Daviess Community Hospital Investigating Potential Cyberattack

Daviess Community Hospital, an Ascension St. Vincent affiliated hospital in Washington, IN, has recently announced that it has launched an investigation after being notified by the U.S. Department of Homeland Security (DHS) about a possible security breach. According to the DHS, a security issue was identified during routine monitoring which may have been exploited by cyber actors.

Hospital CEO Tracy Conway said all internal systems have been shut down while the incident is investigated by a third-party digital forensics firm. Conway said no evidence has been found to date to indicate unauthorized access to its network or patient data, and no ransom demand has been received by the hospital. Taking IT systems offline, including phone lines to outpatient clinics and email, has caused disruption, and the hospital has effectively been temporarily non-computerized. As a result, services have been limited until systems are restored, and some appointments have been cancelled and will have to be rescheduled. The biggest impact is on radiology, as it is not possible to send images to be read. Conway said they are working around the clock to bring IT systems back online and are prioritizing the radiology and pharmacy interfaces.

Wyoming County Community Health System Reports March 2023 Cyberattack

Wyoming County Community Health System in Warsaw, NY, has recently notified 24,016 patients about a security incident that was detected on March 28, 2023. While not referred to as a ransomware attack, legal counsel for the health system said the attack disrupted its network. The forensic investigation revealed files containing patient information had been exposed and may have been viewed or acquired by unauthorized individuals in the attack.

A review of the files was completed on November 8, 2023, and confirmed they contained information such as names, Social Security numbers, driver’s license or state identification numbers, dates of birth, biometric data, medical information, health insurance information, and account numbers. The health system has implemented additional security measures to prevent similar breaches in the future and has offered affected individuals complimentary credit monitoring and identity theft protection services.

Southland Integrated Services Notifies Patients About October 2023 Cyberattack

Southland Integrated Services (SIS), a Californian community-based non-profit organization that operates a Federally Qualified Health Center, has recently notified certain individuals about the exposure of some of their protected health information. SIS explained in its November 10, 2023, breach notification letters that suspicious activity was detected within its computer systems on October 18, 2023.

The forensic investigation confirmed its systems had been accessed by an unauthorized third party between October 16 and October 18, 2023, and during that time, documents were viewed that contained patient data such as names, addresses, dates of birth, vaccination statuses, Social Security numbers, driver’s license numbers, and/or financial account information. Additional safeguards have been implemented to prevent similar breaches in the future and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals. The incident has been reported to regulators but is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Daviess Community Hospital Investigating Potential Cyberattack appeared first on HIPAA Journal.

Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections

In the absence of a federal privacy law, it is left to individual states to introduce consumer privacy laws and ensure that companies that collect, process, and sell personal data are adequately protecting that information. While attempts to pass a federal data privacy bill have stalled, Republican and Democratic lawmakers are continuing to push for greater privacy protections for consumers.

Congresswoman Anna Paulina Luna Introduces U.S. Data on U.S. Soil Act

Congresswoman Anna Paulina Luna (R-FL) recently introduced the U.S. Data on U.S. Soil Act to protect the data security of Americans and prevent their personal information from being exploited by foreign adversaries. It is no secret that foreign countries are attempting to collect and use the personal data of U.S. citizens. In March 2023, the House Committee on Energy and Commerce explored the role that social media, and specifically TikTok, plays in data collection and how the Chinese Communist Party has access to the data of U.S. citizens that is collected by TikTok, through TikTok’s parent company, ByteDance.

The European Union has a comprehensive data privacy and protection law, the General Data Protection Regulation (GDPR), which protects the rights of individuals and limits the data that can be collected and used by companies such as TikTok, but there is currently no comparable federal privacy and data protection law in the United States, only a patchwork of laws introduced by individual states.

“Americans daily face the threat of exposing their personal data to bad-actor countries who are looking for a chance to exploit us, simply by opening our phones,” said Luna. “The protections in my bill are long overdue. A military leader would never hand over his tactics and intelligence to the enemy on a silver platter, and neither should we. My bill would make sure our adversaries can’t have a free-for-all with our personal lives, national security, and strength as a country.”

The U.S. Data on U.S. Soil Act seeks to prohibit companies such as TikTok from storing the data of any U.S. national in a physical data center that is located within a foreign adversary country, including China, Cuba, Iran, North Korea, Russia, and Venezuela. The bill also seeks to prevent government officials in foreign adversary countries from accessing covered data. The bill would set a national minimum standard for data privacy and would not pre-empt state law, ensuring that individual states could implement more stringent data privacy protections. The bill would seek penalties of $50,120 per violation under the Unfair or Deceptive Act under the Federal Trade Commission Act. The bill, which currently has no companion Senate bill, was co-sponsored by Reps. Mary Miller (R-IL), Ralph Norman (R-SC), and George Santos (R-NY).

Democratic Senator Reintroduces Three Data Privacy Bills

U.S. Sen. Catherine Cortez Masto (D-NV) has recently reintroduced three bills that aim to strengthen consumer data privacy protections. The first bill, The DATA Privacy Act, is concerned with improving privacy protections for consumers and ensuring that large tech firms implement data security and privacy protections. The bill would give consumers the right to request, dispute the accuracy of, and transfer or delete their personal data without retribution. All data collection, processing, storage, and disclosure would require three standards to be met:

  • The data collected must be reasonable, and for a legitimate business or operational purpose that is contextual and does not subject an individual to unreasonable privacy risk.
  • The data must not be used in a discriminatory way.
  • And businesses must not engage in deceptive data practices.

The DATA Privacy Act would give new authority to state Attorneys General and the Federal Trade Commission (FTC) to impose civil penalties for violations.

Sen. Cortez Masto, along with Sen. Deb Fischer (R-Neb.), reintroduced The Promoting Digital Privacy Technologies Act, which requires the National Science Foundation (NSF) to support research into privacy-enhancing technologies (PET) to help protect consumer data. The bill also calls for the National Institute of Standards and Technology (NIST) to work with academic, public, and private sectors to establish standards for the integration of PET into business and government.

The third bill, like the U.S. Data on U.S. Soil Act, takes aim at the collection, access, and use of consumer data by foreign adversaries, specifically China. The Internet App ID Act aims to improve the digital security of Americans by requiring operators of Internet websites and mobile applications to disclose if the applications being used by consumers have been developed or store data within China, or are under the control of the Chinese Communist Party.

“Big technology companies are collecting massive amounts of Americans’ personal information, from social security numbers to health care data. It’s clear we need stronger privacy laws to make sure this information isn’t shared or sold without consumers’ permission,” said Sen. Cortez Masto. “My bills will hold corporations and foreign actors accountable, protect the data privacy of vulnerable consumers, and ensure that our emerging AI and other innovative technology industries grow responsibly.”

The post Republicans and Democrats Introduce Bills to Improve Consumer Privacy Protections appeared first on HIPAA Journal.