Healthcare Data Security

HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and use them to gain access to the healthcare systems to which they connect.

When the rules were first proposed, commenters emphasized the need for a safe harbor to allow non-abusive, beneficial arrangements between physicians and other healthcare providers, such donations of cybersecurity solutions to help safeguard the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exceptions concerning donations of electronic health record donations to physicians, expanding the EHR exception to include cybersecurity software and services. A standalone exception has also been introduced for broader cybersecurity donations, including donations of cybersecurity hardware.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” said the CMS.

The changes recognize the risk of cyberattacks on the healthcare sector and create a safe harbor for cybersecurity technology and services to protect cybersecurity-related hardware, and will help to ensure that cybersecurity software and hardware are available to all healthcare providers of all sizes.

The safe harbor applies to, but is not limited to, “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering.” The exception also covers the “hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity” and a broad range of cybersecurity services such as updating and maintaining software and cybersecurity training services. There is no distinction in the rule between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost contribution requirement for donations of EHR items or services is retained.

“It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem,” said the HHS.

The final rules are due to be published in the federal register on December 2, 2020 and are expected to take effect on January 19, 2021.

The post HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations appeared first on HIPAA Journal.

ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector

The HHS’ Office of the Assistant Secretary for Preparedness and Response (ASPR) has issued an update on ransomware activity targeting the healthcare and public health sectors, sating, “At this time, we consider the threat to be credible, ongoing, and persistent.”

In late October, a joint alert was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the HHS warning of an imminent increase in ransomware activity targeting the healthcare sector. Within a week of the alert being issued, six healthcare providers reported ransomware attacks in a single day. More than a dozen healthcare organizations have reported being attacked in the past two months, with over 62 attacks reported by healthcare organizations so far in 2020.

Human-operated ransomware attacks have previously seen attackers gain access to networks many weeks and even months prior to the deployment of ransomware. ASPR notes that in many recent ransomware attacks, the time from the initial compromise to the deployment of ransomware has been very short, just a matter of days or even hours.

A long period between compromise and deployment gives victim organizations time to identify the compromise and take steps to eradicate the hackers from the network in time to prevent file encryption. The short duration makes this far more difficult.

“CISA, FBI, and HHS urge health delivery organizations and other HPH sector entities to work towards enduring and operationally sustainable protections against ransomware threats both now and in the future.”

A variety of techniques are now being used to deploy ransomware, including other malware variants such as TrickBot and BazarLoader, which are commonly delivered via phishing emails, as well as manual deployment after networks have been compromised by exploiting vulnerabilities.

Healthcare organizations should take steps to combat the ransomware threat by addressing the vulnerabilities that are exploited to gain access to healthcare networks. This includes conducting vulnerability scans to identify vulnerabilities before they are exploited and ensuring those vulnerabilities are addressed. Anti-spam and anti-phishing solutions should be implemented to block the email attack vector, and healthcare organizations should adopt a 3-2-1 backup approach to ensure files can be recovered in the event of an attack. The 3-2-1 approach involves 3 copies of backups, on two different media, with one copy stored securely off-site. The recent ransomware attack on Alamance Skin Center highlights the importance of this backup strategy. Patient information was permanently lost as a result of the attack when the ransom was not paid.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” explained ASPR. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Indicators of Compromise (IoCs), suggested mitigations, and ransomware best practices are detailed in the October 28, 2020 CISA/FBI/HHS alert.

The post ASPR Provides Update on Ransomware Activity Targeting the Healthcare Sector appeared first on HIPAA Journal.

Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. These were the days that paper files were still stored in cabinets and sensitive information was generally delivered by hand, or if you were really sophisticated, it was sent via a fax machine.

Fast forward almost 25 years later and unsurprisingly, the world in the healthcare industry looks completely different, except some do still use fax machines. Nothing surprising here, but everything is now stored on computers and transmitted over the internet, which has led to obvious increases in terms of efficiency, but, with this comes risk. We’ve seen an increase in serious data breaches tied to healthcare entities that are exposing highly sensitive personal health information. And not just any type of data breach, these are the ones that are tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identify theft, and the increasingly popular route of ransomware.

Gone are the days where healthcare companies only had to deal with issues related to patient care because they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to ensure both HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor rep should use a unique username and password to log into the system and go through multi-level authentication that’s attached to their identities. On top of that, an automatic logoff upon a short period of inactivity can prevent unauthorized access under another’s credentials.

Why Auditable Reports are Necessary

An automatic audit system permits healthcare companies to screen for unauthorized access and to trace the source of the data breach. An effective audit system maintains detailed login information of every support connection system and delivers a complete history of every login, including time, place, personnel and scope of access to the patients’ records, and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.

The Importance of Data Integrity and Security

The weak link in data security generally occurs at the points of access and transmission. However, regular updates to security settings protect data from corruption and prevent a breach of data during transmission. To protect the data’s integrity and security, recommendations include customer control of configurable encryption, advanced transmission standards (AES) in 128-, 192-, and 256-bit modes, and data encryption standards (DES) of Triple DES10.

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you’re worried about your vendors not having your compliance in mind, it is of the utmost importance to ensure you are vetting them before onboarding them, as well as checking in on them and doing an “audit” of some sort to make sure you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

The post Vendor Access and HIPAA Compliance: Are you Secured? appeared first on HIPAA Journal.

Hackers Blackmail Finnish Psychotherapy Provider and Patients and Leak Psychotherapy Notes

A major psychotherapy provider in Finland has suffered a cyberattack in which highly sensitive patient data were stolen. Threats have been issued to publish the stolen data if the ransom is not paid and some patient data has already been leaked online.

Vastaamo serves approximately 40,000 patients across more than two dozen clinics in Finland. Vastaamo started alerting patients about a data breach last week after three of its employees were contacted by an individual who demanded payment of 40 Bitcoin ($500,000) to prevent the publication of stolen patient data.

It is not only Vastaamo that has received ransom demands. After Vastaamo refused to pay the ransom, the attacker – who refers to himself/themselves as “the ransom guy” – also sent individual ransom demands to patients telling them to make a payment of €200 ($236) in Bitcoin to prevent the publication of their records. Initial reports suggested the data of approximately 300 patients were published on a dark net site, although later reports indicate a 10GB file containing the records of around 2,000 patients was uploaded to the dark web.

One patient contacted by the BBC claims he was given 24 hours to pay the initial ransom demand or face the publication of his teenage psychotherapy notes. He was told the payment would increase to €500 ($515) if it was not paid within 24 hours.

Vastaamo reported on its website that access to its systems appeared to have been gained at some point in November 2018; however, a further breach occurred in March 2019. The data stolen in the attack appears to relate to patients who received treatment prior to November 2018, although it is possible that data were stolen in the second breach in March 2019.

According to Vastaamo, the breach involved customer names, ID numbers, dates of visits, and information manually entered by the psychotherapy professional, which may have included notes from sessions, care plans, and statements made to the authorities or by the patients themselves.

It is currently unclear how many of Vastaamo’s patients have been impacted by the breach, although Robin Lardot, director of Finland’s National Bureau of Investigation, believes tens of thousands of patient records were stolen. It is also unclear why the threats have only just been issued. Potentially, the stolen records could have been sold on to a third party who has embarked on an extortion campaign.

Notes from psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss issues in their sessions in a confidential environment where they feel safe and secure. Information disclosed in sessions may not have been shared with anyone else. Finland’s interior minister called the incident a shocking act which hits all of us deep down,” going on to say that Finland needs to be a country where “help for mental health issues is available and it can be accessed without fear.”

“As a company providing psychotherapy services, the confidentiality of customer information is extremely important to us and the starting point for all our operations. We deeply regret the leak due to the data breach” said Vastaamo Chairman, Tuomas Kahri. Vastaamo also issued a statement saying it has fired its CEO, Ville Tapio, for concealing the March 2019 breach from its board of directors and parent company.

The post Hackers Blackmail Finnish Psychotherapy Provider and Patients and Leak Psychotherapy Notes appeared first on HIPAA Journal.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – A 156.75% increase compared to August 2020.

Sept 2020 healthcare data breach report monthly breaches

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

Sept 2020 healthcare data breach report monthly breached records

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach and the final total may never be known. has been tracking the Blackbaud breach reports and, at last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

Sept 2020 healthcare data breach report causes of breaches

Unsurprisingly, given the numbers of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September.  The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

Sept 2020 healthcare data breach report - location of PHI

Largest Healthcare Data Breaches Reported in September 2020

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Breach Cause
Trinity Health Business Associate 3,320,726 Hacking/IT Incident Blackbaud Ransomware Attack
Inova Health System Healthcare Provider 1,045,270 Hacking/IT Incident Blackbaud Ransomware Attack
NorthShore University HealthSystem Healthcare Provider 348,746 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Colorado (affiliated covered entity) Healthcare Provider 343,493 Hacking/IT Incident Blackbaud Ransomware Attack
Nuvance Health (on behalf of its covered entities) Healthcare Provider 314,829 Hacking/IT Incident Blackbaud Ransomware Attack
The  Baton Rouge Clinic, A Medical Corporation Healthcare Provider 308,169 Hacking/IT Incident Ransomware Attack
Virginia Mason Medical Center Healthcare Provider 244,761 Hacking/IT Incident Blackbaud Ransomware Attack
University of Tennessee Medical Center Healthcare Provider 234,954 Hacking/IT Incident Blackbaud Ransomware Attack
Legacy Community Health Services, Inc. Healthcare Provider 228,009 Hacking/IT Incident Phishing Attack
Allina Health Healthcare Provider 199,389 Hacking/IT Incident Blackbaud Ransomware Attack
University of Missouri Health Care Healthcare Provider 189,736 Hacking/IT Incident Phishing Attack
The Christ Hospital Health Network Healthcare Provider 183,265 Hacking/IT Incident Blackbaud Ransomware Attack
Stony Brook University Hospital Healthcare Provider 175,803 Hacking/IT Incident Blackbaud Ransomware Attack
Atrium Health Healthcare Provider 165,000 Hacking/IT Incident Blackbaud Ransomware Attack
University of Kentucky HealthCare Healthcare Provider 163,774 Hacking/IT Incident Blackbaud Ransomware Attack
Children’s Minnesota Healthcare Provider 160,268 Hacking/IT Incident Blackbaud Ransomware Attack
Roswell Park Comprehensive Cancer Center Healthcare Provider 141,669 Hacking/IT Incident Blackbaud Ransomware Attack
Piedmont Healthcare, Inc. Healthcare Provider 111,588 Hacking/IT Incident Blackbaud Ransomware Attack
SCL Health – Montana (affiliated covered entity) Healthcare Provider 93,642 Hacking/IT Incident Blackbaud Ransomware Attack
Roper St. Francis Healthcare Healthcare Provider 92,963 Hacking/IT Incident Blackbaud Ransomware Attack

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

Sept 2020 healthcare data breach report - covered entity type

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the district of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

Entity Settlement
Beth Israel Lahey Health Behavioral Services $70,000
Housing Works, Inc. $38,000
All Inclusive Medical Services, Inc. $15,000
Wise Psychiatry, PC $10,000
King MD $3,500


There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

The post September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised appeared first on HIPAA Journal.

Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.

The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed.

The voicemails included caller names, phone numbers, voicemail box identifiers, internal identifiers, and the transcripts included personal information such as full names, phone numbers, dates of birth, and other data. Voicemails left at medical clinics including details of prescriptions and medical procedures. Information about loan inquiries were also exposed, along with some insurance policy numbers.

Diachenko reported the exposed Elasticsearch cluster to Broadvoice, which took prompt action to prevent any unauthorized access. According to Broadvoice CEO Jim Murphy, “We learned that on October 1st, a security researcher was able to access a subset of b-hive data. The data had been stored in an inadvertently unsecured storage service Sept. 28th and was secured Oct. 2nd.” Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster had been secured.

“At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time,” said Murphy.

Broadvoice reported the breach to law enforcement and is investigating the breach. It is currently unclear if anyone other than Diachenko found and accessed the databases.

While most of the databases contained only limited information, it would be of value to cybercriminals who could easily target customers of Broadvoice in phishing scams. The information in the database could be used to convince customers that they were in contact with Broadvoice, and they could be fooled into revealing further sensitive information or making fraudulent payments.

Individuals whose information was detailed in the voicemail transcripts would be most at risk, as the additional data could be used to create convincing and persuasive phishing campaigns.

Comparitech researchers have previously demonstrated individuals are constantly scanning for exposed databases and that they are often discovered within hours of them being exposed. Their research showed that attempts were made to access their Elasticsearch honeypot within 9 hours of the data being exposed. Once databases are indexed by search engines such as Shodan and BinaryEdge attacks occur within a matter of minutes.

Comparitech researchers scan the internet to identify exposed data and report breaches to the owners of the databases. “In order to help raise awareness of data exposures in general and inform affected parties of this particular incident, we publish a report,” explained Comparitech. “Our aim is to have the data secured and all relevant parties informed as quickly as possible to minimize the potential damage caused.”

The post Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data appeared first on HIPAA Journal.

Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation

Franklin, TN-based Community Health Systems and its subsidiary CHSPCS LLC have settled a multi-state action with 28 state attorneys general for $5 million.

A joint investigation, led by Tennessee Attorney General Herbert H. Slatery III, was launched following a breach of the protected health information (PHI) of 6.1 million individuals in 2014. At the time of the breach, Community Health Systems owned, leased, or operated 206 affiliated hospitals. According to a 2014 8-K filing with the U.S. Securities and Exchange Commission, the health system was hacked by a Chinese advanced persistent threat group which installed malware on its systems that was used to steal data. PHI stolen by the hackers included names, phone numbers, addresses, dates of birth, sex, ethnicity, Social Security numbers, and emergency contact information.

The same breach was investigated by the HHS’ Office for Civil Rights, which announced late last month that a settlement had been reached with CHSPCS over the breach and a $2.3 million penalty had been paid to resolve potential HIPAA violations discovered during the breach investigation. In addition to the financial penalty, CHSPCS agreed to adopt a robust corrective action plan to address privacy and security failures discovered by OCR’s investigators.

Victims of the breach took legal action against CHS over the theft of their PHI and CHS settled the class action lawsuit in 2019 for $3.1 million. The latest settlement means CHS and its affiliates have paid $10.4 million in settlements over the breach.

“A patient’s personal information—especially health information—deserves the highest level of protection,” said Attorney General Slatery. “This settlement will require CHS to provide that moving forward.”

CHS and its affiliates were found to have failed to implement reasonable and appropriate security measures to ensure the confidentiality, integrity, and availability of protected health information on its systems. “The terms of this settlement will help ensure that patient information will be protected from unlawful use or disclosure,” said Iowa Attorney General Tom Miller.

The states participating in the action were Alaska, Arkansas, Connecticut, Florida, Illinois, Indiana, Iowa, Kentucky, Louisiana, Massachusetts, Michigan, Mississippi, Missouri, Nebraska, Nevada, New Jersey, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and West Virginia.

In addition to paying the financial penalty, CHS and its affiliates have agreed to adopt a corrective action plan and implement additional security measures to ensure the security of its systems. Those measures include developing a written incident response plan, providing security awareness and privacy training to all personnel with access to PHI, limiting unnecessary or inappropriate access to systems containing PHI, implementing policies and procedures for its business associates, and conducting regular audits of all business associates.

CHS must also conduct an annual risk assessment, implement and maintain a risk-based penetration testing program, implement and maintain intrusion detection systems, data loss protection measures, and email filtering and anti-phishing solutions. All system activity must be logged, and those logs must be regularly reviewed for suspicious activity.

“Community Health Systems is pleased to have resolved this six-year old matter,” said a spokesperson for CHS in a statement about the settlement. “The company had robust risk controls in place at the time of the attack and worked closely with the FBI and consistently with its recommendations after becoming aware of the attack.”

The post Community Health Systems Pays $5 Million to Settle Multi-State Breach Investigation appeared first on HIPAA Journal.

CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a Telework Essentials Toolkit to help business leaders, IT staff, and end users transition to a permanent teleworking environment.

The COVID-19 pandemic forced businesses to rapidly change from having a largely office-based workforce to allowing virtually all employees to work from home to reduce the risk of infection. The speed at which the transition had to be made potentially introduced security vulnerabilities that weakened organizational cybersecurity defenses. The CISA Toolkit is intended to provide support to organizations to help them re-evaluate and strengthen their cybersecurity defenses and fully transition into a long-term teleworking solution.

The Toolkit includes three personalized modules that include best practices for executive leaders, IT professionals and teleworkers, and include the security considerations appropriate to each role.

Executive leaders are provided with information to help them drive cybersecurity strategy, investment, and develop a cyber secure hybrid culture in their organization. Resources are provided to help business leaders develop organizational policies and procedures for remote working, implement cybersecurity training to improve understanding on risks and threats when accessing organizational systems and data remotely, and moving organizational assets beyond the traditional perimeter where they may not be accessible to the organization’s monitoring and response capabilities. Advice is provided on addressing the basics of cyber hygiene with the workforce and providing clear and regular updates on cybersecurity best practices.

Guidance for IT professionals is focused on the policies, procedures, and tools that need to be implemented to ensure teleworkers can work and access the resources they need remotely. The guidance explains the importance of patching promptly and implementing effective vulnerability management practices, the need for zero trust architecture, multi-factor authentication, regular data backups, and DMARC validation to address the risks of phishing and business email compromise in relation to remote working environments. IT leaders must also stipulate the tools and applications that must be used when working remotely and provide training on how to use those tools securely.

Everyone has a role to play in the transition from temporary to permanent remote working, including end users. The third module is aimed at teleworkers and provides advice on the steps that need to be taken to work securely from home. These include making sure home networks are properly configured and hardened, following organizational secure practices and policies, increasing awareness of phishing and social engineering threats, and promptly communicating any suspicious activities to the IT security team.

The CISA Telework Essentials Toolkit can be downloaded on this link.

The post CISA Releases Telework Toolkit to Help Businesses Transition to a Permanent Telework Environment appeared first on HIPAA Journal.

August 2020 Healthcare Data Breach Report

37 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in August 2020, one more than July 2020 and one below the 12-month average.

The number of breaches remained fairly constant month-over-month, but there was a 63.9% increase in breached records in August. 2,167,179 records were exposed, stolen, or impermissibly disclosed in August. The average breach size of 58,572 records and the median breach size was 3,736 records.



Largest Healthcare Data Breaches Reported in August 2020


Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI Incident
Northern Light Health Business Associate 657,392 Hacking/IT Incident Network Server, Other Blackbaud ransomware attack
Saint Luke’s Foundation Healthcare Provider 360,212 Hacking/IT Incident Network Server Blackbaud ransomware attack
Assured Imaging Healthcare Provider 244,813 Hacking/IT Incident Network Server Ransomware attack
MultiCare Health System Healthcare Provider 179,189 Hacking/IT Incident Network Server Blackbaud ransomware attack
Imperium Health LLC Business Associate 139,114 Hacking/IT Incident Email Phishing attack
University of Florida Health Healthcare Provider 135,959 Hacking/IT Incident Network Server Blackbaud ransomware attack
Utah Pathology Services, Inc. Healthcare Provider 112,124 Hacking/IT Incident Email Phishing attack
Dynasplint Systems, Inc. Healthcare Provider 102,800 Hacking/IT Incident Network Server Ransomware attack
Main Line Health Healthcare Provider 60,595 Hacking/IT Incident Network Server Blackbaud ransomware attack
Northwestern Memorial HealthCare Healthcare Provider 55,983 Hacking/IT Incident Network Server Blackbaud ransomware attack
Richard J. Caron Foundation Healthcare Provider 22,718 Hacking/IT Incident Network Server Blackbaud ransomware attack
UT Southwestern Medical Center Healthcare Provider 15,958 Unauthorized Access/Disclosure Other Unconfirmed
City of Lafayette Fire Department Healthcare Provider 15,000 Hacking/IT Incident Network Server Ransomware attack
Hamilton Health Center, Inc. Healthcare Provider 10,393 Unauthorized Access/Disclosure Email Misdirected Email


Causes of August 2020 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in August, with the 24 reported incidents making up 64.9% of the month’s data breaches. 2,127,070 records were compromised in those breaches, which is 98.15% of all records breached in August. The average breach size was 88,628 records and the median breach size was 11,550 records.

There were 8 unauthorized/access disclosure incidents involving 32,205 records. The average breach size was 4,026 records and the median breach size was 992 records. There were 5 loss (2) and theft (3) incidents reported. The average breach size was 1,581 records and the median breach size was 1,768 records.

While phishing attacks usually dominate the healthcare data breach reports, in August, attacks on network servers were more common. The increase in network server attacks is largely due to ransomware attacks, notably, an attack on Blackbaud, a business associate of many healthcare organizations in the United States. Blackbaud offers a range of services to healthcare providers, including patient engagement and digital data storage related to donors and philanthropy.

Between February 7, 2020 and May 20, 2020, hackers had access to Blackbaud’s systems and obtained backups of several of its clients’ databases before deploying ransomware. Blackbaud paid the ransom to ensure data stolen in the attack were destroyed.

Only a small percentage of its clients were affected by the attack, but so far at least 52 healthcare organizations have confirmed that their donor data were compromised in the attack. We have data for 17 of those attacks and so far, more than 3 million individuals are known to have been affected. That number is likely to grow significantly over the next few weeks now the deadline for reporting the breach is approaching.

There were also two major phishing incidents reported in August. Imperium Health suffered an attack in which the records of 139, 114 individuals were potentially compromised, and Utah Pathology Services suffered an attack involving the records of 112,124 individuals.

Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 24 data breaches reported in August. Three breaches were reported by health plans and five breaches were reported by business associates; however, a further 9 breaches had some business associate involvement.

States Affected by August 2020 Data Breaches

Data breaches were reported by entities in 24 states in August. Pennsylvania was the worst affected state with 6 breaches of 500 or more healthcare records, followed by Kentucky with 4, Texas with 3, and Arizona, Ohio, and Washington with 2.  One breach was reported in each of Arkansas, California, Colorado, Connecticut, Florida, Iowa, Idaho, Illinois, Indiana, Maryland, Maine, Michigan, Missouri, New York, Oklahoma, South Carolina, Utah, and Wisconsin.

HIPAA Enforcement Activity in August 2020

There were no HIPAA enforcement actions announced in August by either the HHS Office for Civil Rights or state attorneys general.

The post August 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.