Grace Lutheran Communities Falls Victim to ALPHV/Blackcat Ransomware Attack
Grace Lutheran Communities in Wisconsin, a provider of rehabilitation services, assisted living, independent living, and skilled nursing, has experienced a ransomware attack. The incident was detected on January 22, 2024, and while the investigation is ongoing, Grace Lutheran Communities has confirmed that patient data was stolen including names, addresses, Social Security numbers, and health insurance information.
On February 17, 2024, Grace Lutheran Communities discovered that a ransomware group – ALPHV/Blackcat – had published some of the stolen data on its data leak site. Grace Lutheran Communities said it is committed to ensuring the privacy and security of patient data and is enhancing network security to prevent similar attacks in the future. Grace Lutheran Communities has yet to confirm how many individuals have been affected.
Washington County Hospital and Nursing Home Falls Victim to Ransomware Attack
Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack that may have resulted in an unauthorized third party accessing their sensitive information. On December 24, 2023, a network disruption prevented access to internal systems. A third-party cybersecurity firm was engaged to help secure the systems and conduct a forensic investigation, which found evidence of unauthorized access to files containing patient data. Those files included tax forms and Social Security numbers (SSNs); however, no reports have been received of any actual or attempted identity theft or fraud as a result of the data breach.
Washington County Hospital and Nursing Home has augmented its security measures and is offering the affected individuals complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.
Bay Area Anesthesia Patients Affected by Cyberattack on Business Associate
Bay Area Anesthesia in Clearwater, FL, has been affected by a data security incident at a former business associate, Bowden Barlow Law. The law firm identified suspicious activity within its network and the investigation confirmed that there had been unauthorized access by a third party between November 17, 2023, and December 1, 2023, and during that time, files were exfiltrated from its network that contained the protected health information of 15,196 individuals. Bay Area Anesthesia has notified the affected individuals and has offered them complimentary credit monitoring and identity theft protection services for 12 months.
Cardiothoracic and Vascular Surgeons Alerts Patients About December Data Breach
Cardiothoracic and Vascular Surgeons in Austin, TX, has confirmed that unauthorized individuals accessed its network between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient data. A review of the affected files was completed on January 22, 2024, and confirmed that the protected health information of 2,345 individuals was present in those files, including names, driver’s licenses, and/or government-issued IDs. Notifications were issued to the individuals on February 16, 2024, and credit monitoring and identity theft protection services are being made available.
The post Grace Lutheran Communities Falls Victim of ALPHV/Blackcat Ransomware Attack appeared first on HIPAA Journal.
Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations
Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.
Apria Healthcare is an Indianapolis, IN-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the intrusion was financially motivated, with the attacker seeking to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after the FBI notified the company about the breach.
Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued without unreasonable delay and no later than 60 days after the discovery of a breach. The delayed notification also violated Indiana's Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.
Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”
Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws
The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.
The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.
Alphabet’s Mandiant has been investigating the exploitation of the zero-day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked to a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-off-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerabilities before the patches were applied. Mandiant also reported that UNC5325 has maintained access on some devices even after customers performed factory resets, applied patches, and applied the recommended security updates.
The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised, hunt for malicious activity using the detection mechanisms and IoC details in the alert, and run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should apply the patches as soon as possible and follow the recommendations in the latest Ivanti security advisory. Mandiant also recommends following the guidance in its updated Ivanti Connect Secure Hardening Guide.
High Severity Vulnerabilities Identified in MicroDicom DICOM Viewer
Two high-severity vulnerabilities have been identified in the free-to-use MicroDicom DICOM Viewer, which is used to view and manipulate DICOM images. Successful exploitation of the vulnerabilities could lead to remote code execution and memory corruption.
The first is a heap-based buffer overflow vulnerability tracked as CVE-2024-22100 which can be exploited in a low-complexity attack by tricking a user into opening a malicious DCM file, which would allow a remote attacker to execute arbitrary code on vulnerable versions of the DICOM Viewer.
The second vulnerability is an out-of-bounds write issue due to a lack of proper validation of user-supplied data. Successful exploitation of the flaw could result in memory corruption within the application. The vulnerability is tracked as CVE-2024-25578.
The vulnerabilities affect MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior versions and have been fixed in version 2024.1. Users have been advised to update to the latest version as soon as possible. There are currently no indications that the vulnerabilities have been exploited in attacks.
How to Write an HHS OIG Complaint
The best way to write an HHS OIG complaint to increase the chances of the complaint being investigated is to prepare a narrative explaining the nature, scope, and time frame of the activity being complained about, and how you came to learn about the activity. When you submit the complaint, the chances of the complaint being investigated are further improved if you can provide supporting evidence and the contact information of a third party who can corroborate the narrative.
Each year, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) receives thousands of complaints, tips, and reports of alleged fraud, waste, and abuse in Federal healthcare programs. HHS OIG does not have the resources to investigate every one, so it prioritizes complaints according to the type of activity and the evidence submitted to support the complaint.
In addition, HHS OIG only has the authority to investigate complaints relating to certain activities, and many complaints can be rejected after being reviewed for relevance. The activities HHS OIG has the authority to investigate include:
- Whistleblower complaints about fraud, waste, and abuse in HHS programs.
- False or fraudulent (overpriced) claims submitted to Medicare or Medicaid.
- Kickbacks or inducements for referrals by Medicare or Medicaid providers.
- Medical identity theft involving Medicare and/or Medicaid beneficiaries.
- The failure of a hospital to evaluate and stabilize an emergency patient.
- Patient abuse or neglect in nursing homes and long-term care facilities.
- Human trafficking by HHS employees, grantees, and contractors.
- Crimes, gross misconduct, or conflicts of interest involving HHS employees, recipients of HHS grants, or HHS contractors.
Complaints relating to Medicare policies, coverage, claims, and payment decisions, Social Security fraud, identity theft unrelated to HHS programs, and discrimination within HHS departments are not investigated by HHS OIG. Complaints of this nature will be rejected on review without the complainant being notified of the decision. Therefore it is important that when you write an HHS OIG complaint, the nature of the activity is one that HHS OIG has the authority to investigate.
How to Submit an HHS OIG Complaint
There are various ways to submit an HHS OIG complaint. The most effective is the online OIG HHS Hotline, because it allows complainants to upload supporting documents electronically. Alternative methods such as mail and fax are less convenient, and if you submit by mail you are advised not to send original documents, digital media, or physical devices, because these will not be returned even if the complaint is rejected.
When you submit an HHS OIG complaint online, you also have the option of requesting confidentiality, meaning your identity is known only to HHS OIG investigators (unless disclosure is required by law). You may also submit a complaint anonymously, but doing so precludes HHS OIG from investigating it as a whistleblower retaliation complaint and may hinder the initial review and/or the subsequent investigation into your complaint.
If your complaint is investigated and upheld, there are several potential outcomes depending on the nature of the activity. Most upheld fraud, waste, and abuse complaints and violations of the HHS OIG anti-kickback regulations are resolved by a civil monetary penalty and/or a Corporate Integrity Agreement. However, more serious complaints, criminal complaints, and the failure of a hospital to evaluate and stabilize an emergency patient are likely to result in exclusion from HHS programs.
Individuals concerned about the potential consequences of submitting an HHS OIG complaint – or who need help to write an HHS OIG complaint – are advised to speak with an HHS OIG advisor on 1-800-477-8477 (1-800-HHS-TIPS). Alternatively, if you would prefer independent advice before speaking with an HHS OIG advisor, it is recommended you speak with a legal professional who has experience in healthcare regulatory compliance.