identity theft

Data breaches due to unauthorized access

March 23rd, 2017

Virginia Commonwealth University (VCU) Health System recently announced data breach which affected over 2,700 patients. The incident occurred due to unauthorized access over a three-year period between January 3, 2014 and January 10, 2017.

Facility conducted investigation which found out that employees of community physician groups, and an employee of a contracted vendor had access to patient records without proper explanation. Concerned employees are terminated.

“As part of the health system’s partnership with community physicians, access is provided to their practices so they can view the medical records of their patients who are referred to the VCU Health System for care and treatment. Access also is provided to certain contracted vendors who provide medical equipment to patients for continuity of care at discharge from the hospital.”

Affected information included patient names, addresses, dates of birth, medical record numbers, health care providers, visit dates and Social Security numbers.

Facility is providing one year of free credit monitoring.

Second incident involves Tarleton Medical who announced data breach recently. Incident involves unauthorized access of a data server containing PHI from patient medical records.

Affected information included patient names, addresses, dates of birth, Social Security numbers, and healthcare claims information.

Facility did not mention number of individuals affected. As per the OCR reporting tool, incident affected 3,929 individuals.

“We have taken steps to enhance the security of TM patient information to prevent similar incidents from occurring in the future,” the healthcare organization explained in its notification letter.

Tarleton Medical contacted FBI. It is also offering patients free access to a credit monitoring service for one year.

As per the statement, it advised patients to follow below guidelines:

You can follow the recommendations on the following page to protect your personal information. You can also contact ID Experts with any questions Please note that the deadline to enroll is three months following the date of this letter. To receive the aforementioned services, you must be over the age of 18, have established credit in the U.S., have a Social Security number in your name, and have a U.S. residential address associated with your credit file. Your services start on the date that you enroll in the services and can be used at any time thereafter for 12 months following  enrollment.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Verifone suffers data breach

March 17th, 2017

Payment solutions provider Verifone recently announced data breach which affected its internal network.

Verifone CIO and senior vice president Steve Horan sent an email to employees and contractors. They need to change the password within 24 hours. Also, they will be blocked from installing software on a computer till investigation completes. It came to know about the breach from Visa and MasterCard.

Verifone spokesman Andy Payment mentioned that breach didn’t affect payment services network. “We believe today that due to our immediate response, the potential for misuse of information is limited,” he said.

The attack has been traced to Russian hacking group.

As per the statement, “According to the forensic information to date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time-frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

“The fact that Verifone asked employees and contractors to change their passwords and restricted their control over their desktops and laptops suggests that the attackers followed the usual path to gain access to critical systems such as payment terminals: exploit different vulnerabilities to take control over the devices and the accounts of people already inside the company,” Balabit product manager Peter Gyongyosi told eSecurity Planet by email.

“This once again underscores the importance of a multi-layer, defense-in-depth approach to security,” Gyongyosi added. “Keeping endpoint devices completely secure, especially in a large enterprise, is an impossible task and organizations must prepare for situations where an attacker would gain access to internal accounts. Fine-grained access control and detailed monitoring of activities — especially those related to critical systems — and advanced analytics such as behavior analysis can help security teams gain an edge over the attackers.”

Fortune 1000 Security Performance is declining. Verifone is a member of the Fortune 1000.

“It is possible Fortune 1000 companies exhibit a higher frequency of system compromises due to having a large attack surface,” the report states. “Fortune 1000 companies tend to have a high number of employees, which often corresponds to more networked devices and more IP addresses owned. Criminals also may have more motivation to target these prominent companies as they manage PII, PCI and intellectual property.”

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Unauthorized employee access at Vanderbilt University

March 6th, 2017

Vanderbilt University Medical Center (VUMC) recently suffered data breach when it came to know about the unauthorized employee access to patient medical records. As per the reports, concerned employee were working as patient transporters. Patients’ electronic medical records was accessed without necessary permissions.

As per the statement, “The breach prompted the medical center to change the way the patient transport staff gets information so that it no longer gives them access to electronic medical records. Staff in that department were also retrained about appropriate access to information. VUMC is in the process of migrating from its current electronic health record system to a new software system designed by Epic Systems.”

Facilty conducted an audit of electronic medical records (EHR) which was accessed by the employee.  As per the reports, two employees were involved in the breach who viewed adult and pediatric patient information, including patients’ names, dates of birth, and medical record numbers for internal use. One of them got access to patient Social Security numbers in a few instances.

VUMC mentioned that there is no information whether data was downloaded, transferred, or misused in any way. Affected patients received notification letter Facility has offered fraud or identity theft services. As per the report from The Tennessean, incident affected 3,247 medical records.

“We are committed to providing our patients the highest quality care and protecting the confidentiality of their personal information. To our knowledge, the information the employees viewed was not printed, forwarded or downloaded.  So far, we have no reason to believe that our patients’ personal information has been used or disclosed in other ways,” said VUMC Chief Communications Officer John Howser. “While we are not aware of any risk of financial harm to these patients, we are contacting each of them by letter to recommend that they vigilantly review account statements and their credit status.”

_____________________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Financial companies get new security law

February 28th, 2017

The State of New York will be implementing new regulations that require banks, financial services companies to have cyber security programs and also maintain them to specific standards.

“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks,” Maria T. Vullo, superintendent of the New York State Department of Financial Services, said in a statement.

Financial companies now need to check security at third party vendors. Also, they need to maintain adequately funded and staffed cyber security program. It should be monitored by qualified management. The team should report to organisation’s senior body.

Standards are also set for access controls, encryption and penetration testings. Breaches should have response plan. Preservation of data comes under this new rule. And notification to the Department of Financial Services should be sent.

Prevalent director of product management Jeff Hill told “The economic wake of a substantial data breach can stretch for years, impacting not only tangible bottom line results, but also inflicting reputational damage that can linger indefinitely.”

“New York State’s new rules are particularly forward-looking in that they emphasize the importance of understanding and managing third party risk, the source of more than half of all breaches according to a number of studies,” Hill added. “Addressing what is often the soft underbelly of many enterprises’ cyber security defenses — third parties/vendors — the State of New York is forcing a critical element of its economic infrastructure to cover all its bases.”

“In recent times, the regulatory pendulum has begun to swing in favor of a ‘lighter’ approach for banks, financial services and for other industries too, for that matter,” VASCO Data Security head of global marketing David Vergara said by email. “It’s good to see, however, that good sense regulations like this one have survived to offer additional consumer protection via thorough evaluations of third party vendors, comprehensive risk assessments and advocacy for stronger multi-factor authentication.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach at rehabilitation facility

February 27th, 2017

Catalina Post-Acute and Rehabilitation recently announced data breach when paper files were left in an unattended area. The patient data and certain employee information were left temporarily vulnerable to possible unauthorized public access. Current or past residents and employees are encouraged to take steps to protect themselves.

Facility has mission statement provided on the website as, “Working together to create a sense of community, our dedicated and compassionate staff will strive to exceed your expectations and make a difference in the lives of those we serve by providing exceptional care and service, and remembering you are the reason we are here.”

The healthcare organization mentioned that it came to know about these files on December 5, 2016. Affected information included demographic information. Diagnoses and Social Security numbers in some cases. As per the OCR reporting tool, the incident affected 2,953 individuals.

Facility mentioned that it launched an investigation into the incident. Also, protocols in place relating to PHI storage and employee information are reviewed. It also mentioned that as per the internal investigation it appears that no patient or employee information was misused.

“Catalina Post-Acute and Rehabilitation is committed to the proper handling and protection of resident and employee information, and regularly assesses its systems and processes to ensure that this information is maintained and managed in accordance with State and Federal Law,” the online statement explained.

Facility also mentioned that consumers may request free copy of their credit report once 12 months from Equifax, Experian and Trans Union. These agencies have central website to provide free credit report.  It has also provided contact number to answer questions and queries of affected individuals.

___________________________________________________________________________________

Alertsec is powered by Check Point Endpoint Security products, which are positioned in the leaders quadrant in Gartner’s Magic Quadrant for Mobile Data Protection.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Emails forwarded to personal email account

February 24th, 2017

An employee of A Multnomah County Health Department automatically forwarded all emails from county email account to a personal Google email account. The recipient email account is not maintained by the Oregon county. PHI was present on some of the emails. The incident has  created a PHI breach.

On November 22, 2016 facility came to know about the incident during an audit. Facility mentioned that it found no evidence  of the emails getting misused. It also concluded that personal account had been deleted after the investigation. It is no longer available to the employees.

PHI was present in the email attachments because it was attributed to a member of the Health Department. Potentially affected information included individuals’ names, medical record numbers, prescription numbers, diagnoses, and dates of service. As per the OCR data breach reporting tool, incident affected 1,700 individuals.

Facility also mentioned that there is no presence of any patient’s Social Security number, home address, or phone number.

Multnomah County and the County Health Department are also monitoring any activity involving patient information.  It is also taking measures to increase protections of personal information in response to this incident.

“We have policies and procedures for handling personal information which were reviewed with the staff member involved in this incident,” the department explained. “We are also reviewing controls, business practices and policies to increase protections of personal information in response to this incident.”

About Multnomah County:

Around 766,135 residents in the country

Total area of 465 square miles

It includes cities like Fairview, Gresham, Maywood Park, Portland, Troutdale, Wood Village

County Employees number count is 5,600 people

Facility provides Services for seniors and disabled people, animal services, assessment and taxation, bridges, community justice, courts, elections, health, jails, libraries, marriage licenses and passports, school and community partnerships.

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Data breach due to email hack

February 20th, 2017

Foot and ankle surgeon Jay Berenter’s office announced data breach due to an email hack. Hackers sent some patients an email that the office employees claimed not to have sent. As per the reports, the email sent to Dr. Berenter’s contacts  contained a DocuSign document waiting for their review.

As per the statement, “Dr. Berenter takes the protection of information seriously and understands how important trust is in a physician-patient relationship.”

Dr. Berenter’s office immediately sent another email informing patients not to access the DocuSign email. After the incident came to notice, Dr. Berenter’s office took steps to secure the email account. It also hired forensic IT specialists.

Investigation was carried out to determine the extent of breach. it also checked whether any of the office’s systems were affected. Facility mentioned that the incident was determined to be limited to the email account only. Potentially affected information includes patient registration forms, prescriptions, and patient names.  As per the data breach reporting tool, the incident affected 569 individuals.

Facility has also hired forensic IT specialists to investigate the incident further. It is trying to make sure that no electronic medical records were accessed. Facility is implementing new email system. Additional internal administrative steps are taken to prevent a similar hack.

Federal agencies of California Attorney General and the Federal Department of Health and Human Services are notified about the incident. Facility believes that there is no evidence to say that information is misused.

Dr. Berenter’s office has provided contact information to answer queries. One year of complimentary identity theft protection is provided to potentially affected clients. It has also encouraged to place a free 90 day fraud alert on affected accounts.

“Protecting your information is incredibly important to Dr. Berenter, as is addressing this incident with the information and assistance you may need.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Break In causes data breach

February 14th, 2017

Wichita, Family Medicine East, Chartered based in Kansas reported that it suffered data breach due to theft of an unencrypted desktop computer and printer from its facility. As per the reports, an individual got into the building by breaking an exterior window. Family Medicine mentioned that police have not yet caught the thief. Also, stolen items are not recovered.

Family East mentioned that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.”

Affected information included patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes. Social Security numbers and addresses are not included in the breach. Letters written to other physicians discussing a Family Medicine referral were included for few. Letters were also identified by name and information about their medical condition.

“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee’s oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”

Individuals who got treated in 2002 or 2003 are asked “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Steps also include obtaining credit reports and monitoring their financial and baking accounts for activities.

Facility mentioned that it is offering complimentary credit monitoring services to potentially affected patients. It also said that all computers and systems will be encrypted.

“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.