Latest HIPAA News

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.

The flaws stem mostly from how domain names are parsed, which can break DNS implementations, and from problems with DNS message compression, which devices use to shrink the DNS data they exchange over TCP/IP.

This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OT stacks does not necessarily mean a device is vulnerable, many will be. The researchers estimate that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide.

Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and government, with healthcare organizations and government agencies two of the top three worst affected sectors. Fortunately, the vulnerabilities are not straightforward to exploit. A malicious packet must be sent in response to a legitimate DNS request, so exploitation would require a man-in-the-middle position or the use of an exploit for a different vulnerability between the target device and the DNS server, such as DNSpooq.

The 9 vulnerabilities are detailed in the table below, along with the products and TCP/IP stacks affected:

Vulnerability (CVE)   Stack         Impact                  CVSS Score
CVE-2016-20009        IPnet         Remote Code Execution   9.8
CVE-2020-15795        Nucleus NET   Remote Code Execution   8.1
CVE-2020-27009        Nucleus NET   Remote Code Execution   8.1
CVE-2020-27736        Nucleus NET   Denial of Service       6.5
CVE-2020-27737        Nucleus NET   Denial of Service       6.5
CVE-2020-27738        Nucleus NET   Denial of Service       6.5
CVE-2020-25677        Nucleus NET   DNS Cache Poisoning     5.3
CVE-2020-7461         FreeBSD       Remote Code Execution   7.7
Awaiting CVE          NetX          Denial of Service       6.5

The flaws range in severity, with the most serious vulnerabilities rated critical. The vulnerabilities can also be chained. For example, with CVE-2020-27009, an attacker can craft a DNS response packet and write arbitrary data in sensitive parts of the memory. CVE-2020-15795 allows the attacker to craft meaningful code to be injected, and CVE-2021-25667 allows a bypass of DNS query-response matching to deliver the malicious packet to the target.

FreeBSD is also used in pfSense firewalls and network appliances such as Check Point IPSO and McAfee SecurOS. NetX is used in wearable patient monitors such as those manufactured by Welch Allyn. Nucleus NET is used extensively in healthcare devices, including ZOLL defibrillators and ZONARE ultrasound machines. The flaw in FreeBSD is of particular concern as the network stack is used in many embedded devices and millions of higher-performance IT servers, including those used by major websites such as Yahoo and Netflix.

The flaws could be used for extortion through denial-of-service attacks on mission-critical systems, to steal sensitive data, or to modify devices so that their functions are altered, which could cause significant damage. Since vulnerable devices are used in heating, ventilation, lighting, and security systems, critical building functions could also be tampered with.

While patches have now been released to correct the flaws, applying those patches may be problematic. Many of the affected internet-enabled devices are used to control mission-critical applications that are always running and cannot easily be shut down.

Mitigating NAME:WRECK Vulnerabilities

The first stage is to identify all vulnerable devices. Forescout is developing an open-source script that can be used to fingerprint vulnerable devices. Devices will not be protected until the patches are applied, so after identifying all vulnerable devices, mitigations should be implemented until the patches can be applied. Those measures should include device and network segmentation, restricting external communication with vulnerable devices, and configuring the devices to rely on internal DNS servers. Network traffic should also be monitored for malicious packets attempting to exploit the vulnerabilities and other flaws in DNS, mDNS, and DHCP clients.
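The domain-name decompression that these flaws concern is worth seeing in hardened form. The following C routine is an added example, not code from Forescout, JSOF or any of the affected stacks: it decodes an RFC 1035 compressed name with the checks a parser needs, namely bounds checks on every length byte and label, the 63-byte label and 255-byte name limits, and a strictly-backward rule for compression pointers that rejects self-referencing and looping pointers. The sample message is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME  255   /* RFC 1035 limit on the wire length of a name */
#define DNS_MAX_LABEL 63    /* RFC 1035 limit on a single label */

/* Decode a possibly compressed DNS name that starts at msg[off].
 * The dotted name (with a trailing '.') is written to out. Returns the number
 * of bytes the name occupies at its original position, or -1 if the name is
 * rejected: a read past the end of the message, an oversized label or name,
 * a reserved label type, or a compression pointer that does not point
 * strictly backwards (which covers self-references and pointer loops). */
int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off;          /* current read position in the message */
    size_t consumed = 0;       /* bytes used at the original position */
    size_t outpos = 0;         /* bytes written to out so far */
    size_t namelen = 0;        /* wire length of the expanded name */
    size_t lowest_ptr = off;   /* every pointer must target below this */
    int jumped = 0;            /* set once the first pointer is followed */

    if (outlen < 2) return -1;

    for (;;) {
        if (pos >= msglen) return -1;            /* length byte out of bounds */
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {              /* compression pointer */
            if (pos + 1 >= msglen) return -1;    /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) consumed = pos + 2 - off;
            jumped = 1;
            /* Requiring strictly backward pointers rules out self-references
             * and A->B->A loops without needing a hop counter. */
            if (target >= lowest_ptr) return -1;
            lowest_ptr = target;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;               /* 0x40 / 0x80 label types: reserved */

        if (len == 0) {                          /* root label ends the name */
            if (!jumped) consumed = pos + 1 - off;
            if (++namelen > DNS_MAX_NAME) return -1;
            if (outpos == 0) out[outpos++] = '.';  /* the root name itself */
            out[outpos] = '\0';
            return (int)consumed;
        }

        if (len > DNS_MAX_LABEL) return -1;
        if (pos + 1 + len > msglen) return -1;   /* label bytes out of bounds */
        namelen += 1 + len;
        if (namelen > DNS_MAX_NAME) return -1;
        if (outpos + len + 1 >= outlen) return -1; /* keep room for '.' and NUL */
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        out[outpos++] = '.';
        pos += 1 + len;
    }
}

/* Constructed sample message (not a real capture): a 12-byte header followed
 * by several names, some well-formed and some deliberately malformed. */
static const uint8_t sample_msg[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,0,                       /* offset 0: header */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* offset 12: example.com */
    3,'w','w','w', 0xC0,0x0C,                        /* offset 25: www + ptr to 12 */
    0xC0,0x1F,                                       /* offset 31: ptr to itself */
    0xC0,0x23, 0xC0,0x21,                            /* offsets 33/35: ptrs to each other */
    5,'a','b'                                        /* offset 37: label runs past the end */
};

/* Decode the name at `off` in sample_msg. Returns the bytes consumed when the
 * result equals `expected`, -1 when the decoder rejects the name, and -2 when
 * it decodes to something else. */
int sample_name_is(size_t off, const char *expected)
{
    char buf[DNS_MAX_NAME + 1];
    int n = dns_decode_name(sample_msg, sizeof sample_msg, off, buf, sizeof buf);
    if (n < 0) return -1;
    return strcmp(buf, expected) == 0 ? n : -2;
}

int main(void)
{
    const size_t offsets[] = { 12, 25, 31, 33, 37 };
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        char buf[DNS_MAX_NAME + 1];
        int n = dns_decode_name(sample_msg, sizeof sample_msg, offsets[i], buf, sizeof buf);
        if (n < 0) printf("offset %2zu: rejected\n", offsets[i]);
        else       printf("offset %2zu: %s (%d bytes)\n", offsets[i], buf, n);
    }
    return 0;
}
```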

Patches have been released for FreeBSD, Nucleus NET, and NetX, and device manufacturers, including Siemens, have already started releasing patches to correct the flaws in their products.

The post 100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities appeared first on HIPAA Journal.

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12:01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time the patches were issued there had been no known cases of exploitation of the flaws in the wild, but now that the flaws have been publicly disclosed, it is likely that the patches will be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483, has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.


HHS Information Blocking and Interoperability Regulations Now in Effect

The new information blocking and interoperability regulations developed by the Department of Health and Human Services as part of the 21st Century Cures Act took effect on Monday this week. It has been over a year since the final rule was released, and the benefits of the information blocking and interoperability provisions can now be realized.

The final rule defines information blocking and stipulates the penalties for providers that engage in activities that interfere with access, exchange, and use of electronic health information (EHI). The final rule also gives patients new rights over their healthcare data and allows them to request it be sent to the application of their choosing.

The compliance date was April 5, 2021, after which healthcare providers, certified health IT developers, and health information exchanges must comply with the provisions of the final rule. For the first 18 months from April 5, 2021, the information blocking provision only applies to a subset of EHI detailed in the United States Core Data for Interoperability (USCDI) v1. Core EHI includes clinical notes, immunization records, lab test results, medications, and other EHI. The initial 18-month period is intended to help the regulated community get used to the information blocking regulation before the full scope of the regulation’s definition of EHI comes into effect on October 5, 2022. Covered entities and business associates are encouraged to share all EHI if possible, and not restrict sharing to the data represented by the USCDI until the final compliance date in 18 months.

Under the final rule, the deadline for data sharing has been changed from 30 days from the request being received to “without unnecessary delay.” There is an expectation to make EHI immediately available via the platform of the connected covered entity to allow that information to be downloaded. It is important for policies and procedures to be reviewed and updated to ensure that EHI can be obtained as soon as possible, and not to continue to operate on the 30-day deadline, which could now be viewed as information blocking.

The final rule also gives patients further rights over their healthcare data and requires covered entities and business associates to provide patients with their electronic health information, on request, to an application of the patient’s choosing. Patient health information can be sent to these applications without much manual effort by clinicians through secure, standardized application programming interfaces (APIs). As with requests from other healthcare providers, for the first 18 months it is not necessary to provide full records to patients’ chosen applications, only data represented by the USCDI.

Under the HHS HIPAA Right of Access enforcement initiative, the HHS has imposed 18 penalties for failures to provide patients with a copy of their requested medical records in a timely manner. The HHS may well start enforcing compliance with the requirements of the final rule to allow patients to have their EHI sent to a health application with similar vigor. The HHS Office of the National Coordinator for Health IT (ONC) will be working with the HHS Office of Inspector General to enforce compliance with the information blocking provisions, although the final enforcement rule is still pending.


Vulnerabilities in Mission Critical SAP Systems Actively Exploited by Multiple Threat Groups

Researchers at security firm Onapsis have observed cybercriminals exploiting multiple vulnerabilities in mission-critical SAP systems. Since mid-2020, there have been more than 300 observed attacks exploiting one or more of six unpatched vulnerabilities.

Vulnerabilities in SAP systems are highly sought after by cybercriminals due to the widespread use of SAP systems. SAP says 92% of the Forbes Global 2000 use SAP to power their operations, including the majority of pharmaceutical firms, critical infrastructure and utility companies, food distributors, defense contractors and others. Over 400,000 organizations use SAP globally and 77% of the world’s transactional revenue touches a SAP system.

Onapsis reports critical SAP vulnerabilities are typically weaponized within 72 hours of patches being released. Unprotected SAP applications in cloud environments are often discovered and compromised in less than 3 hours. Despite the high risk of exploitation, many organizations are slow to apply patches. One of the vulnerabilities currently being exploited is 11 years old, while the others were patched promptly by SAP and the patches have been available for months.

The severity of the flaws and the extent to which they are being targeted by multiple threat groups has prompted the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert to all SAP users about the threat of attack, following the coordinated release of a report by Onapsis/SAP.

The six vulnerabilities are a mix of critical and medium-severity vulnerabilities that can be exploited on their own or chained together to access and exfiltrate sensitive information, conduct financial fraud, disrupt mission-critical systems, download malware and ransomware, and take full control of vulnerable SAP systems. Chaining the vulnerabilities could result in attackers gaining OS-level access, which could allow the expansion of the attack beyond vulnerable SAP systems. Onapsis researchers observed one attack where an attacker chained three of the vulnerabilities and within 90 minutes downloaded a credential store of logins for high-privileged accounts and the core database, resulting in a full system compromise.

The vulnerabilities are:

  • CVE-2020-6287 – Authentication bypass issue in SAP NetWeaver Application Server Java – Allows full takeover of vulnerable SAP systems.
  • CVE-2020-6207 – Authentication bypass issue in SAP Solution Manager – Allows full takeover of vulnerable SAP systems.
  • CVE-2018-2380 – Insufficient validation of path information issue in SAP CRM – Allows database access and lateral network movement.
  • CVE-2016-9563 – Flaw in SAP NetWeaver AS Java used for XML External Entity (XXE) – Allows DoS attacks and theft of sensitive information.
  • CVE-2016-3976 – Directory traversal flaw in SAP NetWeaver AS Java – Allows reading of arbitrary files.
  • CVE-2010-5326 – Vulnerability in the Invoker Servlet on SAP NetWeaver AS Java – Allows arbitrary code execution via HTTP/HTTPS requests.
[Figure: SAP Vulnerabilities. Source: Onapsis/SAP]

The attacks are being conducted by multiple threat actors from a range of countries, including Hong Kong, India, Japan, Netherlands, Singapore, South Korea, Sweden, Taiwan, United States, Vietnam and Yemen. The attackers appear to have advanced domain knowledge of SAP systems, access to patches, and the ability to reconfigure systems. In some cases, the attackers have exploited the vulnerabilities, installed backdoors for persistence, and then patched the vulnerabilities themselves.

“SAP promptly patched all of the critical vulnerabilities observed being exploited,” explained Onapsis in the alert. “Unfortunately, SAP and Onapsis continue to observe many organizations that have still not applied the relevant mitigations, allowing unprotected SAP systems to continue to operate and, in many cases, remain visible to attackers via the internet.”

Patches should be applied immediately to prevent exploitation of the flaws. Once updated to a secure SAP version, a compromise assessment should be performed to determine if systems have already been compromised. When future patches and software updates are released by SAP, they should be applied within 72 hours. If that is not possible, mitigations should be implemented to reduce the risk of exploitation. Further information is available in the Onapsis report.


PHI from Multiple Covered Entities Published on GitHub

Med-Data Inc. has confirmed that the protected health information of patients of several of its clients has been uploaded to the open-source software development hosting website GitHub, where it could have been accessed by unauthorized individuals.

The Spring, TX-based revenue cycle management services vendor assists healthcare providers and health plans by processing Medicaid eligibility, third party liability, workers’ compensation and patient billing. On December 10, 2020, Med-Data was notified by security researcher Jelle Ursem that some of its data had been discovered on GitHub. Dissent Doe of Databreaches.net provided a link to the uploaded data on December 14, 2020, according to the Med-Data breach notice.

An investigation was immediately launched, and it was determined that one of its employees had saved files containing protected health information to personal folders on GitHub Arctic Code Vault between December 2018 and September 2019. Med-Data said the files were removed from GitHub on December 17, 2020.

The files contained names, addresses, dates of birth, Social Security numbers, diagnoses, medical conditions, claims information, dates of service, subscriber IDs, medical procedure codes, provider names, and health insurance policy numbers. Med-Data notified all covered entities on February 8, 2020 and affected individuals were notified on March 31, 2021. All individuals affected have been offered complimentary credit monitoring and identity protection services through IDX.

To prevent similar breaches in the future, Med-Data has blocked the use of all file sharing websites, updated its internal data policies and procedures, implemented a security operations center, and deployed a managed detection and response solution.

The Department of Health and Human Services was notified about the breach on February 8, 2021; however, the breach has not yet been listed on the OCR breach portal, so it is unclear how many individuals have been affected. Covered entities that have confirmed they were affected include OSF HealthCare, UChicago Medicine, Aspirus, King’s Daughters’ Health System, SCL Health, and Memorial Hermann Health System.

While Med-Data has confirmed that the files have been deleted from GitHub, that does not necessarily mean that the information is now secured. The files were uploaded to the GitHub Arctic Code Vault, which is a public data repository used for long term archiving of files. The storage facility was developed to securely store data for up to 1,000 years. The storage facility involved saving data to physical storage media – hardened film – which was shipped to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.

The films contain a huge volume of data which was current up until February 2nd, 2020 when the archive was finalized. Since Med-Data had the files removed from GitHub on December 17, 2020, it is probable that some of the data has also been stored on film and sent to the archive. Med-Data contacted GitHub and asked for the logs of the vault to determine if any of its data had been saved to the films and to arrange its removal, but it is unclear what happened after the request was made. “We do not know what transpired after that, although there had been some muttering that MedData might sue GitHub to get the logs,” explained Ursem and Doe in an April 1, 2020 report.

This is not the only GitHub data breach to be discovered by Jelle Ursem and Dissent Doe. They reported in August 2020 that the medical records of between 150,000 and 200,000 individuals had also been uploaded to GitHub and could have been accessed by anyone.


Ransomware Attack on Home Healthcare Service Provider Affects 753,000 Individuals

Personal Touch Holding Corp, a Lake Success, NY-based provider of home health services, is alerting 753,107 patients about a breach of their protected health information.

Personal Touch Holding Corp operates around 30 Personal Touch Home Care subsidiaries in more than half a dozen U.S. states. On January 27, 2021, Personal Touch discovered it was the victim of a cyberattack involving its private cloud hosted by its managed service providers. The attackers encrypted the cloud-stored business records of Personal Touch and 29 of its direct and indirect subsidiaries.

The investigation into the ransomware attack is ongoing. At this stage it is unclear to what extent individuals’ protected health information was compromised; however, it is possible that the attackers obtained data stored in its private cloud prior to the use of ransomware.

An analysis of its cloud environment revealed the following types of patient information may have been compromised in the attack: names, addresses, telephone numbers, dates of birth, Social Security numbers, financial information (including check copies, credit card numbers, and bank account information), medical treatment information, health insurance card information, health plan benefit numbers, and medical record numbers.

Employee information was also compromised, including names, contact information, dates of birth, Social Security numbers (including dependent and spouse Social Security numbers), driver’s license numbers, passport numbers, birth certificates, background and credit reports, demographic information, usernames and passwords used at the Company, personal email addresses, fingerprints, insurance cards, health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies, and other financial information necessary for payroll.

Following the discovery of the breach, outside counsel was retained and independent forensics experts were engaged to assist with the investigation. The FBI has been alerted, along with state attorneys general and the HHS’ Office for Civil Rights. Personal Touch said it has now implemented advanced monitoring and alerting software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. In January 2020, Personal Touch announced that the protected health information of patients of 16 of its subsidiaries had been compromised in a ransomware attack on its cloud vendor, Crossroads Technologies. Crossroads Technologies hosted the Personal Touch cloud-based electronic health records. 156,400 medical records were compromised in that ransomware attack.


New Jersey Plastic Surgery Practice Pays $30K to OCR to Settle HIPAA Right of Access Case

The HHS’ Office for Civil Rights has announced a settlement has been reached with Ridgewood, NJ-based Village Plastic Surgery to resolve potential violations of the HIPAA Right of Access. Under the terms of the settlement, Village Plastic Surgery will pay a $30,000 penalty and will adopt a corrective action plan that requires policies and procedures to be implemented related to access to protected health information (PHI). OCR will also monitor Village Plastic Surgery for compliance for 2 years.

OCR launched an investigation into Village Plastic Surgery following receipt of a complaint from a patient of the practice on September 7, 2019. The patient had requested a copy of the medical records held by the plastic surgery practice but had not been provided with those records within the maximum time allowed by the HIPAA Privacy Rule. OCR intervened and, during the course of its investigation, Village Plastic Surgery did not provide the patient with the requested records.

OCR investigators determined that the delay in providing the records, which exceeded the 30 days allowed for acting on patient requests for their medical records, was in violation of the HIPAA Right of Access, as detailed in 45 C.F.R. § 164.524. As a result of OCR’s intervention, the patient did receive a copy of the requested records. The case was settled by Village Plastic Surgery with no admission of liability.

“OCR’s Right of Access Initiative continues to support and enforce individuals’ vital right to receive copies of their medical records in a timely manner,” said Acting OCR Director Robinsue Frohboese. “Covered entities must comply with their HIPAA obligations and OCR will take appropriate remedial actions if they do not.”

This is the 18th financial penalty to be imposed by OCR to resolve violations of the HIPAA Right of Access under its Right of Access enforcement initiative that was launched in late 2019. This is the 6th HIPAA penalty to be imposed in 2021, and the 5th to resolve a HIPAA Right of Access violation.


SalusCare Takes Legal Action Against Amazon to Obtain AWS Audit Logs to Investigate Data Breach

SalusCare, a provider of behavioral healthcare services in Southwest Florida, experienced a cyberattack in March that saw patient and employee data exfiltrated from its systems. The exact method used to gain access to its servers has not been confirmed, although the cyberattack is believed to have started with a phishing email that was used to deliver malware. The malware was used to exfiltrate its entire database to an Amazon AWS storage account.

The attack occurred on March 16, 2021 and the investigation into the breach established that the attacker, an individual who appeared to be based in Ukraine, gained access to its Microsoft 365 environment, downloaded sensitive data, and uploaded the stolen data to two Amazon S3 storage buckets.

Amazon was notified about the illegal activity and it suspended access to the S3 buckets to stop the attacker accessing the stolen data. SalusCare requested access to the audit logs, which it requires to continue to investigate the breach and determine exactly what data was stolen. SalusCare also wants to make sure that the suspension is permanent and will not be lifted by Amazon.

The S3 buckets may have been used to store SalusCare data, but Amazon will not voluntarily provide copies of audit logs or a copy of the data stored in the S3 buckets as they do not belong to SalusCare. The two S3 buckets are understood to include almost 86,000 files that were stolen in the attack.

To get access to the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under Florida’s Computer Abuse and Recovery Act. SalusCare seeks a ruling that will compel Amazon to provide the audit logs and a copy of the content of the two S3 buckets. SalusCare also wants the courts to order Amazon to make the suspension of access permanent to prevent the attacker from accessing the data or copying the stolen information to another online storage service. SalusCare has also sued the individual behind the attacks – John Doe.

The lawsuit argued that the data stolen in the attack and hosted by Amazon is extremely sensitive and could be used to commit identity theft, could be sold by the hacker on darknet marketplaces, or leaked to the public.

“The files contain extremely personal and sensitive records of patients’ psychiatric and addiction counseling and treatment,” explained SalusCare in its petition to the U.S. District Court in Fort Myers. “The files also contain sensitive financial information such as social security numbers and credit card numbers of SalusCare patients and employees.”

The lawsuit requests that after Amazon provides a copy of the data and audit logs to SalusCare the S3 buckets should be purged to prevent any further unauthorized access.

Amazon did not oppose any injunctive relief sought by SalusCare and The News-Press reports that a District Court federal judge granted the requests on March 25, 2021.


Massachusetts Mental Health Clinic Settles HIPAA Right of Access Case for $65,000

Arbour Hospital, a mental health clinic in Boston, MA, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) and has agreed to pay a $65,000 penalty.

OCR was informed about a potential violation of the HIPAA Right of Access on July 5, 2019. A patient of Arbour Hospital alleged he had requested a copy of his medical records from the hospital on May 7, 2019 but had not been provided with those records within two months.

When a healthcare provider receives a request from a patient who wishes to exercise their HIPAA Privacy Rule right to obtain a copy of their healthcare records, a copy of those records must be provided as soon as possible and no later than 30 days after the request is received. A 30-day extension is possible in cases where records are stored offsite or are otherwise not easily accessible. In such cases, the patient requesting the records must be informed about the extension in writing within 30 days and be provided with the reason for the delay.

OCR contacted Arbour Hospital and provided technical assistance on the HIPAA Right of Access on July 22, 2019 and the complaint was closed. The patient then submitted a second complaint to OCR on July 28, 2019 when his medical records had still not been provided. The records were eventually provided to the patient on November 1, 2019, almost 6 months after the written request was submitted and more than 3 months after OCR provided technical assistance on the HIPAA Right of Access.

OCR determined the failure to respond to a written, signed medical record request from a patient in a timely manner was in violation of the HIPAA Right of Access – 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital is required to adopt a corrective action plan that involves implementing policies and procedures for patient record access and providing training to the workforce. Arbour Hospital will also be monitored by OCR for compliance for 1 year.

“Health care providers have a duty to provide their patients with timely access to their own health records, and OCR will hold providers accountable to this obligation so that patients can exercise their rights and get needed health information to be active participants in their health care,” said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are provided with timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty to be paid to OCR to resolve HIPAA Right of Access violations under this enforcement initiative and the 4th HIPAA Right of Access settlement to be announced in 2021.
