Optanix Achieves ISO 27001, SSAE-18 SOC 1 Type 2 and HIPAA-HITECH Security Recertification – PR Newswire (press release)

Health Insurance Portability and Accountability Act (HIPAA), including HIPAA Security Rule and HITECH breach notification attestation and compliance. This attestation confirms that Optanix implemented and maintains the relevant safeguards, standards ...

Reports Flood in on New ‘Unprecedented’ Global Ransomware Attack

A major global cyberattack involving Petya ransomware is currently underway, with firms across Russia, Ukraine and Europe affected. The attack is understood to involve Petya ransomware, in what appears to be a similar incident to the WannaCry ransomware attacks last month.

Companies confirmed as being infected with the ransomware include the Russian oil firm Rosneft, the Russian metal maker Evraz, French construction materials firm Saint-Gobain, many Russian banks, the international Boryspil airport in Ukraine, the Ukraine government, two Ukrainian postal services, the Ukrainian aviation firm Antonov, shipping firm A.P. Moller-Maersk, legal firm DLA Piper, food manufacturer Mondelez and the advertising group WPP. Many more companies are believed to have been attacked, with the list of victims certain to grow. Attacks are now occurring in the UK and India and may spread further afield. Ukraine’s Prime Minister Volodymyr Groysman has said the ransomware attack is unprecedented.

The attacks appear to have started Tuesday, with Russian cybersecurity firm Group-IB suggesting ransomware was installed using some of the NSA exploits published by Shadow Brokers – two of those exploits were also used to install WannaCry ransomware on organizations around the globe last month.

In contrast to WannaCry, Petya ransomware is not understood to have a kill switch. Recovery from the attack will only be possible if data backups exist and have not been encrypted in the attack or if the ransom is paid. The ransom demand is understood to be $300 per infected device.

Petya ransomware is different to many other ransomware variants as it does not encrypt files. Instead, the ransomware attacks and replaces the Master File Table (MFT). The MFT is needed by computers to determine the location of files stored on the hard drive. Without access to the MFT, files cannot be located. Files are not encrypted, but since the files cannot be located the end result is the same. Files cannot be opened.

At this stage, the infection process is not fully understood, with some news outlets claiming the attacks are occurring via malicious email attachments, while others report they involve exploits for unaddressed vulnerabilities.

Further information will be published when it becomes available.

The post Reports Flood in on New ‘Unprecedented’ Global Ransomware Attack appeared first on HIPAA Journal.

Experian Health Accidentally Sends PHI to Incorrect Individuals

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration.

The disclosed data included names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were shared with incorrect HIPAA covered entities. No information was sent to or otherwise shared with members of the public.

Experian Health took immediate action to address what it refers to as ‘an isolated error’ and reports that the mistake has been corrected. The error affected two platforms used by Experian Health, with data disclosed between February 13 and March 13, 2017.

The information disclosed could only have been accessed or saved by HIPAA-covered entities, who are bound by HIPAA Rules. Therefore, the risk of protected health information being misused is likely to be low.

Experian Health notified affected healthcare institutions of the error on April 28, 2017. One of those entities was Southern Illinois Healthcare (SIH), which was told that 600 of its patients were impacted. Experian Health is a business associate of SIH and performs insurance eligibility verification during patient registration. Experian Health also works with other healthcare organizations.

At present, it is unclear exactly how many patients have been impacted in total since the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is possible that breach notices will be submitted separately by all of the covered entities impacted by the incident.

SIH has made the decision to offer credit monitoring and credit repair services to all affected individuals as a precautionary measure. Those services, which are being provided through AllClear ID, are available for 24 months without charge.

The post Experian Health Accidentally Sends PHI to Incorrect Individuals appeared first on HIPAA Journal.

Pair Charged with Identity Theft in Relation to WVU Medicine Breach

A federal grand jury has charged a former healthcare worker and her accomplice with identity theft, aggravated identity theft, bank fraud and producing false documents, in connection with the theft of PHI from WVU Medicine University Healthcare.

Angela Dawn Roberts, 41, of Stephenson, VA had previously worked at WVU Medicine Berkeley Medical Center, where she is alleged to have accessed the WVU Medicine University Healthcare database to obtain sensitive patient information in order to steal the identities of patients.

Court documents indicate names, addresses, dates of birth, Social Security numbers and driver’s license numbers were accessed and manually copied onto paper, with printouts of driver’s licenses also made. Angela Roberts is alleged to have disclosed the information to her accomplice, Ajarhi Savimi Roberts, 24, of Stephens City, VA.

Ajarhi Roberts used the information to open bank accounts and obtain credit cards in victims’ names and used the accounts to steal thousands of dollars. The crimes occurred between March 1, 2016, and Jan. 31, 2017.

The pair, who also used the names Angela Dawn Lee and Wayne Roberts, are alleged to have fraudulently obtained money from several banks including Bank of America, Barclay, Chase Bank, Discover and Wells Fargo. The pair are thought to have obtained at least $40,000 using the names and identities of WVU Medicine patients.

The 36-count indictment suggests the information of 10 patients was used for the crimes, although WVU Medicine University Healthcare has previously indicated the records of at least 113 patients had been accessed and stolen, while 7,445 breach notifications were mailed to patients as their protected health information had also potentially been accessed.

Prosecutors are seeking a monetary judgement of $13,085.65. The pair both face a lengthy jail term if convicted of the crimes.

The post Pair Charged with Identity Theft in Relation to WVU Medicine Breach appeared first on HIPAA Journal.

Aetna Error Sees PHI of 5,000 Individuals Exposed Online

Hartford, CT-based health insurer Aetna has discovered the protected health information of more than 5,000 plan members has been exposed online and was accessible through search engines.

Aetna started investigating a security issue affecting two computer services on April 27, 2017. Those services were intended to show documents containing PHI to plan members and other authorized individuals, although it was discovered that the documents had been indexed by search engines and could be viewed by unauthorized individuals.

On May 10, the investigation uncovered evidence that confirmed a data breach had occurred, with the investigation concluding on June 9. While the investigation into security issues was launched in April, Aetna first became aware of exposed PHI on February 1, according to the San Antonio Express-News. It is unclear why it took almost three months for an investigation to be launched.

Aetna says Social Security numbers, financial information and credit/debit card information were not exposed. The PHI in the documents only included names, identification numbers, member numbers, provider information and claim payment amounts. Some individuals also had dates of service, procedure codes and service codes exposed.

1,708 Ohio and 522 Texas residents are known to have been affected by the breach. In total, the PHI of 5,002 individuals was exposed online, according to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights.

Aetna has not uncovered evidence to suggest any information has been misused as a result of its exposure online. Action has already been taken to deindex the documents to prevent them from being displayed in search engine results and for cached data to be removed from search engines. Steps have also been taken to prevent the documents from being re-indexed by search engines.

Affected individuals and plan sponsors are now being notified of the data breach by mail.

The post Aetna Error Sees PHI of 5,000 Individuals Exposed Online appeared first on HIPAA Journal.