HIPAA News for Small and Mid-Sized Practices

New Ransomware and Phishing Warnings for Healthcare Organizations

Warnings have been issued about a new ransomware variant that is being used in targeted attacks on healthcare organizations, and about IRS-, FBI- and Hurricane Harvey-themed phishing attacks.

Defray Ransomware

A new ransomware variant is being used in highly targeted attacks on healthcare organizations in the United States and United Kingdom. Defray ransomware is being distributed in small email campaigns using carefully crafted messages specifically developed to maximize the probability of a response from healthcare providers.

The messages claim to have been sent from the Director of Information Management and Technology at the targeted organization and include the hospital’s logos. The documents claim to be patient reports detailing important information for patients, relatives and carers. The messages are being sent to specific individuals in organizations and via distribution lists.

The campaigns involve Microsoft Word documents with embedded OLE packager shell objects. The recipient is invited to click the embedded object to view the document's content; doing so runs the embedded executable and downloads Defray ransomware. There is currently no free decryptor to unlock the encryption. Recovery will depend on backups being available; otherwise a ransom of $5,000 per encrypted device must be paid for the decryption keys.

The scams were uncovered by researchers at Proofpoint, who believe the actors behind the campaigns are likely to continue to conduct highly targeted attacks rather than use the spray and pray tactics more commonly associated with ransomware distribution.

As always, the advice is to ensure backups are regularly performed and end users are made aware of the risks of clicking links or opening attachments from unknown senders.
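As an added example (not code from the original post, Proofpoint or HIPAA Journal), a mail-gateway triage check that flags .docx attachments carrying embedded OLE Packager objects of the kind described above. It relies only on the documented .docx layout (a ZIP archive with objects under word/embeddings/ referenced from the document relationships part) and the OLE Compound File magic bytes; the sample document it inspects is constructed in the code.

```python
"""Triage check for .docx attachments carrying embedded OLE Packager objects.

Added example, not code from the original post, Proofpoint or HIPAA Journal.
A .docx is a ZIP archive: objects inserted with the OLE Packager land under
word/embeddings/ and are referenced from word/_rels/document.xml.rels with
the 'oleObject' relationship type, and each one is an OLE Compound File
(magic D0 CF 11 E0 A1 B1 1A E1). The sample document is constructed here.
"""
import io
import re
import zipfile

OLE_CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def _rel_types(rels_xml):
    """Map each relationship target (as an archive member name) to its type."""
    types = {}
    for m in re.finditer(r"<Relationship\b([^>]*)>", rels_xml):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
        target = attrs.get("Target", "")
        # Targets are relative to word/ unless written as an absolute part name.
        member = target.lstrip("/") if target.startswith("/") else "word/" + target
        types[member] = attrs.get("Type", "")
    return types


def find_embedded_objects(docx_bytes):
    """List every member under word/embeddings/ with its CFB-magic check and
    the relationship type the main document part uses to reference it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        rels_part = "word/_rels/document.xml.rels"
        rel_types = {}
        if rels_part in names:
            rel_types = _rel_types(zf.read(rels_part).decode("utf-8", "replace"))
        for name in sorted(names):
            if not name.startswith("word/embeddings/"):
                continue
            findings.append({
                "member": name,
                "is_ole_compound_file": zf.read(name)[:8] == OLE_CFB_MAGIC,
                "referenced_as": rel_types.get(name, ""),
            })
    return findings


def is_suspicious(docx_bytes):
    """Triage verdict: any OLE compound-file embedding warrants a closer look.
    Legitimate documents embed OLE objects too, so treat this as a signal to
    hold the attachment for review rather than a final verdict."""
    return any(f["is_ole_compound_file"] for f in find_embedded_objects(docx_bytes))


def build_sample_docx(embed_ole=True):
    """Constructed minimal .docx; the optional 'embedding' is just the CFB
    magic plus zero padding, not a real object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if embed_ole:
            rels.append(f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>')
            zf.writestr("word/embeddings/oleObject1.bin", OLE_CFB_MAGIC + b"\x00" * 504)
        rels.append("</Relationships>")
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_embedded_objects(build_sample_docx()):
        print(finding)
```

A fuller check would open the compound file (for instance with the olefile library) and look for the Ole10Native stream the Packager writes, which carries the embedded file name and payload.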

Hurricane Harvey Phishing Scams

Natural disasters draw out the scammers and Hurricane Harvey is no exception. US-CERT has recently issued a warning to consumers and businesses to be alert to Hurricane Harvey phishing scams. Scammers take advantage of interest in natural disasters to phish for sensitive information, install malware and ransomware, and fraudulently obtain charitable donations from the public.

Email and social media scams can be expected and users should be alert to the risk of malicious cyber activity. Emails relating to the relief efforts or updates on Hurricane Harvey should be treated as suspicious. Links in the emails should not be clicked and attachments not opened.

Email requests for charitable donations to help the victims of the disaster should be treated as suspicious. Rather than using links in the emails, US-CERT recommends obtaining trusted contact information for the charity via the Better Business Bureau National Charity Report Index and independently verifying the legitimacy of any email request for donations.

FBI and IRS-Themed Phishing Emails

An alert has been issued about a new phishing scam that uses both the FBI and IRS emblems to fool users into installing ransomware. The emails relate to an FBI questionnaire that needs to be downloaded, printed, completed, scanned and returned.

A link is included in the email to download the form, which the scammers suggest is related to changes to tax laws. Clicking the link will result in ransomware being downloaded. The IRS has reconfirmed it does not initiate communication via email, text message or social media posts.

IRS commissioner John Koskinen said, “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

The post New Ransomware and Phishing Warnings for Healthcare Organizations appeared first on HIPAA Journal.

Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware

For the first time in the past 10 years, Delaware has amended its data breach notification law and has now introduced some of the strictest requirements of any state. Any ‘person’ operating in the state of Delaware must now notify individuals of the exposure or theft of their sensitive information and must offer breach victims complimentary credit monitoring services for 12 months. Connecticut was the first state to introduce similar laws, with California also requiring the provision of credit monitoring services to breach victims.

Breach victims must also be advised of security incidents involving their sensitive information ‘as soon as possible’ and no later than 60 days following the discovery of a breach. The new law also requires companies operating in the state to implement “reasonable” security measures to safeguard personal information – Delaware is the 14th state to require companies to adopt security measures to ensure sensitive information is protected.

The definition of ‘personal information’ has also been expanded and now includes usernames/email addresses in combination with a password/answers to security questions, passport numbers, driver’s license numbers, mental health and physical condition, medical histories, health insurance policy numbers, subscriber identification numbers, medical treatment information, medical diagnoses, DNA profiles, unique biometric data (including fingerprints/retina scans), and taxpayer identification numbers.

Companies can avoid sending notifications and providing credit monitoring services if data is encrypted prior to a cyberattack or other security incident, unless it is reasonably believed the breach also resulted in the encryption key being compromised.

Rep. Paul Baumbach, D-Newark, who sponsored the bill, said the new legislation is “a meaningful step forward in addressing these breaches so that we guarantee better protections for our residents and help them rebuild their lives after a cyberattack.”

House Bill 180 was passed earlier this month. The new law has an effective date of April 14, 2018.

The post Credit Monitoring Services Must Now Be Offered to Breach Victims in Delaware appeared first on HIPAA Journal.

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To make the authentication process harder for hackers to defeat, NIST recommends the use of multi-factor authentication, for example a password used together with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. Unicode characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

While forcing the use of special characters, lower case letters, and upper case letters is intended to improve password strength, in reality this may not be the case. Forcing users to use at least one lower case letter, one uppercase letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.
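As an added example, not code from NIST or HIPAA Journal, a verifier-side screen that applies the advice above: length rather than composition rules, Unicode and spaces accepted, and rejection of the weak choices the text lists (common and breached passwords, dictionary words, aaaaaaaa/12341234/1234abcd patterns, context words such as MRIpassword, the username), followed by salted hashing for storage. The blocklist and dictionary contents are constructed for the demo, and the 64-character cap is a demo choice (the minimum a verifier must accept), not a NIST upper limit.

```python
"""Memorized-secret screening in the spirit of the SP 800-63B advice above:
length instead of composition rules, Unicode and spaces allowed, a blocklist
for common/breached/dictionary/repetitive/sequential/context-specific
choices, and salted hashing for storage.

Added example, not code from NIST or HIPAA Journal. BLOCKLIST and DICTIONARY
are constructed for the demo; a deployment would load a real breached-
password corpus. MAX_LENGTH = 64 is a demo cap, not a NIST limit.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8
MAX_LENGTH = 64
PBKDF2_ITERATIONS = 200_000  # demo value; tune to your hardware budget

BLOCKLIST = {"password", "password1!", "letmein", "qwerty123", "welcome1"}
# Dictionary words shorter than MIN_LENGTH fail the length check anyway.
DICTIONARY = {w for w in ("hospital", "medicine", "radiology", "patients")
              if len(w) >= MIN_LENGTH}


def _normalize(secret):
    """NFKC-normalize (as 800-63B requires) and casefold, for comparison only."""
    return unicodedata.normalize("NFKC", secret).casefold()


def _has_repeated_unit(s):
    """'aaaaaaaa' or '12341234': one unit repeated to fill the whole secret."""
    n = len(s)
    return any(n % u == 0 and s[:u] * (n // u) == s for u in range(1, n // 2 + 1))


def _has_sequence(s, run=4):
    """Four or more consecutive ascending/descending code points ('1234', 'abcd')."""
    cps = [ord(c) for c in s]
    for i in range(len(cps) - run + 1):
        w = cps[i:i + run]
        if {b - a for a, b in zip(w, w[1:])} in ({1}, {-1}):
            return True
    return False


def check_memorized_secret(secret, username="", context_words=()):
    """Return (accepted, reason). Length is counted in code points after
    normalization, and no upper/lower/digit/special mix is demanded."""
    norm = _normalize(secret)
    n = len(unicodedata.normalize("NFKC", secret))
    if n < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if n > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if norm in BLOCKLIST:
        return False, "appears in common/breached password list"
    if norm in DICTIONARY:
        return False, "is a dictionary word"
    if _has_repeated_unit(norm):
        return False, "repetitive character pattern"
    if _has_sequence(norm):
        return False, "sequential character pattern"
    if len(username) >= 3 and _normalize(username) in norm:
        return False, "contains the username"
    for word in context_words:
        if len(word) >= 3 and _normalize(word) in norm:
            return False, f"contains context-specific word '{word}'"
    return True, "accepted"


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the NFKC-normalized secret; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    data = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


def verify_secret(secret, salt, digest):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)
```

Rate limiting, the third control the text names, lives at the login endpoint rather than in this screen: count failed attempts per account and throttle or lock after a threshold.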

The post NIST Updates Digital Identity Guidelines and Tweaks Password Advice appeared first on HIPAA Journal.

Healthcare Hacking Incidents Overtook Insider Breaches in July

Throughout 2017, the leading cause of healthcare data breaches has been insiders; however, in July hacking incidents dominated the breach reports.

Almost half of the breaches (17 incidents) reported in July for which the cause of the breach is known were attributed to hacking, which includes ransomware and malware attacks. Ransomware was involved in 10 of the 17 incidents.

The Protenus Breach Barometer report for July shows there were 36 reported breaches – the third lowest monthly total in 2017 and a major reduction from the previous month, when 52 data breaches were reported – the worst month of the year to date by some distance.

In July, 575,142 individuals are known to have been impacted by healthcare data breaches, although figures have only been released for 29 of the incidents. The worst breach reported in July – a ransomware attack on Women’s Health Care Group of PA – impacted 300,000 individuals.

While hacking incidents are usually lower than insider breaches, they typically result in the theft or exposure of the most healthcare records. July was no exception. Protenus reports that 21 times more records were exposed/stolen as a result of hacking incidents than breaches involving insiders. Hacking incidents impacted 516,053 of the 575,142 known victims in July.

There were 8 confirmed insider breaches (22.2% of the total) which resulted in the theft/exposure of 24,212 records. Three were attributed to errors by insiders with five caused by insider wrongdoing. 8.3% of the breaches were due to loss or theft, with three incidents involving the theft of physical records.

At the end of July, the Department of Health and Human Services’ Office for Civil Rights’ cybersecurity newsletter highlighted the risk from phishing attacks, reminding HIPAA-covered entities of the need to conduct security awareness training. July was a particularly bad month for phishing, with 5 phishing incidents reported.

The majority of breaches were experienced by healthcare providers (80.5%) followed by health plans (8.3%) and business associates (5.5%). More business associates may have been involved in the breaches according to Protenus, although insufficient data was available to confirm this. 5.5% of the breaches were attributed to other entities, including one fire dispatch center.

Over the past few months, the time taken by covered entities to report data breaches has improved, with June seeing virtually all breaches reported inside the 60-day window stipulated by the HIPAA Breach Notification Rule. However, there was a slight deterioration in July. The average time to report the breaches was 67.5 days, although the median was 60 days.

It should be noted that unnecessarily delaying breach reports is a violation of HIPAA Rules. Healthcare organizations should not wait until the 60-day deadline arrives before sending notification letters to patients/plan members and informing OCR.

The time taken to discover data breaches is poor in the healthcare industry. In July, the average time to discover a breach was 503 days (median was 79.5 days). The average time was skewed by a single breach that took an astonishing 14 years to discover – a breach involving an insider who had been snooping on patient records.

California, Georgia, and Indiana topped the list for the states worst affected by healthcare data breaches with three incidents apiece.

The post Healthcare Hacking Incidents Overtook Insider Breaches in July appeared first on HIPAA Journal.

August Sees OCR Breach Reports Surpass 2,000 Incidents

Following the introduction of the HITECH Act in 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its Wall of Shame. August saw an unwanted milestone reached. There have now been more than 2,000 healthcare data breaches (impacting more than 500 individuals) reported to OCR since 2009.

As of today, there have been 2,022 healthcare data breaches reported. Those breaches have resulted in the theft/exposure of 174,993,734 individuals’ protected health information. Healthcare organizations are getting better at discovering and reporting breaches, but the figures clearly show a major hike in security incidents. In the past three years, the total has jumped from around 1,000 breaches to more than 2,000.

The recent KPMG 2017 Cyber Healthcare & Life Sciences Survey showed that 47% of healthcare organizations have experienced a data breach in the past two years, up from 37% in 2015 when the survey was last conducted. An ITRC/CyberScout study showed there has been a 29% increase in data breaches so far in 2017.

In contrast to other industries, the biggest cause of data breaches is insiders (Protenus/databreaches.net): Both deliberate actions by ‘bad apples’ and accidental breaches as a result of simple errors and negligence. Hacking (including malware/ransomware attacks) is the second biggest cause.

Healthcare Organizations Should Not Ignore the Threat from Phishing

Many healthcare data breaches occur as a result of phishing. Research conducted by PhishMe suggests 91% of data breaches start with a phishing email, with the attackers using phishing to obtain login credentials or install malware/ransomware.

A recent Global Threat Intelligence Report released by NTT Security showed the extent to which phishing is used to distribute malware. In Q2, 2017, 67% of malware attacks saw malware delivered via phishing emails.

Jon Heimerl, manager of the Threat Intelligence communications team, pointed out that while phishing is used extensively to spread malware, it isn’t often rated as one of the biggest threats. Heimerl said, “I have not seen any studies where CISOs are saying their No. 1 concern is phishing attacks. If you went around a room, it would likely be ransomware and DDoS as the No. 1 and No. 2 things on their mind, in my view.”

Countering the threat from phishing requires software solutions to block spam emails from being delivered to end users, security awareness training to teach employees how to identify email threats, and phishing simulations to put security awareness training to the test and identify vulnerable individuals in need of further training.

New Exploit Kit and Recent Ransomware Attacks Highlight Importance of Prompt Patching

Email remains the main delivery vector for malware, although the WannaCry attacks showed that malware can easily be installed if patch management practices are poor. The ransomware attacks were made possible thanks to the release of exploits by the hacking group Shadow Brokers and poor patching practices. Prompt patching would have protected organizations against WannaCry.

Exploit kits also pose a threat. Exploit kits are web-based tools that probe for vulnerabilities in browsers and plugins. Exploits are loaded to the kit that are used to silently download malware when a visitor to a domain hosting the kit is discovered to have a vulnerable browser.

This week, a new exploit kit has started to be offered on underground forums at cut-price rates. For as little as $80 a day, cybercriminals can rent the new Disdain exploit kit and use it to spread malware. Exploit kit activity has fallen over the past 12 months, although the threat of web-based attacks should not be ignored.

The Disdain exploit kit can leverage at least 15 vulnerabilities to download malicious payloads, including vulnerabilities in Firefox (CVE-2017-5375, CVE-2016-9078, CVE-2014-8636, CVE-2014-1510, CVE-2013-1710), Internet Explorer (CVE-2017-0037, CVE-2016-0189, CVE-2015-2419, CVE-2014-6332, CVE-2013-2551), IE and Edge (CVE-2016-7200), Adobe Flash (CVE-2016-4117, CVE-2016-1019, CVE-2015-5119), and Cisco WebEx (CVE-2017-3823). While many of these vulnerabilities are relatively new, patches have been released to address all of the flaws.

To reduce the risk of exploit kit attacks, healthcare organizations should ensure all browsers are updated automatically and regular checks are performed to ensure all employees are using the latest versions. A web filtering solution is also beneficial to block access to domains known to be used for malware distribution, host exploit kits or phishing.

The post August Sees OCR Breach Reports Surpass 2,000 Incidents appeared first on HIPAA Journal.

Want to Prevent Data Breaches? Time to Go Back to Basics

Intrusion detection systems, next generation firewalls, insider threat management solutions and data encryption will all help healthcare organizations minimize risk, prevent security breaches, and detect attacks promptly when they do occur. However, it is important not to forget the security basics. The Office for Civil Rights Breach portal is littered with examples of HIPAA data breaches that have been caused by the simplest of errors and security mistakes.

Strong security must start with the basics, as has recently been explained by the FTC in a series of blog posts. The blog posts are intended to help businesses improve data security, prevent data breaches and avoid regulatory fines. While the blog posts are not specifically aimed at healthcare organizations, the information covered is relevant to organizations of all sizes in all industry sectors.

The blog posts are particularly relevant for small to medium-sized healthcare organizations that are finding data security something of a challenge.

The blog posts are an ideal starting point to ensure all the security basics are covered. They cover 10 basic security principles the FTC looks at when investigating complaints and data breaches. The blog posts use examples from FTC cases and 60+ complaints and orders, including settlements reached with organizations that have failed to implement appropriate security controls. The FTC has also listened to the challenges faced by businesses when attempting to secure sensitive information and offers practical tips to address those challenges.

While the FTC has taken action against organizations, in the majority of cases investigations have been closed without any further action necessary. Companies may have experienced data breaches, yet they got the basics right and had implemented reasonable data security controls. They may not have been enough to prevent cyberattacks and other security incidents, but they were sufficient to avoid a financial penalty.

The same applies to Office for Civil Rights investigations into HIPAA data breaches. OCR investigates all breaches of more than 500 records, yet only a very small percentage of the 2,000+ data breaches reported to OCR have resulted in a financial penalty. If you want to avoid an FTC or HIPAA fine, it is essential to get the basics right. Getting the basics wrong can prove very costly indeed.

The FTC blog series covers the following aspects of data security:

  1. Start with security.
  2. Control access to data sensibly.
  3. Require secure passwords and authentication.
  4. Store sensitive personal information securely and protect it during transmission.
  5. Segment your network and monitor who’s trying to get in and out.
  6. Secure remote access to your network.
  7. Apply sound security practices when developing new products.
  8. Make sure your service providers implement reasonable security measures.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
  10. Secure paper, physical media, and devices.

The blog posts have been combined into the FTC’s Start with Security brochure, which is a “nuts-and-bolts brochure that distills the lessons learned from FTC cases down to 10 manageable fundamentals applicable to companies of any size.” The blog posts and brochure can be viewed on this link.

HIPAA-covered entities should also sign up for OCR's cybersecurity newsletter, which details new threats and further steps that covered entities should take to improve security and keep ePHI secure. To sign up for the newsletter, visit this link and be sure to check out the Security Rule guidance material published by HHS.

The post Want to Prevent Data Breaches? Time to Go Back to Basics appeared first on HIPAA Journal.

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted with 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible, or had some responsibility, for information security in their organization.

The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas.

The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months.

While these results are encouraging, there is still considerable room for improvement. 15% of organizations are not conducting annual risk assessments and 25% do not have an insider threat management program, even though insiders are the biggest cause of healthcare data breaches.

HIMSS says, “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”

A majority of respondents have adopted at least one cybersecurity framework, the most popular being the NIST CSF (62%) followed by HITRUST CSF (25%) and ISO (25%). Organizations that have hired a CISO are much more likely to implement a cybersecurity framework. Only 5% of organizations with a CISO have not adopted the NIST CSF.

Healthcare organizations now appreciate the importance of conducting regular security awareness training for the workforce, such as training employees how to recognize phishing emails and social engineering attacks and the importance of reporting potential security incidents to the IT department. 87% of respondents said they run security awareness training sessions for the workforce at least once a year.

60% of respondents said they now employ a senior information security leader such as a CISO to oversee their cybersecurity programs, and 80% have dedicated cybersecurity staff.

71% of respondents said they divert some of their budget to cybersecurity, with 60% allocating 3% or more of their budget to their cybersecurity program.

When asked about the biggest threats, the greatest concerns were medical device security, patient safety – especially in relation to attacks on medical devices – PHI breaches, and malware.

Rod Piechowski, senior director, health information systems, HIMSS said, “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”

Full details of the findings of the HIMSS 2017 Cybersecurity Survey are available on this link.

The post HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs appeared first on HIPAA Journal.

$5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching

The importance of applying patches promptly to address critical security vulnerabilities has been highlighted by a recent $5.5 million data breach settlement.

Yesterday, New York Attorney General Eric T. Schneiderman announced a settlement has been reached with Nationwide Mutual Insurance Company and its subsidiary, Allied Property & Casualty Insurance Company, to resolve a multi-state data breach investigation involving New York and 32 other states.

Nationwide will pay a total of $5.5 million, $103,736.78 of which will go to New York State. The settlement will cover the costs of the investigation and litigation, with the remaining funds used for consumer protection law enforcement and other purposes.

The investigation was launched following a 2012 breach of the sensitive data of 1.27 million individuals, some of whom were customers, although many had only obtained quotes from Nationwide and its subsidiary and did not go on to take out insurance policies.

In 2012, hackers infiltrated Nationwide’s systems and stole the personal information of consumers along with highly sensitive data such as Social Security numbers, driver’s license numbers, and credit scoring information.

The hackers gained access to its systems via a vulnerability in a third-party web application. While not all data breaches are the fault of the breached entity, in this case the breach could easily have been prevented. A patch to address the critical vulnerability had been released by the third-party software company three years earlier. Nationwide had failed to apply the patch. The patch was only applied after the breach occurred.

The data breach investigation was led by Attorneys General for Connecticut, the District of Columbia, Florida and Maryland. Connecticut Attorney General George Jepsen said, “It is critically important that companies take seriously the maintenance of their computer software systems and their data security protocols.”

Attorney General Schneiderman said, “Nationwide demonstrated true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” Schneiderman went on to say, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”

The settlement was agreed under a no-fault agreement. In addition to the financial penalty, Nationwide is required to ensure its software is kept up to date, including third-party software applications, and data security must be improved. Nationwide is also required to hire a technology officer to monitor and manage patches and software updates and update its policies and procedures for storing and maintaining consumers’ personal information.

Nationwide must also make clear to consumers that their personal information is retained, even if they do not sign up for insurance policies with the company or its subsidiaries.

Nationwide is not a HIPAA-covered entity, but the settlement does serve as a warning for healthcare organizations that fail to adopt security best practices. OCR is not the only regulator that can issue large fines for the failure to protect sensitive information.

This is just one of several actions taken by attorneys general for data breaches and the response to them. Earlier this year, CoPilot Provider Support Services Inc., was fined $130,000 by the New York Attorney General.

In that case, the fine was not for the breach but for the lack of action afterwards. The breach occurred in October 2015; CoPilot contacted the FBI about the incident in February 2016, then delayed issuing breach notification letters until January 2017. The fine was not for a HIPAA violation, but for a breach of General Business Law § 899-aa for unnecessarily delaying breach notifications to consumers.

The post $5.5 Million Data Breach Settlement Highlights the Importance of Prompt Patching appeared first on HIPAA Journal.