We have repeatedly reiterated numerous warnings to the healthcare industry about malware and ransomware [see related posts here and here]. Our predictions have unfortunately become true, as November was the worst month ever...more
On November 28, 2016, the Office for Civil Rights (OCR) issued an Alert to its listservs that a phishing email is being circulated on “mock HHS Departmental letterhead under the signature of OCR”s Director, Jocelyn Samuels”...more
12/2/2016
/ Business Associates ,
Covered Entities ,
Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Department of Health and Human Services (HHS) ,
Email ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Audits ,
OCR ,
PHI ,
Phishing Scams
In a recent newsletter, the Office for Civil Rights (OCR) encourages health care organizations to review their procedures around authentication and “ensure that they have the appropriate safeguards in place.”...more
11/21/2016
/ Authentication ,
Business Associates ,
Covered Entities ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
OCR ,
PHI ,
Risk Assessment ,
Risk Management
There are arguments that there is a dearth of guidance by both the Office for Civil Rights (OCR) and Federal Trade Commission (FTC), so when guidance comes out, we listen. But the most recent guidance jointly issued by the...more
11/4/2016
/ Cybersecurity ,
Data Breach ,
Data Protection ,
Department of Health and Human Services (HHS) ,
Disclosure Requirements ,
Electronic Medical Records ,
Federal Trade Commission (FTC) ,
FTC Act ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Authorization Forms ,
New Guidance ,
OCR ,
Personally Identifiable Information ,
PHI
The NTT Security Q3 Quarterly Threat Intelligence Report states that the healthcare industry is the fifth most targeted industry for ransomware (behind financial services, retail, manufacturing and technology) for all cyber...more
10/28/2016
/ Cyber Attacks ,
Data Breach ,
Electronic Medical Records ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Breach ,
Malware ,
PHI ,
Ransomware
The Office for Civil Rights (OCR) has announced that it has entered into a settlement with St. Joseph Health, which operates hospitals and nursing homes in California, Texas and New Mexico, for $2.14 million for alleged HIPAA...more
Approximately 300,000 patients of Central Ohio Urology Group have been notified that their protected health information has been stolen and posted online.
Although the actual date of the hacking has not been released,...more
We previously reported that 21st Century Oncology suffered a data breach in October 2015 involving an intrusion into its systems which compromised around 2 million patients’ records, including their names, Social Security...more
10/13/2016
/ Class Action ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Fair Credit Reporting Act (FCRA) ,
Hackers ,
Health Care Providers ,
Healthcare ,
Personally Identifiable Information ,
Popular ,
Unfair or Deceptive Trade Practices
We watch closely for any guidance to HIPAA covered entities and business associates from the Department of Health and Human Services Office for Civil Rights (HHS/OCR). Why? Because there is so little of it. Lately, the only...more
10/10/2016
/ Business Associates ,
Covered Entities ,
Cybersecurity ,
Data Protection ,
Department of Health and Human Services (HHS) ,
GAO ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
NIST ,
OCR
The New Jersey Spine Center was hit with a variant of CryptoWall ransomware on July 27, 2016 that encrypted its electronic health record and its backup files. A double whammy....more
10/7/2016
/ Cyber Attacks ,
Data Breach ,
Electronic Medical Records ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Breach ,
Malware ,
PHI ,
Ransomware
Yuba Sutter Medical Center in California (Yuba Sutter) has notified its patients that it has suffered a recent ransomware attack that caused parts of its network to be incapacitated. As a result, patient files were unable to...more
9/27/2016
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Breach ,
Malware ,
PHI ,
Ransomware
MedStar Health Cardiology Associates, (“MedStar Cardiology”) affiliated with MedStar Health, which was recently in the news for a ransomware attack, discovered that an employee sent protected health information of 907...more
SCAN Health Plan of California, SCAN Health Plan Arizona, and VillageHealth are in the process of notifying certain plan members and non-plan members of a breach of protected health information, including names, addresses,...more
Orleans Medical Clinic (Orleans) in Indiana has notified the Office for Civil Rights that the protected health information of 6,890 patients was compromised as a result of an upgrade to its server. Orleans is in the process...more
Everybody knows how much I hate USB and thumb drives. The latest scheme is for hackers to leave thumb drives in coffee shops, airports, office buildings, libraries and other public places. These USB and thumb drives contain...more
FireEye Labs has reported that the Locky ransomware continues to hit the health care industry hard, and has increased in the month of August.
Although the telecommunications, manufacturing and aerospace/defense...more
We continue to warn health care organizations about the real and serious risks associated with ransomware and malware, but organizations don’t prepare for it adequately and are getting hit hard.
Just this past week,...more
8/22/2016
/ Cyber Attacks ,
Cybersecurity ,
Data Breach ,
Hackers ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Healthcare ,
HIPAA Breach ,
Malware ,
PHI ,
Popular ,
Ransomware
We previously reported that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) lifted its ban on allowing health care providers to use texts for physician orders....more
Athens Orthopedic Clinic in Georgia reported on July 25, 2016, that a hacker gained access to its electronic medical record system at the end of June using the log-in credentials of a third-party vendor....more
StarCare Specialty Health System, located in Lubbock, Texas, is notifying 2,900 patients “who received Intellectual Developmental Disabilities program services, Behavioral Health program services, and Therapeutic Treatment...more
Oregon Health & Science University (OHSU) has agreed to settle alleged HIPAA violations involving two separate data breaches with the Office for Civil Rights (OCR) for $2.7 million.
In the span of three months in 2013,...more
Our predictions that the Office for Civil Rights (OCR) will become more aggressive with audits, investigations, and fines against HIPAA business associates has come true.
On June 24, 2016, the OCR announced that it has...more
7/6/2016
/ Business Associates ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
HIPAA Audits ,
HIPAA Breach ,
HITECH Act ,
Investigations ,
Mobile Device Management ,
Mobile Devices ,
OCR ,
PHI ,
Settlement Agreements
Patterson Dental Supply, Massachusetts General Hospital’s (MGH) vendor that provides software to the hospital to manage dental practice information, has reportedly admitted that approximately 4,300 of MGH’s patient records...more
Complete Chiropractic & Bodywork Therapies, located in Ann Arbor, Michigan, recently notified 4,082 patients that its server, which contained the electronic medical record and billing information of patients, was infected...more
The U.S. Food and Drug Administration (FDA) just issued draft guidance on the Use of Electronic Health Record Data in Clinical Investigations for comment within the next 60 days.
The guidance is intended to assist all...more