Latest HIPAA News

Estes Park Health Ransomware Attack Highlights Risks of Paying Ransoms

Estes Park Health (EPH) in Colorado has suffered a ransomware attack that resulted in widespread file encryption across the network.

The attack was noticed by employees on Sunday, June 2, 2019, who reported that their computers were behaving strangely. EPH contacted its on-call IT technician, who logged in and experienced the same issues as the ransomware systematically encrypted files on the network. EPH Chief Information Officer Gary Hall witnessed the ransomware locking files and taking control of programs on his computer, according to a recent report in the Estes Park Trail Gazette.

IT staff responded quickly and started locking systems down, but it was not possible to prevent widespread file encryption. Software in the clinic was the first to go offline, followed by its digital imaging software, which stores all X-rays and other medical images. The attack wiped out the network and its phone service.

EPH activated its incident response center and switched to emergency mode procedures while its computer system was down. EPH uses software that constantly monitors the network and detects any attempts to exfiltrate data. Between the attack commencing and access being terminated, the event logs show no attempts were made to exfiltrate data. EPH believes the main motivation behind the attack was extortion through the prevention of access to critical files.

EPH holds a cybersecurity insurance policy that covers attacks such as this. EPH used a cybersecurity firm recommended by its insurance company. The firm gave advice on recovery and helped manage the response.

The firm made contact with the attackers and the ransom demand was paid. The keys to unlock the encrypted files were provided and EPH has been able to regain access to the encrypted files.

The ransom amount has not been disclosed publicly. EPH will be required to pay a $10,000 deductible. The investigation into how access was gained to its network is ongoing.

A Warning to all Healthcare Organizations

Boardman, OH-based N.E.O Urology recently announced that it had been attacked with ransomware. The decision was taken to pay the $75,000 ransom demand. Even with the keys, the extent of the encryption was such that it took more than 3 days to decrypt its files.

In that case, recovery was possible, but the decision to pay a ransom is not without risk. The attackers may not hold viable keys to unlock the encryption and, as EPH discovered, payment of the ransom does not always guarantee an easy recovery.

EPH said an initial ransom payment was made and keys were supplied to unlock files. However, while unlocking files, EPH found further files had been encrypted. EPH then had to contact the attackers and make a further payment in order to get the keys to unlock all encrypted files.

The post Estes Park Health Ransomware Attack Highlights Risks of Paying Ransoms appeared first on HIPAA Journal.

House Overturns Ban on HHS Funding HIPAA National Patient Identifier Development

One of the requirements of the HIPAA Administrative Simplification Rules was the development of a national identifier for all patients. Such an identifier would be used by all healthcare organizations to match patients with health records from multiple sources and would improve the reliability of health information and ensure it could be shared quickly and efficiently.

That national patient identifier has failed to materialize. For the past two decades, the Department of Health and Human Services has been prohibited from using funds to develop or promote a unique patient identifier system out of concerns over privacy and security of patient data.

Just as was the case in 1996, the benefits of using national patient identifiers remain and the need for such a system is greater than ever. Many hospitals, healthcare and health IT groups have been urging Congress to lift the HHS ban due to the benefits that would come from using a national identifier.

They argue it would make it much easier to match medical information from multiple sources with the correct patient and the potential for errors would be greatly reduced. Together with the cost savings, adoption of a national patient identifier would improve the quality of care provided to patients and patient safety.

Now, 20 years after the ban was put in place, it is closer to being lifted. The U.S. House of Representatives recently voted on several amendments to a $99.4 billion HHS appropriations bill. The amendment calling for the lifting of the ban was proposed by Rep. Bill Foster (D-Ill.) and was passed on Wednesday, June 12, in a 246 to 178 vote. Until now, neither chamber in Congress had ever voted to lift the ban.

“For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems,” said Rep. Foster.

The passing of the amendment is the first step toward a national identifier being developed, but there are plenty of hurdles to overcome before the ban is finally lifted. The appropriations bill must first be passed, the Senate would need to give its approval, and then the president would need to sign the bill into law.

Even though the benefits of a national patient identifier are clear, many privacy advocates believe the privacy and security risks are too great and that adoption of a national identifier would result in loss of control of patient data and more frequent, larger, and more damaging healthcare data breaches.

Alabama Jury Awards Woman $300,000 Damages over HIPAA Breach

A woman in Alabama has been awarded $300,000 in damages after a doctor illegally accessed and disclosed her protected health information to a third party.

Plaintiff Amy Pertuit filed a lawsuit against Medical Center Enterprise (MCE) in Alabama, a former MCE physician, and an attorney over the violation of her privacy in January 2015.

According to lawyers for the plaintiff, Amy Pertuit’s husband was experiencing visitation issues and was involved in a custody battle with his former wife, Deanna Mortenson.

Mortenson contacted Dr. Lyn Diefendfer, a physician at MCE, and convinced her to obtain health information about Amy Pertuit for use against her husband in the custody battle. The information was disclosed to Mortenson’s attorney, Gary Bradshaw.

Dr. Diefendfer accessed Pertuit’s records through the Alabama Prescription Drug Monitoring Program website. Since Dr. Diefendfer had no treatment relationship with Pertuit, she was not authorized to access her medical information. The access and disclosure were violations of hospital policies and HIPAA Rules.

After discovering that her health information had been disclosed, Pertuit lodged a complaint with the Department of Health and Human Services’ Office for Civil Rights which put the hospital on notice. However, the hospital failed to implement appropriate sanctions against Diefendfer. Dr. Diefendfer is alleged to have accessed further health information in 2016 and again disclosed that information to Bradshaw.

The plaintiff’s lawyers also said that the hospital’s privacy officer had investigated Dr. Diefendfer and discovered 22 separate violations of hospital policies and HIPAA Rules.

The lawsuits filed against Dr. Diefendfer, Deanna Mortenson, and Gary Bradshaw were all settled out of court. The case against MCE went to a jury trial.

The jury unanimously found that MCE had failed to take appropriate action against Dr. Diefendfer after the discovery of the privacy violation, and awarded the plaintiff $295,000 in punitive damages and a further $5,000 as compensation for pain, suffering, and humiliation.

AMCA Breach Sparks Flurry of Lawsuits and Investigations

The dust has barely settled after the news of the massive data breach at American Medical Collection Agency (AMCA) broke last week, but already more than a dozen lawsuits have been filed by victims of the breach.

The breach was officially announced by Quest Diagnostics on June 3, 2019 through an 8-K filing with the Securities and Exchange Commission (SEC), and an SEC filing by LabCorp on June 4, 2019, shortly followed by BioReference Laboratories. Currently, the personal information of up to 20 million individuals has potentially been compromised.

The data breach at AMCA was identified by security researchers at Gemini Advisory, who found a batch of 200,000 payment card numbers for sale on a popular darknet marketplace. The listed records also included dates of birth and Social Security numbers. AMCA and law enforcement were notified, and systems were secured. However, the investigation revealed hackers had access to its web payment portal for 7 months.

It would appear that the hackers behind the breach have at least made an effort to monetize some of the stolen data so it is no surprise that there has been a flurry of class action lawsuits filed on behalf of victims of the breach. Plaintiffs in the lawsuits claim to have been harmed as a result of the data breach.

Most of the lawsuits name one or more of the laboratories where testing occurred – Quest Diagnostics, LabCorp and BioReference Laboratories. A small number also name AMCA and the company Optum360. Optum360 was a business associate of Quest Diagnostics. Under certain circumstances, when a patient did not pay a bill, Quest Diagnostics sent the patient’s information to Optum360, which passed the data to AMCA for collection.

Several of the class action lawsuits allege negligence and breach of implied contract for failing to secure personal information. One complaint alleges the use of encryption and the adoption of national and industry standards were warranted to prevent reasonably foreseeable harm to patients, and that even though the defendants had the funds available to implement controls to prevent the breach, they failed to adequately invest in their security programs.

The lawsuits allege various violations of state laws and are seeking damages, monetary relief, and penalties to be issued over the privacy violation.

Only a small percentage of the individuals have been notified about the breach by AMCA – mostly individuals who had their financial information exposed. The healthcare organizations that provided AMCA with health information are still waiting to receive details of all individuals affected. As more notification letters are sent, it is likely that the number of affected individuals in these class-action lawsuits will swell and further lawsuits will be filed.

In addition to battling the class action lawsuits, all of the entities involved now face scrutiny by state and federal regulators and Congress. The breach will certainly be investigated by the HHS’ Office for Civil Rights to determine whether HIPAA Rules have been violated. So far, at least six state attorneys general – Michigan, New York, Minnesota, North Carolina, Illinois and Connecticut – have launched investigations into the breach and have demanded answers.

If the investigations do uncover noncompliance with state or federal laws, financial penalties may be pursued. Already this year, state attorneys general have joined forces and filed a multi-state HIPAA lawsuit against Medical Informatics Engineering over its 2014 data breach. That breach resulted in a settlement of $900,000.

Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape

A recent report from Carbon Black has revealed 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% experienced an attack in which data destruction was the main motivation behind the attack.

The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving.

Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights.

“The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

83% of surveyed CISOs believe there has been an increase in cyberattacks over the past 12 months and 66% of CISOs think attacks have grown in sophistication in the past year.

Two thirds of surveyed organizations have had to deal with an attempted ransomware attack in the past 12 months. A variety of ransomware variants were used although Kryptik/GenKryptik ransomware variants were most common and were used in 74% of attacks.

Almost half of respondents experienced a data destruction attack. These attacks involved the destruction of data in an attempt to paralyze business operations. The attacks are commonly associated with nation-state sponsored hacking groups in Russia, China, and North Korea.

While many different methods were used to attack healthcare organizations, one of the most common was the use of Excel spreadsheets containing macros that launch PowerShell to download malware.

One third of CISOs said they had experienced an ‘island hopping’ attack in the past year. This is where hackers have compromised a third party and used it to attack their organization. For example, an attack via partner-provisioned Virtual Desktop Infrastructure access, VPNs, or private network links. One third of CISOs also said counter incident response tactics were used by the hackers to prevent mitigation of a breach and to try to maintain persistent access.

CISOs were also asked about their biggest concerns. Compliance was the most stated area of concern (33%) followed by budget restrictions (22%), loss of patient data (16%), and vulnerable devices (16%).

Compliance as the main concern is worrying. It suggests healthcare organizations believe that becoming compliant with HIPAA equates to robust cybersecurity, when that is not the case. Compliance with HIPAA only means an organization has achieved a baseline level of security. Many healthcare organizations that were HIPAA-compliant have still experienced data breaches. It is important for compliance to be viewed as a starting point in an organization’s security program. Once HIPAA compliant, security programs must be developed further.

The report shows organizations have realized the importance of staff security awareness training, not just for compliance but for improving security posture. 84% of organizations provide staff security awareness training at least annually with 45% providing more frequent training sessions.

When asked to rate their security posture, most CISOs believed there was still considerable room for improvement. 74% gave their organization a B or less (25% B, 16% B-, 33% C).

While the majority of organizations that engage in threat hunting say that it has significantly improved their cybersecurity posture, only one third of respondents said they had a threat hunting team. Carbon Black notes that threat hunting is no longer reserved for the security elite. Threat hunting software is available to help businesses of all sizes gain better visibility and find and address threats before they result in a data breach.

AMCA Data Breach Tally Passes 20 Million as BioReference Laboratories Added to List of Impacted Entities

The total number of victims of the American Medical Collection Agency (AMCA) data breach has now passed 20 million, as yet another healthcare organization has been confirmed as being affected by the breach.

New Jersey-based laboratory and clinical testing company BioReference Laboratories is the latest confirmed victim, with approximately 422,600 of its customers having had their personal information exposed in the AMCA data breach.

BioReference Laboratories joins Quest Diagnostics/Optum360 (11.9 million records) and LabCorp (7.7 million records), with the total number of compromised records now standing at 20,022,600 records. That number may well continue to grow as the investigation progresses and more healthcare entities are notified that their data has also been compromised.

BioReference Laboratories confirmed the breach in an 8-K Securities and Exchange Commission (SEC) filing on Monday. The OPKO Health subsidiary was notified that it had been impacted by the breach on June 3, 2019.

The breach at AMCA occurred between August 1, 2018 and March 30, 2019, during which time hackers had access to the AMCA web payment page, which included data of several healthcare clients.

Patients who had received BioReference Laboratories testing services had the following information compromised: Name, address, phone number, date of birth, date of service, email address, provider information, balance information, and bank account information. No Social Security numbers, medical information, test results, or passwords/security questions and answers were exposed.

AMCA has confirmed that approximately 6,600 customers of BioReference Laboratories whose financial information has been exposed have been notified by AMCA and offered complimentary credit monitoring and identity theft protection services for 2 years.

As is the case with the other affected entities, only basic information has so far been provided by AMCA. No company affected by the breach has so far been provided with full details of the individuals affected, so breach notification letters cannot yet be sent.

BioReference Laboratories said it is attempting to obtain further information about the breach from AMCA and when that information is received additional steps will be taken. BioReference Laboratories notes that no collection requests have been sent to AMCA since October 2018 and a request has been submitted to AMCA to stop working on any pending collections requests.

Several state Attorneys General have confirmed that they have launched investigations and have contacted AMCA and the breached entities demanding further information.

“This data breach is yet another example of how fragile our information infrastructure is, and how vulnerable all of us are to cyber hacking,” said Michigan Attorney General Dana Nessel. “Here in Michigan, we continue to rely on media reports that alert us to these terrible situations because – unlike most other states – we have no law on the books that requires that our office be notified when a breach occurs.”

Nessel is particularly concerned about the length of time hackers had access to the AMCA payment page before the breach was detected and that the attack appears to have been conducted specifically to obtain sensitive patient information, which places affected individuals at a high risk of fraud.

New York Attorney General Letitia James, Minnesota Attorney General Keith Ellison, and North Carolina Attorney General Josh Stein have also confirmed that they have started investigating the data breach. Two New Jersey senators have also demanded answers from New Jersey-based Quest Diagnostics. However, it appears that the affected companies are still very much in the dark about what exactly has happened and who has been affected. Only limited information has been provided as AMCA continues to investigate.

AMCA has confirmed it has already taken steps to improve security, including taking its web payments page offline, migrating its services to another third-party vendor, and hiring a cybersecurity firm to assess its cybersecurity protections and install additional security measures. Third-party forensics experts are continuing to investigate the breach and identify other data that may have been affected.

Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

Coffey Health System has agreed to a $250,000 settlement with the U.S. Department of Justice to resolve alleged violations of the False Claims and HITECH Acts.

The Kansas-based health system attested to having met HITECH Act risk analysis requirements during the 2012 and 2013 reporting period in claims to Medicare and Medicaid under the EHR Incentive Program.

One of the main aims of the HITECH Act was to encourage healthcare organizations to adopt electronic health records. Under the then named Meaningful Use Program, healthcare organizations were required to demonstrate meaningful use of EHRs in order to receive incentive payments. In addition to demonstrating meaningful use of EHRs, healthcare organizations were also required to meet certain requirements related to EHR technology and address the privacy and security risks associated with EHRs.

In 2016, Coffey Health System’s former CIO, Bashar Awad, and its former compliance officer, Cynthia McKerrigan, filed a lawsuit in federal court in Kansas against their former employer alleging violations of the False Claims Act.

Both alleged Coffey Health System had falsely claimed it had conducted risk analyses in order to receive incentive payments and was aware that those claims were false when they were submitted. As a result of the false claims, Coffey Health System received payments of $3 million under the Meaningful Use program which it did not qualify for.

Awad found no documentation that demonstrated risk analyses had been performed, and he personally conducted some basic tests on network security and made an alarming discovery: the health system shared a firewall with Coffey County municipalities. That security failure allowed anyone at a location protected by the same firewall, including schools and libraries, to log in to its system using its IP address and see patient records. Doing so required no username or password – a major security failure and a violation of the HIPAA Security Rule.

In 2014, Awad arranged for a third-party firm to conduct a risk analysis for the 2014 attestation. The risk analysis revealed several security issues including 5 critical vulnerabilities that had been allowed to persist unchecked. While some attempts were made to correct the issues identified in the risk analysis, Awad was not provided with sufficient resources to ensure those vulnerabilities were properly addressed. He claimed that few of the identified vulnerabilities had been corrected.

When the time came to submit the 2014 attestation, Awad refused to do so as several vulnerabilities had not been addressed. As a result of the failure to support the attestation, Awad was terminated. Awad and McKerrigan then sued Coffey Health System.

Under the whistleblower provisions of the False Claims Act, individuals can sue organizations on behalf of the government and receive a share of any settlement. Awad and McKerrigan will share $50,000 of the $250,000 settlement.

Coffey Health System settled the case with no admission of liability.

Fresh BlueKeep Warning Issued by Microsoft: Public Exploits Exist and Attacks Imminent

Microsoft has issued a fresh warning about the recently discovered BlueKeep vulnerability in Remote Desktop Services (CVE-2019-0708) following the online publication of proof-of-concept exploits for the flaw.

Microsoft released fixes for the flaw on May 14, 2019. As was the case with the vulnerability that was exploited in the WannaCry ransomware attacks in 2017, patches were also released for unsupported Windows versions.

The vulnerability is critical and could be exploited remotely via Remote Desktop Protocol (RDP) without any user interaction required. As one security researcher has shown, finding devices that have not been patched is far from difficult. Robert Graham of Errata Security performed a scan of the internet and found almost 1 million devices that have still not had the patch applied or been protected using Microsoft’s recommended mitigations. Graham is not the only person to have performed scans for vulnerable devices. There has been a major increase in scans in recent days. It appears that cybercriminals are preparing for attacks.

The fresh warning is an unusual step for Microsoft to take. It has satisfied its obligations through the release of patches and has even issued patches for unsupported Windows versions. The decision to release a further warning was due to the growing risk of exploitation of the vulnerability. Several security firms claim to have developed exploits for the flaw and proof-of-concept exploit code has now been leaked online. Microsoft is confident that viable exploits exist for the vulnerability.

Several people have posted fake PoC code for the vulnerability online, although security researcher Chase Dardaman tested one public denial-of-service (DoS) PoC for BlueKeep which he confirmed to be genuine.

“It’s been only two weeks since the fix was released and there has been no sign of a worm yet. This does not mean that we’re out of the woods,” said Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) in a recent TechNet blog post. “If we look at the events leading up to the start of the WannaCry attacks, they serve to inform the risks of not applying fixes for this vulnerability in a timely manner.”

It took just two months from the MS17-010 patch being released before the global WannaCry ransomware attacks were conducted using the EternalBlue exploit. Yet even with major attacks occurring, many organizations still failed to take action. Now two years on, WannaCry ransomware attacks are still occurring and patches still are not being applied. One report last week indicated 40% of healthcare organizations have been attacked with WannaCry in the past 6 months and the attacks show no sign of stopping.

The latest flaw does not affect Windows 8 and Windows 10, but older Windows versions – Windows XP, Windows 7, Windows 2003 and Windows Server 2008 – are vulnerable. Many businesses have upgraded to Windows 10, but legacy Windows operating systems are still extensively used in healthcare, at least on some devices.

The advice from Microsoft has not changed. “We strongly advise that all affected systems should be updated as soon as possible,” said Pope. “It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise.”

The NSA has also issued an alert via its Central Security Service division in an attempt to prevent another global malware attack like WannaCry, which used the NSA-developed EternalBlue exploit.

Up to 7.7 Million Patients of LabCorp Impacted by AMCA Breach

Following the news that the data breach at American Medical Collection Agency (AMCA) exposed the records of 11.9 million Quest Diagnostics patients, comes news of another healthcare company that has been affected by the breach.

On June 4, 2019, LabCorp, another national network of blood testing centers, announced that 7.7 million individuals whose blood samples were processed by the company may have had their sensitive information exposed.

As was the case with Quest Diagnostics, LabCorp disclosed the breach through a U.S. Securities and Exchange Commission (SEC) filing. LabCorp said it had been notified by AMCA that its data had also been exposed as a result of the cyberattack on AMCA’s web payment portal, which saw hackers gain access to the system between August 1, 2018 and March 30, 2019. LabCorp said AMCA held data on 7.7 million of its customers.

According to the AMCA website, the company manages more than $1 billion in annual receivables for a diverse client base, which includes “laboratories, hospitals, physician groups, billing services, and medical providers all across the country.”

It is therefore unsurprising that another healthcare organization has announced that it too has been impacted by the data breach at AMCA. It is likely that over the course of the next few days and weeks that there will be several other announcements by healthcare organizations that have also been impacted by the breach.

The number of healthcare records known to have been exposed is now 19.6 million and only two healthcare companies have so far announced that they have been affected.

The LabCorp data did not include Social Security numbers, unlike Quest Diagnostics, but did include names, addresses, phone numbers, dates of birth, dates of service, provider information, balance information, and some banking and credit card information. LabCorp notes that no diagnostic information, medical test results, or insurance information were provided to AMCA. As was the case with Quest Diagnostics, LabCorp has stopped using AMCA for billing collections.

Around 200,000 individuals whose financial information was exposed are being notified by AMCA and have been offered 2 years of credit monitoring and identity theft protection services. LabCorp has not yet received full details on the individuals that have been impacted by the breach, so notifications to other customers cannot yet be issued.

As reported yesterday, Gemini Advisory discovered around 200,000 credit cards listed for sale on a darknet marketplace and tipped off AMCA to the breach. Those credit card numbers were not from LabCorp customers as the data set included Social Security numbers, which were not provided by LabCorp to AMCA.