Healthcare Cybersecurity

Vulnerability Identified in BD FACSLyric Flow Cytometry Solution

Posted by HIPAA Journal

Becton, Dickinson and Company (BD) has identified an improper access control vulnerability in its BD FACSLyric flow cytometry solution. If the flaw is exploited, an attacker could gain access to administrative level privileges on a vulnerable workstation and execute commands. The vulnerability requires a low level of skill to exploit.

BD extensively tests its software for potential vulnerabilities and promptly corrects flaws. BD is currently taking steps to mitigate the vulnerability for all users of vulnerable FACSLyric flow cytometry solutions.

The flaw (CVE-2019-6517) is due to improper enforcement of user access control for privileged accounts. It has been given a CVSS v3 base score of 6.8 – Medium severity. BD self-reported the vulnerability to the National Cybersecurity & Communications Integration Center (NCCIC).

The vulnerability is present in the following cytometry solutions:

  • BD FACSLyric Research Use Only, Windows 10 Professional Operating System, U.S. and Malaysian Releases (Nov 2017 and Nov 2018)
  • The U.S. release of BD FACSLyric IVD Windows 10 Professional Operating System.

FACSLyric flow cytometry systems on Windows 7 are unaffected.

BD is contacting all affected users and will perform remediation activities to correct the flaw. These include disabling the admin account for users with BD FACSLyric RUO Cell Analyzer units on Windows 10 Pro. Computer workstations with BD FACSLyric IVD Cell Analyzer units on Windows 10 Pro will be replaced.

Users of the vulnerable solutions that have not yet been contacted by BD can contact BD Biosciences General Tech Support for further information.

To minimize the risk of exploitation of vulnerabilities such as this, NCCIC recommends locating medical devices and systems behind firewalls, minimizing network exposure for medical devices and systems, restricting access to authorized individuals, applying the rule of least privilege, adopting defense in depth strategies, and disabling unnecessary accounts and services.

The post Vulnerability Identified in BD FACSLyric Flow Cytometry Solution appeared first on HIPAA Journal.

GDPR Incorporated into the HITRUST CSF

Posted by HIPAA Journal

HITRUST has combined the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST HSF) and is working toward the creation of a single framework and assessment covering all regulatory requirements.

Many countries have introduced new data privacy and security regulations that require companies to implement new policies, procedures, and technologies to keep consumers’ and customers’ data private and confidential. Organizations that wish to conduct business globally must ensure they comply with these country-specific regulations and should conduct assessments to make sure they are fully compliant. The penalties for violations of these regulations can be considerable. GDPR violations can attract a fine up to 4% of global annual turnover, or €20 million, whichever is greater.

Meeting complex compliance requirements and assessing compliance efforts can be a major challenge, although HITRUST’s “one framework, one assessment” model makes the process as simple as possible.

“As countries around the world continue to adopt and advance data protection laws, the challenge of doing business on a global scale grows increasingly complex,” said HITRUST chief privacy officer, Anne Kimbol. “Many countries have their own unique regulatory requirements, creating costs and challenges for organizations to determine if they are compliant to conduct business globally.”

HITRUST has completed the formal application process to the Irish Data Protection Commission and the EU Data Protection Board to have the HITRUST CSF officially recognized as meeting GDPR certification standards and hopes to be confirmed as an accredited certification body for GDPR.

In addition to GDPR, HITRUST has incorporated the Singapore Personal Data Protection Act (PDPA) into the HITRUST HSF and is currently working toward becoming an Accountability Agent under Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules and Procedures for Processing programs.

“Businesses leveraging the HITRUST Approach will be able to leverage a single HITRUST CSF Assessment to report their security, privacy and compliance posture to various audiences globally,” explained HITRUST VP of standards and analysis, Bryan Cline.

The post GDPR Incorporated into the HITRUST CSF appeared first on HIPAA Journal.

Multiple Flaws Identified in LabKey Server Community Edition

Posted by HIPAA Journal

Security researchers at Tenable Research have discovered multiple flaws in LabKey Server Community Edition 18.2-60106.64 which could be exploited to steal user credentials, access medical data, and run arbitrary code through the Labkey browser.

LabKey Server is an open source collaboration tool that allows scientists to integrate, analyze, and share biomedical research data. While the platform serves as a secure data repository, vulnerabilities have been identified that allow security controls to be bypassed.

CVE-2019-3911 – Reflected XSS

Multiple flaws have been identified in all versions of LabKey Server Community Edition prior to v 18.3.0 related to the validation and sanitization of query functions, in particular, the query.sort parameter. The parameter is reflected in output to the user and is interpreted by the browser, which opens to door for a cross site scripting attack. If the flaws are exploited, an attacker could run arbitrary code within the context of the browser. Attacks are possible with and without authentication.

CVE-2019-3912 – Open Redirects

Open redirects via returnURL are present throughout LabKey Server which could be manipulated to redirect users to a location under the control of the attacker. __r paths are the easiest to manipulate.

CVE-2019-3913 – Network Drive Mapping Logic Flaw

Improper sanitization of supplied values in the mount function allows a user to manipulate arguments in the ‘net use’ command when mapping network drives. Tenable has illustrated one of the vulnerabilities in a proof of concept exploit, which allows a user to supply any valid drive letter which will result in the application ending the connection, even if the remainder of the mapping command is not correct. Admin access to the web interface would be required for this vulnerability to be exploited. This flaw could be exploited to map a malicious drive to the server.

Tenable Research disclosed the vulnerabilities to LabKey and patches were developed to correct the three flaws. Updates correcting each of the vulnerabilities were released on January 16, 2019.

To prevent the flaws from being exploited, all users should update to LabKey Server Community Edition 18.3.0-61806.763 or later as soon as possible.

The post Multiple Flaws Identified in LabKey Server Community Edition appeared first on HIPAA Journal.

Analysis of 2018 Healthcare Data Breaches

Posted by HIPAA Journal

Our 2018 healthcare data breach report reveals healthcare data breach trends, details the main causes of 2018 healthcare data breaches, the largest healthcare data breaches of the year, and 2018 healthcare data breach fines. The report was compiled using data from the Department of Health and Human Services’ Office for Civil Rights (OCR).

2018 Was a Record-Breaking Year for Healthcare Data Breaches

Since October 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of U.S. healthcare data breaches. In that time frame, 2,545 healthcare data breaches have been reported. Those breaches have resulted in the theft, exposure, or impermissible disclosure of 194,853,404 healthcare records. That equates to the records of 59.8% of the population of the United States.

The number of reported healthcare data breaches has been steadily increasing each year. Except for 2015, the number of reported healthcare data breaches has increased every year.

Healthcare data breaches 2009-2018

In 2018, 365 healthcare data breaches were reported, up almost 2% from the 358 data breaches reported in 2017 and 83% more breaches that 2010.

2018 was the worst year in terms of the number of breaches experienced, but the fourth worst in terms of the number of healthcare records exposed, behind 2015, 2014, and 2016. The last two years have certainly seen an improvement in that sense, although 2018 saw a 157.67% year-over-year increase in the number of compromised healthcare records.

healthcare records exposed 2009-2018

2018 Healthcare Data Breaches by Month

Healthcare data breaches in 2018 by month

Healthcare Records Exposed Each Month in 2018

records exposed in healthcare data breaches in 2018 by month

Largest 2018 Healthcare Data Breaches

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1  AccuDoc Solutions, Inc. Business Associate 2,652,537 Hacking/IT Incident
2 Iowa Health System d/b/a UnityPoint Health Business Associate 1,421,107 Hacking/IT Incident
3 Employees Retirement System of Texas Health Plan 1,248,263 Unauthorized Access/Disclosure
4 CA Department of Developmental Services Health Plan 582,174 Theft
5 MSK Group Healthcare Provider 566,236 Hacking/IT Incident
6 CNO Financial Group, Inc. Health Plan 566,217 Unauthorized Access/Disclosure
7 LifeBridge Health, Inc Healthcare Provider 538,127 Hacking/IT Incident
8 Health Management Concepts, Inc. Business Associate 502,416 Hacking/IT Incident
9 AU Medical Center, INC Healthcare Provider 417,000 Hacking/IT Incident
10 SSM Health St. Mary’s Hospital – Jefferson City Healthcare Provider 301,000 Improper Disposal

Click for further information on the largest healthcare data breaches of 2018.

Causes of 2018 Healthcare Data Breaches

The biggest causes of healthcare data breaches in 2018 were hacking/IT incidents (43.29%) and unauthorized access/disclosures (39.18%), which together accounted for 82.47% of all data breaches reported in 2018. There were 42 theft incidents (11.5%) reported in 2018, 13 cases (3.56%) of lost PHI/ePHI, and 9 cases (2.47%) of improper disposal of PHI/ePHI.

Causes of 2018 Healthcare Data Breaches

There was a 5.33% annual increase in hacking/IT incidents – 158 breaches compared to 150 in 2017. While the number of hacking/IT-related breaches rose only slightly, the breaches were far more damaging in 2018 and resulted in the theft/exposure of 161.89% more healthcare records. The mean breach size of hacking/IT incidents in 2017 was 23,218 records and in 2018 it rose to 57,727 records in 2018 – A year-over-year increase of 148.63%.

2018 saw an even larger increase in unauthorized access/disclosure incidents. 14.4% more incidents were reported in 2018 than 2017 and 146.49% more healthcare records were exposed in unauthorized access/disclosure incidents than the previous year. The mean breach size of unauthorized access/disclosure incidents in 2017 was 9,893 records and 21,316 records in 2018 – An increase of 115.47%.

Loss, theft, and improper disposal incidents all declined in 2018. Loss incidents fell from 16 to 13 year-over-year (-18.75%), improper disposal incidents fell from 11 to 9 (-18.18%), and theft incidents fell from 56 in 2017 to 42 in 2018 (-25%).

While there was a reduction in the number of cases of theft and improper disposal year-over-year, the severity of those two types of breaches increased in 2018. The mean breach size of theft incidents rose from 6,908 records in 2017 to 16,605 records in 2018 – A rise of 140.37%. Improper disposal incidents increased from a mean of 2,802 records in 2017 to 37,794 records in 2018 – A rise of 1,248.82%.

There was a slight reduction in the severity of loss incidents, which fell from an average of 2,461 records in 2017 to 2,305 – A fall of 6.33%.

records exposed by breach cause

Location of Breached Protected Health Information

The breakdown of 2018 healthcare data breaches by the location of breached PHI highlights the importance of increasing email security and providing further training to healthcare employees. 33.42% of all healthcare data breaches in 2018 involved email. Those breaches include phishing attacks, other unauthorized email access incidents and misdirected emails.
While healthcare organizations may be focused on preventing cyberattacks and improving technical defenses, care must still be taken with physical records. There were 81 breaches of physical PHI such as charts, documents, and films in 2018. Paper/films were involved in 22.19% of breaches.

The next most common location of breached PHI was network servers, which were involved in 20.27% of breaches in 2018. These incidents include hacks, ransomware attacks, and malware-related breaches.

Location of Breached Protected Health Information

2018 Healthcare Data Breaches by Covered Entity Type

Given the relative percentages of healthcare providers to health plans, it is no surprise that more healthcare provider data breaches occurred. 74.79% of the year’s breaches affected healthcare providers, 14.52% occurred at health plans, and 10.68% affected business associates of HIPAA-covered entities.

2018 Healthcare Data Breaches by Covered Entity

Business associate data breaches were the most severe, accounting for 42% of all exposed/stolen records in 2018, followed by healthcare provider breaches and breaches at health plans.  The mean breach size for business associate data breaches was 140,915 records, 53,471 records for health plan data breaches, and 17,974 records for healthcare provider data breaches.

2018 Healthcare Data Breaches by Covered Entity (records)

States Worst Affected By 2018 Healthcare Data Breaches

Being the two most populated states, it is no surprise that California and Texas were the worst affected by healthcare data breaches in 2018. Only four states avoided healthcare data breaches in 2018 – New Hampshire, South Carolina, South Dakota, Vermont.

Number of Breaches State
38 California
32 Texas
19 Illinois
18 Florida
18 Massachusetts
16 New York
14 Missouri
11 Pennsylvania
10 Iowa, Michigan, Minnesota, Wisconsin
9 Maryland, Ohio, Oregon
8 Arizona, North Carolina, Virginia
7 Georgia, New Jersey, Tennessee, Washington
6 Colorado, Kansas, Nevada
5 Arkansas, Indiana, Nebraska, New Mexico, Utah
4 Connecticut, Kentucky
3 Alaska, Louisiana, Mississippi, Montana, Rhone Island
2 Alabama, District of Columbia, Oklahoma, Wyoming
1 Hawaii, Idaho, Maine, North Dakota, West Virginia
0 New Hampshire, South Carolina, South Dakota, Vermont

HIPAA Fines and Settlements in 2018

The HHS’ Office for Civil Rights is the main enforcer of HIPAA Rules and has the authority to issue financial penalties for violations of Health Insurance Portability and Accountability Act (HIPAA) Rules. State attorneys general also play a role in the enforcement of HIPAA compliance and can also issue fines for HIPAA violations.

In 2018, OCR issued 10 financial penalties to resolve HIPAA violations that were discovered during the investigation of healthcare data breaches and complaints.

Summary of 2018 HIPAA Fines and Settlements

The financial penalties issued by OCR in 2018 totaled $25,683,400, making 2018 a record-breaking year for HIPAA penalties.

2018 HIPAA fines and penalties total

12 financial penalties were issued by state attorneys general over violations of HIPAA Rules.

You can read more about the – HIPAA fines and settlements in 2018 here.

The post Analysis of 2018 Healthcare Data Breaches appeared first on HIPAA Journal.

DHS Issues Emergency Warning About DNS Hijacking Attacks

Posted by HIPAA Journal

The U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) has issued an emergency warning about DNS hijacking attacks. All government agencies have been instructed to audit their DNS settings in the next 10 days.

CISA reports that hackers have been targeting government agencies and modifying their Domain Name System records. DNS records are used to determine the IP address of a website from the domain name entered into the browser. By modifying the DNS records, web traffic and email traffic can be re-routed.

This method of attack allows sensitive data to be stolen without compromising a network and users are unlikely to be aware that their communications have been intercepted. Re-routed emails are likely to go unnoticed and web traffic could be re-routed to identical copies of legitimate sites.  Since those sites have TLS/SSL certificates, no warning would be triggered by browsers.

DNS attacks allow hackers to gather information about the websites visited by users and the information could be used in phishing campaigns. The attacks appear to be concerned with obtaining domain and login credentials.

The DNS attacks are not limited to the United States. Attacks have also been observed in the Middle East, North Africa, and Europe by FireEye and Cisco Talos researchers. The DNS hijacking campaign is extensive and many of the attacks have succeeded. Several executive brand agency domains have been impacted by the attacks. Those agencies have been notified by DHS but the campaign, but further attacks can be expected.

While the individuals behind the attacks have not been identified the campaign appears to be linked to Iran.

DHS has issued a four-step plan that must be enacted in the next 10 days.

  1. Audit all .gov and agency-managed domains on authoritative and secondary DNS servers and ensure that they direct traffic to the intended location. NS records and those associated with key agency services should be prioritized. If DNS changes are discovered, they must be reported to CISA.
  2. All federal agencies have been instructed to change DNS account passwords on accounts that can make changes to the agency’s DNS records. New unique, complex passwords should be set.
  3. All DNS accounts that can make changes to DNS records should have multi-factor authentication enabled. If MFA cannot be enabled on systems, CISA must be notified.
  4. CISA will begin regular delivery of newly added certificates to Certificate Transparency (CT) logs for agency domains via the Cyber Hygiene service in the next 10 days. CT logs must be immediately monitored for certificates that have been issued that have not been requested by the agency. If logs are found to be inaccurate, they must be reported to CISA.

Any agency that discovered anomalous DNS records will be provided with technical assistance by CISA.

A status report must be submitted to CISA by January 25, 2019 and a completion report must be submitted to CISA by February 5, 2019 confirming the above four steps have been implemented.

The post DHS Issues Emergency Warning About DNS Hijacking Attacks appeared first on HIPAA Journal.

New Report Reveals Spiraling Cost of Cyberattacks

Posted by HIPAA Journal

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there was a 52% increase in the cost of cyberattacks on businesses in since 2017.

For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks.

The 2018 Threat Landscape

93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware.

Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now more purposeful about hiding their motives. 27% of attacks were insider threats, 26% were attacks by competitors, 19% were attributed to cyberwar, and 18% were conducted by angry users. The primary aim of the attacks was service disruption (45%), data theft (35%), and espionage (3%). 16% of attacks had another aim or the purpose had not been established.

One in five businesses reported being attacked daily: A 62% increase year over year. 13% reported weekly attacks, 13% monthly attacks, and 27% experienced one or two attacks in the past year. 19% were unsure how many times they had been attacked.

Healthcare was the second most attacked industry behind the government sector. 39% of healthcare organizations reported having to fend off daily or weekly cyberattacks by hackers. Only 6% of healthcare organizations claimed they had not been attacked in the past year.

The biggest threats were malware and bots (reported by 76% of organizations), social engineering attacks such as phishing (65%), DDoS attacks (53%), web application attacks (42%), ransom threats (38%), and cryptocurrency miners (20%).

Respondents from healthcare organizations felt they were best prepared for phishing and other social engineering attacks (58%), malware, bots and DDoS attacks (55%), and web application attacks (52%). Only 39% felt they were well prepared to deal with ransomware attacks and advanced persistent threats.

The Rising Cost of Cyberattacks

The Radware study asked respondents about the business cost of a successful cyberattack. According to the report, the cost more than doubled compared to last year and is now $1.1 million. Respondents that had a formalized calculation to determine the financial impact of a cyberattack reported the cost to be $1.7 million, compared to $880,000 for those with no formal calculation.

For SMBs with fewer than 1,000 employees, the average cost of a cyberattack was estimated to be $450,000. That rose to $1.1 million for enterprises with between 1,000 and 10,000 employees, and $2.1 million for large corporations with more than 10,000 employees.

The average cost of a successful cyberattack on a healthcare organization was determined to be $1.43 million. Fortunately, most healthcare organizations (82%) had a breach response plan in place, which can limit the cost of a cyberattack.

The True Cost of a Cyberattack

The cost of a cyberattack is likely to be significantly higher than the estimates. Radware notes that the estimates do not factor in direct costs such as extended labor, investigations, and the development of software patches, indirect costs such as the hiring of technical consultants, legal expenses, and stock price drops, and costs associated with the prevention of future cyberattacks.

Other costs that are difficult to calculate are lost revenue, brand reputation damage, and loss of customers – All real possibilities after a data breach. Radware notes that following a successful cyberattack, 43% of respondents said there had been a negative customer experience, 37% suffered brand reputation damage, and 23% reported a loss of customers.

“The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time,” explained Radware. “Customer trust is obliterated in moments, and the impact is significant on brand reputation and costs to win back business.”

The post New Report Reveals Spiraling Cost of Cyberattacks appeared first on HIPAA Journal.

Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors

Posted by HIPAA Journal

The U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Team (US-CERT) has issued an advisory about three vulnerabilities affecting Dräger Infinity Delta patient monitoring devices.

The flaws affect all versions of Infinity Delta, Delta XL, Kappa, and infinity Explorer C700 patient monitoring devices. The flaws could lead to the disclosure of sensitive information stored in device logs, be leveraged to conduct Denial of Service (DoS) attacks, or could potentially allow an attacker to gain full control of the operating system of a vulnerable device. The flaws were discovered by Marc Ruef and Rocco Gagliardi of scip AG.

The vulnerabilities are detailed below, in order of severity:

CVE-2018-19014 (CWE-532) – Exposure of Information in Log Files

Log files are not appropriately secured and are accessible over an unauthenticated network. An attacker could gain access to device log files and view sensitive information relating to the internals of the monitor, location of the device, and its wired network configuration. The flaw has been assigned a CVSS v3 base score of 4.3.

CVE-2018-19010 (CWE-20) – Improper Input Validation

An error in the way input is validated could be exploited to cause the device to constantly reboot. An attacker could repeatedly send a malformed network packet causing a vulnerable device to repeatedly reboot until it reverts to its default configuration and network connectivity is lost. The vulnerability has been assigned a CVSS v3 base score of 6.5.

CVE-2018-19012 (CWE-269) – Privilege Escalation Through Improper Privilege Management

An attacker could break out of kiosk mode via a specific dialog and gain access to the underlying operating system and take full control of the operating system. The vulnerability has been assigned a CVSS v3 base score of 8.4.

All three vulnerabilities were addressed by Dräger in December 2018. Users should update the devices to Delta/Infinity Explorer VF10.1 which can be accessed on Dräger ServiceConnect.

Users have also been advised to review their network segmentation configuration and ensure that the devices are logically or physically separated from the hospital LAN and also check the Windows patch level of their Infinity Explorer.

The post Vulnerabilities Identified in Dräger Infinity Delta Patient Monitors appeared first on HIPAA Journal.

December 2018 Healthcare Data Breach Report

Posted by HIPAA Journal

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

2018 Healthcare Data Breaches

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December: A considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach was experienced in March 2018, confirmed on June 29, yet reporting to OCR was delayed until December 11.

2018 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches in December 2018

Rank Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach
1 Adams County Healthcare Provider 258,120 Unauthorized Access/Disclosure
2 JAND Inc. d/b/a Warby Parker Healthcare Provider 177,890 Hacking/IT Incident
3 University of Vermont Health Network – Elizabethtown Community Hospital Healthcare Provider 32,470 Hacking/IT Incident
4 The Podiatric Offices of Bobby Yee Healthcare Provider 24,000 Hacking/IT Incident
5 Choice Rehabilitation Business Associate 4,309 Hacking/IT Incident
6 Virtual Radiologic Professionals, LLC Healthcare Provider 2,568 Hacking/IT Incident
7 Kent County Community Mental Health Authority Healthcare Provider 2,284 Hacking/IT Incident
8 Butler County Board of County Commissioners Health Plan 1,912 Unauthorized Access/Disclosure
9 Barnes-Jewish Hospital Healthcare Provider 1,643 Hacking/IT Incident
10 Tift Regional Medical Center Healthcare Provider 1,045 Hacking/IT Incident

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT Incidents outnumbered unauthorized/access disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals that hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.

Causes of December 2018 Healthcare Data Breaches

Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.

Location of Breached Protected Health Information

Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.

Data Breaches by Covered-Entity Type

Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as 2017. (You can view all 2018 HIPAA fines and settlements here).

Advanced Care Hospitalists, a Florida Contractor Physicians’ Group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

For the failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.

 

The post December 2018 Healthcare Data Breach Report appeared first on HIPAA Journal.

State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Posted by HIPAA Journal

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents.

The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% decrease in individuals affected by data breaches from 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” As such, the new definition broadens the definition to include ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of combining ransomware with other malware variants such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, which must be appropriate to the nature of information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest incarnation has seen the timescale for issuing notifications changed to within 30 days of discovery of a breach.

Any business that experiences a data breach that is found to have failed to implement appropriate security measures or fails to issue notifications within the 30-day deadline will be in violation of the Unfair and Deceptive Trade Practices Act, and could be issued with a civil monetary penalty.

If the legislation is passed, state residents will be allowed to place a credit freeze on their credit reports free of charge. Credit agencies will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies doing business in the state of North Carolina will be required to provide breach victims with 2 years of free credit monitoring services in the event of a breach of Social Security numbers, and four years of free credit monitoring services for breaches at credit agencies.

Any business that wants to access or use a person’s credit report or credit score will be required to obtain consent from the person in advance and must explain why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting agency for a list of all information the agency maintains, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.

The post State AG Proposes Tougher Data Breach Notification Laws in North Carolina appeared first on HIPAA Journal.