Theft at Loyola Medicine and Main Street Clinical Associates Affected Patients’ PHI

Some patients of Main Street Clinical Associates, PA, based in Durham, NC, have been notified that their protected health information (PHI) was likely compromised after devices were stolen from the practice's offices.

The theft followed the evacuation of Main Street's offices on April 10, 2019, after a gas explosion in an adjoining building. Employees were ordered out so urgently that records and equipment were left on desks, and the room holding patient records was not locked. The building was so badly damaged that nobody was permitted to enter it until September 9, 2019. When staff returned, they found that burglars had taken equipment containing patient data, including two laptop computers, a clinician's mobile phone, and a printer.

Main Street said in a recent press release that the laptops, the mobile phone and the files containing patient information were password-protected. The devices were not encrypted, however, and a login password alone does not protect data at rest: without full-disk encryption the storage can be read directly, so an unauthorized person could have accessed the patient data. The data on the devices included names, health insurance information, diagnosis and treatment information, Social Security numbers, and driver's license numbers.

To prevent further unauthorized access, Main Street has changed all passwords and is monitoring for attempts to misuse the devices. Patients known to be affected have been sent notification letters by mail. Because not every affected patient can be identified accurately, Main Street has also notified several media outlets about the breach.

Autopsy Pictures of Loyola Medicine Patients Stolen

Loyola Medicine in Maywood, IL has reported the theft of a camera from Loyola University Medical Center. The camera held autopsy images of 18 deceased patients. The images of nine of them are permanently lost because they had not yet been saved to the patients' medical records.

The photos had not been transferred to the hospital's records system because the newly installed camera had not been supplied with the cable needed to connect it to that system and upload images. The photos therefore existed only on the camera's memory card.

A Loyola Medicine representative said that steps have been taken to prevent similar incidents: employees have received additional training and physical security has been improved.

Loyola Medicine informed the patients’ families that the photos were lost and submitted a privacy breach report to the Department of Health and Human Services’ Office for Civil Rights.

Files of 93,000 California Addiction Treatment Center Patients Accessible Online

A misconfigured AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC, a network of drug and alcohol addiction rehabilitation centers based in San Juan Capistrano, CA, exposed sensitive patient information.

Databreaches.net first received a report about the misconfigured bucket in August 2019 and contacted Sunshine Behavioral Health, which secured the bucket promptly. Sunshine Behavioral Health did not report the breach to HHS' Office for Civil Rights or mention it on its website, even though more than 60 days had passed since it learned of the breach, the deadline the HIPAA Breach Notification Rule sets for notifications. The incident also did not appear on the California Attorney General's website.

When Databreaches.net re-examined the incident in November, it found that some files were still exposed. Although the bucket itself had been locked down, anyone holding the URL of a PDF could still retrieve that file without a password. If the URLs had been harvested while the bucket was open, the PDF files of up to 93,000 patients could have been accessed and downloaded.

Dissent, who runs Databreaches.net, points out that the number of PDF files does not correspond to 93,000 patients: some patients had several files, and many of the files were test results or templates. Dissent attempted to contact Sunshine Behavioral Health and received no reply, but the URLs stopped working afterward, which suggests the email was read.

The exact number of patients affected, how long the files were exposed, and whether unauthorized individuals accessed the URLs are not known at this time. The files were primarily billing records containing full names, dates of birth, postal and email addresses, telephone numbers, credit card numbers with expiry dates and CVV codes, and health insurance information.
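The pattern Databreaches.net observed, a bucket that has been "secured" while individual objects remain readable by URL, usually means the lock-down touched one access control but not another: S3 evaluates the bucket policy, per-object ACLs and the account's Block Public Access settings together, and a public-read ACL on an object survives a tightened bucket policy. The following Python is an added example, not code from the page or from Sunshine Behavioral Health, that audits those three documents offline. The ACL, policies and settings it uses are constructed for illustration (the bucket name, account ID and role name are invented placeholders); on a real bucket the inputs would come from `aws s3api get-object-acl`, `get-bucket-policy` and `get-public-access-block`.

```python
"""Offline audit of the three S3 access documents that decide whether an object
is world-readable.  Added example, not the page's or Sunshine Behavioral
Health's code; all sample documents below are constructed."""
import json

# Real AWS group URIs that make a grant anonymous / any-AWS-user.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_permissions(acl):
    """Permissions granted to a public group in an ACL document shaped like the
    JSON returned by `aws s3api get-object-acl` or `get-bucket-acl`."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.add(grant.get("Permission"))
    return found


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_grants_public_read(policy):
    """True if an unconditional Allow statement lets any principal read objects."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            return True
    return False


def audit(object_acl, bucket_policy, public_access_block):
    """Findings for one object.  `public_access_block` carries the four real
    PublicAccessBlockConfiguration flags: IgnorePublicAcls neutralises public
    ACL grants, RestrictPublicBuckets neutralises a public bucket policy."""
    pab = public_access_block or {}
    findings = []
    perms = acl_public_permissions(object_acl)
    if perms and not pab.get("IgnorePublicAcls", False):
        findings.append(f"object ACL grants {sorted(perms)} to a public group")
    if policy_grants_public_read(bucket_policy) and not pab.get("RestrictPublicBuckets", False):
        findings.append("bucket policy allows anonymous object read")
    return findings


# Constructed sample: object ACL still carrying public-read after the bucket was locked down.
SAMPLE_OBJECT_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# Constructed sample: a bucket policy that only lets one (hypothetical) role read.
SAMPLE_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/billing-app"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-billing-bucket/*"}],
}
# Constructed sample: the kind of policy that makes a whole bucket public.
SAMPLE_POLICY_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-billing-bucket/*"}],
}
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {flag: True for flag in PAB_OFF}

if __name__ == "__main__":
    # Bucket policy fixed but object ACL untouched: still a finding.
    print(json.dumps(audit(SAMPLE_OBJECT_ACL, SAMPLE_POLICY_FIXED, PAB_OFF)))
    # Same object with Block Public Access enabled: clean.
    print(json.dumps(audit(SAMPLE_OBJECT_ACL, SAMPLE_POLICY_FIXED, PAB_ON)))
```

The first `audit` call reproduces the November finding: the bucket policy is fine, yet the object is still public because its own ACL was never touched. Enabling all four Block Public Access flags (the second call) is the setting that closes that gap regardless of per-object ACLs, which is why it is the control to check first on a bucket that has been "secured".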

Greenbone Networks Gives An Updated Report on Unsecured PACS and the 1.19 Billion Exposed Medical Images

Two months ago, Greenbone Networks, a German vulnerability analysis and management platform provider, revealed the scale at which medical images stored in Picture Archiving and Communication Systems (PACS) servers are exposed online. In an updated report, the company shows that the problem has grown worse.

Healthcare providers use PACS servers to store medical images and share them with doctors for review. Many of those servers are not adequately secured, so medical images (MRI, CT and X-ray scans), together with personally identifiable patient data, are exposed online. Anyone who knows where and how to look can find them, access them and, in many cases, download them without authorization. The exposure is not the result of software vulnerabilities; it is the result of misconfigured systems and PACS servers.

Between July and September 2019, Greenbone Networks set out to identify unsecured PACS servers worldwide, and the study showed the enormity of the problem. In the U.S. alone, 13.7 million data sets were found on unsecured PACS servers, and 45.8 million of 303.1 million medical images were accessible.

Greenbone Networks' updated report of November 18 puts the global count at 1.19 billion medical images, up 60% from the previous total of 737 million. The results of 35 million medical examinations are exposed online, up from 24 million.

In the U.S., the researchers identified 21.8 million exam results and 786 million medical images. 114.5 million of those images were accessible from 15 systems that permit unsecured web/FTP access with directory listing enabled. A single PACS held 1.2 million exam results and 61 million images. The researchers had full access to the data, including the images and the associated personally identifiable information.

In early November, Sen. Mark R. Warner expressed concern over OCR's apparent lack of action on the exposed files. Little appears to be being done to secure the PACS servers and prevent further exposure.

The exposed data includes protected health information (PHI) such as names, birth dates, examination dates, the scope of the examinations, imaging procedures performed, attending physicians' names, scanning location, number of images and, for 75% of the exposed images, Social Security numbers.

Data exposure leaves patients vulnerable to identity theft and fraud, but there are other risks. Security researchers have previously shown that the DICOM image format can carry malicious code: the 128-byte preamble at the start of each file is left unconstrained by the standard, so an image can be downloaded, laced with executable code, and uploaded back to the PACS without the data owner's knowledge. The Greenbone Networks study investigated read access only, not image manipulation or upload.

The images can be accessed and viewed with the RadiAnt DICOM Viewer. Instructions for setting up the viewer are freely available online, as are lists of the IP addresses of servers hosting the images.
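To make the two points above concrete, the following Python is an added example (not code from the page, from Greenbone Networks or from RadiAnt) that inspects a DICOM file offline. It lists the patient identifiers the header carries in clear text, which is the PII the researchers could read alongside the images, and it checks whether the 128-byte preamble, which the DICOM standard leaves unconstrained, begins with an executable header, the trick behind the malicious-code research. The sample file is built in the block from constructed values with no real patient data, and the parser assumes explicit VR little-endian encoding throughout.

```python
"""Inspect a DICOM file offline: which identifiers does the header expose, and
does the 128-byte preamble hide an executable?  Added example; not code from
the page, Greenbone Networks or RadiAnt.  The sample file is constructed here
and contains no real patient data."""
import struct

PREAMBLE_LEN = 128
# VRs whose explicit-VR encoding uses a 2-byte reserved field and a 4-byte length.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UN", b"UT"}
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0008, 0x0020): "StudyDate",
    (0x0008, 0x0090): "ReferringPhysicianName",
}


def classify_preamble(data):
    """'not-dicom' without the DICM magic; 'pe-polyglot'/'elf-polyglot' when the
    preamble opens with an executable header; 'nonzero-preamble' for any other
    non-zero content; 'clean' for the all-zero preamble most writers emit."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != b"DICM":
        return "not-dicom"
    preamble = data[:PREAMBLE_LEN]
    if preamble.startswith(b"MZ"):
        return "pe-polyglot"
    if preamble.startswith(b"\x7fELF"):
        return "elf-polyglot"
    return "clean" if preamble == bytes(PREAMBLE_LEN) else "nonzero-preamble"


def iter_elements(data, start):
    """Yield (tag, vr, value) for explicit VR little-endian elements.
    Assumption for this example: the whole file is explicit VR little endian.
    (The file-meta group always is; the body follows transfer syntax (0002,0010).)"""
    pos = start
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:  # undefined length (sequence/pixel data): stop here
            return
        yield (group, elem), vr, data[pos:pos + length]
        pos += length


def extract_identifiers(data):
    """Clear-text PHI elements present in the file, keyed by attribute name."""
    found = {}
    for tag, _vr, value in iter_elements(data, PREAMBLE_LEN + 4):
        name = PHI_TAGS.get(tag)
        if name:
            found[name] = value.decode("ascii", "replace").rstrip(" \x00")
    return found


def _element(group, elem, vr, value):
    """Encode one explicit VR little-endian element, padded to even length."""
    if len(value) % 2:
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample(preamble=bytes(PREAMBLE_LEN)):
    """Constructed DICOM-like file.  Real files also carry (0002,0000) and the
    rest of the meta group; only the transfer syntax UID is included here."""
    body = (
        _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")  # explicit VR LE
        + _element(0x0008, 0x0020, b"DA", b"20191118")
        + _element(0x0008, 0x0090, b"PN", b"DOE^JANE^DR")
        + _element(0x0010, 0x0010, b"PN", b"SAMPLE^PATIENT")
        + _element(0x0010, 0x0020, b"LO", b"MRN-000123")
        + _element(0x0010, 0x0030, b"DA", b"19700101")
    )
    return preamble.ljust(PREAMBLE_LEN, b"\x00")[:PREAMBLE_LEN] + b"DICM" + body


if __name__ == "__main__":
    clean = build_sample()
    polyglot = build_sample(b"MZ" + b"\x90" * 126)  # PE header where zeros should be
    print(classify_preamble(clean), extract_identifiers(clean))
    print(classify_preamble(polyglot), extract_identifiers(polyglot))
```

Note that the polyglot still parses as a perfectly valid DICOM object: every viewer and PACS reads past the preamble, so the check has to be made on the preamble bytes themselves, before ingestion, and a non-zero preamble that is not an obvious executable header still deserves a second look.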

Greenbone Networks estimates the value of the exposed medical images and PHI at over $1 billion. The data could be used for a range of nefarious purposes, including social engineering and phishing, identity theft, and blackmail.

The exposure violates the Health Insurance Portability and Accountability Act (HIPAA), the EU's General Data Protection Regulation (GDPR), and other data privacy and security regulations. It affects people in more than 52 countries.

Microsoft’s Second Warning Concerning the BlueKeep Vulnerability Patch

Microsoft has issued a further warning about the need to patch the BlueKeep vulnerability (CVE-2019-0708), made all the more urgent by the mass attacks that began exploiting the flaw on October 23.

The attacks were first identified on November 2, but the attacker was unable to exploit the vulnerability reliably. The threat actor appears to be of low skill and launched the campaign to deploy cryptocurrency-mining malware. Microsoft has warned again that things could get worse.

The first attempt at mass exploitation attracted a great deal of media attention, but it does not appear to have made organizations patch any faster: a SANS Institute scan found that the rate of patching barely changed after the attacks. The number of unpatched devices has fallen since Microsoft released the patch in May, but many devices remain exploitable via BlueKeep.

Although the attacks were widespread, they had little success: in most cases the exploit failed and the targeted devices simply crashed. A skilled threat actor who exploited the vulnerability successfully could connect to a vulnerable device over RDP without any user interaction and execute code on it, allowing them to access, modify and steal data, install malware, and launch attacks on other unpatched devices on the network, including those not exposed to the internet.

In 2017, security researcher Marcus Hutchins discovered and activated the 'kill switch' that halted the WannaCry ransomware outbreak. He now warns that a ransomware attack could cause major disruption even without a worm, given that many of the vulnerable devices are servers.

Microsoft said that while the BlueKeep attacks seen so far have been limited, far more dangerous exploits could be developed and used in mass attacks on vulnerable devices. Customers should identify and patch all vulnerable devices immediately.
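Patching is the fix, but while a fleet is being patched an administrator wants to know which exposed RDP endpoints will still talk to an unauthenticated client at all. Microsoft's advisory for CVE-2019-0708 lists Network Level Authentication (NLA) as a partial mitigation, because with NLA on an attacker must authenticate before the vulnerable code path is reached. The following Python is an added example, not code from the page or from Microsoft, that builds the X.224 connection request an RDP client sends before any credentials and interprets the server's reply: a server that accepts PROTOCOL_RDP (classic RDP security) is not enforcing NLA. The three server replies are constructed byte strings, not captures from real hosts; `negotiate()` shows how the same exchange runs against a live host but is not exercised here.

```python
"""Probe whether an RDP server still negotiates classic RDP security (no NLA).
Added example; not the page's or Microsoft's code.  The three server replies at
the bottom are constructed, not captured from real hosts."""
import socket
import struct

# MS-RDPBCGR values (real): requested/selected protocols, block types, failure codes.
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 5
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ.  Offering only
    PROTOCOL_RDP is the probe: a server enforcing NLA must refuse it."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI, code 0xE0, dst-ref, src-ref, class 0, then the negotiation block.
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Interpret TPKT + X.224 Connection Confirm.  `nla_enforced` is what the
    probe asks; it is only meaningful when the request offered PROTOCOL_RDP alone."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack_from(">H", data, 2)
    if tpkt_len != len(data):
        raise ValueError("TPKT length does not match data")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:  # no negotiation block: old-style server, RDP security only
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP, "nla_enforced": False}
    neg_type, _flags, length, value = struct.unpack_from("<BBHI", data, 11)
    if length != 8:
        raise ValueError("malformed RDP negotiation block")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected_protocol": value,
                "nla_enforced": value in (PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX)}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": FAILURE_CODES.get(value, hex(value)),
                "nla_enforced": value == HYBRID_REQUIRED_BY_SERVER}
    raise ValueError(f"unknown negotiation block type {neg_type:#x}")


def negotiate(host, port=3389, timeout=5.0):
    """Run the probe against a live host (not exercised in this example)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        data = sock.recv(4)
        if len(data) < 4:
            raise ValueError("short TPKT header")
        (total,) = struct.unpack(">H", data[2:4])
        while len(data) < total:
            chunk = sock.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return parse_connection_confirm(data)


def _confirm(neg_type, value):
    """Assemble a constructed server reply for the samples below."""
    block = struct.pack("<BBHI", neg_type, 0, 8, value)
    x224 = struct.pack(">BBHHB", 6 + len(block), 0xD0, 0, 0x1234, 0) + block
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


# Constructed replies: NLA off, NLA required, TLS required but no NLA.
SAMPLE_ACCEPTS_PLAIN_RDP = _confirm(TYPE_RDP_NEG_RSP, PROTOCOL_RDP)
SAMPLE_REQUIRES_NLA = _confirm(TYPE_RDP_NEG_FAILURE, HYBRID_REQUIRED_BY_SERVER)
SAMPLE_REQUIRES_TLS_ONLY = _confirm(TYPE_RDP_NEG_FAILURE, 1)

if __name__ == "__main__":
    for name, reply in [("plain RDP accepted", SAMPLE_ACCEPTS_PLAIN_RDP),
                        ("NLA required", SAMPLE_REQUIRES_NLA),
                        ("TLS only", SAMPLE_REQUIRES_TLS_ONLY)]:
        print(name, "->", parse_connection_confirm(reply))
```

Two caveats. The probe sends nothing beyond the negotiation request and never authenticates, so it is safe to run against your own estate, but a "TLS only" answer (SSL_REQUIRED_BY_SERVER) still means NLA is off: TLS encrypts the session without requiring credentials up front. And NLA is a stopgap, not a fix; a host that enforces it is still vulnerable to any authenticated user until the May patch is applied.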

NIST Launches the Latest Big Data Interoperability Framework

The National Institute of Standards and Technology (NIST) has released the final version of its Big Data Interoperability Framework (NBDIF), which is intended to help developers design data analysis software that runs on almost any computing platform and can be moved easily from one platform to another.

NBDIF is the result of several years of work by more than 800 experts from government, academia and industry. The final document comprises nine volumes covering big data definitions and taxonomies, use cases and requirements, the reference architecture, a standards roadmap, security and privacy, a reference architecture interface, and adoption and modernization.

The main purpose of NBDIF is to guide developers in designing and deploying highly useful big data analysis tools that can run on diverse computing platforms, from a single laptop to multi-node cloud environments. Developers should build their tools so that they can be migrated from platform to platform immediately, allowing data analysts to move to more complex algorithms without having to retool their computing environment.

Using the framework, developers can create a platform-agnostic environment for building big data analysis tools, so that analysts' work keeps running even as their targets change and technology advances.

The volume of data requiring analysis has grown enormously in recent years. Data is now collected from a huge range of devices, including the many sensors connected to the Internet of Things. A few years ago, close to 2.5 exabytes (an exabyte is a billion billion bytes) of data were generated worldwide every day; by 2025, global data generation is estimated to reach 463 exabytes per day.

Data scientists can use large datasets to obtain valuable insights, and big data analysis tools will let them scale their analyses from a single laptop to distributed cloud environments that run across many nodes and process huge amounts of data.

To do that today, analysts may have to rebuild their tools from scratch using different programming languages and algorithms so that they run on different platforms. Use of the framework will improve interoperability and greatly reduce that burden.

The final version of the framework includes consensus definitions and taxonomies so that developers understand one another when discussing options for new analysis tools, as well as data security and privacy requirements and a reference architecture interface specification to guide deployment of their tools.

The reference architecture interface specification helps vendors build flexible environments in which any tool can operate. Until now there was no standard for developing interoperable solutions; now there is.

Big data analysis tools can be used in many ways, for example in drug discovery, where researchers assess the behavior of candidate drug proteins in one round of tests and feed that information into the next round. The ability to make changes immediately will speed up analyses and reduce drug development costs. NIST also suggests the tools could help analysts detect healthcare fraud with less effort.

The reference architecture lets users choose whether to perform analytics with the latest machine learning and AI techniques or with conventional statistical methods.

Knowing about changes in HIPAA for better compliance

The American Recovery and Reinvestment Act of 2009 (ARRA), also known as the stimulus bill, made a number of amendments to the Health Insurance Portability and Accountability Act (HIPAA), which was enacted in 1996.

The most significant changes include the extension of enforcement authority to state attorneys general, the extension of the privacy and security provisions to "business associates", new breach notification requirements, and changes to the penalties imposed for HIPAA violations.

Under the amended law, penalties can be imposed on individuals as well as covered entities, whereas previously only covered entities could be penalized. If someone within an organization willfully neglects the rules and makes wrongful disclosures, he or she is subject to fines and possible imprisonment. Enforcement was also previously handled solely at the federal level by the Office for Civil Rights; state attorneys general are now empowered to pursue violations as well.

Covered entities may disclose protected health information without authorization for treatment, payment and health care operations (and for a limited set of other purposes the Privacy Rule specifically permits); disclosures beyond those purposes require the patient's authorization. In addition, many states treat certain types of information as more sensitive (e.g., mental health and substance abuse records, or information about certain diseases such as HIV) and impose further restrictions on their disclosure.

Under the new provisions, patients will have greater ability to find out who has accessed their protected health information, which means covered entities and business associates could be asked to account for a great deal of information when they receive a request. New regulations are under consideration in this area, so it is one to watch.

To ensure HIPAA compliance, covered entities should monitor HHS releases for changes, consult their legal counsel, make sure their designated privacy officer is properly trained and is training employees, and keep lines of communication open with business associates, ensuring that any contracts with them include provisions requiring compliance with HIPAA and any applicable state laws.

Forsythe To Offer Catbird’s Vsecurity® Software To Its Customers

Catbird, which describes itself as the pioneer in security and compliance for virtual, cloud and physical networks, has entered into a partnership with Forsythe, an IT infrastructure consultant and integrator, under which Forsythe will offer Catbird's vSecurity® software to bring PCI, HIPAA and SOX compliance to its customers moving to virtual and cloud-based infrastructure.

Catbird's software uses virtualization itself to deliver what the company calls the industry's most comprehensive security and compliance solution for virtual and cloud systems. It introduces a new model for data center security and enforces controls on virtual machines, their network attributes, virtual networks, and the switch fabric, protecting the whole data plane.

“Security and compliance are critical components for every IT infrastructure. As environments are virtualized, new risks are introduced due to a loss of process control across four change dimensions,” says David Poarch, VP, security of Forsythe. “Catbird has developed a solution specifically for virtualized environments that delivers dynamic, elastic security and integrated compliance for sensitive and mission-critical applications.”

“Recent guidance from PCI, NIST and SANS proves that relying on traditional physical firewalls and physical network inspection is risky and will not pass an audit. Catbird vSecurity® was built from the ground up to do virtual and cloud security better, faster and cheaper,” said Edmundo Costa, Catbird CEO. “Forsythe’s extensive experience in integrating not only virtualized solutions, but also physical infrastructure solutions, across security, servers, networks and storage make them a strong partner in helping our virtualization clients with their security needs.”

“Virtualization security opens the door for mission-critical applications that have traditionally been left out of virtualization roll-outs,” added Costa. “vSecurity will provide Forsythe customers with the ability to meet the new requirements and maximize their virtualization and cloud ROI by being able to include in their deployment plans most applications that were previously excluded, such as, for example, applications that handle PCI data.”

Harris Corporation to support VA’s transition to new coding standards

The U.S. Department of Veterans Affairs (VA) has awarded Harris Corporation a $5.3 million two-year contract to remediate the VA's Health Administration Center (HAC) Cache System to address new medical coding standards. Harris will support the VA's migration to the new coding standards.

The transition will also help the HAC produce more accurate records and conduct more detailed population assessments and studies. In addition, the ICD-10 migration will improve the HAC's payment systems for veterans and their family members through more accurate billing information. The Harris team, with subcontractors 7 Delta Inc. and Vangent Inc., will complete all phases of the ICD-10 integration and software development life cycle.

International Statistical Classification of Diseases and Related Health Problems (ICD) codes classify diseases and other medical conditions under a single standard and support international comparability in treatment and billing. As part of the HIPAA 5010 transition, the U.S. Department of Health and Human Services (HHS) has mandated that all covered healthcare entities be ICD-10 compliant by Oct. 1, 2013.

“The ICD-10 transition will enable the HAC to improve the accuracy and efficiency of claims processing for veterans and their family members,” said Jim Traficant, president, Harris Healthcare. “By migrating to ICD-10, the Health Administration Center continues to lead the healthcare industry in adopting the latest standards to better serve our veterans.”

97% of Americans want more control on their PHI: New survey reveals

A new survey conducted by privacy advocate Dr. Deborah Peel's Patient Privacy Rights Foundation and Zogby International has found that 97% of the 2,000 adults questioned want the right to control their own personal medical information and to limit with whom their "sensitive information" is shared.

In a press release accompanying the release of the survey results Dr Peel said “No matter how you look at it, Americans want to control their own private health information. They overwhelmingly believe that they are the only people in the right position to make decisions about how their information can be used. Researchers do not get a free pass.”

The survey shows that most Americans want control over all of their electronic medical records and the right to limit to whom their doctors, insurance companies and even the government may pass that information. Some respondents were worried that their sensitive information could be accessed by employers, researchers, ex-spouses and abusive partners.

Dr. Peel's Austin, TX-based advocacy group is calling for the creation of a "do not release" list that would work along the same lines as the "do not call" lists telemarketers must observe. 73% of those surveyed said they would sign up if such a list were created.

HIMSS webinar on importance of HIPAA compliance to an IT manager

A Healthcare Information and Management Systems Society (HIMSS) webinar on the importance of HIPAA compliance for an IT manager will be held on October 20, 2011, sponsored by Axway, the Business Interaction Networks company.

The webinar, entitled "What does HIPAA Compliance mean to an IT Manager?", will be a case study with Catholic Healthcare West. It will explore how Catholic Healthcare West is managing the challenges of rapidly building its healthcare managed file transfer (MFT) ecosystem while continuing to comply with the Health Insurance Portability and Accountability Act (HIPAA). Catholic Healthcare West will share how it ensures patient privacy and builds partner networks that make end-to-end management of certain patient files possible.

The webinar will include discussions between Axway and Catholic Healthcare West on how to use technology in a way that allows access to critical health information while maintaining security and the public's trust. Other companies taking part will also have the opportunity to share their experiences designing internal project support for large-scale MFT infrastructure projects and the lessons learned during deployment.