Data theft

PHI available online

January 5th, 2017

Indiana-based Fairbanks Hospital recently mentioned that they suffered data breach. It said that Fairbanks employees had online access to certain current and former patients’ PHI. This access was not meant for all the employees.

“The investigation has determined that this issue existed since at least November of 2013, however we are unable to determine whether the issue existed prior to that time,” the hospital said. “We have now corrected this issue so that only the appropriate Fairbanks personnel has electronic access to files containing patient information.”

As per the OCR data breach reporting tool, incident affected 12,994 individuals. Breached information included names, Social Security numbers, dates of birth, contact information, patient identification numbers, diagnoses, treatment information, health insurance information, and information related to initial admission and appointment scheduling.

Facility mentioned that the affected information will vary by patient. The majority of patients are “only having their name and limited information relating to initial admission and scheduling of appointments impacted.”

Fairbanks said that it is not aware of any actual or attempted misuse of the information. Facility is offering Identity and credit monitoring services.

“We encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports and explanation of benefits forms for suspicious activity,” Fairbanks said. “This also includes reviewing account statements, medical bills, and health insurance statements regularly to ensure that no one has submitted fraudulent medical claims using your name and address.”

Fairbanks mentioned that individuals can place “fraud alert’ at no charge. This step will alert creditors to take additional steps to verify your identity prior to granting credit in your name. As this procedure tells creditors to follow certain rules, it may delay individuals’ ability to obtain credit.

Individuals can also place a security freeze on credit reports. This process will give rights to bureau not to release any information from a consumer’s credit report without the consumer’s written authorization. It may delay, interfere or prevent timely approval. It can affect processing for new loans, credit mortgages, employment, housing, or other services. This service is provided free of cost if individual provides valid police report.

Individuals can also educate themselves for identity theft, fraud alerts, and the steps one can take by contacting the Federal Trade Commission or individuals’ state Attorney General.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Ransomware attack

December 18th, 2016

Dr. Melissa D. Selke based in New Jersey recently announced a data breach. Facility website posted a data breach notification letter. The incident may have affected several thousand patients.

Selke found out that her system had been infected with a virus that prohibited access to patient files. The system was restored immediately. After investigation, the possibility of ransomware attack was analyzed. An unauthorized third party introduced the virus onto her system.

Melissa D. Selke, MD, has practiced privately in the area of Hillsborough and Somerset, New Jersey.  Her total experience of the practice is 15 years. She is board certified in Family Medicine.

Dr. Selke has following education qualification –

BA in behavioral biology with honors at the Johns Hopkins University in Baltimore, Maryland

MD at Baylor College of Medicine in Houston, Texas. After graduating

Residency in Family Medicine at Spartanburg Regional Medical Center in Spartanburg, South Carolina.

Affected information in this incident includes patients’ names, addresses, phone numbers, Social Security numbers, treatment and diagnosis information, driver’s license information, health insurance information, treating physician information, medical record number, and treatment date(s).

Dr. Melissa mentioned in her letter that the third-party “viewed or took patient information stored on the server.”

“We take this incident, and patient privacy, very seriously,” Selke said in a statement. “We are taking steps to help prevent another incident of this kind from happening, and continue to review our processes, policies, and procedures that address data privacy.”

As per the OCR data breach reporting tool, incident has affected approximately 4,200 individuals.

While no protection services were offered, Selke encouraged affected individuals “to remain vigilant against incidents of identity theft and fraud.” Individuals should regularly review their financial account statements, credit reports, and explanations of benefits for suspicious activity, the notification letter said.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach at Quest Diagnostics

December 15th, 2016

Quest Diagnostics recently suffered data breach which may have involved the information of 34,000 patients. According to the reports,  an unauthorized third party got access of the MyQuest Care360® internet application.

Quest Diagnostics is a global company with headquarters in the U.S. It has operations in India, Ireland, and Mexico. Customers from more than 130 countries use its products and services. Facility also has collaboration with many international diagnostic laboratories, clinics and hospitals.

In United States, facility provides clinical testing services through a national network of laboratories. It is located in major metropolitan areas. In India, it provides a range of products and services to physicians, hospitals, life insurance companies and pharmaceutical/biotech companies through the state-of-the-art laboratory facility in Gurgaon.

In the data breach, Social Security numbers, credit card information, and insurance or other financial information are safe. Affected information included name, date of birth, lab results, and telephone numbers for few.

“When the intrusion was discovered, we immediately took steps to stop any further unauthorized activity,” read the letter, which was signed by Quest Executive Director of Compliance Operations & Privacy Office Carl A. Landorno. “We are taking steps to prevent similar incidents from happening in the future, and are working with a leading cybersecurity firm to assist with our investigation and to further evaluate our systems. We have also reported the incident to federal law enforcement authorities.”

Quest believes that there is no indication that the PHI has been misused in any way. It also mentioned that there is no need for potentially affected individuals to take additional steps to protect themselves from the breach.

“We sincerely apologize for this breach of your information. We have established a dedicated toll free number for you to call if you have any questions regarding this incident.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to stolen flash drive

December 10th, 2016

OptumHealth based in New Mexico recently announced data breach. The incident was outcome of missing unencrypted flash drive. Approximately 2,000 individuals were affected.

The device contained information for some individuals who were enrolled in an OptumHealth plan. Affected information includes individuals’ name and a full or partial date of birth, telephone number, health identification number, address, provider name, diagnosis, or other health information. Financial information was not affected. Some individuals’ full or partial Social Security numbers were present on the flash drive.

“Upon discovery, we took prompt action to investigate the matter,” OptumHealth said in its statement. “The U.S. Postal Service was immediately notified to assist in locating the flash drive, and we are working closely with them as they further investigate the matter. We have implemented new measures to help prevent this from occurring in the future, including updating our processes related to vendors in efforts to prevent the occurrence of similar incidents.”

OptumHealth sent the notification letter to potentially affected individuals. Facility mentioned that there are few individuals who cannot be notified via mail.

While OptumHealth mentioned that “the information potentially accessed was limited,” it still encouraged individuals to enroll in the free services. As per the OCR data breach reporting tool, incident affected 2,006 individuals. It has also offered one year of complimentary identity theft protection services.

As per the statement,

We also encourage individuals to be vigilant against incidents of identity theft. As a precaution to protect against misuse of your information, we recommend that individuals regularly monitor documentation concerning health care, bank and credit card statements, and tax returns to check for any unfamiliar activity. If you notice any suspicious activity on health statements, bank or credit card statement, or tax returns, please immediately contact the financial institution, credit card company, health plan, or other relevant institution.

 ___________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach at Vascular Surgical

December 7th, 2016

Vascular Surgical Associates based in Georgia recently suffered data breach after one of its computer servers was hacked. As per the statement, the attack occurred during the time of a software update. After an initial investigation by the facility, it found out that a compromised vendor password was used in this incident.

As per the FAQ section of Vascular Surgical, it had “hired vendors with national reputations and significant client bases to support the computer system infrastructure we use to maintain our medical records.” Furthermore, the ONC had certified the software.

“A password that was created by one of these vendors and controlled by that vendor was used to access our system inappropriately,” the FAQ read. “The perpetrators installed software on our system to prevent us from seeing the activity, but once that activity was identified by our internal IT staff, the system access was changed to prevent additional access using that password.”

As per the OCR data breach reporting tool, incident affected 36,496 individuals. As per the preliminary reports, it is likely that the hackers reside in other countries. Affected information included medical records and demographic information such as dates of birth and addresses. Social Security numbers and financial data were not present on the compromised server. Facility also mentioned that portal was not involved or affected. Patient care is carried as usual.

“Upon learning of the incident and verifying the unauthorized access through forensic evaluation, we immediately secured the server so that this type of attack could not occur again,” the statement explained. “We are confident that none of our staff had any involvement in this incident, as the compromised password that was used to access the information was only available to our vendors and their staffs.”

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to stolen laptop

November 30th, 2016

Kineto Rehab PHysical Therapy, PLLC based in New York recently suffered data breach due to stolen laptop.  As per the reports, a bag containing a work laptop was stolen by the individual. Facility got hold of the footage which identifies thief. It also found out the bag later without laptop in it. Police are still working to track down the thief.

As per the statement, “We sincerely apologize for this incident and we regret any inconvenience it may cause you. Should you have questions or concerns regarding this matter, please do not hesitate to contact us.”

Affected information includes patient names, dates of birth, addresses, Social Security numbers, insurance information and clinical/physical therapy notes.

“There is no indication that your information has been accessed or used by an unauthorized individual,” read the Kineto statement, which was signed by CEO Shirley Agapito, DPT. “Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.”

As per the OCR data breach reporting tool, the incident affected 665 individuals. Facility mentioned that affected Individuals will be offered a complimentary one-year membership identity protection services.

Website statement provides guidelines as below:

Fraud Alert

Place fraud alert when someone else tries to open a credit account in your name, get add on card or increase the credit limit.

Security Freeze

One can place security freeze on credit report which will stop lenders and others from accessing credit report completely.

Review Reports

Order free annual credit report and look for any discrepancies and spendings.

Credit providers and tools

Create message /email alerts on credit cards and bank accounts to notify you of any transaction or activity. Report the bank if you have not carried out that activity.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

GHS data breach

November 15th, 2016

South Carolina based facility Greenville Health System (GHS) recently suffered data breach when one of its vendors had inappropriately downloaded patient data. The incident has potentially affected 2,500 patients.

GHS is associated with Ambucor Health Solutions, a remote-monitoring labor service for cardiac devices. As per the reports, one of the Ambucor employee downloaded GHS information just before his employment at Ambucor ended.

Law enforcement handed over two flash drives in July to Ambucur, which had been turned in when the employee left. Facility has began to notify patients about the incident.

Affected information may include the patient’s name, date of birth, home address, phone number, race, diagnosis, medications, testing data, patient identification number, medical device information (such as the manufacturer, identification number and model/serial numbers), Ambucor enrollment number, Ambucor enrollment date, Ambucor technician name, physician name(s) and the name and address of the practice where the patient was seen.

“GHS and Carolina Cardiology Consultants take patient privacy seriously and deeply regret any inconvenience or concern this incident may cause our patients,” Dr. Joseph Manfredi, ambulatory director of electrophysiology, told the news source.

Ambucor announced that it will offer affected patients one year of identity protection services and, if required, related recovery services and $1 million of identity theft insurance at no cost.

“Letters with instructions about activating the free identity protection services will be mailed to affected patients” said Ambucor

Facility mentioned that the affected patients should consider activating the identity protection services. it also said that steps are taken to prevent this type of incident from occurring again. It will  thoroughly review and update it processes as per the HIPAA security standards.

Tips to prevent data theft

Employees must undergo training

Sensitive information must be secured through encryption

Access to the sensitive data should be controlled

Keep software and system up to date

Verify security controls of third parties

Dispose of sensitive data

____________________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data breach due to stolen laptop

November 6th, 2016

MGA Home Healthcare Colorado, Inc. recently suffered data breach  after a laptop was stolen from an employee’s locked vehicle. Facility is notifying 3,119 patients about the incident.

As per the statement, ‘MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused.For further information and assistance, potentially affected individuals may contact MGA’s incident response service provider, AllClear ID.’

Theft reportedly took place sometime between August 19, 2016 and August 20, 2016 while MGA came to know about it on August 20. Facility notified law enforcement.

MGA said that it is conducting a thorough review of the potentially affected records to confirm what information was exposed. Affected information included names, addresses and other demographic information. Information about MGA-provided healthcare services may have also been exposed. for some patients. Also, thirty two patients had their Social Security number or driver’s license number included in the laptop.

“MGA has no evidence that the information on the laptop has been accessed or used,” MGA maintained. “As a precaution, MGA is offering identity theft protection services to affected individuals. MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused.”

Ways to secure your laptop:

Login Password

Provide a login name and password to access your system

Authentication Gestures

Some laptop comes with authentication gestures. It is part of hardware solution which can be utilised to secure your laptop

Encrypted File Systems

First understand what is a file system. Each operating system uses some algorithm to store and retrieve data from your hard disk. Encrypted File Systems layer themselves on top of an existing file system

Encryption

Through this method encrypting individual files or directories manually is carried out. There are various tools available in the market to do so.

Tracing and Tracking

 With the help of tracking feature/companies you can know the location of the laptop. The laptop must be connected to the internet to send the location pointer.

 ___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

California based healthcare facility recently suffered data breach

November 5th, 2016

Physical therapy organization recently suffered a data breach. The incident has potentially affected the information of approximately 8,000 individuals.

As per the reports, Silver Creek Fitness & Physical Therapy, Silver Creek Physical Therapy Gilroy, Silver Creek Physical Therapy Sunnyvale, and Silver Creek Physical Therapy Los Gatos (Silver Creek) billing and software companies reported to Silver Creek about the vulnerability of Amazon “S3” storage account.

The incident provided the access to individuals outside of the organization. Various facilities mentioned that the account was vulnerable from May 2016 to September 11, 2016. Facility also said that some PHI was in the storage account.

Affected information includes patient names, Medicare numbers, prescriptions, dates of birth, treatment locations, treatment dates, Social Security numbers for a small subset of individuals, driver’s license numbers, and progress notes. As per the OCR data breach reporting tool, total 8,009 individuals were affected.

“We take any threat to the security of information entrusted to us very seriously,” Co-founder of Silver Creek Fitness & Physical Therapy Todd Jones said in a statement.  “Once the error was discovered, we worked with the billing and software companies to ensure that access to the storage account was restricted and that proper access credentials are in place. We apologize for any inconvenience or concern this incident may cause our patients.”

Facility mentioned that it is unaware of any misuse of client personal information. It is offering credit monitoring and identity restoration services.

Fraud prevention tips for the affected individuals includes:

Review of account statements, medical bills, and health insurance statements

Credit reports monitoring

Placing credit file fraud alert activation

Placing credit file security freeze

It’s also important to educate on identity theft, fraud alerts, and the steps to protect by contacting the Federal Trade Commission or your state Attorney General.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

 

Anthem data breach

November 3rd, 2016

Anthem, Inc. based in Indiana recently reported data breach which affected 3,500 Medicare members. According to the reports, certain personal information was exposed after company policies were violated by the employees. Medicare sales department employee emailed company information to his personal email address.

“The individual is no longer employed with our company,” Anthem wrote. “When questioned, the individual advised that he was using the data to validate his commission payments. The information obtained by the individual is the property of the company, and he, like all employees, was prohibited from sending such information outside of the company.”

Affected information included names, dates of birth, addresses, health plan information and, in some cases, Medicare ID numbers. Facility believes that there is no indication of information misuse or identity theft.

Facility mentioned that affected individuals should routinely review accounts statements from time to time and get credit report from one or more of the national credit reporting companies.

Facility mentioned that, ‘We have worked diligently since the discovery of this matter to identify all individuals whose information may have been impacted by the actions of the former sales employee. We have identified Medicare-eligible individuals impacted and we are in the process of contacting these individuals for whom we have valid addresses by U.S. Postal Service addresses. For those whose Medicare ID numbers (which may include a Social Security number) may have been included, we will offer free identity theft protection and credit repair/monitoring services through AllClear Credit and Identity Theft Monitoring and AllClear Identity Repair.’

Earlier Anthem suffered data breach which was considered one of the largest healthcare data breaches. Hackers broke into one of its databases which potentially compromised 78.8 million individuals. This incident breached names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses of millions.

____________________________________________________________________________________________

The Alertsec service protects everything stored on the computer such as Word, PowerPoint, Excel, Outlook, Gmail, Photos, Credit Card data files etc. Perhaps, most importantly, your login credentials to cloud applications are protected.