorized EHR access at medical centre

February 22nd, 2017

Dignity Health St. Joseph’s Hospital and Medical Center recently announced data breach, which has potentially affected 600 patient medical record. During routine review of employee access to the hospital’s electronic health records, St. Joseph’s came to know about the incident.

“Dignity Health and St. Joseph’s Hospital and Medical Center are committed to furthering the healing ministry of Jesus, and to providing high-quality, affordable healthcare to the communities we serve.”

As per the reports, sections of patient medical records were viewed without authorization by a part time hospital employee. Facility has sent advisory letters to impacted patients.

St. Joseph’s mentioned that the records did not contain Social Security numbers, billing, and credit card information. It also added that there is “no reason to believe these patients need to take any action to protect themselves against identity theft.”

“Dignity Health St. Joseph’s Hospital and Medical Center is deeply committed to protecting its patients,” the statement explained. “Any person who accesses medical records without a job-related reason is in violation of St. Joseph’s policy and appropriate action has been taken in response to this event.”

The individuals who were patients at St. Joseph’s between Oct. 1, and Nov. 22, 2016 are notified. Potentially affected information included patient medical records, demographic information (e.g. names and dates of birth), and clinical data, such as doctor’s orders and diagnostic information.

“St. Joseph’s regrets any inconvenience caused by this incident. Letters have been mailed to patients whose medical records may have been viewed and the hospital has established a call center to answer any questions they may have. “

An electronic health record (EHR) is a digital patient’s record. EHRs are advantageous as they are  are real-time as well as patient-centric. It also contains broader view of patient’s record and care.

___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach due to email hack

February 20th, 2017

Foot and ankle surgeon Jay Berenter’s office announced data breach due to an email hack. Hackers sent some patients an email that the office employees claimed not to have sent. As per the reports, the email sent to Dr. Berenter’s contacts  contained a DocuSign document waiting for their review.

As per the statement, “Dr. Berenter takes the protection of information seriously and understands how important trust is in a physician-patient relationship.”

Dr. Berenter’s office immediately sent another email informing patients not to access the DocuSign email. After the incident came to notice, Dr. Berenter’s office took steps to secure the email account. It also hired forensic IT specialists.

Investigation was carried out to determine the extent of breach. it also checked whether any of the office’s systems were affected. Facility mentioned that the incident was determined to be limited to the email account only. Potentially affected information includes patient registration forms, prescriptions, and patient names.  As per the data breach reporting tool, the incident affected 569 individuals.

Facility has also hired forensic IT specialists to investigate the incident further. It is trying to make sure that no electronic medical records were accessed. Facility is implementing new email system. Additional internal administrative steps are taken to prevent a similar hack.

Federal agencies of California Attorney General and the Federal Department of Health and Human Services are notified about the incident. Facility believes that there is no evidence to say that information is misused.

Dr. Berenter’s office has provided contact information to answer queries. One year of complimentary identity theft protection is provided to potentially affected clients. It has also encouraged to place a free 90 day fraud alert on affected accounts.

“Protecting your information is incredibly important to Dr. Berenter, as is addressing this incident with the information and assistance you may need.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Break In causes data breach

February 14th, 2017

Wichita, Family Medicine East, Chartered based in Kansas reported that it suffered data breach due to theft of an unencrypted desktop computer and printer from its facility. As per the reports, an individual got into the building by breaking an exterior window. Family Medicine mentioned that police have not yet caught the thief. Also, stolen items are not recovered.

Family East mentioned that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.”

Affected information included patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes. Social Security numbers and addresses are not included in the breach. Letters written to other physicians discussing a Family Medicine referral were included for few. Letters were also identified by name and information about their medical condition.

“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee’s oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”

Individuals who got treated in 2002 or 2003 are asked “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Steps also include obtaining credit reports and monitoring their financial and baking accounts for activities.

Facility mentioned that it is offering complimentary credit monitoring services to potentially affected patients. It also said that all computers and systems will be encrypted.

“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Health Facility suffers email hack

February 7th, 2017

Multicare Health System recently announced data breach due to an email hack. The incident potentially affected 1,200 patients. The Washington health system mentioned that it has no information at this time to believe that any patient personal health information was accessed or misused in any way.

Facility will send the notification to affected patients. Also, patients have been advised to review their Explanation of Benefits statements and to remain vigilant to signs of irregularities related to their health insurance.

MultiCare stated that an unauthorized individual gained access to an employee email account. The information in the emails likely contained personal patient information ranging from addresses to account balances. Facility added that financial information and Social Security numbers were not present on the affected email account.

After the incident the affected email account has been secured. Password has been changed. Facility initiated an investigation into the incident and has provided contact information for patients concerned about the status of their information.

About Multicare:

“MultiCare is a not-for-profit health care organization with more than 10,000 employees and a comprehensive network of services throughout Pierce, South King, Thurston and Kitsap counties.

Facilities heritage dates back to the founding of Tacoma’s first hospital in 1882. Since then, it has grown to meet the ever-changing needs of our region-always focusing on excellence, innovation and patient care.”

When  email account gets hacked one should follow below steps to minimize the damage:

Initial step is to assess the damage done by hackers.

Visit the website of your email provider and try to regain the access.

Change the password by authorised method. Check inbox and trash for any password reset emails, which were not initiated by you.

Scan your computer with anti virus software. Many emails are hacked today to install virus on your computer.

Review your personal settings.

Validate the source  of any program, game and app before downloading it.

_____________________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Stolen laptop results in data breach

February 2nd, 2017

Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) recently suffered data breach when one of its unencrypted laptop was stolen. The laptop contained personal health information of 3,600 patients.

According to the reports, laptop was taken away by thief from the locked vehicle of a CHLAMG physician at CHLA. Investigation conducted by the facility found that the laptop was encrypted to up-to-date institutional standards along with password-protection. But later review mentioned the possibility of unencrypted status of laptop.

Facility is notifying patients whose information was stored on the laptop. Affected information includes names, addresses, medical record numbers, and certain clinical information.

“Following the notification regarding the burglary, an investigation took place to determine whether patient health information existed on the laptop,” CHLA spokesman Lorenzo Benet said in a statement. “Based on the investigation, the laptop has not been used to access the internet. From that information, we believe that all data may have been erased from the device without any patient data being accessed.”

Also, a protocol is created to erase data from the laptop when it logs onto the internet next time. Notification letters sent by facility will instruct individuals to review health insurance documents for evidence of misuse or identify theft.

Facility also asked patients to review their Explanation of Benefits statements in case of any unusual behavior . Also, they are advised to notify the hospital immediately for any issues.

About Childrens Hospital Los Angeles

“Children’s Hospital Los Angeles has been named the best children’s hospital in California and among the top 10 in the nation for clinical excellence with its selection to the prestigious U.S. News & World Report Honor Roll. Children’s Hospital is home to The Saban Research Institute, one of the largest and most productive pediatric research facilities in the United States. Children’s Hospital is also one of America’s premier teaching hospitals through its affiliation with the Keck School of Medicine of the University of Southern California since 1932.”

___________________________________________________________________________________

Alertsec Endpoint Encrypt is certified according to Common Criteria AEL4 and FIPS 140-2.

Unsecured database and data breach

April 16th, 2016

Einstein Healthcare Network announced possible data breach when one of its databases was left unsecured on its website. Einstein Healthcare Network is a Pennsylvania-based healthcare network. The incident has affected approximately 3,000 individuals.

According to the reports, Einstein Healthcare Network found that one of its website databases was available to unauthorized users. Accessible information included patient information that was entered by individuals on information form on the healthcare network’s webpage.

EHR systems was not connected to the website. Affected information included patient names, telephone numbers, reasons for submitting requests, healthcare provider names, and health information.Social Security numbers, financial information, or EHR information was not present on the database. Individuals who entered Information on the webpage’s form before feb 2016 were affected.

“It’s important to note that in the data we evaluated, hacking or IT incidents only accounted for about one in 10 data breaches,”said study lead author Dr. Vincent Liu, a research scientist with the Kaiser Permanente Division of Research in Oakland.

“While hacking has garnered a lot of recent attention, a more common reason for breaches is simple theft of unsecured paper or electronic records,” he continued. “Nonetheless, the potential for hacking to result in a large number of compromised records tends to be higher than for other sources of data breaches.”

Einstein Healthcare Network has now secured the website database and removed it from public view. Internal investigation is also ordered by Einstein Health.

A call center was created to answer questions related to this incident. Einstein Healthcare Network also mentioned that it is committed to improving security measures on its website. Healthcare believes that they have no knowledge that any patient information has been used improperly. Notification letters are sent to affected individuals.

According to the statement by Einstein, “To help prevent something like this from happening in the future, we have secured the website database and are enhancing our security measures for the website. We deeply regret any concern this may cause our patients.”

The breach was not result of hacking but due to technical error. Albert Einstein Healthcare Network is a system based in Philadelphia. Healthcare operates as Einstein Medical Center in Philadelphia, MossRehab with locations throughout Philadelphia and Montgomery Counties, Einstein Medical Center Elkins Park, and Einstein Medical Center Montgomery in East Norriton. Rehabilitation beds and skilled nursing beds as well as primary care and specialty physician practices are available in it’s facilities.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Healthcare sub contractor fails to secure server

August 13th, 2014

Healthcare subcontractor may have compromised up to 570 patients’ data due to recent data breach. At this point name of the sub contractor is not known. According to the reports, sub contractor inadvertently failed to secure a computer server containing patient account information.

Breached information includes patient invoice numbers, charge amounts, balance due, policy numbers and billing-related status comments. It was noticed that Social Security numbers and medical records were not part of the breach.

Free patient identity protection services for affected patients are offered by the physicians. According to the HIPAA Omnibus Rule more responsibility falls on sub contractor to help out with breach notification and other breach-related activities. Terms and status of HIPAA business associate agreement (BAA) is not known.

“There is no indication that personal information has been acquired or used,” the company said. It is not known whether any people in or around Guilford County were affected. A company spokeswoman did not immediately return a request for comment.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

– See more at: http://blog.alertsec.com/#sthash.GEAE5nsG.dpuf