Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules

The Oklahoma Department of Veteran Affairs has been accused of violating Health Insurance Portability and Accountability Act (HIPAA) Rules by three Democrat lawmakers, who have also called for two top Oklahoma VA officials to be fired over the incident.

The alleged HIPAA violation occurred during a scheduled internet outage, during which VA medical aides were prevented from gaining access to veterans’ medical records. The outage had the potential to cause major disruption and prevent “hundreds” of veterans from being issued with their medications. To avoid this, the Oklahoma Department of Veteran Affairs allowed medical aides to access electronic medical records using their personal smartphones.

In a letter to Oklahoma Governor Mary Fallin, Reps. Brian Renegar, Chuck Hoskin, and David Perryman called for the VA Executive Director Doug Elliot and the clinical compliance director Tina Williams to be fired over the alleged HIPAA violation.

They claimed Elliot and Williams “have little regard for, and knowledge of, health care,” and allowing medical aides to access electronic medical records via personal smartphones was “a direct violation of HIPAA” and potentially placed millions of dollars of federal funding in jeopardy.

State CISO Mark Gower is adamant that HIPAA Rules were not violated. He explained that only a limited number of medical aides were allowed to access electronic health records using their smartphones, and access was only granted for a limited period of time until the problem was resolved. When the issue was over, access to medical records via smartphones was blocked. It was just a case of temporarily swapping a laptop or desktop computer for a smartphone.

Gower explained that accessing medical records using a smartphone did not result in medical records being copied to the devices. The medical records system does not create a cache or store any information locally. Gower also said that the records system and the smartphones met the VA’s security requirements.

The three lawmakers do not believe Gower’s explanation and claim that during the outage, employees at all seven of the state’s care centers were allowed to copy medical records onto their personal cellphones.

Doug Elliot said the medical aides were “the best and brightest” and that it was “Unfathomable that any of the med aides have disclosed that information to a third party.” He also said it was “unconscionable” for the legislators to suggest that VA employees had violated HIPAA Rules and patient privacy.

While Elliot does not believe the allegations have any merit, they are being taken seriously. Elliot has reported the matter to the state’s IT security team which will be conducting a full investigation. The Office of Management and Enterprise Services, which oversees IT for state agencies, is also looking into the allegations.

The legislators are not happy with the matter being investigated by a state agency and believe that this incident can only be impartially investigated by the federal government. The legislators have also reported the matter to the Department of Health and Human Services, the Department of Veteran Affairs, and U.S. Attorney Robert Troester.

“The federal government’s going to be the one to determine this, not some state agency helping another state agency wash their hands of what they did,” said Rep. Renegar.

The post Lawmakers Accuse Oklahoma Department of Veteran Affairs of Violating HIPAA Rules appeared first on HIPAA Journal.

Identillect’s Delivery Trust® Implemented by Cornerstone Clinic for Women to Secure HIPAA Compliant Communications – Nasdaq
Delivery Trust® Email Encryption Solution Provides HIPAA Compliant Secure Communications to Cornerstone Clinic for Women. IRVINE, Calif., Aug. 13, 2018 (GLOBE NEWSWIRE) -- Identillect Technologies Corp. (the "Company" or "Identillect") (TSX-V:ID) ...

HIPAA Security Rule Turns 20: It’s Time for a Facelift

The HIPAA security rule made its debut 20 years ago, and it's time for a refresh to reflect the changing cyberthreat landscape and technological evolution that's taken place over the past two decades, says security expert Tom Walsh.

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017.

The report explores phishing attacks and methods used between January 1 and March 31, 2018.

In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018, which was on a par with December 2017, although there was a substantial increase in February (88,754) and a further major increase in March (113,897).

The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March.

APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns. Its figures show online payment services topped the list in Q1, 2018, accounting for 39% of all reported phishing attacks. Attacks involving SaaS and webmail providers accounted for 18.7% of the total, followed by financial institutions (14.2%) and file hosting and cloud storage services (11.3%).

As businesses have moved over to HTTPS sites, the phishers have followed. Each quarter has seen a substantial rise in the percentage of phishing sites that use HTTPS and secure the connection between the site and the browser. APWG member PhishLabs has been tracking the use of HTTPS on phishing sites and its figures show a third (33%) of all phishing sites were on HTTPS infrastructure in Q1, 2018 compared to just 10.5% in Q1, 2017.

Many consumers still believe that a website starting with HTTPS means the site is legitimate, when that is certainly not the case. It only means that the connection between the browser and the site is secured. If the site is owned by a phisher, or if a legitimate site has been hijacked, any information entered can be captured. Many phishers are registering their own domains and are taking advantage of the free SSL certificates that are offered to make their sites look more legitimate.

RiskIQ’s figures show that the TLDs of the URLs used by phishers closely match TLD market share, with .com the TLD most widely used by phishers. .com domains accounted for 6,608 of the 13,594 unique domains used in phishing attacks in Q1, 2018. Those domains were widely distributed among different domain registrars.

Brazilian cybersecurity firm Axur provided a breakdown of internet-based attacks on individuals and companies in Brazil. The firm’s data show scam websites were the leading threat and accounted for 9,061 of the 17,065 attacks in Q1, 2018. They were followed by social media scams (4,209), mobile app scams (1,840) and phishing scams (1,816). 350 redirection URLs were detected that sent visitors to exploit kits and phishing sites and 257 URLs were being used to deliver malware.

The post APWG Detects 46% Rise in Phishing Websites in Q1, 2018 appeared first on HIPAA Journal.

MedSpring Urgent Care Breach Impacts 13,034 Patients

MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email.

The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response.

MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised.

A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its urgent care clinics in Illinois.

The email account contained information such as names, medical record numbers, account numbers, dates of services, and other information related to the medical services provided to patients. The investigation did not uncover any evidence to suggest that emails in the account were viewed and MedSpring has not been informed of any cases of misuse of patient information to date.

All patients potentially affected by the phishing attack have now been notified by mail and 12 months of complimentary credit monitoring, identity protection and fraud resolution services have been provided through Experian.

As is required under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights has been notified about the breach. The breach report indicates 13,034 patients have been affected.

The post MedSpring Urgent Care Breach Impacts 13,034 Patients appeared first on HIPAA Journal.