HIPAA Breach News

MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches

Amazon has announced that new safeguards have been incorporated into its cloud server that will make it much harder for users to misconfigure their S3 buckets and accidentally leave their data unsecured.

Amazon will sign a business associate agreement with HIPAA-covered entities and has implemented appropriate controls to ensure data can be stored securely, but user errors can all too easily lead to data exposure and breaches. Those breaches show that even HIPAA-compliant cloud services can leak data.

This year has seen many organizations accidentally leave their S3 data exposed online, including several healthcare organizations. Two such breaches were reported by Accenture and Patient Home Monitoring. Accenture was using four unsecured cloud-based storage servers that stored more than 137 GB of data including 40,000 plain-text passwords. The Patient Home Monitoring AWS S3 misconfiguration resulted in the exposure of 150,000 patients’ PHI.

In response to multiple breaches, Amazon has announced that new safeguards have been implemented to alert users to exposed data. While there are reasons why organizations would want their Amazon S3 buckets accessible over the Internet without the need for authentication, in most cases stored data should be protected.

To reduce the potential for data exposure, Amazon is implementing a warning system that will alert users when authentication controls are not active. A bright orange button will now appear throughout the AWS console to alert users when their S3 buckets are accessible without the need for authentication. Administrators will be able to control the privacy settings of each S3 bucket using an access control list, and publicly available buckets will be clearly displayed. Daily and weekly reports will also highlight which buckets are secure, and which are accessible by the public.
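The exposure Amazon's new warnings target is visible in two places an administrator can already inspect: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose Principal is "*"). The following audit is an added example, not AWS or HIPAA Journal code; it consumes the dictionaries that boto3's `get_bucket_acl()` and `get_bucket_policy()` return, and the three sample buckets and their grants are constructed here so it runs offline.

```python
"""Flag S3 buckets whose ACL or bucket policy grants anonymous access.

Added example, not AWS code. Inputs are in the shapes boto3 returns from
get_bucket_acl() (a dict with "Grants") and get_bucket_policy() (a JSON
policy string), so the functions can be wired to a real account or, as
below, run against constructed sample buckets.
"""
import json

# Canned group URIs that make a grant public (AllUsers) or open to any
# AWS account holder (AuthenticatedUsers); both count as exposed here.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs for public grantees in an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings


def _principal_is_anyone(principal):
    # "*" or {"AWS": "*"} (possibly inside a list) both mean anonymous access.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that grant to any principal.

    Statements carrying a Condition block are still reported: a condition
    may narrow the audience, but that needs human review, not a pass.
    """
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [
        s.get("Sid", "<no Sid>")
        for s in statements
        if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
    ]


def audit_bucket(name, acl, policy_json=None):
    """Summarise one bucket's public exposure as a dict."""
    acl_grants = public_acl_grants(acl)
    policy_sids = public_policy_statements(policy_json)
    return {
        "bucket": name,
        "acl_grants": acl_grants,
        "policy_sids": policy_sids,
        "public": bool(acl_grants or policy_sids),
    }


# Constructed sample buckets (names and IDs are illustrative, not real).
OWNER = {"Type": "CanonicalUser", "ID": "exampleownercanonicalid"}
SAMPLE_BUCKETS = {
    "phi-archive-private": (
        {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        None,
    ),
    "patient-exports-public-acl": (
        {"Grants": [
            {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        None,
    ),
    "reports-public-policy": (
        {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::reports-public-policy/*"}]}),
    ),
}


def exposed_buckets(buckets=SAMPLE_BUCKETS):
    """Names of buckets that are reachable without authentication."""
    return sorted(name for name, (acl, policy) in buckets.items()
                  if audit_bucket(name, acl, policy)["public"])


if __name__ == "__main__":
    for name, (acl, policy) in SAMPLE_BUCKETS.items():
        print(audit_bucket(name, acl, policy))
```

Run daily, the output is the same list the console's public-bucket flag and the weekly reports would show; a bucket that legitimately serves public content should appear here on purpose, with its policy scoped to `s3:GetObject` on the specific prefix rather than a blanket ACL grant.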

MongoDB Update Makes Databases Secure by Default

In addition to the data breaches resulting from exposed Amazon S3 buckets, many organizations have reported breaches involving unsecured MongoDB databases this year. Worldwide, more than 27,000 organizations had their databases accessed, data stolen, and their databases deleted. The attackers issued demands for payment to return the stolen data.

While MongoDB incorporates all the safeguards necessary to prevent unauthorized access to databases, those safeguards must be activated. Many organizations failed to realize that the default configuration was not secure.

MongoDB has responded to the breaches and has decided to implement secure default controls in the next version of the database platform, which is scheduled for release next month. MongoDB 3.6 will listen only on localhost by default. Users who require their databases to be accessible over the internet will have to switch that feature on. Doing so makes the database reachable by anyone, so to restrict access, authentication controls must also be manually switched on. The new secure default configuration will make it harder for data to be accidentally exposed online.

The post MongoDB and AWS Incorporate New Security Controls to Prevent Data Breaches appeared first on HIPAA Journal.

Cook County Health and Hospitals System Patients Impacted by Experian Health Breach

Cook County Health and Hospitals System, a health system comprising two hospitals and more than a dozen community health centers in Cook County Illinois, has alerted patients to a breach of their protected health information.

The breach occurred at Experian Health, a business associate of Cook County Health and Hospitals System. Experian Health is contracted to determine insurance eligibility and limited patient information is disclosed to the business associate for this purpose.

The breach occurred in March 2017 during an upgrade of Experian Health’s computer system. The protected health information of 727 patients was accidentally sent to other healthcare systems. The PHI disclosed was limited and did not include the types of information sought by cybercriminals to commit identity theft.

Due to the limited disclosure of PHI, and the fact that the information was sent to organizations covered by HIPAA Rules, the risk to patients is believed to be low. To date, Experian Health has not been notified of any unauthorized uses of the disclosed information. The breach was limited to patients’ names, medical record numbers, dates of birth, and account numbers.

Following discovery of the breach, Experian Health took steps to recover and secure the disclosed information and steps have been taken to prevent similar incidents from exposing the PHI of patients. Cook County Health and Hospitals System also reviewed the breach and is satisfied with the actions taken by Experian Health to prevent similar breaches from occurring in the future.

Cook County Health and Hospitals System was notified of the breach on August 1, 2017, and a substitute breach notice was posted on the health system’s website on October 2, 2017. All patients impacted by the breach have now been notified by mail and a breach report has been submitted to the Department of Health and Human Services’ Office for Civil Rights.


2017 Data Breach Report Reveals 305% Annual Rise in Breached Records

A 2017 data breach report from Risk Based Security (RBS), a provider of real time information and risk analysis tools, has revealed there has been a 305% increase in the number of records exposed in data breaches in the past year.

For its latest breach report, RBS analyzed breach reports from the first 9 months of 2017. RBS explained in a recent blog post that 2017 has been “yet another ‘worst year ever’ for data breaches.”

In Q3, 2017, there were 1,465 data breaches reported, bringing the total number of publicly disclosed data breaches up to 3,833 incidents for the year. So far in 2017, more than 7 billion records have been exposed or stolen.

RBS reports there has been a steady rise in publicly disclosed data breaches since the end of May, with September the worst month of the year to date. More than 600 data breaches were disclosed in September.

Over the past five years there has been a steady rise in reported data breaches, increasing from 1,966 data breaches in 2013 to 3,833 in 2017. Year on year, the number of reported data breaches has increased by 18.2%.

The severity of data breaches has also increased. In 2016, 2.3 billion records were exposed in the first 9 months of the year. In 2017, the figure jumped to 7.09 billion.

The majority of the exposed records in 2017 came from five breaches, which exposed approximately 78.5% of all the records exposed so far in 2017.

The breach at DU Caller exposed 2,000,000,000 records; the River City Media breach saw 1,374,159,612 records exposed; an unnamed web breach exposed 711,000,000 records; and the EmailCar breach saw 267,000,000 records exposed.

Those five breaches made the top ten list of the worst data breaches of all time, and were ranked as the 2nd, 3rd, 4th, and 9th worst data breaches of all time. With the exception of one breach in 2014, all of the top ten data breaches of all time were discovered in 2016 (4) and 2017 (5).

While the above five breaches involved the most records, the most severe data breach of the year to date was the breach at Equifax, which exposed the records of 145,500,000 individuals. The breach only ranks in 18th place in the list of the worst data breaches of all time, but RBS rates it as the most severe data breach of 2017 due to the nature of data obtained by the hackers.

The main cause of 2017 data breaches, by some distance, was hacking. 1,997 data breaches were due to hacks, 433 breaches were due to skimming, phishing was behind 290 breaches, viruses caused 256 breaches, and 206 breaches were due to web attacks.

Web attacks may have come in at fifth place in terms of the number of breaches, but the attacks resulted in the greatest number of exposed records – 68.5% of the total. Hacking accounted for 30.9% of exposed records.

The business sector has been worst affected by data breaches in 2017, accounting for 68.5% of the total, followed by ‘unknown’ on 12.6%. Medical data breaches were in third place accounting for 8.5% of the total.

RBS reports that there have been 69 data breaches reported in 2017 that involved the exposure of more than a million records.

The Risk Based Security 2017 Data Breach Report can be viewed here.


Long-Term Malware Infection Discovered by Catholic Charities of the Diocese of Albany

In August, while Catholic Charities of the Diocese of Albany (CCDA) was performing an upgrade of its computer security software, malware was discovered to have been installed on one of the computer servers used by its Glens Falls office, which served patients in Saratoga, Warren and Washington Counties in New York.

Fast action was taken to block access to the server and CCDA called in a computer security firm to conduct an investigation into the unauthorized access. The investigation, which took several weeks to complete, revealed that access to the server potentially dated back to 2015.

While access to the server was possible and malware had been installed, the investigation did not uncover evidence to suggest the protected health information of patients had been viewed or stolen.

An analysis of the server revealed the stored files contained the protected health information of 4,624 patients. The information potentially accessed by the attackers included names, addresses, birthdates, diagnosis codes, dates of service, and for some patients, their health insurance ID numbers which may have included Social Security numbers. Financial information and details of treatment and therapy were stored elsewhere on the network and were not accessible at any point.

The incident has been reported to law enforcement, the Department of Health and Human Services’ Office for Civil Rights, the Division of Consumer Protection, and the state Attorney General. Patients have been notified of the breach and have been offered credit monitoring and identity theft protection services for one year without charge.

Even when appropriate security solutions are implemented to safeguard the protected health information of patients, breaches can still occur. Sister Charla Commins, CSJ, Executive Director of Catholic Charities of Saratoga, Warren and Washington Counties, explained, “We have modern digital security measures in place, but every day it seems criminals intent on invading computer systems find new ways to do so.” Sister Commins also explained, “We take very seriously our responsibility for protecting private information, and we sincerely apologize for any inconvenience this may cause our clients and staff.”

To prevent future malware attacks and intrusions, CCDA has enhanced the security of its servers.


Aging Agency Reports Ransomware Attack: 8,750 Patients Impacted

The Ottawa-based East Central Kansas Area Agency on Aging (ECKAAA) has experienced a ransomware attack that has resulted in the encryption of files on one of the agency’s servers. Those files contained the protected health information (PHI) of 8,750 patients.

The attack occurred on September 5, 2017 and was immediately recognized by ECKAAA, which took prompt action to limit the spread of the infection. As a result, only parts of the server had files encrypted. Those files were discovered to contain names, telephone numbers, addresses, birthdates, Medicaid numbers, and Social Security numbers.

ECKAAA hired a cybersecurity firm to assist with the investigation and determine the true extent and nature of the attack. The investigation revealed the ransomware used was a variant of Crysis/Dharma – a family known to encrypt files stored locally, on mapped network drives, and on unmapped network shares. Crysis/Dharma ransomware also deletes shadow volume copies to hamper recovery.

While the investigation uncovered no evidence of exfiltration of data, the possibility of data access and data theft could not be ruled out. ECKAAA reports that while not all files on the server were encrypted, the attackers potentially had access to all files saved on the server.

Prior to the ransomware attack, ECKAAA had implemented safeguards to protect against malware attacks and to ensure files could be recovered in the event of disaster. Consequently, it was possible to recover all the encrypted files without paying the ransom.

Since the protections in place were not sufficient to block the ransomware attack on this occasion, ECKAAA has implemented a number of new measures to improve security. Those measures include the use of CrowdStrike advanced malware agents and subscription to Cisco Umbrella Insights to improve security monitoring.

Additional training has also been given to staff to improve awareness of the threat from ransomware, a full password reset has taken place, and staff have been reminded about the importance of selecting strong passwords. A review of policies and procedures is also taking place and they will be updated accordingly to reduce the risk of future attacks occurring.

ECKAAA conducted a fully HIPAA-compliant breach response. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights, a substitute breach notice was placed prominently on the ECKAAA website, and media reports were submitted to prominent newspapers serving each of the five counties in which the agency operates. All individuals have now been notified of the potential breach of their PHI by mail.


Healthcare Data Breach Statistics Questioned

Large healthcare providers experience more data breaches than smaller healthcare providers, at least according to the healthcare data breach statistics in a spring report from Johns Hopkins University’s Carey Business School.

For the study, the researchers used breach reports submitted to the Department of Health and Human Services’ Office for Civil Rights. HIPAA-covered entities are required to submit breach reports to OCR, and under HITECH Act requirements, OCR publishes the breaches that impact more than 500 individuals.

The study, led by Ge Bai, PhD, and published in the journal JAMA Internal Medicine, indicates that between 2009 and 2016, 216 hospitals reported a data breach and 15% of hospitals reported more than one breach. The analysis of the breach reports suggests teaching hospitals are more likely to suffer data breaches – a third of breached hospitals were major teaching centers. The study also suggested larger hospitals were more likely to experience data breaches.

Now, a team of doctors from Vanderbilt University in Nashville, TN has called the data breach statistics in the Johns Hopkins study into question, pointing out that a number of potential errors could have crept in due to the nature of the data available. Daniel Fabbri, PhD, wrote to JAMA Internal Medicine pointing out that the claims made by Bai and her team may not be correct.

“Such a broad claim neglects inherent biases in data collection and reporting practices,” wrote Fabbri in the letter. He explained that the data set available to the researchers only includes data breaches of 500 or more individuals, not smaller breaches, which are not published. Larger hospitals have more patients, and could therefore be more likely to reach the 500-patient threshold for inclusion in the data set.

The researchers also argue that in order for a breach to be reported, it must first be detected. Larger cybersecurity budgets mean more cybersecurity staff and better technology. Breaches are more likely to be detected by larger hospitals, whereas a breach at a smaller healthcare organization may remain undetected for longer. Regardless of size, hospitals are likely to be able to detect lost or stolen devices, but detecting insider breaches is likely to take much longer for smaller hospitals that lack the technology and the resources to conduct internal audits of data access logs.

They also explain that there may be issues with the quality of the data. Just because it is a requirement of HIPAA to report data breaches, that does not necessarily mean that healthcare organizations will.

The Vanderbilt team explains: “This nonuniform treatment of breaches based on size, instead of impact, offense, or rate-per-employee biases the results and can negatively impact perceived patient privacy and security risks. Small-scale violations are just as important and can be even more impactful.”

Bai and her team have responded to the letter and have agreed that there are issues with the 500-individual threshold for reporting, but explain that larger hospitals have more PHI and “combined with teaching hospitals’ need for broad data access, this creates significant targets for cyber criminals, compared with smaller institutions that might be the main reason for their relatively high risks of data breaches.”

It stands to reason that large healthcare organizations, with larger volumes of health data, are an attractive target for cybercriminals. Large quantities of data mean a big payday for hackers. However, that does not necessarily mean they are targeted by cybercriminals much more than smaller organizations. Fort Knox holds significant gold reserves, but most bank robbers attack easier targets. TheDarkOverlord, a hacking group well known for targeting the healthcare industry, tends to attack smaller healthcare organizations – they are typically easier to attack as they do not have the resources or staff of their larger counterparts to devote to cybersecurity.

What is clear is that, based on the data available, obtaining meaningful healthcare data breach statistics is problematic. As the Vanderbilt researchers explained, it is difficult to conduct meaningful research based on the data set available, especially research that could be used as a basis to change hospital privacy practices.


Former Employees of Virginia Medical Practice Inappropriately Used Patient Information

Two former employees of Valley Family Medicine in Staunton, VA have been discovered to have inappropriately used a patient list, in violation of the practice’s policies.

The list was used to inform patients of a new practice that was opening in the area. One of the employees used the list to send postcards to Valley Family Medicine patients advising them that a new practice, unaffiliated with Valley Family Medicine, was being opened. Patients were invited to visit the new practice.

The mailing was sent in mid-July this year, although it was not discovered by Valley Family Medicine until September 15. The discovery prompted a full investigation of the breach, which confirmed that the only information used by the employees was the information contained on the list. That information was limited to names and addresses. No other protected health information was taken or used by the employees.

Those two individuals are no longer employed at the practice and the list has now been recovered. Valley Family Medicine is satisfied that there have been no further misuses or disclosures of the information, and that no other copies of the list exist.

In compliance with HIPAA Rules, the breach has been reported to appropriate authorities, including the Department of Health and Human Services’ Office for Civil Rights. All 8,450 patients on the list have been sent a breach notification letter explaining the nature of the incident and informed that there should be no further consequences for patients.


TJ Samson Community Hospital Discovers Inappropriate Accessing of 683 Patients’ PHI

An independent care provider in South Central Kentucky who provides care for patients of TJ Samson Community Hospital has been discovered to have inappropriately accessed the protected health information (PHI) of 683 patients of TJ Samson Community Hospital in Glasgow, KY and the TJ Health Columbia Clinic.

The inappropriate access was discovered during a routine audit of PHI access logs on August 25, 2017. The subsequent investigation revealed two individuals from the healthcare provider’s office had accessed the protected health information of patients, without any legitimate work reason for doing so.

Access to patients’ PHI is necessary for independent health care providers to conduct their work duties, although in this case the PHI was accessed even though the patients were not being treated by the individuals.

TJ Samson interviewed both individuals about the alleged unauthorized access and is satisfied that no further uses or disclosures of PHI have occurred.

In response to the incident, TJ Samson has terminated access for the individuals in question. The breach notice posted to the TJ Samson website does not indicate any further action was taken against those individuals, although steps have been taken to prevent similar cases of unauthorized access, which included conducting a review of access procedures for independent health care providers. Individuals whose PHI was viewed have been notified of the breach of their confidential information by mail.

The types of information accessed included names, medical information, demographic information, and in some cases, Social Security numbers and insurance information. The access dated back to January 1, 2017. No financial information was accessed as the individuals’ login credentials did not permit them to access such information.


Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) Introduced by NY AG

The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) has been introduced into the legislature in New York by Attorney General Eric T. Schneiderman. The aim of the act is to protect New Yorkers from needless breaches of their personal information and to ensure they are notified when such breaches occur.

The program bill, which was sponsored by Senator David Carlucci (D-Clarkstown) and Assembly member Brian Kavanagh (D-Manhattan), is intended to improve protections for New York residents without placing an unnecessary burden on businesses.

The introduction of the SHIELD Act comes weeks after the announcement of the Equifax data breach which impacted more than 8 million New Yorkers. In 2016, more than 1,300 data breaches were reported to the New York attorney general’s office – a 60% increase in breaches from the previous year.

Attorney General Schneiderman explained that New York’s data security laws are “weak and outdated” and require an urgent update. While federal laws require some organizations to implement data security controls, in New York, there are no obligations for businesses to implement safeguards to secure the personal identifying information of New Yorkers if the data held on residents does not include a Social Security number.

The SHIELD Act will require all businesses, regardless of where they are based, to adopt reasonable administrative, physical, and technical safeguards if they hold the sensitive data of New Yorkers. The law will apply even if entities do not do business in the state of New York.

While many states have introduced data breach notification laws that require individuals impacted by breaches of information such as username/password combinations and biometric data to be notified of the incidents, in New York there are no such requirements. The SHIELD Act will change that and bring state law in line with many other U.S. states.

Breach notification requirements will be updated to include breaches of username/password combos, biometric data, and protected health information covered by HIPAA laws. Breach notifications will be required if unauthorized individuals are discovered to have gained access to personal information as well as in cases of data theft.

Attorney General Schneiderman is encouraging businesses to go above and beyond the requirements of the SHIELD Act and obtain independent certification of their security controls to make sure they exceed the minimum required standards.

A flexible standard is being introduced for small businesses to ease the regulatory burden. Businesses employing fewer than 50 members of staff, with gross revenue under $3 million or less than $5 million in assets, may adopt safeguards appropriate to the organization’s size.

HIPAA-covered entities, organizations compliant with the Gramm-Leach-Bliley Act, and organizations compliant with NYS DFS regulations will be deemed to already be compliant with the data security requirements of the SHIELD Act.

The failure to comply with the provisions of the SHIELD Act will be deemed to be a violation of General Business Law (GBL § 349) and will allow the state attorney general to bring suit and seek civil penalties under GBL § 350(d).
