Author Archives: HIPAA Journal

Dominion National Discovers 9-Year PHI Breach

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has experienced a data security incident involving the personal information of individuals connected to the services it provides. Hackers fist gained access to its servers in 2010.

Following an internal alert, Dominion National launched an internal investigation and determined that its systems had been breached.

A leading cybersecurity company performed a comprehensive forensic analysis and review of affected data and confirmed the sensitive information of current and former members of Dominion National and Avalon Vision plans may have been compromised.

Data relating to individuals affiliated with the organizations that the company administers dental and vision benefits for, plan producers, and participating healthcare providers were also potentially compromised. Unauthorized access to its systems first occurred on August 25, 2010, nine years before the investigation was completed. It is currently unclear when the Dominion National first became aware of the breach.

The investigation into the cyberattack concluded on April 24, 2019. All affected individuals have been notified and offered two years membership to credit monitoring and identity theft protection services. Dominion National has cleaned all affected servers and has enhanced its monitoring and alerting software.

The types of information involved varied from individual to individual but may have included names along with addresses, email addresses, dates of birth, Social Security numbers, bank account and routing numbers, taxpayer ID numbers, member ID numbers, group numbers, and subscriber numbers.

The breach has yet to appear on the HHS’ Office for Civil Rights Breach Portal and no announcement has yet been made about the number of individuals affected by the breach.

The post Dominion National Discovers 9-Year PHI Breach appeared first on HIPAA Journal.

DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels and a U.S. surveillance drone was shot as it flew over the Strait of Hormuz. Iran claims the drone was flying in its territory.

The U.S. responded with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did take place in cyberspace. The U.S. Cyber Command has reportedly launched an attack on an Iranian spying group, Islamic Revolutionary Guard Corps, that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to launch missiles and rockets.

Iranian threat actors have also been highly active. There have been increasing numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can take many forms, Iranian threat actors have increased attacks using wiper malware. In addition to stealing data and money, the threat actors use the malware to wipe systems clean and take down entire networks.

Iran is one of three countries rated by the United States as having highly capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of conducting devastating cyberattacks.

Iranian hackers were behind the SamSam ransomware attacks on healthcare providers and hackers working for the Iranian regime are believed to be responsible for the cyberattack on the Saudi Arabian oil firm Saudi Aramco in 2012. Shamoon wiper malware was used in that attack to wipe tens of thousands of devices.

The harm caused by these wiper attacks is considerable. In 2017, attacks using NotPetya wiper malware resulted in global financial losses of between $4 billion and $8 billion. The attack on the shipping firm Maersk resulted in losses of around $300 million. The attacks are also common. According to a recent report by Carbon Black, 45% of healthcare CISOs have experienced a wiper malware attack in the past 12 months.

The hackers may be highly capable, but they still use basic techniques and exploit common weaknesses to gain access to networks. These include phishing and spear phishing, social engineering, password spraying, and credential stuffing.

All of these attack methods can be blocked with basic cybersecurity measures such as enforcing the use of strong passwords, changing all default passwords, rate limiting on logins, applying the rule of least privilege when setting permissions, implementing multi-factor authentication, closing unused ports, disabling RDP, prompt patching,  adopting a robust backup strategy, and providing security awareness training to employees.

Krebs warned that all U.S industries, government agencies, and businesses should be alert to the risk of cyberattacks. “If you suspect an incident, take it seriously and act quickly,” said Krebs.

The post DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors appeared first on HIPAA Journal.

Ransomware Attacks Reported by California and Illinois Clinics

Patients of Quantum Vision Centers and Eye Surgery Center in Illinois are being notified that some of their protected health information may have been compromised in an April 2019 ransomware attack.

An unauthorized individual gained access to certain Quantum systems and deployed ransomware on April 18, 2019. The ransomware encrypted files, some of which contained information such as names, dates of birth, addresses, health insurance information, and Social Security numbers.

A third-party computer forensics firm has been hired to help determine the nature and scope of the attack. The investigation is ongoing, but it is believed that the malware was not used to steal any patient information. The sole purpose of the attack appears to have been to extort money from the business.

Encrypted files are now being recovered and backup measures have been implemented to ensure services can continue to be provided to patients, albeit with some disruption.

It is currently unclear exactly how many patients have been affected. Affected individuals have been offered one year of credit monitoring services.

Marin Community Clinics Recovers from Ransomware Attack

Marin Community Clinics in California has experienced a ransomware attack that caused considerable disruption to its IT systems last week.

The attack occurred between 9pm and 10pm on Wednesday, June 19 and resulted in widespread file encryption. A ransom demand was issued and, after consulting with its network operator, Marin Community Clinics paid an undisclosed percentage of the ransom demand.

Computer systems were taken out of action as a result of the attack. Even with the keys to unlock the encrypted files, recovery has taken several days. All computer systems are expected to be brought back online by Saturday 22, June.

Medical services continued to be provided to patients while computer systems were down and the hospital was operating in emergency mode. Patient information was recorded on paper and will be transferred when systems are brought back online. The data recovery process is progressing and major data loss is not anticipated.

Marin Community Clinics’ CEO Mitesh Popat told the Marin Independent Journal that no patient data was compromised and major data loss is not expected; however, there may be minor data loss for certain patients as a result of the data recovery process.

It is currently unclear how the ransomware was introduced and for how long the hackers had access to its systems prior to the deployment of ransomware.

The post Ransomware Attacks Reported by California and Illinois Clinics appeared first on HIPAA Journal.

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported.

Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches.

Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals.

The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers.

Servers house essential programs that are used across the healthcare organization. As a central repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

CCI performed a risk analysis to determine high and critical risks facing health systems and hospitals. CCI determined 63% of all identified risks were related to the failure to adequately address vulnerabilities in servers.

The high number of server-related data breaches clearly shows that those flaws are being exploited by hackers to gain access to healthcare networks.

According to CCI, one of the most common server vulnerabilities is the failure to keep on top of user account management. When employees leave the company their accounts must be deleted. Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. CCI notes the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

To address this risk, security controls should be implemented that automatically disable or delete accounts when the HR department changes the status of an employee. If that is not possible, CCI recommends conducting frequent, periodic reviews to ensure all unused accounts are disabled.

In an ideal world, an account would be disabled instantly. In practice, CCI recommends having the systems, policies, and procedures in place to ensure no account remains open for more than 48 hours after it is no longer required.

Reviews of system activity logs should also be conducted to determine whether dormant accounts have been used inappropriately or if any actively used accounts have been compromised or are being misused.

Excessive permissions on user accounts is another serious server vulnerability. Excessive permissions can result in accidental or deliberate access, alteration, or deletion of data. The failure to restrict access rights is also a violation of the HIPAA principle of least privilege.

CCI reports that the risk of excessive user permissions is highest in organizations that do not regularly review user permissions (43.6%), perform user activity reviews (43.6%), or when there is a lack of proper user account management (43.1%).

Regular reviews of user activity will help healthcare organizations to quickly identify anomalies in user data that could be indicative of account misuse or a cyberattack. The frequency of those reviews should be dictated by several factors, including staff turnover and the number of users. CCI suggests user permission and user activity log reviews at least every quarter for an organization with 100 or more users.

The post Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches appeared first on HIPAA Journal.

Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees.

Broome County officials learned about the attack on January 2, 2019 when it was discovered that an employee’s direct deposit account information had been changed. An investigation was immediately launched which revealed ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. Further, an unauthorized individual had also gained access to employees’ PeopleSoft accounts.

A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019.

Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed.

Broome County says multiple county departments were affected, including the Department of Health. The Willow Point Nursing Home and Rehabilitation & Nursing Center were also affected.

The types of information in the emails varied from individual to individual, but may have included names, contact information, Social Security numbers, bank account numbers, other financial information, dates of birth, medical record numbers, patient identification numbers, health insurance information, claims information, and medical and clinical information such as diagnoses and treatment information.

Broome County will implement additional safeguards to protect against any future attempted cyberattacks, including multi-factor authentication, and additional training will be provided to staff.

Community Health Link Phishing Attack Impacts 4,598 Patients

UMass Memorial Community Healthlink, a provider of behavioral health, addiction, and homeless services throughout central Massachusetts, has discovered the email accounts of two employees have been accessed by an unauthorized individual.

The breach was detected on April 18, 2019 and the accounts were secured. The breach investigation revealed the accounts were first accessed the same day and information in the compromised email accounts was only available for a limited time period.

No evidence was found to suggest emails had been viewed or copied; however, the following information may have been subjected to unauthorized access: Names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information, and in limited instances, Social Security numbers.

In response to the breach, passwords were reset, rules were strengthened to prevent email accounts from being accessed from external domains, automatic alerts have been increased, and defenses have been strengthened against email impersonation attacks. Further training has also been provided to employees.

The post Phishing Attacks Reported by Broome County, NY and UMassMemorial Community Healthlink appeared first on HIPAA Journal.

Ransomware Attack Affects More than 60 Assisted Living Facilities

A provider of software for assisted living communities has experienced a ransomware attack that has affected more than 60 facilities that use the software.

Tenx Systems, doing business as ResiDex Software, said the attack occurred on April 9, 2019 and affected its server infrastructure.

Rapid action was taken to move the servers to a new hosting provider and files were seamlessly recovered from backups the same day as the attack. No ransom was paid.

A forensic investigation was launched to determine whether any files had been accessed or other malicious actions had been performed by the attackers. The investigation revealed its servers were first compromised on April 2, 2019, 7 days prior to the deployment of ransomware.

While extortion through file encryption may have been the main aim of the attack, it is possible that the attackers gained access to names, Social Security numbers, and medical records contained in the ResiDex system.

It was not possible to establish which, if any, records were subjected to unauthorized access due to the complexity of the attack and the steps taken by the attackers to conceal their activities.

Notifications are now being sent to all affected individuals, which are spread across Massachusetts, Minnesota, Missouri and Tennessee.

The number of individuals affected has not been publicly disclosed and the incident has yet to appear on the HHS’ Office for Civil Rights Breach Portal.

Prescription Information of 78,000 U.S. Patients Exposed Online

Security researchers at vpnMentor have discovered a freely accessible database of patient prescription information that contains records relating to more than 78,000 U.S. patients who use the prescription medication Vascepa.

Vascepa is a drug used to lower triglycerides for individuals on low-cholesterol and low fat diets. The MongoDB database had been left unprotected allowing the following information to be viewed without authentication: Names, addresses, telephone numbers, email addresses, pharmacy information, prescribing doctor, NPI number, NABP E-profile number, and other personally identifiable data.

The records appeared to have come from a company called PSKW, which provides patient and provider messaging, co-pay, and assistance programs for healthcare organizations via a service named ConnectiveRX.

vpnMentor has reported the breach PSKW, although it is currently unclear to whom the database belongs.

The post Ransomware Attack Affects More than 60 Assisted Living Facilities appeared first on HIPAA Journal.

May 2019 Healthcare Data Breach Report

In April, more healthcare data breaches were reported than in any other month to date. The high level of data breaches has continued in May, with 44 data breaches reported. Those breaches resulted in the exposure of almost 2 million individuals’ protected health information.

Healthcare data breaches by month 2014-2019

On average, 2018 saw 29.5 healthcare data breaches reported to the HHS’ Office for Civil Rights each month – a rate of more than one a day.

From January 2019 to May 2019, an average of 37.2 breaches have been reported each month. Up until May 31, 2019, 186 healthcare data breaches had been reported to OCR, which is more than half (52%) the number of breaches reported last year.

It remains to be seen whether the increase in data breaches is just a temporary blip or whether 40+ healthcare data breaches a month will become the new norm.

Healthcare records exposed by month 2017-2019

May saw a 186% increase in the number of exposed records compared to April. Across the 44 breaches, 1,988,376 healthcare records were exposed or compromised in May. So far this year, more than 6 million healthcare records have been exposed, which is more than half of the number of records exposed in 2018.

Healthcare records exposed by year 2014-2019

In terms of the number of records exposed, May would have been similar to April were it not for a massive data breach at the healthcare clearinghouse Inmediata Health Group. The breach was the largest of the year to date and resulted in the exposure of 1,565,338 records.

A web page which was supposed to only be accessible internally had been misconfigured and the page could be accessed by anyone over the internet.

 

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Inmediata Health Group, Corp. Healthcare Clearing House 1,565,338 Unauthorized Access/Disclosure
2 Talley Medical Surgical Eyecare Associates, PC Healthcare Provider 106,000 Unauthorized Access/Disclosure
3 The Union Labor Life Insurance Company Health Plan 87,400 Hacking/IT Incident
4 Encompass Family and internal medicine group Healthcare Provider 26,000 Unauthorized Access/Disclosure
5 The Southeastern Council on Alcoholism and Drug Dependence Healthcare Provider 25,148 Hacking/IT Incident
6 Cancer Treatment Centers of America® (CTCA) at Southeastern Regional Medical Center Healthcare Provider 16,819 Hacking/IT Incident
7 Takai, Hoover, and Hsu, P.A. Healthcare Provider 16,542 Unauthorized Access/Disclosure
8 Hematology Oncology Associates, PC Healthcare Provider 16,073 Hacking/IT Incident
9 Acadia Montana Treatment Center Healthcare Provider 14,794 Hacking/IT Incident
10 American Baptist Homes of the Midwest Healthcare Provider 10,993 Hacking/IT Incident

Causes of May 2019 Healthcare Data Breaches

Hacking/IT incidents were the most numerous in May with 22 reported incidents. In total, 225,671 records were compromised in those breaches. The average breach size was 10,258 records with a median of 4,375 records.

There were 18 unauthorized access/disclosure incidents in May, which resulted in the exposure of 1,752,188 healthcare records. The average breach size was 97,344 records and the median size was 2,418 records.

8,624 records were stolen in three theft incidents. The average breach size 2,875 records and the median size was 3,578 records. There was one loss incident involving 1,893 records.

causes of May 2019 healthcare data breaches

Location of Breached PHI

Email continues to be the most common location of breached PHI. 50% of the month’s breaches involved at least some PHI stored in email accounts. The main cause of these types of breaches is phishing attacks.

Network servers were the second most common location of PHI. They were involved in 11 breaches, which included hacks, malware infections and ransomware attacks.  Electronic medical records were involved in 7 breaches, most of which were unauthorized access/disclosure breaches.

Location of breached PHi (may 2019)

May 2019 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity type in May with 34 breaches. 5 breaches were reported by health plans and 4 breaches were reported by business associates of HIPAA-covered entities. A further two breaches had some business associate involvement. One breach involved a healthcare clearinghouse.

May 2019 healthcare data breaches by covered entity type

May 2019 Healthcare Data Breaches by State

May saw healthcare data breaches reported by entities in 17 states.  Texas was the worst affected state in May with 7 reported breaches. There were 4 breaches reported by covered entities and business associates in California and 3 breaches were reported in each of Indiana and New York.

2 breaches were reported by entities base in Connecticut, Florida, Georgia, Maryland, Minnesota, North Carolina, Ohio, Oregon, Washington, and Puerto Rico. One breach was reported in each of Colorado, Illinois, Kentucky, Michigan, Missouri, Montana, and Pennsylvania.

HIPAA Enforcement Actions in May 2019

OCR agreed two settlements with HIPAA covered entities in May and closed the month with fines totaling $3,100,000.

Touchstone Medical Imaging agreed to settle its HIPAA violation case for $3,000,000. The Franklin, TN-based diagnostic medical imaging services company was investigated after it was discovered that an FTP server was accessible over the internet in 2014.

The settlement resolves 8 alleged HIPAA violations including the lack of a BAA, insufficient access rights, a risk analysis failure, the failure to respond to a security incident, a breach notification failure, a media notification failure, and the impermissible disclosure of the PHI of 307,839 individuals.

Medical Informatics Engineering settled its case with OCR and agreed to pay a financial penalty of $100,000 to resolve alleged HIPAA violations uncovered during the investigation of its 2015 breach of 3.5 million patient records. Hackers had gained access to MIE servers for 19 days in May 2015.

OCR determined there had been a failure to conduct a comprehensive risk analysis and, as a result of that failure, there was an impermissible disclosure of 3.5 million individuals’ PHI.

It did not end there for MIE. MIE also settled a multi-state lawsuit filed by 16 state attorneys general. A multi-state investigation uncovered several HIPAA violations. MIE agreed to pay a penalty of $900,000 to resolve the case.

The post May 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach

The Oregon Department of Human Services (ODHS) is notifying 645,000 clients that some of their personal information has potentially been compromised as a result of a phishing attack.

The targeted attack started on January 9, 2019 and resulted in 9 ODHS employees following links in emails and disclosing their login credentials.

ODHS and the Department of Administrative Services Enterprise Security Office discovered the breach on January 28 following reports from employees who believed their email accounts had been accessed. All affected email accounts were rapidly identified and remote access to the accounts was blocked the same day.

An investigation was launched into the breach to determine what protected health information may have been viewed and who had been affected. That process has taken some time to complete as it involved checking around 2 million emails.

The attackers accessed the compromised accounts and were able to access emails in the accounts for a period of 19 days. ODHS has confirmed that no malware was installed by the attackers but they may have viewed or obtained PHI such as names, contact information, Social Security numbers, case numbers, and sensitive health information.

On March 21, when it became clear that PHI was involved, ODHS uploaded a substitute breach notice to its website and created a call center where affected individuals could find out more about the breach. However, individual breach notifications were not sent until June 21.

ODHS oversees programs related to child welfare, individuals with disabilities, and seniors and deals with some of the most vulnerable individuals in the state. To protect those individuals from harm, ODHS has covered the cost of a $1 million identity theft reimbursement insurance policy and is offering all affected individuals 12 months of complimentary credit monitoring and identity theft recovery services.

ODHS spokesperson Robert Oakes said this was an “extremely sophisticated email attack.” ODHS has since closed access to the email web application that was breached and will continue to conduct internal security audits to vulnerabilities and will subject those vulnerabilities to a HIPAA-compliant risk management process. Training is already provided to staff on security awareness and efforts will continue to educate the workforce about the dangers from phishing.

The post Oregon Department of Human Services Notifies 645,000 Clients of Phishing Breach appeared first on HIPAA Journal.

Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers

Two healthcare providers in Maryland have been affected by a potential breach at their business associate, Meditab Software Inc.

Meditab provides EMR and practice management software to healthcare providers and its systems contain patient information. In March 2019, Meditab discovered some protected health information (PHI) had been left unprotected.

Meditab had created a portal to view statistics for its Fax Cloud services. Statistics were maintained on all faxes, but no images were stored directly on the fax server. When faxes were transmitted, a link to the fax image on a separate and secure server was temporarily available until the fax was confirmed as having been received. When receipt was confirmed, the link is no longer available.

Usernames and passwords were required to gain access to the portal; however, in January, a Meditab programmer deactivated authentication without authorization. While authentication was disabled, a limited number of faxes containing medical information were discoverable between January 9 and March 14, 2019.

The exposed information may have included names, addresses, phone numbers, dates of birth, and medical records and treatment notes, which may include diagnoses and treatment information.

The firm recently informed Capitol Cardiology Associates (CCA) and Southern Maryland Medical Group (SMMG) that the PHI of some of their patients had been exposed.

Meditab said at no point could its analytics portal be searched or crawled by search engines, so discovering the portal would not have been easy. However, if the portal was located, an unauthorized individual could have opened the fax messages individually and had the option of downloading or printing those faxes. Meditab believes the risk of harm to patients is low.

According to the breach reports submitted to the HHS’ Office for Civil Rights, 1,980 CCA patients and 1,400 SMMG patients have been affected.

It is currently unclear whether any other healthcare providers have been affected by the breach.

The post Potential Breach at Meditab Software Impacts 2 Maryland Healthcare Providers appeared first on HIPAA Journal.