Health And Human Services

Urology clinic suffers data breach

August 5th, 2015

A Montana urology clinic storage unit that housed patient records was broken into and patient data was possibly accessed. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) online breach reporting database shows that 6,500 patients were affected.

Practice manager Tanna Darling mentioned that Urology Associates have sent data breach notification letters to patients. Darling said that “over a few thousand” letters were sent out.

Urology Clinic officials reported that the break-in occurred at the clinic’s storage unit having gated facility. There is possibility that the unauthorized individual was renting a separate storage unit at the facility and therefore had access to the first gate.

“Everything was in disarray, but it honestly didn’t look like they took anything,” Darling said.

Kalispell Police Department Captain Scott Warnell said that the incident is part of a larger trend that is happening across the county, and that the department is making extra patrols on storage units to ensure that unauthorized individuals are not in the area. Patients whose information was possibly accessed will receive one free year of credit monitoring from Urology Associates.

Montana data breach notification law was updated last year.

“Upon discovery or notification of a breach of the security of a data system, a state agency that maintains computerized data containing personal information in the data system shall make reasonable efforts to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person,” the law states.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

UPMC suffers second data breach

July 25th, 2015

Recent data breach in University of Pittsburgh Medical Center (UPMC) Health Plan affected 722 patients. This is the second health data breach at a UPMC facility in just under two months. The incident involved emailing of a data file with certain PHI to the incorrect address.

The affected information includes patient names, member ID numbers, dates of birth, phone numbers, name of the primary care physician’s office, and insurance plan types. Social Security numbers or information about medical histories were not disclosed.

UPMC Health Plan Director of Public Relations Gina Pferdehirt mentioned in an email response that “in context the breach is very minor,” but added that the healthcare organization

was taking the incident seriously.

The data breach occurred when  a former MML employee copied certain items of personal information from the billing system over the past two years and then illegally disclosed that information to a third party.

“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” according to a Medical Management statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”

According to the statement:

“We apologize for any anxiety or inconvenience that this incident may cause our members,” Chief Compliance Officer of the UPMC Insurance Services Division William Gedman said in a statement. “Based on our ongoing investigation, we will make all changes necessary to further enhance our already stringent privacy protections. UPMC Health Plan is committed to doing our utmost to minimize the chance that this type of issue will occur again.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Medical records found in residential driveway

May 15th, 2015

An Orlando facility suffered a data breach after medical records were found in a residential driveway. According to the reports, Florida resident John Henderson received a letter from Orlando facility informing that a list of patients and their information was found in a neighborhood driveway. Henderson also mentioned that his son’s information was on the found patient list.

The affected information includes patient names, medical record numbers, account numbers and even diagnoses. The notification letter added that Social Security numbers and insurance information were not included on the papers. Facility mentions that one of its employees reportedly took the patient list home by mistake, and it is believed that it fell out of the employee’s car

“It just don’t make sense, it don’t make sense,” Henderson told the news source. “And I can’t believe Orlando Health is this irresponsible.”

Orlando Health said that notification letters were sent to 68 patients “out of an abundance of caution,” and that it does not believe that any harm will come from the incident.

“We understand the concerns of patients involved in this incident,” Orlando Health said in its letter, according to the news reports. “The privacy and security of our patients’ health information is a top priority for us. We conducted a thorough investigation of the incident and found no evidence of malice or intent.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Potential PHI exposure due to phishing scam

March 29th, 2015

Children National Health System (Children’s National) employees fell victim to phishing scam which led to potential PHI breach for some patients. According to the reports, hackers could have gained access to PHI from the employee’s email account. The affected information includes names, addresses, dates of birth, and telephone numbers. Moreover, clinical information such as diagnoses, treatment received, medical record numbers, medical service codes or health insurance information, were also potentially accessed. Few records also included Social Security Numbers.

“We reported the phishing attack to federal law enforcement and continue to work with them in their investigation,” the statement read. “Importantly, neither patient charts nor our electronic medical records system were compromised. Only the discrete information contained in the email accounts was potentially affected.”

After the incident, the company is training the employees to handle the suspicious emails. The facility has enhanced its existing technical safeguards and a review of systems is underway.

According to the statement:

We have no evidence that this information in the emails has been misused or even accessed. However, in an abundance of caution, we began sending letters to affected patients on February 24, 2015, and have established a dedicated call center to answer questions patients may have.

We recommend that affected patients regularly review the explanation of benefits statement that they receive from their health insurer. If you identify services listed on your explanation of benefits that you did not receive, please immediately contact your insurer.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Stolen server leads to data breach

February 18th, 2015

Three notices were sent to patients informing them about the data breach which was caused by burglary in California dentist Dr. Cathrine Steinborn’s office. Apparently, first notice didn’t contain enough information, as two more notices were sent.

“Your dental records and radiographs were fully backed up, so there will be no loss of continuity of care,” Steinborn wrote in the first data security notice. “However, your personal identity and insurance information is on the server and could be compromised.”

The first notification failed to notify patient’s the details of information may have been compromised by the data breach. Dr. Catherine explained that a door was forced open and the server containing patients’ electronic records was stolen.

A police report was filed and the dentist’s office is working with its property manager “to enhance the physical security of the building,” Steinborn explained.

Second letter mentioned that the dentist’s office does not store patients’ financial information, such as credit cards, or driver’s license numbers but keeps names, addresses, phone numbers, insurance information, dates of birth and group numbers on file. Also, patients’ Social Security numbers, as well as all patients’ health history and dental records are kept in office.

“Our server had two levels of password protection, but was not encrypted,” Steinborn said in the second letter. “Currently, our files are in the cloud, in an encrypted form. I will be having the new server encrypted. An IT specializing in HIPAA will complete a thorough risk evaluation and we will be implementing robust physical and IT security going forward.”

Final letter was about security aspects.

“We previously provided notice of this incident to you, and are providing you additional information about the incident and helpful information on protecting against identity theft and fraud.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

No Heath Data Encryption in Federal Sites

November 9th, 2014

Individuals used AIDS-related medical services information on government health websites which lacked health data encryption. In the recent times health care security is on high priority agenda and lapses like federal websites demands for change.  According to the reports, government is taking initiatives to secure the data. The sites have possible risk of exposing the identities of visitors as private information, like the actual latitude and longitude location of visitors.

“The sites and apps did not themselves track visitors, but their data was handled in ways that could have enabled monitoring by employers, universities or others with access to the data flowing between individual devices – such as computers and smartphones – and the Internet.,” the news source reported.

Steve Roosa, a partner at law firm Holland & Knight, first made the health data encryption discovery. Roosa explained that as part of HIPAA, the Department of Health and Human Services (HHS) enforces federal healthcare privacy rules when personal medical information is handled by private entities.

“It is somewhat shocking, and more than a little ironic, that HHS has opted not to adhere to its own standards here, when the failure to do so puts sensitive health information at risk,” Roosa said in the report.

Aids.gov was one of the website and its Director Miguel Gomez said they started automatically using encryption for all of its users. Since 2010, the website transmitted unencrypted location information of users searching for healthcare providers online. However, the site started offering encryption services – for those who knew how to use it – since last year.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Montana Health Department hacked

June 7th, 2014

Montana Department of Public Health and Human Services is notifying public program clients and employees about data breach due to recent incident of server hacking. Montana hired an investigator and confirmed that their server was inappropriately accessed. The server had sensitive information which included state public assistance data such as food stamps, welfare payments, Medicaid, home heating aid and child-care assistance, birth records and some state employee information. It was also found out that there may have been clients’ names, addresses, birth dates, Social Security numbers and healt

As protected health information (PHI) was involved in this breach, Montana may initiate conversation with the Department of Health and Human Services (HHS). Montana’s state CIO, Ron Baldwin, told the Gazette that this was a first-time breach and that an outsider found a software vulnerability prior to the department being able to patch it, leading to the server hack. “This is not unique to Montana, it’s not unique to state government,” he said. “All states, all major businesses are experiencing these (attempts) every day, every month, every year … and they come from all over the world.”

Montana Department of Public Health and Human Services director Richard Opper suggested that the hackers may have been involved with trading Bitcoins in some form. “Out of an abundance of caution, we are taking the necessary steps to reach out to those whose information may have been stored in the server,” he said to the Gazette. “DPHHS is committed to answering questions clients and employees may have, and to help them take advantage of services we are offering.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Largest ever violation settlement by NYP and CU

May 10th, 2014

The Department of Health and Human Services (HHS) has issued $4.8 million worth of HIPAA fines to New York and Presbyterian Hospital (NYP) and Columbia University (CU). Earlier NYP and CU had violated both the HIPAA Privacy and Security Rules which resulted in electronic Protected Health Information (ePHI) of 6800 patients to data breach. NYP and CU learned of the breach when a deceased patient’s partner found the former patient’s ePHI on the internet.

Breach occurred when the application developer for the affiliate organizations tried deactivating a personally owned computer server on the network which held the data. Soon the ePHI become accessible on the internet search engines after the process of server deactivation.

NYP and CU had submitted a joint breach report after ePHI held on their network suffered data breach. EPHI included patient status, vital signs, medications, and laboratory results.  NYP paid OCR $3,300,000 and CU had to give $1,500,000, with both agreeing to complete corrective action plans. It includes risk analyses, developing risk management plans, revising policies and procedures, staff training, and providing OCR with progress reports.

“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

According to the hhs.gov website,

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

– See more at: http://blog.alertsec.com/#sthash.4Btkgtu7.dpuf

Enhanced by Zemanta