Compliancy Group Confirms Trüpp is HIPAA Compliant

Compliancy Group has recently assessed Trüpp HR Inc., an HR outsourcing, HR consulting, compensation consulting, and eLearning service provider, and has confirmed that the company has achieved compliance with the federally mandated standards of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Any vendor whose services to a HIPAA-regulated entity involve access to or contact with individually identifiable health information (protected health information, or PHI, under HIPAA) is classed as a business associate and is required to be HIPAA compliant. Vendors that provide services to the healthcare industry that do not require contact with PHI may still choose to put policies and procedures in place that are compliant with HIPAA, to give their healthcare clients peace of mind and to differentiate their services.

To achieve compliance with the HIPAA Rules, Trüpp partnered with Compliancy Group and used its proven HIPAA compliance methodology and proprietary HIPAA compliance solution, The Guard, which allows companies to track their progress toward compliance and implement an effective HIPAA compliance program. Through the use of The Guard, Trüpp completed Compliancy Group’s Implementation Program, adhering to the necessary regulatory standards outlined in the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, and the HITECH Act. Compliancy Group’s HIPAA compliance subject matter experts verified Trüpp’s good faith effort to achieve HIPAA compliance and awarded Trüpp the HIPAA Seal of Compliance.

“We are honored to be among the few HR organizations that have achieved HIPAA compliance and pleased to offer this added assurance to our healthcare partners,” said Jean Roque, Trüpp HR President and CEO. “The privacy of our clients’ data is of utmost importance at Trüpp, and we are happy to offer this added level of security to all our clients.”

The post Compliancy Group Confirms Trüpp is HIPAA Compliant appeared first on HIPAA Journal.

Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case

An Arizona man has been sentenced to 54 months in jail for aggravated identity theft and criminal violations of the Health Insurance Portability and Accountability Act (HIPAA). Rico Prunty, 41, of Sierra Vista, Arizona, was previously employed at an Arizona medical facility, where he unlawfully accessed the medical intake forms of patients between July 2014 and May 2017. The intake forms included information protected under HIPAA such as names, dates of birth, addresses, employer information, Social Security numbers, diagnoses, and medical information.

He then provided that information to his co-conspirators – Vincent Prunty, Temika Coleman, and Gemico Childress – who used the stolen information to open credit card accounts in the victims’ names. Federal prosecutors investigating the identity theft raided an apartment linked to the suspects and found evidence of the manufacture of credit cards and the opening of fraudulent accounts in victims’ names. Prunty and his co-conspirators attempted to steal more than $181,000 from the victims.

According to court documents, the protected health information of almost 500 patients was accessed without authorization, and their information was impermissibly disclosed to Prunty’s co-conspirators. Rico Prunty pleaded guilty to aggravated identity theft and criminal HIPAA violations for accessing and disclosing patients’ protected health information. The HIPAA violations carried a maximum jail term of 10 years, and aggravated identity theft carries a mandatory sentence of 2 years, which runs consecutively to sentences for other felony crimes. Senior U.S. District Court Judge James Moody imposed a sentence of 54 months with 2 years of supervised release, and Prunty was ordered to pay $132,521.98 in restitution to the victims.

His co-conspirators have already been sentenced for their roles in the identity theft scheme. Vincent Prunty pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 154 months, Gemico Childress pleaded guilty to wire fraud and aggravated identity theft and was sentenced to 134 months, and Temika Coleman pleaded guilty to wire fraud, mail fraud, and aggravated identity theft and was sentenced to 121 months. They were also ordered to pay $181,835.77 in restitution and will each have 2 years of supervised release.

The post Arizona Man Sentenced to 54 Months in Criminal HIPAA Violation Case appeared first on HIPAA Journal.

Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed

A zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution is being actively exploited by hackers to perform mass downloads of sensitive data from targeted organizations. MOVEit Transfer was developed by Ipswitch, a company owned by the Progress Software Corporation, and is provided as an on-premises solution or a cloud SaaS platform used by enterprises for securely transferring large files.

According to a recent security advisory from Progress, the flaw is an SQL injection vulnerability in the MOVEit Transfer web application. If exploited, a remote, unauthenticated attacker can gain access to the MOVEit Transfer database, infer information about the structure and contents of the database, exfiltrate data, and execute SQL statements that alter or delete database elements. Progress has confirmed that the vulnerability affects all MOVEit Transfer versions, including on-premises deployments and MOVEit Cloud. There were many confirmed instances of mass data exfiltration over the Memorial Day weekend, when monitoring was reduced, although in many of the cases that have been investigated it appears that the vulnerability was exploited weeks earlier. At present, it is unclear which threat group is exploiting the flaw: data theft has been confirmed, but no extortion attempts have been reported.

Progress has released a patch to fix the vulnerability in all supported versions, which are available here. Users are advised to immediately disable all HTTP and HTTPS traffic to the MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. Note that blocking HTTP and HTTPS traffic alone will not prevent data exfiltration, which can still occur over the SFTP and FTP protocols. After disabling traffic, a review should be conducted to identify any unauthorized files and user accounts, which should be deleted, and then credentials should be reset. The patch can then be applied, and HTTP and HTTPS traffic can be re-enabled once it has been confirmed that all unauthorized files and accounts have been successfully deleted.

According to Rapid7, there are approximately 2,500 instances of MOVEit that are exposed to the public Internet, the majority of which are located in the United States. All cases of exploitation have seen the same webshell (human2.asp) added to the c:\MOVEit Transfer\wwwroot\ public HTML folder. After patching, organizations should conduct a forensic analysis to look for Indicators of Compromise over the past 30 days to determine if the flaw has already been exploited and data exfiltrated.
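The two post-patch checks described above (look for files that do not belong in the wwwroot folder, and look back through access logs for requests to them) can be scripted. The following is an added example for illustration, not code from the HIPAA Journal post, Progress, or Rapid7: the webshell file name comes from the post, while the allowlist of expected wwwroot files, the IIS W3C log lines, and the reference date are constructed for the demonstration. A real allowlist should be built from a known-good installation of the same version.

```python
"""Hunt for an unexpected webshell in MOVEit Transfer's wwwroot and in IIS logs.

Added example. WEBSHELL_NAME is the indicator quoted in the post; the
allowlist and sample log lines below are constructed, not real captures.
"""
from datetime import date, timedelta

# Indicator of compromise named in the post above.
WEBSHELL_NAME = "human2.asp"

# Hypothetical allowlist of files an operator expects under
# c:\MOVEit Transfer\wwwroot\ (constructed; derive the real one from a clean install).
EXPECTED_WWWROOT = {"human.aspx", "machine.aspx", "web.config"}

# Server-side script extensions that IIS would execute if dropped into wwwroot.
SCRIPT_SUFFIXES = (".asp", ".aspx", ".ashx")


def unexpected_web_files(listing):
    """Return script files in a wwwroot directory listing that are not allowlisted.

    Comparison is case-insensitive because both NTFS and IIS are.
    """
    suspicious = set()
    for name in listing:
        lower = name.lower()
        if lower == WEBSHELL_NAME or (
            lower.endswith(SCRIPT_SUFFIXES) and lower not in EXPECTED_WWWROOT
        ):
            suspicious.add(name)
    return sorted(suspicious)


def parse_iis_log(lines):
    """Yield one dict per data line of an IIS W3C extended log.

    Column names are taken from the most recent '#Fields:' directive, so the
    parser follows whatever field order the server was configured to log.
    """
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data seen before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def webshell_requests(lines, since):
    """Return (date, client IP, method, uri) for requests to non-allowlisted
    scripts on or after `since` (the post recommends a 30-day look-back)."""
    hits = []
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1].lower()
        if not name.endswith(SCRIPT_SUFFIXES):
            continue
        if date.fromisoformat(rec["date"]) < since:
            continue
        if name == WEBSHELL_NAME or name not in EXPECTED_WWWROOT:
            hits.append((rec["date"], rec.get("c-ip", "?"),
                         rec.get("cs-method", "?"), stem))
    return hits


# Constructed sample data: one rogue file in the listing, and a log with two
# in-window requests to it, one request outside the window, and benign traffic.
SAMPLE_LISTING = ["human.aspx", "machine.aspx", "web.config", "HUMAN2.asp", "images"]
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-04-20 11:02:10 10.0.0.5 GET /human.aspx - 443 198.51.100.20 200
2023-04-21 02:17:55 10.0.0.5 POST /human2.asp - 443 203.0.113.7 200
2023-05-27 22:41:03 10.0.0.5 POST /human2.asp - 443 203.0.113.7 200
2023-05-28 03:13:09 10.0.0.5 GET /human2.asp - 443 203.0.113.7 200
2023-05-28 09:00:02 10.0.0.5 GET /machine.aspx - 443 198.51.100.20 200
2023-05-29 09:00:07 10.0.0.5 GET /images/logo.png - 443 198.51.100.20 200
""".splitlines()


def demo(today=date(2023, 6, 1), lookback_days=30):
    """Run both checks over the constructed sample data."""
    since = today - timedelta(days=lookback_days)
    return {
        "unexpected_files": unexpected_web_files(SAMPLE_LISTING),
        "requests": webshell_requests(SAMPLE_LOG, since),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the investigation above found exploitation weeks before the holiday weekend, widen `lookback_days` beyond the post's 30 days when the logs allow; the request for `/human2.asp` dated 2023-04-21 in the sample falls outside the default window and is deliberately not reported.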

The Clop ransomware gang is a prime suspect as the group was behind the exploitation of zero-day vulnerabilities in two other MFT solutions, Fortra’s GoAnywhere MFT in January 2023 and the Accellion FTA in December 2020.

The post Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed appeared first on HIPAA Journal.