FTC Proposes Changes to Health Breach Notification Rule … – JD Supra
Activate Healthcare Reports Security Breach Affects Up to 93,761 Patients
The Illinois-based healthcare provider, Activate Healthcare, LLC, has recently confirmed that it suffered a security breach that resulted in the theft of patient data. Suspicious activity was detected within its IT systems on April 27, 2023, and the subsequent forensic investigation confirmed that an unauthorized third party had access to its network between April 22, 2023, and April 28, 2023.
On April 29, 2023, it was confirmed that files had been exfiltrated that included patient information such as names, dates of birth, addresses, Social Security numbers, driver’s license numbers, and clinical information, such as provider names, dates of service, and/or diagnoses. At the time of issuing notification letters, no evidence of misuse of patient data had been detected; however, as a precaution, affected individuals have been offered complimentary credit monitoring and identity protection services. Activate Healthcare said steps will continue to be taken to enhance the security of its computer systems.
The breach has been reported to the HHS’ Office for Civil Rights as affecting up to 93,761 patients.
Community Research Foundation Confirms 30,000-Record Data Breach
Community Research Foundation (CRF), a San Diego, CA-based non-profit research foundation that develops and operates programs focused on the treatment, education, and rehabilitation of individuals with mental health problems and substance use problems, has recently confirmed that sensitive health data was accessed by an unauthorized individual last year.
CRF detected a security breach on October 13, 2022, and third-party cybersecurity experts were engaged to investigate the incident. CRF said the review of the affected files concluded on April 19, 2023, when it was determined that the protected health information of individuals who sought medical services through medical and/or social service programs that CRF supports was involved. That information included names, Social Security numbers, driver’s license numbers, dates of birth, medical treatment and/or diagnosis information, and/or health insurance information.
CRF said that after confirming which individuals had been affected, contact information had to be verified before notification letters could be mailed, which accounts for the delay in issuing notifications. The breach notice makes no mention of when access to its systems was gained, and credit monitoring services do not appear to have been offered to affected individuals.
The data breach was recently reported to the HHS’ Office for Civil Rights as affecting up to 30,057 individuals.
Henrietta Johnson Medical Center Patients Affected by Data Breach at Delaware Health Network
The Henrietta Johnson Medical Center (HJMC) in Wilmington, DE, has been affected by a security incident at Delaware Health Network (DHN), a healthcare-controlled network provider and electronic health records management provider. According to the HJMC notice, unauthorized individuals gained access to certain DHN systems on or around April 5, 2023, and copied files from those systems. DHN is currently investigating the incident to determine the extent of the data breach but has notified HJMC and other clients that their data may have been impacted.
HJMC has not yet been informed of the number of patients that have been affected. Based on the findings of the forensic investigation to date, the following data types may have been exposed: full name, dates of birth, ethnicity, medical record number, diagnosis code, lab information, and health insurance information. DHN has confirmed that Social Security numbers and financial account information were not viewed or stolen.
HJMC said it is reviewing its policies and procedures relating to third-party vendors and will continue to pursue information from DHN about the event. Out of an abundance of caution, notifications will be sent to all patients. The breach has been reported to the HHS’ Office for Civil Rights as affecting 500 individuals. That number will be updated when DHN confirms how many patients have been affected.
The post Activate Healthcare Reports Security Breach Affects Up to 93,761 Patients appeared first on HIPAA Journal.
Shield Data Network Confirmed as HIPAA Compliant
The Durham, NC-based digital medical record retrieval service, Shield Data Network, has recently been confirmed as HIPAA compliant by Compliancy Group.
Shield Data Network streamlines, centralizes, and secures the process of obtaining medical records for cases or claims, saving its clients time, reducing the administrative burden of retrieving medical records, and protecting data privacy. The service is used by law firms, insurance companies, and other entities that require access to patient health records.
Since the service requires access to medical records, Shield Data Network is classed as a business associate under HIPAA and is required to comply with certain provisions of the HIPAA Rules. The team at Shield Data Network consists of experienced professionals who have spent years in the medical record retrieval industry, so they are well aware of the importance of HIPAA compliance. To ensure the company is fully compliant with the HIPAA Rules, Shield Data Network chose to adopt Compliancy Group’s HIPAA compliance methodology.
Compliancy Group has developed a HIPAA compliance software solution called The Guard, which HIPAA-regulated entities can use to track their compliance efforts and ensure that they address all appropriate provisions of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules and the HITECH Act. Compliancy Group has developed an implementation program that includes a 6-stage risk analysis and remediation process, and after completing the program, clients are assessed to determine if they are HIPAA-compliant.
Compliancy Group’s HIPAA experts assessed Shield Data Network and confirmed that it was fully compliant with the requirements of HIPAA and the HITECH Act and had implemented an effective program to ensure compliance is maintained over time. As such, Shield Data Network was awarded the HIPAA Seal of Compliance, which demonstrates to current and future clients that Shield Data Network is committed to ensuring the privacy and security of electronic protected health information and is fully compliant with the HIPAA Rules.
The post Shield Data Network Confirmed as HIPAA Compliant appeared first on HIPAA Journal.
What is HIPAA and how does it protect me? | HealthFocus SA … – University Health System
Need to get Plan B or an HIV test online? Facebook may know about it – News-Medical.Net
Amazon-One Medical’s $3.9B deal one year later – Becker’s Hospital Review
Critical RCE Vulnerability Identified in Medtronic Paceart Optima System
A critical vulnerability has been identified in the Medtronic Paceart Optima System, which is used to compile and manage patients’ cardiac data. The vulnerability is tracked as CVE-2023-31222 and is due to the deserialization of untrusted data. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10.
The vulnerability affects all versions of Paceart Optima up to and including version 1.11 and can be exploited remotely by an unauthorized user by sending specially crafted messages to the Paceart Optima system. Successful exploitation of the flaw would allow an attacker to remotely execute arbitrary code and gain a foothold for network penetration. The flaw could also be exploited to trigger a denial-of-service condition resulting in the Paceart Optima system becoming slow and unresponsive, preventing healthcare delivery organizations from using the system.
The flaw can only be exploited if the Paceart Messaging Service is enabled in the Paceart Optima system, which is an optional service. An immediate mitigation to prevent the flaw from being exploited is to disable that service on the Application Server. Medtronic has provided instructions for manually disabling the Paceart Messaging Service on the Application Server and disabling message queuing on the Application Server, which will fully mitigate the vulnerability. Medtronic should be contacted for mitigation advice if a healthcare delivery organization is running a combined Application Server and Integration Server.
Medtronic has fixed the vulnerability in v1.12, and healthcare organizations should contact Medtronic to schedule the update; however, the recommended mitigation steps should be followed to prevent exploitation until the update is installed. Medtronic said the vulnerability was discovered during routine monitoring and there have been no detected instances of the vulnerability being exploited.
CISA recommends additional defensive measures to improve security and reduce the risk of exploitation of vulnerabilities. These include minimizing network exposure and ensuring control systems are not accessible from the Internet, locating control system networks and devices behind firewalls, and only using secure methods for remote access, such as VPNs.
The post Critical RCE Vulnerability Identified in Medtronic Paceart Optima System appeared first on HIPAA Journal.