Author Archives: HIPAA Journal

Researchers Describe Possible Synthetic DNA Supply Chain Attack

A team of researchers at Ben-Gurion University in Israel has described a possible bioterrorist attack scenario in which the supply chain for synthetic DNA is compromised. DNA synthesis providers could be tricked into producing harmful DNA sequences that bypass current screening controls and are then shipped to healthcare and research customers as if they were the sequences ordered.

Synthetic DNA is currently produced for research purposes and is available in many ready-to-use forms. Clients of DNA synthesis providers specify the DNA sequences they require and the DNA synthesis company generates the requested sequences to order and ships them to their customers.

Safety controls exist to prevent the synthesis of DNA that could be harmful, but the Ben-Gurion University researchers point out that those checks are insufficient. An attacker could exploit weaknesses in the ordering software stack to inject rogue genetic information into the synthesis process, unbeknownst to either the customer or the DNA synthesis provider. For example, the injected material could encode a harmful protein or toxin.

The researchers describe a scenario in which a bioterrorist has harmful biological material ordered, produced, and delivered to a customer without ever coming into contact with lab equipment or biological materials. They call the hypothetical method an “end-to-end cyberbiological attack”: it can be performed remotely from a computer, starting with a carefully crafted spear phishing email that delivers a malicious browser plug-in.

An attacker could craft a spear phishing email targeting an individual and use social engineering techniques to get them to install a malicious browser plug-in on their computer. When a genuine order is placed for a specific DNA sequence, the attacker would perform a man-in-the-middle attack and change the requested DNA sequence sent to the DNA synthesis provider, without the knowledge of the person submitting the order.

The DNA synthesis company would run its screening checks to weed out potentially dangerous sequences. Provided the tampered sequence passes those checks, synthesis would proceed and the product would be shipped to the customer. The customer would normally verify the delivered DNA by sequencing it, but the same malicious plug-in could alter the result shown to the customer so that it matches the sequence originally requested. The DNA containing the rogue sequence would then be used in the belief that it is the sequence that was ordered.

Source: Ben-Gurion University

The research paper describing the threat and the potential attack method – Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology – was recently published in Nature Biotechnology. The image above shows the attack process with the malicious steps detailed in red.

The Department of Health and Human Services has produced the HHS Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA, which calls on DNA synthesis providers to screen orders for double-stranded DNA. Screening is intended to flag harmful sequences so that they are not released to customers; however, the researchers point out that there is currently no single, comprehensive database of all pathogenic sequences, and that the checks can potentially be bypassed.

“Currently, the software stack used to develop synthetic genes is loosely secured, allowing the injection of rogue genetic information into biological systems by a cybercriminal with an electronic foothold within an organization’s premises,” explained the researchers. The researchers also demonstrated that through the use of obfuscation, 16 out of 50 DNA samples were not detected by screening systems.
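To make the obfuscation point concrete, the following Python is an added illustration; it is not code from the Ben-Gurion researchers or from any screening provider. It uses a short constructed DNA fragment that encodes nothing real as the stand-in “harmful” sequence, and applies one simple evasion, synonymous codon recoding, which changes the nucleotide string while leaving the encoded protein unchanged. A screen that matches known nucleotide signatures misses the recoded order; a screen that translates all six reading frames and matches at the protein level still catches it. The recoding shown is an assumed, illustrative technique chosen for clarity: the page does not say which obfuscation the researchers used, and a protein-level check closes only this particular gap.

```python
"""Illustration (constructed data): why nucleotide signature screening is brittle.

A screen that matches known harmful DNA strings is evaded by rewriting the gene
with synonymous codons: the DNA changes, the encoded protein does not. Comparing
at the protein level catches this particular rewrite.
"""
from itertools import product

# Standard genetic code, codons in TCAG order -> one-letter amino acids ('*' = stop).
BASES = "TCAG"
AMINO_ACIDS = "FFLLSSSSYY**CC*WLLLLPPPPHHQQRRRRIIIMTTTTNNKKSSRRVVVVAAAADDEEGGGG"
CODON_TABLE = {"".join(c): aa for c, aa in zip(product(BASES, repeat=3), AMINO_ACIDS)}

# Inverse map: amino acid -> every codon that encodes it.
SYNONYMS = {}
for _codon, _aa in CODON_TABLE.items():
    SYNONYMS.setdefault(_aa, []).append(_codon)

_COMPLEMENT = str.maketrans("ACGT", "TGCA")


def reverse_complement(dna):
    """Opposite strand, read 5'->3' (input assumed uppercase ACGT)."""
    return dna.translate(_COMPLEMENT)[::-1]


def translate_dna(dna, frame=0):
    """Translate one reading frame to a protein string; stop codons stay as '*'."""
    seq = dna[frame:]
    return "".join(CODON_TABLE[seq[i:i + 3]] for i in range(0, len(seq) - 2, 3))


def recode(dna):
    """Synonymous recoding: swap each codon for a different codon with the same amino acid.
    ATG (Met) and TGG (Trp) have no alternative and are kept. The protein is unchanged."""
    out = []
    for i in range(0, len(dna) - len(dna) % 3, 3):
        codon = dna[i:i + 3]
        alternatives = [c for c in SYNONYMS[CODON_TABLE[codon]] if c != codon]
        out.append(alternatives[0] if alternatives else codon)
    return "".join(out)


def naive_screen(order, dna_signatures):
    """Signature-style screen: flag known harmful nucleotide strings on either strand."""
    rc = reverse_complement(order)
    return [sig for sig in dna_signatures if sig in order or sig in rc]


def protein_screen(order, protein_signatures):
    """Semantic screen: translate all six reading frames and look for the harmful protein."""
    hits = set()
    for strand in (order, reverse_complement(order)):
        for frame in range(3):
            protein = translate_dna(strand, frame)
            hits.update(sig for sig in protein_signatures if sig in protein)
    return sorted(hits)


# Constructed stand-in for a "harmful" gene fragment; it encodes nothing real.
TOXIN_DNA = "ATGAAACGTTGGCCAGAAGATCTG"
TOXIN_PROTEIN = translate_dna(TOXIN_DNA)      # "MKRWPEDL"
TOXIN_RECODED = recode(TOXIN_DNA)             # "ATGAAGCGCTGGCCTGAGGACTTA", same protein

# The same fragment embedded in benign flanking sequence, before and after obfuscation.
ORDER_ORIGINAL = "CCGGTA" + TOXIN_DNA + "TTGCAC"
ORDER_RECODED = "CCGGTA" + TOXIN_RECODED + "TTGCAC"


def demo():
    """Return the four screening outcomes so the difference is visible at a glance."""
    return {
        "naive/original": naive_screen(ORDER_ORIGINAL, [TOXIN_DNA]),
        "naive/recoded": naive_screen(ORDER_RECODED, [TOXIN_DNA]),
        "protein/original": protein_screen(ORDER_ORIGINAL, [TOXIN_PROTEIN]),
        "protein/recoded": protein_screen(ORDER_RECODED, [TOXIN_PROTEIN]),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:18} -> {'FLAGGED ' + str(hits) if hits else 'passed'}")
```

Run the file directly to see the four outcomes. The lesson is the one signature-based malware detection learned long ago: matching a fixed byte pattern is brittle wherever the attacker can rewrite the payload without changing its effect, so screening has to compare what a sequence does (here, the protein it encodes), not only what it looks like.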

A bioterrorist attack of this nature would be complex, which limits the potential for such an attack to occur, but given the potentially devastating consequences, more rigorous security controls need to be implemented. The current safety mechanisms have been put in place to prevent the deliberate or accidental synthesis of harmful DNA, but the researchers explain that those safety mechanisms have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.

“Biosecurity researchers agree that an improved DNA screening methodology is required to prevent bioterrorists and careless enthusiasts from generating dangerous substances in their labs,” explained the researchers in the report.

The post Researchers Describe Possible Synthetic DNA Supply Chain Attack appeared first on HIPAA Journal.

Webinar: How HIPAA-Compliant Messaging Transforms Healthcare

Data show that 70% of delays in providing treatment to patients are due to miscommunication, so resolving the problems that cause miscommunication in healthcare is key to improving quality of care, clinical outcomes, and the patient experience.

One of the biggest contributory factors to miscommunication is the use of outdated communications systems, which has long been a problem in healthcare. Fortunately, there is a solution that has been shown to greatly improve communication efficiency and reduce the potential for errors and miscommunication – a secure texting platform.

To find out more about secure, HIPAA-compliant messaging and how it can make care teams immediately more efficient and effective, we invite you to join this upcoming webinar.

During the webinar you will discover how this single change can lead to major improvements in collaboration, save valuable time, decrease costs, and lead to happier staff and patients.

The webinar is being hosted by TigerConnect, the leading secure healthcare messaging provider, and will take place on Wednesday, December 9 at 10 a.m. PT / 1 p.m. ET.

Webinar Details:

How HIPAA-Compliant Messaging Transforms Healthcare

Date/Time: Wednesday, December 9 – 10 a.m. PT / 12 p.m. CT / 1 p.m. ET

Hosted by:
Julie Grenuk, Nurse Executive, TigerConnect
Tommy Wright, Director of Product Marketing, TigerConnect



Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

University of Minnesota Physicians has suffered a phishing attack that allowed unauthorized individuals to gain access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters began to be sent to affected individuals on March 30, 2020, while the investigation was still ongoing; that investigation has now been completed. The time taken was due to the painstaking and lengthy process of identifying the relevant data.

University of Minnesota Physicians said that at the time of the breach, multiple email security controls were in place including multi-factor authentication, regular training was being provided to employees on privacy and security, and phishing simulations were being conducted.

Additional technology has now been implemented to further improve security and refresher security training has been provided to employees. Affected individuals have been offered 12 months of complimentary credit monitoring and identity theft protection services through Kroll.

The March 30, 2020 entry on the Office for Civil Rights breach portal indicates 683 individuals have been affected at the time of writing.

McLeod Health Discovers Email Account Breach

South Carolina-based McLeod Health has discovered that an employee’s email account was accessed by an unauthorized individual. Suspicious activity in the account was detected on June 23, 2020 and the account was immediately secured.

A comprehensive forensic review was conducted to determine the nature and scope of the breach, which revealed the email account was breached between April 13, 2020 and April 16, 2020. On August 19, 2020, McLeod Health determined the content of the email account had been downloaded by the attacker in April.

McLeod Health is in the process of conducting a review of the impacted email account to determine what information has been obtained by the attacker and which patients have been affected. Notifications will be mailed to affected patients when the review is completed.

McLeod Health had previously implemented multi-factor authentication to prevent compromised credentials from being used to access email accounts; however, some internal settings had prevented it from being enforced on some devices. Because an attacker needs only one unprotected sign-in path, exceptions of that kind leave the affected accounts effectively unprotected by MFA. That issue is now being addressed, and additional security awareness training is being provided to employees.


Healthcare Provider Discovers Patient Data Exposed Online for Over 4 Years

A round up of healthcare data breaches recently reported by Fairchild Medical Center, Harvard Pilgrim Health Care, and Indian Health Council Inc.

Fairchild Medical Center Discovers Patient Information has been Exposed Online

Fairchild Medical Center in Yreka, CA, has started notifying certain patients that some of their protected health information may have been accessed by unauthorized individuals over the Internet.

In July 2020, Fairchild Medical Center was notified by a third-party security company that a server had been misconfigured, which allowed it to be accessed via the Internet. Assisted by third-party computer specialists, the medical center determined patient information could potentially have been accessed by unauthorized individuals.

The server contained medical images along with patient names, dates of birth, patient identification numbers, exam identification numbers, ordering provider names, and exam dates. The misconfiguration had occurred on December 16, 2015 and was not corrected until July 31, 2020. After changes were made to secure the server, they were verified by a third-party security company.

A forensic investigation could not confirm whether patient information was accessed by unauthorized individuals during the time the server was exposed, but the possibility could not be ruled out.

Harvard Pilgrim Health Care Reports Mismailing Incident

Harvard Pilgrim Health Care is notifying 8,022 individuals that a software error in its enrollment data management system caused a member’s mailing address to be replaced with another address linked to that member’s health plan. As a result, some mailings may have been misdirected to the address of the plan subscriber or to a former address of the member. The issue was traced back to an error that occurred in 2013.

The types of information that may have been disclosed varied from mailing to mailing and potentially included the member’s name, ID number, date of birth, telephone number, dates of service, provider names, treatment information, charges for services, deductibles, co-pay amount, and co-insurance information related to healthcare coverage.

The issue has now been corrected and the process of system updates has been reviewed and enhanced. Affected individuals have been asked to check their Activity Summaries and to report any suspicious entries to Harvard Pilgrim immediately.

Indian Health Council Inc Suffers Ransomware Attack

Valley Center, CA-based Indian Health Council Inc. was the victim of a ransomware attack in September 2020 that resulted in file encryption and may have impacted patients’ protected health information. The cyberattack was discovered on September 22, 2020 and independent computer forensic experts were engaged to assist with the investigation.

A review of the files accessible to the attacker revealed some contained patient information such as names, birth dates, health information, and health insurance information and, for a limited number of individuals, information about health conditions, treatment, or diagnosis information.

Following the attack, passwords were changed, and security has been strengthened to prevent further attacks. Additional measures implemented include further controls covering remote access and multi-factor authentication.

All patients affected by the breach have now been notified. The breach report submitted to the Office for Civil Rights indicates 5,769 individuals were potentially affected.


More Than 295K Patients Impacted by Cyberattack on AspenPointe

The Colorado Springs-based mental health and behavioral health services provider AspenPointe has announced it was the victim of a cyberattack in September 2020 in which patient information may have been compromised. The attack forced the healthcare provider to take its systems offline and most of its operations were affected for several days while the attack was mitigated.

Third-party cybersecurity professionals were engaged to assist with the investigation and recovery efforts and determine the extent to which patient information may have been compromised. A review of the documents potentially accessible to the attackers revealed on November 10, 2020 that patient information had potentially been accessed or acquired.

The documents on the breached systems contained patient names along with one or more of the following data elements: date of birth, driver’s license number, bank account information, Medicaid ID number, admission/discharge dates, diagnosis code, date of last visit, and/or Social Security number.

Following the discovery of the breach, a password reset was performed. Security has since been strengthened with additional endpoint protection technology, changes to the firewall, enhanced network monitoring, and other measures.

Notification letters are now being sent to all individuals potentially affected by the breach and a 1-year complimentary membership to IDX credit monitoring services is being provided to breach victims. Breach victims are also protected by a $1 million identity theft insurance policy and will have access to identity theft recovery services should they be required.

AspenPointe explained in its substitute breach notice that there have been no reported cases of identity theft, fraud, or improper use of patient information and no evidence was found to indicate any patient data was actually stolen by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates the protected health information of 295,617 patients was potentially compromised in the attack.


Mayo Clinic Faces Multiple Lawsuits over Insider Privacy Breach

Mayo Clinic is facing multiple class action lawsuits over an insider data breach reported in October 2020. Mayo Clinic discovered a former employee had accessed the medical records of 1,600 patients without authorization and viewed information such as patient names, demographic information, dates of birth, medical record numbers, medical images, and clinical notes.

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities to implement safeguards to ensure the privacy, confidentiality, and integrity of protected health information and limits the disclosures and uses of that information when patient consent is not obtained.

Healthcare employees are permitted to access PHI in the course of their work duties, but in this case the former employee had no legitimate work reason for viewing the records. The unauthorized access is in violation of the HIPAA Rules; however, there is no private cause of action in HIPAA, so individuals affected by such a breach cannot take legal action for any HIPAA violation that results in their medical records being exposed or compromised.

Two lawsuits have recently been filed in Minnesota state courts alleging violations of the Minnesota Health Records Act (MHRA), which introduced stricter regulations covering the privacy of healthcare data in Minnesota. MHRA applies to all Minnesota-licensed physicians and, unlike HIPAA, provides a private cause of action, so patients can sue providers that violate it.

The lawsuits allege that Mayo Clinic did not implement systems or procedures to ensure that the plaintiffs’ and similarly situated individuals’ health records would be protected from unauthorized access, and that the former employee accessed the plaintiffs’ medical records without first obtaining their consent.

Under MHRA, healthcare providers must obtain a signed and dated consent form from a patient or the patient’s legal representative authorizing the release of their medical records, unless there is a specific authorization in law, or when there is a representation from a provider holding a signed and dated consent form from the patient in question authorizing the release of their medical records.

The lawsuits also bring common law tort claims for invasion of privacy, negligent infliction of emotional distress, and vicarious liability. A major contributory factor to the emotional distress was that some of the accessible medical images included nude photographs of patients taken in connection with their cancer treatment. The plaintiffs seek monetary damages and other relief deemed appropriate by the courts.


US Fertility Reports Ransomware Attack Involving Data Theft

US Fertility has announced it suffered a ransomware attack on September 14, 2020 that affected some of its computer systems, including systems that contained sensitive protected health information. US Fertility is the largest operator of fertility clinics in the United States, running clinics at 55 locations in 10 states. Almost half of its locations are known to have been affected by the attack.

US Fertility responded immediately to the attack and determined that data had been encrypted on a number of its servers and workstations connected to its domain. Those devices were immediately taken offline while the attack was investigated. Third-party security and forensic experts were retained to assist with the investigation and the recovery of data on the affected workstations and servers. USF said it successfully restored all affected devices and reconnected them to the network on September 20, 2020. The attack has been reported to federal law enforcement and USF is assisting in the ongoing investigation.

USF said the forensic investigation has now been completed and data theft has been confirmed. The attackers first gained access to its network on August 12, 2020, and access remained possible until the attack was discovered on September 14, 2020. A review of all files accessible to the attackers was conducted and completed on November 13, 2020.

USF said unknown actors may have had access to files containing names, addresses, dates of birth, MPI numbers, and Social Security numbers. The types of data exposed varied from individual to individual and most patients did not have their Social Security number compromised.

Although data theft was confirmed, USF has received no reports indicating that protected health information has been misused. Affected individuals have nonetheless been advised to monitor their accounts and report any suspected misuse of their information.

USF has taken several steps to improve security since the attack, including fortifying its firewall, enhancing monitoring of network activity, and providing further employee training on data protection, computer security, and recognizing phishing emails.


UVM Health Restores Electronic Health Record System One Month After Ransomware Attack

University of Vermont Health Network has announced it has brought its electronic health record (EHR) system back online, a month after experiencing a ransomware attack. The ransomware attack occurred on October 25, 2020 and caused a massive outage across all six of its hospitals. For the past month, staff have been forced to record patient information, orders, and medications using pen and paper while its computer systems were out of action.

Care continued to be provided to patients during the attack and recovery process, but the recovery of its EHR will greatly improve efficiency. The attack caused major disruption, especially at University of Vermont Medical Center in Burlington, but the attack affected its entire network. Without access to essential patient data, many elective procedures had to be rescheduled and the radiology department on the main campus experienced major delays, and was only open on a limited basis.

In a November 24, 2020 update, UVM Health announced it had achieved a major milestone in the recovery process, having brought its Epic EHR system back online for its inpatient and outpatient sites, including UVM Medical Center and the ambulatory clinics at Central Vermont Medical Center, Champlain Valley Physicians Hospital, and Porter Medical Center.

While electronic patient data is now available and staff can record patient data electronically, the recovery process is far from over and a great deal of work still needs to be done. “Our teams continue to work around the clock towards full restoration as quickly and safely as possible,” explained UVM Health.

The phone system has been restored, but patients are still unable to use the MyChart patient portal and so cannot access their health information online. Hundreds of other applications are used across the health network to deliver patient care, and many of them remain offline. UVM Health is restoring those systems systematically over time, prioritizing patient-facing systems.

Several other healthcare networks were attacked with ransomware around the same time as the attack on UVM Health. St Lawrence Health System in New York was able to restore its electronic health record systems within two weeks, but Sky Lakes Medical Center has been forced to replace the majority of its networks and workstations as a result of its ransomware attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected. ACMC was attacked with ransomware on September 24, 2020, with the attack affecting the medical center and five of its health centers. Its EHR has still not been restored two months after the attack, and a full recovery is not expected until the end of the year.
