Healthcare

Data breach at rehabilitation facility

February 27th, 2017

Catalina Post-Acute and Rehabilitation recently announced data breach when paper files were left in an unattended area. The patient data and certain employee information were left temporarily vulnerable to possible unauthorized public access. Current or past residents and employees are encouraged to take steps to protect themselves.

Facility has mission statement provided on the website as, “Working together to create a sense of community, our dedicated and compassionate staff will strive to exceed your expectations and make a difference in the lives of those we serve by providing exceptional care and service, and remembering you are the reason we are here.”

The healthcare organization mentioned that it came to know about these files on December 5, 2016. Affected information included demographic information. Diagnoses and Social Security numbers in some cases. As per the OCR reporting tool, the incident affected 2,953 individuals.

Facility mentioned that it launched an investigation into the incident. Also, protocols in place relating to PHI storage and employee information are reviewed. It also mentioned that as per the internal investigation it appears that no patient or employee information was misused.

“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.

Facility also mentioned that consumers may request free copy of their credit report once 12 months from Equifax, Experian and Trans Union. These agencies have central website to provide free credit report.  It has also provided contact number to answer questions and queries of affected individuals.

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Data breach due to email hack

February 20th, 2017

Foot and ankle surgeon Jay Berenter’s office announced data breach due to an email hack. Hackers sent some patients an email that the office employees claimed not to have sent. As per the reports, the email sent to Dr. Berenter’s contacts  contained a DocuSign document waiting for their review.

As per the statement, “Dr. Berenter takes the protection of information seriously and understands how important trust is in a physician-patient relationship.”

Dr. Berenter’s office immediately sent another email informing patients not to access the DocuSign email. After the incident came to notice, Dr. Berenter’s office took steps to secure the email account. It also hired forensic IT specialists.

Investigation was carried out to determine the extent of breach. it also checked whether any of the office’s systems were affected. Facility mentioned that the incident was determined to be limited to the email account only. Potentially affected information includes patient registration forms, prescriptions, and patient names.  As per the data breach reporting tool, the incident affected 569 individuals.

Facility has also hired forensic IT specialists to investigate the incident further. It is trying to make sure that no electronic medical records were accessed. Facility is implementing new email system. Additional internal administrative steps are taken to prevent a similar hack.

Federal agencies of California Attorney General and the Federal Department of Health and Human Services are notified about the incident. Facility believes that there is no evidence to say that information is misused.

Dr. Berenter’s office has provided contact information to answer queries. One year of complimentary identity theft protection is provided to potentially affected clients. It has also encouraged to place a free 90 day fraud alert on affected accounts.

“Protecting your information is incredibly important to Dr. Berenter, as is addressing this incident with the information and assistance you may need.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Unauthorized access and data breach

February 17th, 2017

Verity Health System based in California recently announced that an unauthorized access may have caused data breach. The incident affected personal information of more than 9,000 individuals.

Verity Health operates six hospitals which includes Seton in Daly City, Seton Coastside in Moss Beach, O’Connor in San Jose, St. Louise in Gilroy and two in Southern California. It also runs Verity Medical Foundation and Verity Physician Network. Verify Health was known as Daughters of Charity. It was renamed after taken over by investment firm BlueMountain Capital Management.

Verity Health mentioned that the access occurred on the Verity Medical Foundation-San Jose Medical Group website.  It mentioned that the website is no longer in use. Also, immediate steps were taken to secure it and protect it from further damage.

Affected information included patient names, dates of birth, medical record numbers, addresses, email addresses, phone numbers and the last four digits of credit card numbers. Full credit card numbers and Social Security numbers were not included in the breach.

Verity mentioned that 9,000 got affected individuals in its statement. As per the OCR data breach reporting tool, incident impacted 10,164 individuals.

“Verity Health System takes the security of our patients’ information seriously, and we regret that this incident occurred,” Verity Health CEO Andrei Soran said in a statement. “We took immediate steps to investigate this incident, notify the affected individuals and appropriate authorities, and ensure enhanced protection of our information systems going forward. We are working with a leading cyber-security firm to further evaluate the integrity of our information systems.”

Facility believes that there are no reports of misuse of information. It has also established a call center to answer queries. It is also offering one free year of credit monitoring services for potentially affected patients.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Break In causes data breach

February 14th, 2017

Wichita, Family Medicine East, Chartered based in Kansas reported that it suffered data breach due to theft of an unencrypted desktop computer and printer from its facility. As per the reports, an individual got into the building by breaking an exterior window. Family Medicine mentioned that police have not yet caught the thief. Also, stolen items are not recovered.

Family East mentioned that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.”

Affected information included patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes. Social Security numbers and addresses are not included in the breach. Letters written to other physicians discussing a Family Medicine referral were included for few. Letters were also identified by name and information about their medical condition.

“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee’s oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”

Individuals who got treated in 2002 or 2003 are asked “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Steps also include obtaining credit reports and monitoring their financial and baking accounts for activities.

Facility mentioned that it is offering complimentary credit monitoring services to potentially affected patients. It also said that all computers and systems will be encrypted.

“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to stolen flash drive

December 10th, 2016

OptumHealth based in New Mexico recently announced data breach. The incident was outcome of missing unencrypted flash drive. Approximately 2,000 individuals were affected.

The device contained information for some individuals who were enrolled in an OptumHealth plan. Affected information includes individuals’ name and a full or partial date of birth, telephone number, health identification number, address, provider name, diagnosis, or other health information. Financial information was not affected. Some individuals’ full or partial Social Security numbers were present on the flash drive.

“Upon discovery, we took prompt action to investigate the matter,” OptumHealth said in its statement. “The U.S. Postal Service was immediately notified to assist in locating the flash drive, and we are working closely with them as they further investigate the matter. We have implemented new measures to help prevent this from occurring in the future, including updating our processes related to vendors in efforts to prevent the occurrence of similar incidents.”

OptumHealth sent the notification letter to potentially affected individuals. Facility mentioned that there are few individuals who cannot be notified via mail.

While OptumHealth mentioned that “the information potentially accessed was limited,” it still encouraged individuals to enroll in the free services. As per the OCR data breach reporting tool, incident affected 2,006 individuals. It has also offered one year of complimentary identity theft protection services.

As per the statement,

We also encourage individuals to be vigilant against incidents of identity theft. As a precaution to protect against misuse of your information, we recommend that individuals regularly monitor documentation concerning health care, bank and credit card statements, and tax returns to check for any unfamiliar activity. If you notice any suspicious activity on health statements, bank or credit card statement, or tax returns, please immediately contact the financial institution, credit card company, health plan, or other relevant institution.

 ___________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to stolen laptop

November 6th, 2016

MGA Home Healthcare Colorado, Inc. recently suffered data breach  after a laptop was stolen from an employee’s locked vehicle. Facility is notifying 3,119 patients about the incident.

As per the statement, ‘MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused.For further information and assistance, potentially affected individuals may contact MGA’s incident response service provider, AllClear ID.’

Theft reportedly took place sometime between August 19, 2016 and August 20, 2016 while MGA came to know about it on August 20. Facility notified law enforcement.

MGA said that it is conducting a thorough review of the potentially affected records to confirm what information was exposed. Affected information included names, addresses and other demographic information. Information about MGA-provided healthcare services may have also been exposed. for some patients. Also, thirty two patients had their Social Security number or driver’s license number included in the laptop.

“MGA has no evidence that the information on the laptop has been accessed or used,” MGA maintained. “As a precaution, MGA is offering identity theft protection services to affected individuals. MGA is committed to the privacy of its patients’ and employees’ information and regrets any concerns or inconveniences that this incident may have caused.”

Ways to secure your laptop:

Login Password

Provide a login name and password to access your system

Authentication Gestures

Some laptop comes with authentication gestures. It is part of hardware solution which can be utilised to secure your laptop

Encrypted File Systems

First understand what is a file system. Each operating system uses some algorithm to store and retrieve data from your hard disk. Encrypted File Systems layer themselves on top of an existing file system

Encryption

Through this method encrypting individual files or directories manually is carried out. There are various tools available in the market to do so.

Tracing and Tracking

 With the help of tracking feature/companies you can know the location of the laptop. The laptop must be connected to the internet to send the location pointer.

 ___________________________________________________________________________________

Alertsec Endpoint Encrypt is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Integrity Transitional Hospital data breach

November 2nd, 2016

Integrity Transitional Hospital based in Texas recently suffered a hacking attack. As per the Office for Civil Rights data breach reporting tool, this incident may have affected 29,514 patients.

The statement on the website began with following, ‘Integrity Transitional Hospital (“Integrity”) is deeply committed to protecting the security and confidentiality of the information in its care. Regrettably, this notice concerns an incident involving some of that information.’

Facility mentioned that it stores certain patient information on laboratory specimens from companies that work with various healthcare providers. Then specimens are submitted to laboratories for testing. The data is kept for billing purposes.

Affected information included some of the lab results, lab testing information, health insurance information, and scanned driver’s licenses associated with laboratory services. Social Security numbers and other financial information were not included in the breach.

“Integrity is committed to the security of the sensitive information it maintains and is taking this matter very seriously,” the hospital said. “To help prevent a similar incident from reoccurring, we are enhancing existing security on our systems related to the laboratory information we maintain.”

Facility belives that there is no such evidence which concludes that breached information is misused. It has began mailing letters to affected individuals. Dedicated call centre is established by the Integrity to answer queries regarding the incident.

Integrity Hospital adheres to the following values(as mentioned on its website):

Compassion: Provide the best care, treating patients and family members with sensitivity and empathy.

Integrity: Adhere to the highest standards of professionalism, ethics and personal responsibility, worthy of the trust our patients place in us.

Respect: Treat everyone in our diverse community, including patients, their families and colleagues, with dignity.

Excellence: Deliver the best outcomes and highest quality services through the dedicated effort of every team member.

 ___________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Data breach at CalOptima

October 20th, 2016

CalOptima based in the California recently suffered data breach. It has reported the second breach in a month. According to the reports, PHI data breach has affected 56,000 individuals.

Incident involves former CalOptima employee who downloaded data to an unencrypted USB flash drive. Affected information includes patient names, other demographic information, and other health plan-related information. Also, Social Security numbers, and the Social Security numbers of children were included for few cases.

Different notification letters were posted to the California Attorney General’s Office based on whether Social Security numbers were included or not.

“While we are still investigating this matter, CalOptima felt it was important to notify you promptly of this incident,” explained one of the notification letters. “We regret that this occurred and want to assure you that we are changing our procedures and practices to minimize the risk of it happening again.”

CalOptima spokeswoman Bridget Kelly mentioned that the investigation is going on. She also added that there is no reason to believe that the information was misused.

“We have implemented several additional safeguards to better protect members against this type of incident in the future,” Kelly said.

As per the statement, facility has asked the affected individuals to follow guidelines.

 We recommend that you monitor your credit using the free service from IDT911. CalOptima is providing you with access to Triple Bureau Credit Monitoring services at no charge. These services provide you with alerts for twelve months from the date of enrollment when changes occur to any of one of your Experian, Equifax or TransUnion credit files. This notification is sent to you the same day that the change or update takes place with the bureau. These services will be provided by IDT911, a company that specializes in identity theft education and resolution.

____________________________________________________________________________________________

 Alertsec is used by organizations that have recognized the need to protect their information.

Sensitive information on internet affects 300k

October 9th, 2016

Central Ohio Urology Group (COUG) recently suffered data breach. The incident may have exposed the information of patients, employees, and individuals who got the services from the facility.

As per the statement, “We want to make affected individuals aware of steps they can take to guard against fraud or identify theft. Individuals can carefully check their credit reports for accounts they did not open or for inquiries from creditors they did not initiate, and should call the credit agency immediately if they see something they do not understand. Any suspicious activity on a credit report should be reported to the local police or sheriff’s office. When contacting law enforcement, individuals should file a police report for identity theft and get a copy of it, since it may be necessary to give copies of the police report to creditors to clear up fraudulent records.”

Affected information included names, addresses, telephone number(s), emails, dates of birth, Social Security numbers, driver’s license/state identification numbers, patient identification numbers, medical and health plan information, account information, diagnoses or treatment information, health insurance information and identifiers, and employment-related information.

According to the reports, an unauthorized individual made the files and documents live on the internet. Online drive was accessible on August 2, 2016. As per the OCR data breach reporting tool, data of 300,000 individuals was breached.

COUG removed the information from the drive within hours and local law enforcement were contacted. Facility also hired a forensics firm to investigate the incident.

“We carefully reviewed the posted files and documents to determine what types of information had been put online and which individuals may have been affected,” the statement reads. “Additionally, we installed network monitoring software, implemented a new firewall, added access restrictions and began updating system protections to help prevent this type of incident from recurring in the future.”

One year of complimentary identity protection services to individuals is provided to the potentially affected individuals.

____________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information.

Ransomware and data breach

October 7th, 2016

Urgent Care Clinic of Oxford in Mississippi recently suffered data breach due to ransomware attack.  According to the reports, the server was attacked in early July. The facility came to know about the incident on August 2, 2016.

As per the statement, “ We understand this may pose an inconvenience to you, and we sincerely regret that this situation has occurred.”

Facility regained control of the server and shut down its remote access. It is taking precaution to prevent the same type of incident. Affected information included patients’ names, Social Security numbers, dates of birth, and other personal information. Any health information on file was also accessed.

“The investigation revealed it is very likely that the attack was carried out by criminal Russian hackers,” Urgent Care said in a letter signed by Dr. Willis Dabbs and Dr. David Coon. “Unfortunately, we cannot say which patients specifically may have been affected by this data breach.”

Facility did not specify number of affected patients by the incident. It has urged individuals to regularly check all credit and bank accounts and report any suspicious activity. Facility is also offering one year of complimentary identity protection services.

“We understand this may pose an inconvenience to you, and we sincerely regret that this situation has occurred,” Dabbs and Coon wrote. “Urgent Care is committed to providing quality care and service to all its patients, and that includes keeping your personal information as safe and secure as possible.”

Direction to place fraud alert:

A fraud alert is a consumer statement added to your credit report. This statement alerts creditors of possible fraudulent activity within your report as well as requests that they contact you prior to establishing any accounts in your name. Once the fraud alert is added to your credit report, all creditors should contact you prior to establishing any account in your name.

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.