Author Archives: HIPAA Journal

Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed

The Houston, TX-based billing and collection company, Benefit Recovery Specialists, Inc., (BRSI) has announced it has discovered malware on its systems that may have allowed unauthorized individuals to view or obtain protected health information.

The personal and protected health information (PHI) on BRSI systems had been provided to the company in its capacity as a business associate and included the PHI of current and former members and patients of its health plan and healthcare provider customers.

The malware was discovered on April 30, 2020 and an internal investigation was immediately launched. Third-party computer forensics specialists were engaged to help investigate the breach and determine the extent and scope of the attack. The investigation revealed an unauthorized individual had gained access to BRSI systems using stolen employee credentials. Once a foothold had been established in the network, the attacker downloaded malware.

The forensic investigators concluded that the attacker first gained access to BRSI systems on April 20, 2020 and had access to the systems until April 30, 2020. During that time, PHI was accessible and may have been exfiltrated. The substitute breach notice on the BRSI website makes no mention of the type of malware involved.

The types of sensitive data on the compromised parts of its systems included names, dates of birth, dates of service, provider names, policy identification numbers, procedure codes, and/or diagnosis codes. The Social Security numbers of some individuals were also potentially compromised.

The investigation into the breach concluded on May 29, 2020 and patients started to be notified on June 2, 2020. No evidence of misuse of individuals’ PHI was identified, but affected individuals have been told to be alert to the risk of identity theft and fraud and have been advised to carefully monitor their account and explanation of benefits statements for signs of misuse of their information. Based on the substitute breach notice, it does not appear that credit monitoring services are being offered to breach victims.

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates 274,837 individuals have been affected, making this one of the largest healthcare data breaches to be reported in 2020.

The post Benefit Recovery Specialists Hacked and PHI of 274,837 Individuals Exposed appeared first on HIPAA Journal.


States Start to Make Temporary COVID-19 Telehealth Changes Permanent

Following the decision of the HHS’ Centers for Medicaid and Medicare Services (CMS) to expand access to telehealth services and increase coverage in response to the COVID-19 pandemic, states introduced temporary emergency waivers to their telehealth laws. Healthcare providers and patients have welcomed the changes to telehealth policies, which improved access to telehealth services to help control the spread of the virus, SARS-CoV-2. There have been increasing calls for the changes to be made permanent, and several states such as Massachusetts, Colorado, and Idaho have taken steps to ensure the changes continue after the COVID-19 public health emergency is declared over.

On March 16, 2020, the Massachusetts Board of Registration in Medicine (BORIM) approved a new policy that states the same standard of care applies to in-person and telehealth visits and a face-to-face encounter is not a pre-requisite for a telehealth visit. The policy was introduced on a temporary basis in response to COVID-19, but on June 26, 2020, BORIM made the policy change permanent. This is the first telehealth-specific policy to be adopted by BORIM and Massachusetts was one of the first states to make temporary COVID-19 telehealth policies permanent.

There have been increasing calls at the Federal level for the expansion of access to telehealth services to be made permanent and for there to be continued reimbursement parity for in-person and virtual visits when the COVID-19 nationwide public health emergency is declared over.

CMS Administrator Seema Verma has expressed support for the expansion of telehealth access to continue and, at a recent meeting of the Senate Committee on Health, Education, Labor & Pensions (HELP), the 30+ temporary changes to Federal telehealth policies were discussed and Congress was urged to make several of the changes permanent. There is a commonly held view that telehealth can improve patient outcomes, help providers deliver a better patient experience, and that telehealth will help to reduce the cost of healthcare provision.

Two Federal policy changes that have attracted considerable support are the relaxation of the Medicare originating site requirement to allow physicians to provide telehealth services to all patients, no matter where they are located, and expansion of the number of telehealth services covered under Medicare.

These and other policies changes have received support at the state level. Several other states have now taken steps to improve telehealth access. Colorado Governor, Jared Polis, signed a bill this week that prohibits health insurance companies from requiring a patient to have a pre-established relationship with a virtual care provider. The law, which applies to Medicaid and state-regulated health plans, also prohibits insurers from imposing additional location, certification, or licensure requirements on providers as a condition for telehealth reimbursement and the restrictions on the technology that can be used to provide telehealth services have also been removed. Audio or video communication solutions only need to be compliant with the HIPAA Security Rule.

Idaho Governor Brad Little has similarly taken steps to make the COVID-19 changes to telehealth laws permanent, including the state’s temporary telehealth rule waivers that increased the medications that could be prescribed in telehealth visits, the broadening of the technology that can be used for providing telehealth services, and the change that allows out-of-state providers to treat patients virtually.

“Our loosening of healthcare rules since March helped to increase the use of telehealth services, made licensing easier, and strengthened the capacity of our healthcare workforce – all necessary to help our citizens during the global pandemic,” said Gov. Little. “We proved we could do it without compromising safety. Now it’s time to make those healthcare advances permanent moving forward.”

All states expanded access to telehealth services for Medicaid beneficiaries following the CMS announcement expanding telehealth access and coverage. Many more states are now expected to make the emergency changes permanent. However, health insurers must also make changes and confirm that they will continue to reimburse physicians for virtual visits at the same rate as in-person visits; otherwise it is likely that telehealth will be dropped in favor of in-person visits.

The post States Start to Make Temporary COVID-19 Telehealth Changes Permanent appeared first on HIPAA Journal.

Optimum Behavioral Care, Inc Confirmed as HIPAA Compliant by Compliancy Group

Compliancy Group has announced that Optimum Behavioral Care, Inc. d/b/a Frank Morelli, LMHC, has implemented an effective HIPAA compliance program and has demonstrated compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification and Omnibus Rules.

Frank Morelli is a Licensed Mental Health Counselor practicing in Jacksonville, FL with more than 25 years’ experience of providing behavioral wellness to the entire family. His practice is especially well suited to treating patients with obsessive-compulsive disorder, PTSD, anxiety disorders, and depression.

Frank Morelli sought assistance from Compliancy Group to ensure that fully compliant policies and procedures had been implemented and appropriate safeguards were in place to ensure the confidentiality, integrity, and availability of PHI. “Protecting the records and communications of my clients is just the right thing to do. Confidentiality is the cornerstone of psychotherapy,” said Frank Morelli.

Frank Morelli used Compliancy Group’s proprietary HIPAA-compliance tracking solution, The Guard, to monitor progress and guide his compliance efforts, with assistance provided by Compliancy Group’s expert compliance coaches.

Frank Morelli successfully completed Compliancy Group’s 6-Stage HIPAA Risk Analysis and remediation process and his good faith effort towards HIPAA compliance was verified by Compliancy Group’s HIPAA subject matter experts and Compliance Coaches and Frank Morelli was awarded Compliancy Group’s HIPAA Seal of Compliance.

The HIPAA Seal of Compliance demonstrates to current and former patients that Frank Morelli’s practice is committed to ensuring the confidentiality of patient data and protecting the privacy of patients. Forward-thinking providers like Frank Morelli, LMHC choose the HIPAA Seal of Compliance to differentiate their services.

“Navigating the HIPAA rules is challenging for providers of healthcare services. Compliancy Group makes the process straightforward, thorough, and complete. OBC, Inc is a better choice for psychotherapy for having respected the rights of consumers, and a better company for faithfulness to high standards,” said Compliancy Group.

The post Optimum Behavioral Care, Inc Confirmed as HIPAA Compliant by Compliancy Group appeared first on HIPAA Journal.

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks.

Tor is free, open source software that was developed by the U.S. Navy in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted multiple times and passed through a series of nodes along a random path to the destination server. While a user is connected to the Tor network, their online activity cannot easily be traced back to their IP address: when a Tor user accesses a website, the IP address recorded by the site is that of the Tor exit node rather than the user’s own.

Unsurprisingly, given the level of anonymity provided by Tor, it has been adopted by many threat actors to hide their location and IP address and conduct cyberattacks and other malicious activities anonymously. Cybercriminals are using Tor to perform reconnaissance on targets, conduct cyberattacks, view and exfiltrate data, deploy malware and ransomware, and conduct Denial of Service (DoS) attacks. According to the alert, cybercriminals are also using Tor to relay commands to malware and ransomware through their command and control (C2) servers.

Since malicious activities can be conducted anonymously, it is hard for network defenders to respond to attacks and perform system recovery. CISA and the FBI recommend that organizations conduct a risk assessment to identify their risk of compromise via Tor. The risk related to Tor will be different for each organization so an assessment should determine the likelihood of an attack via Tor, and the probability of success given the mitigations and security controls that have been put in place. Before a decision can be made about whether to block Tor traffic, it is important to assess the reasons why legitimate users may be choosing to use Tor to access the network. Blocking Tor traffic will improve security but will also block legitimate users of Tor from accessing the network.

CISA and the FBI warn that Tor has been used in the past by a range of different threat actors, from nation-state sponsored Advanced Persistent Threat (APT) actors to individual, low skill hackers. Organizations that do not take steps to either block inbound and outbound traffic via Tor, or monitor traffic from Tor nodes closely, will be at a heightened risk of being attacked.

In these attacks, reconnaissance is conducted, targets are selected, and active and passive scans are performed to identify vulnerabilities in public-facing applications which can then be exploited anonymously. Standard security tools are not sufficient to detect and block these attacks. Instead, a range of security solutions needs to be implemented, and logging should be enabled so that potentially malicious activity can be analyzed using both indicator-based and behavior-based approaches.

“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” according to the report. A list of all Tor exit node IP addresses is maintained by the Tor Project’s Exit List Service and can be downloaded. Security teams can use the list to identify any substantial transactions associated with those IP addresses by analyzing their netflow, packet capture (PCAP), and web server logs.
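The indicator-based check described above, as an added example that is not from the alert or from HIPAA Journal: it parses a downloaded exit list, matches the exit addresses against web server access log lines, and summarizes the "substantial" transactions per exit node. It assumes the record layout of the Tor Project's exit list (ExitNode / Published / LastStatus / ExitAddress lines) and Apache/Nginx combined-format access logs; all addresses and log lines are constructed sample data drawn from RFC 5737 documentation ranges.

```python
"""Match web server access logs against a Tor exit-node list (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample in the assumed exit-list layout: one ExitNode record per
# relay, each followed by one or more ExitAddress lines.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2020-07-01 00:00:00
LastStatus 2020-07-01 01:00:00
ExitAddress 198.51.100.23 2020-07-01 01:02:03
ExitNode 0000000000000000000000000000000000000002
Published 2020-07-01 00:00:00
LastStatus 2020-07-01 01:00:00
ExitAddress 203.0.113.77 2020-07-01 01:05:00
ExitAddress 203.0.113.78 2020-07-01 01:05:10
"""

# Constructed access log lines in combined format (one malformed line included).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [01/Jul/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jul/2020:10:00:05 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jul/2020:10:00:06 +0000] "POST /login HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jul/2020:10:00:09 +0000] "GET /export/claims.csv HTTP/1.1" 200 7340032 "-" "Mozilla/5.0"',
    '203.0.113.78 - - [01/Jul/2020:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "curl/7.68.0"',
    'not a log line',
]

# client ident user [timestamp] "METHOD path proto" status bytes ...
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_exit_list(text: str) -> Set[str]:
    """Collect every ExitAddress IP; a single relay may publish several."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(parts[1])
    return exits


def parse_combined_log(lines: Iterable[str]) -> List[dict]:
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        records.append(rec)
    return records


def summarize_tor_activity(records: List[dict], exits: Set[str],
                           byte_threshold: int = 1_000_000) -> Dict[str, dict]:
    """Per exit-node client: request count, bytes served, distinct paths, and
    a 'substantial' flag for large transfers or state-changing requests."""
    summary = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "paths": set(), "substantial": False})
    for rec in records:
        if rec["ip"] not in exits:
            continue  # not a known exit node; ignore for this indicator check
        entry = summary[rec["ip"]]
        entry["requests"] += 1
        entry["bytes"] += rec["bytes"]
        entry["paths"].add(rec["path"])
        if rec["bytes"] >= byte_threshold or rec["method"] in ("POST", "PUT", "DELETE"):
            entry["substantial"] = True
    return dict(summary)


if __name__ == "__main__":
    exit_ips = parse_exit_list(SAMPLE_EXIT_LIST)
    for ip, info in summarize_tor_activity(parse_combined_log(SAMPLE_ACCESS_LOG), exit_ips).items():
        flag = "SUBSTANTIAL" if info["substantial"] else "low-volume"
        print(f"{ip}: {info['requests']} requests, {info['bytes']} bytes, {flag}, paths={sorted(info['paths'])}")
```

Exit addresses change frequently, so the list must be refreshed on a schedule and the threshold tuned to the site's normal traffic before alerts are routed to a SIEM.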

“Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols,” such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.

“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability,” suggest the FBI and CISA.

While it is possible to reduce risk by blocking all Tor web traffic, this highly restrictive approach will not totally eliminate risk, since not all Tor network access points are listed publicly. It will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource intensive.

Details of how to block, monitor and analyze Tor traffic are provided in the alert, a PDF copy of which is available for download here.

The post FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor appeared first on HIPAA Journal.

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign conducted in 62 countries has been shut down by Microsoft. The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. The phishing campaign targeted businesses and was conducted to obtain Office 365 credentials. Those credentials were then used to access victims’ accounts to obtain sensitive information and contact lists. The accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. Recently, the phishing campaign changed and the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the email attachments were opened or links clicked, users were directed to a webpage hosting a malicious application. The web apps closely resemble legitimate web apps that are often used by businesses to improve productivity and security and support remote workers. Users were requested to grant Office 365 OAuth applications access to their Office 365 accounts.

When permission was granted, the attackers obtained access and refresh tokens that allowed them to gain access to the victims’ Office 365 accounts. In addition to gaining access to contact lists, emails, attachments, notes, tasks, and profiles, they also had access to the SharePoint document management system and OneDrive for Business, and any files in those cloud storage accounts.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains being used by the scammers to host the malicious apps. Recently, the court order was obtained and Microsoft has now disabled the domains. Without access to their infrastructure, the cybercriminals are no longer able to conduct cyberattacks. The campaign is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations to improve defenses against phishing and BEC attacks. The first step to take is to enable multifactor authentication on all email accounts, both business and personal. Businesses should provide training to employees to teach them how to identify phishing and BEC attacks and security alerts should be enabled for suspicious links and files.

Any email forwarding rules should be checked to identify suspicious activity, and organizations should educate staff on how Microsoft permissions and the consent framework work. Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.

The post Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps appeared first on HIPAA Journal.

TigerConnect Rated Among Top Advanced Clinical Communications Platforms by KLAS

TigerConnect, the most widely adopted care team collaboration solution, has been recognized by KLAS and rated among the top platforms in the KLAS Clinical Communications 2020 Advanced User Insights report.

KLAS is a healthcare IT data and insights company that conducts impartial research on software and services used by healthcare providers and payers worldwide. The company obtains feedback from healthcare professionals that are using software solutions and services, the insights are analyzed, trends are identified, and the company’s reports are used by healthcare organizations around the world to make decisions about healthcare software and services.

For the Clinical Communications 2020 Advanced User Insights report, KLAS collected data from multiple case studies and conducted in-depth interviews with three to five advanced users of each platform at organizations at the cutting edge of clinical communication to find out how these solutions have improved efficiency, security, and patient satisfaction. The report details the outcomes that have been achieved, the lessons learned by advanced users, and the range of workflows that each communication platform covers.

TigerConnect was recognized as having a very large customer base in both inpatient and non-inpatient care settings. KLAS found the platform to be highly customer centric, with nimble development for advanced users across different care settings. The platform had the most extensive breadth of workflows for advanced users out of all platforms assessed for the report and was the only clinical communications platform that had over 50% adoption of advanced workflows in nine out of the ten categories assessed.

TigerConnect was also rated the top vendor for patient-centered care team communications, pre-admission workflows, clinical support staff workflows, and discharge & post-discharge workflows. TigerConnect was recognized as having standout capabilities such as allowing communication to continue during EHR downtime, allowing care coordinators to coordinate care with referred caregivers, and the ability of the platform to link messages to patient records and pull all pertinent information for patient care.

“The KLAS report highlights one of TigerConnect’s biggest strengths – our ability to help healthcare organizations across the full continuum of care meaningfully connect and enhance outcomes,” says Brad Brooks, TigerConnect CEO. “More than 6,000 healthcare organizations rely on our platform to enable seamless collaboration in a scalable, fully integrated, easy-to-use solution. With so many challenges facing our industry during the COVID-19 pandemic, now is the time for innovation that enhances care and strengthens the bottom line.”

The post TigerConnect Rated Among Top Advanced Clinical Communications Platforms by KLAS appeared first on HIPAA Journal.

Health Plan Member Portals Accessed Using Stolen Credentials

The Philadelphia-based health plan Independence Blue Cross, together with AmeriHealth HMO, Inc. and AmeriHealth Insurance Company of New Jersey, has discovered that unauthorized individuals gained access to pages in their member portals between March 17, 2020 and April 30, 2020 and potentially viewed the personal and protected health information of some of their members.

The types of information exposed included names, member identification numbers, plan type, spending account balances, user reward summaries, and claims information.

An investigation into the breach revealed valid credentials had been used to access the portal. In all cases, the passwords used to access the member portals had been obtained as a result of breaches of third-party websites and applications, such as the breach of MyFitnessPal in 2018. The passwords for those third-party websites had been reused on the member portals.

The health plans were informed of the breach on May 8, 2020 and immediately took steps to secure the accounts and prevent further unauthorized access. All affected members have now been notified and have been offered 24 months of free credit monitoring and identity theft protection services.

49,500 Providence Health Plan Members Affected by Business Associate Data Breach

49,511 members of the Oregon-based Providence Health Plan have been affected by a data breach at one of its business associates.

On April 17, 2020, Brooklyn-based Zipari alerted Providence Health Plan about a coding error that allowed documents related to employer-sponsored health plans to be exposed online. The coding error was detected by Zipari on April 9, 2020. The investigation revealed the documents had been accessed by unauthorized individuals in May, September, and November 2019. The documents contained member names, employer names, and dates of birth. No other information was compromised.

The breach prompted Providence Health Plan to arrange a third-party audit of Zipari’s data security practices. Affected plan members have been offered complimentary credit monitoring services.

Central California Alliance for Health Discovers ‘Many’ Email Accounts Breached

On May 7, 2020, Central California Alliance for Health (CCAH) discovered an unauthorized individual gained access to the email accounts of some of its employees and potentially viewed and obtained the protected health information of some of its members. According to the breach notice submitted to the California Attorney General’s office, many CCAH email accounts were subjected to unauthorized access for about one hour.

A review of the compromised email accounts revealed they contained names, dates of birth, demographic information, Medi-Cal ID numbers, Alliance Care Management Program records, claims information, medical information, and referral information.

A full password reset was performed on all CCAH email accounts and further training has been provided to the workforce on email security. CCAH is unaware of any misuse of members’ information.

The post Health Plan Member Portals Accessed Using Stolen Credentials appeared first on HIPAA Journal.

Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack

It is becoming increasingly common for healthcare organizations to face legal action after experiencing a ransomware attack in which patient data is stolen. The Florida Orthopaedic Institute, one of the largest orthopedic providers in the state, is one of the latest healthcare providers to face a class action lawsuit over a ransomware attack.

The ransomware attack was detected on April 9, 2020 when staff were prevented from accessing computer systems and data due to the encryption of files. A third-party computer forensics firm was engaged to assist with the investigation and determined on May 6, 2020 that the attackers may have accessed and exfiltrated patient data. A range of sensitive data was potentially compromised including names, dates of birth, Social Security numbers, and health insurance information. Affected patients were notified about the breach on or around June 19, 2020 and were offered complimentary identity theft and credit monitoring services for 12 months. At the time of issuing notifications, no evidence had been found to suggest patient data had been misused.

Attorney John Yanchunis of the law firm Morgan & Morgan recently filed a lawsuit against Florida Orthopaedic Institute in Hillsborough County, FL alleging the healthcare provider failed to implement appropriate safeguards to ensure the confidentiality of patient data. He claimed, “Certainly, this information was in the hands of cybercriminals and was being used maliciously.”

The lawsuit alleges the healthcare provider was “lackadaisical, cavalier, reckless, or in the very least, negligent” with respect to maintaining the privacy of its patients and that basic cybersecurity best practices were not followed. In addition to negligence, the lawsuit alleges invasion of privacy, breach of fiduciary duty, breach of implied contract, unjust enrichment, and violation of Florida’s Deceptive and Unfair Trade Practices Act.

While patients were offered complimentary identity theft protection services, Yanchunis claims that 12 months of coverage is not nearly enough to protect victims, since affected individuals now face an elevated risk of financial harm as a result of the breach for many years to come.

The lawsuit seeks extended credit monitoring for breach victims and at least $99 million in damages on behalf of the current and former patients.

The incident has yet to appear on the breach portal maintained by the HHS’ Office for Civil Rights so it is currently unclear how many patients have been affected by the attack. According to the lawsuit, at least 100,000 patients were affected and potentially more than 150,000.

Other recent ransomware attacks that have resulted in lawsuits include the attack on DCH Health System and BST & Co CPAs LLC. Grays Harbor Community Hospital recently proposed a $185,000 settlement to resolve a potential class action lawsuit filed on behalf of a victim of the breach.

The post Florida Orthopaedic Institute Facing Class Action Lawsuit Over Ransomware Attack appeared first on HIPAA Journal.