Healthcare Cybersecurity

FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor

A joint alert was recently issued by the FBI and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) regarding cybercriminals’ use of The Onion Router (Tor) in cyberattacks.

Tor is free, open source software built on onion routing, a technique developed at the U.S. Naval Research Laboratory in the mid-1990s. Today, Tor is used to browse the internet anonymously. When using Tor, internet traffic is encrypted in multiple layers and relayed through a series of volunteer-run nodes along a random path to the destination server, so a user’s online activity cannot easily be traced back to their IP address. When a Tor user accesses a website, the address the site records is that of the exit node, not the user’s own.

Unsurprisingly, given the anonymity Tor provides, many threat actors have adopted it to hide their location and IP address while conducting attacks and other malicious activity. Cybercriminals use Tor to perform reconnaissance on targets, launch attacks, view and exfiltrate data, deploy malware and ransomware, and conduct denial of service (DoS) attacks. According to the alert, cybercriminals also use Tor to relay commands from their command and control (C2) servers to malware and ransomware.

Since malicious activities can be conducted anonymously, it is harder for network defenders to attribute attacks, respond to them, and recover systems. CISA and the FBI recommend that organizations conduct a risk assessment to identify their risk of compromise via Tor. The risk will be different for each organization, so the assessment should determine the likelihood of an attack via Tor and the probability of its success given the mitigations and security controls already in place. Before deciding whether to block Tor traffic, it is important to consider why legitimate users may be choosing Tor to access the network. Blocking Tor traffic will improve security but will also cut off those legitimate users.

CISA and the FBI warn that Tor has been used in the past by a range of different threat actors, from nation-state sponsored Advanced Persistent Threat (APT) actors to individual, low-skill hackers. Organizations that do not take steps to either block inbound and outbound traffic via Tor, or monitor traffic from Tor nodes closely, will be at a heightened risk of attack.

In these attacks, reconnaissance is conducted, targets are selected, and active and passive scans are performed to identify vulnerabilities in public-facing applications that can then be exploited anonymously. Standard security tools alone are not sufficient to detect and block such attacks; a range of security solutions needs to be implemented, and logging should be enabled so that potentially malicious activity can be analyzed using both indicator-based and behavior-based approaches.

“Using an indicator-based approach, network defenders can leverage security information and event management (SIEM) tools and other log analysis platforms to flag suspicious activities involving the IP addresses of Tor exit nodes,” according to the report. A list of Tor exit node IP addresses is maintained by the Tor Project’s Exit List Service and can be downloaded. Security teams can use the list to identify any substantial transactions associated with those IP addresses by analyzing their netflow, packet capture (PCAP), and web server logs.

“Using a behavior-based approach, network defenders can uncover suspicious Tor activity by searching for the operational patterns of Tor client software and protocols,” such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that Tor clients and relays commonly use.
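As an added example (this is not code from the alert or from the Tor Project), the following Python sketch applies both approaches to constructed data: it loads a sample in the one-address-per-line format of the Tor Project’s bulk exit list, flags web server log entries from listed exit addresses with request, failed-authentication and byte counts for the indicator-based check, and flags outbound flows to the default Tor relay ports (9001 ORPort, 9030 DirPort) or to a listed exit address for the behavior-based check. The exit addresses, log lines and flow records are constructed for the example; the ports are Tor’s defaults, but relays can be configured to use others, so a port match is a lead to investigate rather than proof.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of the Tor Project's bulk exit list
# (https://check.torproject.org/torbulkexitlist): one IPv4 address per line.
# The addresses below are documentation ranges, not real exit relays.
SAMPLE_EXIT_LIST = """\
# constructed sample, not a real exit list
198.51.100.7
198.51.100.200
203.0.113.45
"""

# Constructed web server log lines in the Apache/nginx "combined" format.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [10/Jul/2020:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2020:14:02:13 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2020:14:02:15 +0000] "POST /login HTTP/1.1" 401 87 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jul/2020:14:03:01 +0000] "GET /patients/1234 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [10/Jul/2020:14:05:42 +0000] "GET /api/export?all=1 HTTP/1.1" 200 5242880 "-" "python-requests/2.23"',
]

# Constructed netflow-style records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.5.22", "192.0.2.80", 443, 18000),
    ("10.0.5.23", "198.51.100.200", 9001, 72000),   # default Tor ORPort
    ("10.0.5.23", "198.51.100.200", 9030, 1200),    # default Tor DirPort
    ("10.0.5.24", "192.0.2.81", 80, 4000),
]

# Default Tor relay ports (ORPort 9001, DirPort 9030). Relays may use other
# ports, so a match is a lead to investigate, not proof of Tor use.
TOR_DEFAULT_PORTS = {9001, 9030}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_exit_list(text):
    """Return the set of exit addresses, skipping blank and comment lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            exits.add(ipaddress.ip_address(line))
    return exits


def flag_exit_node_requests(log_lines, exit_nodes):
    """Indicator-based check: summarise requests from listed exit addresses.

    Returns {exit_ip: {"requests", "failed_auth", "bytes", "paths"}} so an
    analyst can spot credential guessing (many 401/403s) or bulk downloads
    (large byte counts) arriving over Tor."""
    hits = defaultdict(lambda: {"requests": 0, "failed_auth": 0, "bytes": 0, "paths": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or ipaddress.ip_address(m["ip"]) not in exit_nodes:
            continue
        h = hits[m["ip"]]
        h["requests"] += 1
        if m["status"] in ("401", "403"):
            h["failed_auth"] += 1
        if m["bytes"] != "-":
            h["bytes"] += int(m["bytes"])
        parts = m["req"].split(" ")
        h["paths"].append(parts[1] if len(parts) > 1 else m["req"])
    return dict(hits)


def flag_tor_port_flows(flows, exit_nodes=frozenset()):
    """Behaviour-based check: outbound flows to default Tor relay ports, or to
    a listed exit address on any port, grouped by internal source host."""
    suspects = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if port in TOR_DEFAULT_PORTS:
            reason = f"destination port {port} is a default Tor relay port"
        elif ipaddress.ip_address(dst) in exit_nodes:
            reason = "destination is a listed Tor exit address"
        else:
            continue
        suspects[src].append({"dst": dst, "port": port, "bytes": nbytes, "reason": reason})
    return dict(suspects)


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for ip, summary in flag_exit_node_requests(SAMPLE_ACCESS_LOG, exits).items():
        print(f"exit {ip}: {summary}")
    for host, records in flag_tor_port_flows(SAMPLE_FLOWS, exits).items():
        print(f"internal host {host}: {records}")
```

In practice the exit list is refreshed regularly (exit relays change daily), the matching runs inside the SIEM rather than a script, and a hit is triaged on what the Tor-sourced client did (repeated authentication failures, unusually large responses, requests to administrative paths) rather than on the mere presence of a Tor exit address.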

“Organizations should research and enable the pre-existing Tor detection and mitigation capabilities within their existing endpoint and network security solutions, as these often employ effective detection logic. Solutions such as web application firewalls, router firewalls, and host/network intrusion detection systems may already provide some level of Tor detection capability,” suggest the FBI and CISA.

While it is possible to reduce risk by blocking all Tor web traffic, this highly restrictive approach will not eliminate it entirely, since not all Tor network access points (unlisted bridge relays, for example) are published. It will also block legitimate Tor traffic. Tailored monitoring, analysis, and blocking of web traffic to and from public Tor entry and exit nodes may be a better solution, although this approach is likely to be resource intensive.

Details of how to block, monitor and analyze Tor traffic are provided in the alert, a PDF copy of which is available for download here.

The post FBI and CISA Issue Joint Alert About Threat of Malicious Cyber Activity Through Tor appeared first on HIPAA Journal.

Microsoft Shuts Down COVID-19 Phishing Campaign and Warns of Malicious OAuth Apps

A large-scale phishing campaign spanning 62 countries has been shut down by Microsoft. The campaign was first identified by Microsoft’s Digital Crimes Unit (DCU) in December 2019. It targeted businesses in order to gain access to Office 365 accounts, which the attackers then used to harvest sensitive information and contact lists. The compromised accounts were then used for business email compromise (BEC) attacks to obtain fraudulent wire transfers and redirect payroll.

Initially, the emails used in the campaign appeared to have been sent by an employer and contained business-related reports with a malicious email attachment titled Q4 Report – Dec19. More recently, the attackers switched to COVID-19 lures to exploit financial concerns related to the pandemic. One of the lures used the term “COVID-19 bonus” to get victims to open malicious email attachments or click malicious links.

When the attachments were opened or the links clicked, users were directed to a web page hosting a malicious application. The apps closely resembled legitimate web apps that businesses commonly use to improve productivity and security and to support remote workers, and users were prompted to grant them OAuth access to their Office 365 accounts. This technique, known as consent phishing, never asks the victim for a password: the attacker’s app receives access through the user’s own authorization decision.

Once permission was granted, the attackers obtained access and refresh tokens that let them use the victims’ Office 365 accounts without knowing the password, and to keep using them until the consent was revoked. Multi-factor authentication does not stop this: the user authenticates legitimately and then hands the app its own credential. In addition to contact lists, emails, attachments, notes, tasks, and profiles, the attackers also had access to the SharePoint document management system and OneDrive for Business, and any files stored there.

Microsoft implemented technical measures to block the phishing emails and filed a civil case in the U.S. District Court for the Eastern District of Virginia to obtain a court order to seize six domains the scammers were using to host the malicious apps. The court order has now been obtained and Microsoft has disabled the domains. Without that infrastructure, the cybercriminals can no longer conduct the campaign. It is believed to be the work of a cybercriminal organization rather than a nation state-sponsored group.

“This unique civil case against COVID-19-themed BEC attacks has allowed us to proactively disable key domains that are part of the criminals’ malicious infrastructure, which is a critical step in protecting our customers,” explained Microsoft.

Microsoft also shared best practices to help organizations improve their defenses against phishing and BEC attacks. The first step is to enable multi-factor authentication on all email accounts, both business and personal. Businesses should train employees to identify phishing and BEC attacks, and security alerts should be enabled for suspicious links and files.

Email forwarding rules should be checked for suspicious entries, since attackers who gain access to a mailbox commonly add rules to siphon off messages or hide their activity, and organizations should educate staff on how Microsoft permissions and the consent framework work. Audits should be conducted on apps and consent permissions to ensure that applications are only granted access to the data they need.
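As an added illustration of the consent audit described above (this is example code, not Microsoft’s tooling), the Python below scores delegated consent grants using records shaped like the Microsoft Graph `oauth2PermissionGrants` and `servicePrincipals` objects. The sample grants, service principals, tenant id and the set of scopes treated as high risk are all constructed or chosen for this example; a real run would fetch the records from Graph. It flags grants with mailbox, contacts, files or `offline_access` scopes, tenant-wide consent, apps from an unverified publisher in another tenant, and display names that imitate a Microsoft product through digit-for-letter substitution, then lists the Graph calls that would revoke the worst of them.

```python
# Constructed sample records shaped like Microsoft Graph responses from
# GET /oauth2PermissionGrants (delegated grants). Ids and values are invented.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "sp-111", "consentType": "Principal",
     "principalId": "user-alice", "resourceId": "sp-graph",
     "scope": "User.Read openid profile"},
    {"id": "grant-2", "clientId": "sp-222", "consentType": "Principal",
     "principalId": "user-bob", "resourceId": "sp-graph",
     "scope": "Mail.ReadWrite Contacts.Read Files.ReadWrite.All offline_access"},
    {"id": "grant-3", "clientId": "sp-333", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read"},
]

# Constructed servicePrincipal records (subset of GET /servicePrincipals
# fields), keyed by object id so a grant's clientId resolves to the app.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-111": {"appDisplayName": "Teams Meeting Notes", "appOwnerOrganizationId": "tenant-microsoft",
               "verifiedPublisher": {"displayName": "Microsoft"}},
    "sp-222": {"appDisplayName": "0ffice 365 Secure Mail Add-in", "appOwnerOrganizationId": "tenant-unknown",
               "verifiedPublisher": {"displayName": None}},
    "sp-333": {"appDisplayName": "HR Portal", "appOwnerOrganizationId": "tenant-ours",
               "verifiedPublisher": {"displayName": None}},
}

OUR_TENANT_ID = "tenant-ours"  # hypothetical: the auditing organisation's own tenant

# Delegated scopes that expose mailbox, contacts or files, or hand out a
# refresh token (offline_access). The selection is this example's triage choice.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Contacts.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "offline_access",
}

# Crude look-alike detection: fold common digit-for-letter substitutions and
# see whether a Microsoft product name appears only after folding.
LOOKALIKE_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
BRAND_WORDS = ("office", "microsoft", "outlook", "sharepoint", "onedrive")


def looks_like_brand_spoof(display_name):
    raw = display_name.lower()
    folded = raw.translate(LOOKALIKE_FOLD)
    return any(w in folded for w in BRAND_WORDS) and not any(w in raw for w in BRAND_WORDS)


def audit_grants(grants, service_principals, our_tenant_id):
    """Score each consent grant; return findings sorted highest risk first."""
    findings = []
    for g in grants:
        sp = service_principals.get(g["clientId"], {})
        name = sp.get("appDisplayName", g["clientId"])
        risky = sorted(set(g.get("scope", "").split()) & HIGH_RISK_SCOPES)
        reasons, score = [], 0
        if risky:
            reasons.append("high-risk delegated scopes: " + ", ".join(risky))
            score += len(risky)
        if g.get("consentType") == "AllPrincipals":
            reasons.append("tenant-wide consent (applies to every user)")
            score += 1
        publisher = (sp.get("verifiedPublisher") or {}).get("displayName")
        if not publisher and sp.get("appOwnerOrganizationId") != our_tenant_id:
            reasons.append("unverified publisher registered in another tenant")
            score += 2
        if looks_like_brand_spoof(name):
            reasons.append("display name imitates a Microsoft product")
            score += 2
        if reasons:
            findings.append({"grant": g["id"], "app": name, "client": g["clientId"],
                             "principal": g.get("principalId"), "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def plan_revocations(findings, min_score):
    """Graph calls that would revoke the grants scoring at or above min_score.

    Deleting an oauth2PermissionGrant withdraws the consent: access tokens the
    app already holds stay valid until they expire, but its refresh attempts
    are rejected once the grant is gone."""
    return [("DELETE", f"https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{f['grant']}")
            for f in findings if f["score"] >= min_score]


if __name__ == "__main__":
    results = audit_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS, OUR_TENANT_ID)
    for f in results:
        print(f"{f['score']:>2}  {f['app']!r} ({f['grant']}): {'; '.join(f['reasons'])}")
    for method, url in plan_revocations(results, min_score=5):
        print(method, url)
```

The scoring weights are deliberately simple; what matters is that the audit looks at every grant in the tenant, resolves each to the app and publisher behind it, and treats a refresh token plus mailbox scope from an unverified publisher as an incident to investigate rather than a configuration curiosity.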

NSA Issues Guidance on Securing IPsec Virtual Private Networks

The U.S. National Security Agency (NSA) has issued guidance to help organizations secure IP Security (IPsec) Virtual Private Networks (VPNs), which are used to allow employees to securely connect to corporate networks to support remote working.

IPsec VPNs protect sensitive data in transit against unauthorized access through cryptography, but if they are not correctly configured they can be vulnerable to attack. During the pandemic, many organizations have turned to VPNs to support their remote workforce, and the large number of employees working remotely has made VPNs a key target for cybercriminals. Many attacks have been performed on vulnerable VPNs, and flaws and misconfigurations have been exploited to gain access to corporate networks to steal sensitive information and deploy malware and ransomware.

The NSA warns that maintaining a secure VPN tunnel can be complex and regular maintenance is required. As with all software, regular software updates are required. Patches should be applied on VPN gateways and clients as soon as possible to prevent exploitation. It is also important for default VPN settings to be changed. Default credentials are publicly available and can be used by malicious actors to login and gain a foothold in the network.

Admins need to take steps to reduce the VPN gateway attack surface. Since VPNs are often accessible from the internet, they can be prone to brute force attacks, network scanning, and zero-day vulnerabilities. To reduce risk, admins should apply filtering rules to restrict ports, protocols, and IP addresses of network traffic to VPN devices. If it is not possible to restrict access, an intrusion prevention system should be implemented in front of the gateway to monitor for malicious traffic and inspect IPsec session negotiations.

An IPsec VPN configuration requires an Internet Security Association and Key Management Protocol (ISAKMP) or Internet Key Exchange (IKE) policy, which protects the key negotiation, along with an IPsec policy, which protects the data traffic itself. It is important that the ISAKMP/IKE and IPsec policies do not allow obsolete cryptographic algorithms. If weak algorithms are permitted, the VPN is exposed to a downgrade attack, in which the peers are steered into negotiating a non-compliant or weak cryptographic suite even though a stronger one is also configured. The NSA notes that extra ISAKMP/IKE and IPsec policies are often present by default, and these should be removed if they are not needed.

Organizations should check CNSSP 15 and NIST guidance for the latest cryptographic requirements and standards and ensure that only compliant algorithms are configured.
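As an added example (not from the NSA guidance itself), the following Python audits a set of IKE policies and IPsec proposals the way the two paragraphs above describe: every configured policy is checked, not only the preferred one, surplus default policies are reported for removal, and the result says whether a downgrade is possible. The configuration is a constructed, vendor-neutral dict form standing in for a gateway’s running config. The algorithm classes are this example’s encoding of the guidance as the editor reads it: DES, 3DES, MD5, SHA-1, DH groups 1, 2 and 5, and IKEv1 are treated as obsolete, and AES-256, SHA-384, DH group 16 or 20 and IKEv2 as the recommended profile; adjust them to the current CNSSP 15 and NIST text before relying on the verdicts.

```python
# Algorithm classes used by this example (editor's reading of the NSA/CNSSP 15
# guidance; adjust to the current text). "Obsolete" must never be negotiable;
# "below-recommended" is not broken but falls short of the recommended profile.
OBSOLETE_ENCRYPTION = {"des", "3des", "rc4", "null"}
OBSOLETE_INTEGRITY = {"md5", "sha1"}
OBSOLETE_DH_GROUPS = {1, 2, 5}            # 768-, 1024- and 1536-bit MODP
RECOMMENDED_ENCRYPTION = {"aes-256-gcm", "aes-256-cbc"}
RECOMMENDED_INTEGRITY = {"sha384", "sha512"}
RECOMMENDED_DH_GROUPS = {16, 20}          # 4096-bit MODP, 384-bit ECP

# Constructed configuration in a vendor-neutral dict form. A real audit would
# parse this out of the gateway's running config; the "default-*" entries
# mimic the surplus policies many gateways ship enabled.
SAMPLE_IKE_POLICIES = [
    {"name": "ike-corp", "protocol": "IKEv2", "encryption": "aes-256-gcm",
     "integrity": None, "prf": "sha384", "dh_group": 20},
    {"name": "default-1", "protocol": "IKEv1", "encryption": "3des",
     "integrity": "sha1", "prf": "sha1", "dh_group": 2},
    {"name": "default-2", "protocol": "IKEv2", "encryption": "aes-128-cbc",
     "integrity": "sha256", "prf": "sha256", "dh_group": 14},
]
SAMPLE_IPSEC_PROPOSALS = [
    {"name": "esp-corp", "encryption": "aes-256-gcm", "integrity": None, "pfs_group": 20},
    {"name": "esp-legacy", "encryption": "aes-128-cbc", "integrity": "md5", "pfs_group": None},
]


def _check_suite(p, obsolete, below):
    """Classify the encryption and integrity algorithms of one policy."""
    enc = (p.get("encryption") or "").lower()
    if enc in OBSOLETE_ENCRYPTION:
        obsolete.append(f"encryption {enc}")
    elif enc not in RECOMMENDED_ENCRYPTION:
        below.append(f"encryption {enc}")
    if enc.endswith("-gcm"):
        return  # AEAD mode: integrity comes from GCM, no separate HMAC is used
    integ = (p.get("integrity") or "none").lower()
    if integ in OBSOLETE_INTEGRITY or integ == "none":
        obsolete.append(f"integrity {integ}")
    elif integ not in RECOMMENDED_INTEGRITY:
        below.append(f"integrity {integ}")


def _check_group(g, label, obsolete, below):
    if g is None:
        obsolete.append(f"no {label} (no Diffie-Hellman exchange)")
    elif g in OBSOLETE_DH_GROUPS:
        obsolete.append(f"{label} {g}")
    elif g not in RECOMMENDED_DH_GROUPS:
        below.append(f"{label} {g}")


def _verdict(obsolete, below):
    if obsolete:
        return {"status": "obsolete", "issues": obsolete + below}
    if below:
        return {"status": "below-recommended", "issues": below}
    return {"status": "compliant", "issues": []}


def audit_ike_policy(p):
    obsolete, below = [], []
    if (p.get("protocol") or "").upper() != "IKEV2":
        obsolete.append(f"{p.get('protocol')} (use IKEv2)")
    _check_suite(p, obsolete, below)
    if (p.get("prf") or "").lower() in OBSOLETE_INTEGRITY:
        obsolete.append(f"PRF {p['prf']}")
    _check_group(p.get("dh_group"), "DH group", obsolete, below)
    return _verdict(obsolete, below)


def audit_ipsec_proposal(p):
    obsolete, below = [], []
    _check_suite(p, obsolete, below)
    # Without PFS the ESP keys derive only from the IKE SA, so one compromised
    # IKE key exposes every tunnel keyed from it.
    _check_group(p.get("pfs_group"), "PFS group", obsolete, below)
    return _verdict(obsolete, below)


def audit_vpn_config(ike_policies, ipsec_proposals):
    """Audit every configured policy, not just the preferred one.

    A responder accepts any proposal matching one of its configured policies,
    so a single obsolete policy left enabled is enough: a peer (or an attacker
    posing as one) that offers only the weak suite gets it, and the strong
    policy protects nothing until the weak ones are removed."""
    report = {p["name"]: audit_ike_policy(p) for p in ike_policies}
    report.update({p["name"]: audit_ipsec_proposal(p) for p in ipsec_proposals})
    return {
        "policies": report,
        "downgrade_exposed": any(r["status"] == "obsolete" for r in report.values()),
        "remove_or_fix": [n for n, r in report.items() if r["status"] != "compliant"],
    }


if __name__ == "__main__":
    result = audit_vpn_config(SAMPLE_IKE_POLICIES, SAMPLE_IPSEC_PROPOSALS)
    for name, verdict in result["policies"].items():
        print(f"{name:<12} {verdict['status']:<18} {', '.join(verdict['issues'])}")
    print("downgrade exposed:", result["downgrade_exposed"])
    print("remove or fix:", result["remove_or_fix"])
```

Run against the sample, only `ike-corp` and `esp-corp` pass; the two vendor defaults and the legacy ESP proposal are reported, and the presence of `default-1` alone is enough to mark the gateway as exposed to downgrade regardless of how strong `ike-corp` is.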

The NSA guidance on securing IPsec VPNs can be found here.

Serious Vulnerabilities Identified in Apache Guacamole Remote Access Software

Several vulnerabilities have been identified in Apache Guacamole, a remote access system that many companies use to let administrators and employees access Windows and Linux devices remotely. The system has proven popular during the COVID-19 pandemic for allowing employees to work from home and connect to the corporate network. Apache Guacamole is also embedded in many network access and security products, such as Fortress, Quali, and Fortigate, and is one of the most prominent tools on the market, with more than 10 million Docker downloads.

Apache Guacamole is a clientless solution, meaning remote workers do not need to install any software on their devices. They can simply use a web browser to access their corporate device. System administrators only need to install the software on a server. Depending on how the system is configured, a connection is made using SSH or RDP with Guacamole acting as an intermediary between the browser and the device the user wants to connect to, relaying communications between the two.

Check Point Research evaluated Apache Guacamole and found several reverse RDP vulnerabilities in Apache Guacamole 1.1.0 and earlier, along with a related flaw in FreeRDP, the open source RDP implementation that Guacamole uses for its RDP connections. In a reverse RDP attack the roles are inverted: the malicious party is the RDP server, and the RDP client (here, the Guacamole gateway) is compromised when it connects. The vulnerabilities could be exploited by remote attackers to achieve code execution, allowing them to hijack servers and intercept sensitive data by eavesdropping on remote sessions. The researchers note that in a situation where virtually all employees are working remotely, exploitation of these vulnerabilities would be akin to gaining full control of the entire organizational network.

According to Check Point Research, the flaws could be exploited in two ways. If an attacker already has a foothold in the network and has compromised a desktop computer, the vulnerabilities could be exploited to attack the Guacamole gateway when a remote worker attempts to log in and access that device. The attacker could then take full control of the gateway and any remote connections passing through it. The flaws could also be exploited by a malicious insider to gain access to the computers of other workers in the organization.

The vulnerabilities could allow Heartbleed-style information disclosure, as the researchers demonstrated, as well as read and write access to the vulnerable server. The researchers chained the vulnerabilities together, elevated privileges to admin, and achieved remote code execution. The flaws, tracked as CVE-2020-9497 and CVE-2020-9498, were reported to the Apache Software Foundation, and patches were released on June 28, 2020.

The researchers also found that an older FreeRDP vulnerability, CVE-2018-8786, could be exploited to take control of the gateway: Guacamole builds that bundle a FreeRDP version prior to 2.0.0-rc4 (released January 2020) remain exposed to it.

All organizations that have adopted Apache Guacamole should ensure they are running the latest version (1.2.0 or later, which carries the fixes) on their servers, and that any product embedding Guacamole has been updated by its vendor.

Serious Vulnerabilities identified in the OpenClinic GA Integrated Hospital Information Management System

Twelve vulnerabilities have been identified in the open source integrated hospital information management system, OpenClinic GA.

OpenClinic GA is used by many hospitals and clinics for the management of administrative, financial, clinical, lab and pharmacy workflows, and is used for bed management, medical billing, ward management, in-patient and out-patient management, and other hospital management functions.

Brian D. Hysell has been credited with finding the vulnerabilities, three of which are rated critical and six high severity. Exploitation of the vulnerabilities could allow an attacker to bypass authentication, gain access to restricted information, view or manipulate database information, and remotely execute malicious code.

The vulnerabilities require a low level of skill to exploit, several can be exploited remotely, and public exploits exist for some of the flaws. The vulnerabilities have been assigned CVSS v3 base scores ranging from 5.4 to 9.8.

The flaws were identified in OpenClinic GA Versions 5.09.02 and 5.89.05b.

The most serious flaws include:

CVE-2020-14495 – Use of third-party components that have reached end of life and contain known vulnerabilities, which could lead to remote execution of arbitrary code – CVSS v3 9.8 – Critical

CVE-2020-14487 – A hidden default user account could be used by an attacker to log in to the system and execute arbitrary commands, unless the account has been expressly disabled by an administrator – CVSS v3 9.4 – Critical

CVE-2020-14485 – Client-side access controls could be bypassed to initiate a session with limited functionality, from which admin functions such as SQL commands could be executed – CVSS v3 9.4 – Critical

CVE-2020-14493 – Low-privileged users could use SQL syntax to write arbitrary files to the server and execute arbitrary commands – CVSS v3 8.8 – High

CVE-2020-14488 – A lack of verification of uploaded files could allow a low-privileged user to upload and execute arbitrary files on the system – CVSS v3 8.8 – High

Further information on the vulnerabilities can be found in the CISA medical advisory.

OpenClinic GA has been made aware of the vulnerabilities and steps are being taken to correct the flaws, but no confirmation has been issued as to whether the flaws have been corrected.

All healthcare organizations that use OpenClinic GA have been advised to ensure that the software is updated to the latest version to reduce the risk of exploitation and to ensure the software is kept up to date.

CISA recommends applying the principle of least privilege, minimizing network exposure for control system devices/systems, and ensuring the system is not accessible over the internet. All systems should be located behind a firewall, and if remote access is required, access should require a VPN. VPNs should be updated to the latest version and patches applied promptly.

University of California San Francisco Pays $1.14 Million Ransom to Resolve NetWalker Ransomware Attack

University of California San Francisco has paid a $1.14 million ransom to the operators of NetWalker ransomware to resolve an attack that saw data on servers within the School of Medicine encrypted. The attack occurred on June 1, 2020. UCSF isolated the affected servers, but not in time to prevent file encryption.

UCSF School of Medicine is engaged in research to find a cure for COVID-19 and the university is heavily involved in antibody testing. The ransomware attack did not impede the work being conducted on COVID-19, patient care delivery operations were not affected, and UCSF does not believe the attackers gained access to patient data, although some files were stolen in the attack.

The encrypted data was essential to research being conducted by the university, and since it was not possible to recover files from backups, UCSF had little option other than to negotiate with the attackers. “We therefore made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained,” explained UCSF.

The BBC received an anonymous tip-off about a live chat on the dark web between the negotiators and the NetWalker ransomware operators and followed the negotiations. According to the report, a sample of data stolen in the attack was posted online by the attackers, but after UCSF made contact via email the data was taken offline while the ransom was negotiated. Initially, a ransom payment of $780,000 was offered by UCSF, but the NetWalker gang demanded a payment of $3 million. A payment of 116.4 Bitcoin – $1,140,895 – was finally negotiated a day later.

The investigation into the ransomware attack indicates that neither UCSF nor the School of Medicine were targeted in the attack. “Our investigation is ongoing but, at this time, we believe that the malware encrypted our servers opportunistically, with no particular area being targeted,” explained UCSF on its website. UCSF reported the attack to the FBI and is assisting with the investigation.

UCSF was one of three universities in the United States to be attacked with NetWalker ransomware in the space of a week in early June. Attacks were also conducted on Columbia College Chicago and Michigan State University. Data stolen in the attack on Columbia College has since been removed from the NetWalker leak site, which suggests the college also paid the ransom.

Surge in Attacks Prompts Fresh Warning to Patch Microsoft Exchange Server Vulnerability

Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange vulnerability CVE-2020-0688. Microsoft catalogued it as a memory corruption flaw, but it stems from every Exchange installation sharing the same static ASP.NET validation and decryption keys for the Exchange Control Panel, which lets an attacker holding any valid mailbox credentials submit a crafted ViewState and execute code on the server as SYSTEM.

Microsoft released an update to correct the vulnerability in February 2020, and an alert was issued in March when APT groups started exploiting the flaw, yet patching remained slow even though the vulnerability was being actively exploited in the wild. Now Microsoft has detected a surge in attacks on vulnerable Exchange servers and is advising all Exchange customers to patch immediately.

Any vulnerability in Microsoft Exchange should be treated as high priority. By exploiting Exchange flaws, an attacker can gain access to the email system, which often contains an extensive amount of highly sensitive information and, in healthcare, often protected health information. As is the case with this vulnerability, attackers can gain access to highly privileged accounts and not only compromise the entire email system but also gain administrative rights to the server and from there take control of the network.

“Exchange servers have traditionally lacked antivirus solutions, network protection, the latest security updates, and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions,” warns Microsoft. “Attackers know this, and they leverage this knowledge to gain a stable foothold on a target organization.”

Microsoft explained that the CVE-2020-0688 vulnerability is an attacker’s dream. They do not need to phish or socially engineer their way into an admin account: the credentials of any ordinary user are enough to attack the server directly.

An analysis of attacks conducted in April shows APT groups deploying web shells, running exploratory commands for reconnaissance, and using EternalBlue to identify other machines on the network to attack. Where the server was misconfigured, attackers gained the highest level of privileges on it without needing remote access tools.

Attackers added a new account and made it a domain admin, with unrestricted access to every user and group in the organization. They used the compromised servers to harvest the credentials of some of the most sensitive users and groups in the organization.

Attackers are exploiting the vulnerability to gain a stable foothold in the targeted organization’s network. They tamper with security tools, move laterally, establish remote access that bypasses security restrictions, and exfiltrate data, including entire mailboxes. Failure to apply the patch could result in an extensive and costly data breach.

In addition to applying the patch, Microsoft recommends remediating any further vulnerabilities in Exchange servers immediately, installing antivirus software on Exchange servers and keeping the software up to date, and also turning on tamper protection features to prevent attackers from disabling security services.

The principle of least-privilege should be practiced, credential hygiene should be maintained, and reviews should be conducted to identify any highly privileged groups that have been added. Security teams are also advised to respond immediately to alerts about suspicious activities on Exchange servers.

Vulnerability identified in Philips Ultrasound Systems

Philips has discovered an authentication bypass issue affecting Philips Ultrasound Systems that could potentially be exploited by an attacker to view or modify information. The flaw is due to the presence of an alternative path or channel that can be used to bypass authentication controls.

The flaw has been assigned CVE-2020-14477 and is considered low severity, with a CVSS v3 base score of 3.6 out of 10. Exploitation requires local access to a vulnerable system; the flaw cannot be exploited remotely and does not place patient safety at risk.

The flaw affects the following Philips Ultrasound Systems:

  • Ultrasound ClearVue Versions 3.2 and prior
  • Ultrasound CX Versions 5.0.2 and prior
  • Ultrasound EPIQ/Affiniti Versions VM5.0 and prior
  • Ultrasound Sparq Versions 3.0.2 and prior
  • Ultrasound Xperius, all versions

The flaw has been corrected for Ultrasound EPIQ/Affiniti systems in the VM6.0 release. Users of these systems should contact their Philips representative for further information on installing the update.

Users of all other affected systems will have to wait until Q4 2020 for an update: Philips will correct the flaw in Ultrasound ClearVue Version 3.3, Ultrasound CX Version 5.0.3, and Ultrasound Sparq Version 3.0.3, all scheduled for release in Q4 2020.

In the meantime, as an interim measure, Philips recommends users ensure their service providers guarantee device integrity during service and repair operations. It is also advisable to implement physical security measures to prevent unauthorized access to the devices, since local access is required to exploit the flaw.

May 2020 Healthcare Data Breach Report

May 2020 saw a marked fall in the number of reported healthcare data breaches compared to April, with 28 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights. That is the lowest number of monthly breaches since December 2018 and the first time in 17 months that healthcare data breaches have been reported at a rate of less than one per day. The monthly total would have been even lower had one breach been reported by the business associate responsible for an improper disposal incident, rather than the 7 healthcare providers impacted by the breach.

Several cybersecurity companies have reported a rise in COVID-19-related attacks, such as phishing campaigns that use COVID-19-themed lures. While there is strong evidence that these lures have become more common since the start of the pandemic, the overall volume of cyberattacks appears to have stayed broadly flat or risen only slightly. Microsoft has reported that its data shows a slight increase in attacks, but describes it as a blip, with the number of threats and attacks changing little during the pandemic.

Threat activity does not appear to have dropped, so the fall in reported cyberattacks and data breaches could indicate that threat actors have taken the decision not to attack healthcare providers on the front line in the fight against COVID-19. The Maze ransomware gang publicly stated that it would not target healthcare providers during the COVID-19 pandemic, but many other ransomware gangs appear to have stepped up their attacks and are making no such concessions.

It is also possible that rather than cyberattacks and data breaches falling, covered entities and business associates have not been detecting breaches or have delayed reporting. The reason for the fall in reported breaches is likely to become clearer over the coming weeks and months and we will see if this is part of a new trend or if the drop is simply a blip.

While it is certainly good news that the number of breaches has fallen, there was a significant increase in the number of exposed and compromised healthcare records. There were 10 fewer data breaches reported in May 2020 than April, but 1,064,652 healthcare records were breached in May. That is more than twice the number of records breached in April.

Largest Healthcare Data Breaches in May 2020

Name of Covered Entity                    | State | Covered Entity Type | Individuals Affected | Type of Breach
Elkhart Emergency Physicians, Inc.        | IN    | Healthcare Provider | 550,000              | Improper Disposal
BJC Health System                         | MO    | Business Associate  | 287,876              | Hacking/IT Incident
Saint Francis Healthcare Partners         | CT    | Business Associate  | 38,529               | Hacking/IT Incident
Everett & Hurite Ophthalmic Association   | PA    | Healthcare Provider | 34,113               | Hacking/IT Incident
Management and Network Services, LLC      | OH    | Business Associate  | 30,132               | Hacking/IT Incident
Sanitas Dental Management                 | FL    | Healthcare Provider | 19,000               | Loss
Mediclaim, LLC                            | MI    | Business Associate  | 14,931               | Hacking/IT Incident
Woodlawn Dental Center                    | OH    | Healthcare Provider | 14,419               | Hacking/IT Incident
Mat-Su Surgical Associates, APC           | AK    | Healthcare Provider | 13,146               | Hacking/IT Incident
Mille Lacs Health System                  | MN    | Healthcare Provider | 10,630               | Hacking/IT Incident

Causes of May 2020 Healthcare Data Breaches

The largest healthcare data breach of the month affected Elkhart Emergency Physicians, Inc. and involved the improper disposal of paper records by business associate Central Files Inc. Elkhart Emergency Physicians was one of seven Indiana healthcare providers to be affected by the breach. In total, the records of 554,876 patients were exposed as a result of that improper disposal incident. There was one other improper disposal incident reported in May, making this the joint second biggest cause of data breaches in the month. Those improper disposal incidents accounted for 52.17% of breached records in May. The mean breach size was 69,434 records and the median breach size was 938 records.

There were 8 unauthorized access/disclosure incidents reported, although those breaches accounted for only 2.35% of breached records in May. The mean breach size was 3,124 records and the median breach size was 3,220 records.

Hacking/IT incidents once again topped the list as the main cause of healthcare data breaches, accounting for 39.28% of the month’s breaches and 43.69% of breached records in May. The mean breach size was 42,290 records and the median breach size was 14,419 records.

There was one loss incident involving a network server that contained the records of 19,000 patients. There were no reports of theft of physical records or devices containing electronic protected health information.

The graph below shows the location of breached protected health information. For the past several months, email has been the most common location of breached PHI due to the high number of healthcare phishing attacks. The number of reported phishing attacks dropped in May, hence the lower than average number of email-related breaches. While the number of incidents fell, there was one major phishing attack reported. An attack on BJC Health System saw 3 email accounts compromised. Those accounts included emails and attachments containing the PHI of 287,876 patients.

May 2020 Healthcare Data Breaches by Covered Entity Type

In line with virtually every other month since the HITECH Act required the HHS’ Office for Civil Rights to publish summaries of data breaches on its ‘Wall of Shame’, healthcare providers were hardest hit, with 21 reported data breaches. It was a good month for health plans, with only one reported breach, but a particularly bad month for business associates: 6 business associates reported data breaches in May, and a further 8 breaches involved business associates but were reported by the covered entity.

Healthcare Data Breaches by State

Data breaches were reported by covered entities and business associates in 17 states in May. Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.

There were 3 data breaches reported in each of Michigan and Ohio, two breaches reported by healthcare providers in Pennsylvania, and one breach was reported in each of Alaska, Arizona, California, Connecticut, Florida, Georgia, Illinois, Maryland, Minnesota, Missouri, Nebraska, New York, and Texas.

HIPAA Enforcement Activity in May 2020

There were no announcements about HIPAA penalties from the HHS’ Office for Civil Rights or state attorneys general in May 2020.
