Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Largest HIPAA Violation Penalty Ever

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million financial penalty on Premera Blue Cross to settle the HIPAA violations uncovered during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million individuals.

Premera Blue Cross, based in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Washington and Alaska. In May 2014, an advanced persistent threat (APT) group gained access to Premera’s computer network and remained undetected for about 9 months. The attackers sent the health plan a spear-phishing email that deployed malware. The malware gave the APT group access to ePHI including names, dates of birth, addresses, email addresses, Social Security numbers, bank account details, and health plan clinical data.

Premera Blue Cross discovered the breach in January 2015 and reported it to OCR in March 2015. OCR investigated and found “systemic non-compliance” with the HIPAA Rules.

OCR found that Premera Blue Cross had failed to:

  • Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Given the nature of the HIPAA violations and the severity of the breach, OCR determined that a financial penalty was warranted. Premera Blue Cross settled the case with no admission of liability. In addition to paying the penalty, Premera Blue Cross agreed to implement a corrective action plan (CAP) addressing all areas of non-compliance identified by OCR, and will be monitored closely by OCR for two years to ensure compliance with the CAP.

OCR Director Roger Severino said that if large health insurance entities do not invest the time and effort to identify their security vulnerabilities, be they technical or human, hackers surely will. This case clearly illustrates the harm that results when attackers are allowed to roam undetected in a computer system for nearly nine months.

Last year, Premera Blue Cross agreed to pay $10 million to settle a multistate lawsuit over the breach. 30 state attorneys general had investigated the health plan and determined that Premera Blue Cross had failed to meet its obligations under Washington’s Consumer Protection Act and HIPAA. Premera Blue Cross also agreed to a $74 million settlement of a class action lawsuit filed by individuals whose ePHI was exposed in the breach.

The latest penalty is the second-largest OCR has ever imposed on a covered entity or business associate for HIPAA violations. The largest is the $16 million penalty imposed on Anthem Inc. over a 2015 data breach involving the ePHI of 79 million individuals.

The penalty is the 11th announced by OCR in 2020 and the 8th announced this month. So far in 2020, OCR has collected $10,786,500 to resolve HIPAA violations uncovered during investigations of data breaches and HIPAA complaints.

Athens Orthopedic Clinic Settles its HIPAA Violation for $1.5 Million

The HHS’ Office for Civil Rights has announced a settlement with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR investigated a data breach that the Athens, GA-based healthcare provider reported on July 29, 2016. On June 26, 2016, the journalist Dissent notified Athens Orthopedic Clinic that a database containing the electronic protected health information (ePHI) of its patients had been listed for sale online by a hacking group known as The Dark Overlord. The group is known for breaking into systems, stealing data, and demanding ransom payments; when victims do not pay, the stolen data is published online.

Athens Orthopedic Clinic investigated the breach and confirmed that the hackers had gained access to its systems on June 14, 2016 using vendor credentials and had stolen records from its EHR system. The data of 208,557 patients was taken in the attack, including names, Social Security numbers, dates of birth, procedures performed, test results, clinical data, payment details, and health insurance information.

OCR acknowledges that it is not possible to prevent all cyberattacks, but when data breaches occur because of a failure to comply with the HIPAA Rules, financial penalties are imposed.

Hacking is the leading cause of large healthcare data breaches. When healthcare organizations fail to comply with the HIPAA Security Rule, their patients’ health information becomes an attractive target for threat actors.

The OCR breach investigation uncovered the following systemic non-adherence with the HIPAA regulations:

Athens Orthopedic Clinic did not conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Security measures were not implemented to reduce the risks to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).

Between September 30, 2015 and December 15, 2016, Athens Orthopedic Clinic failed to implement appropriate hardware, software, and procedural mechanisms to record and examine information system activity, in violation of 45 C.F.R. § 164.312(b).

The provider did not maintain HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and prior to August 7, 2016, the clinic had not entered into business associate agreements with three vendors, in violation of 45 C.F.R. § 164.308(b)(3).

Prior to January 15, 2018, Athens Orthopedic Clinic had not provided HIPAA Privacy Rule training to its workforce, in violation of 45 C.F.R. § 164.530(b).

As a result of these compliance failures, Athens Orthopedic Clinic failed to prevent hackers from gaining unauthorized access to the PHI of 208,557 patients, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to adopt a corrective action plan covering all areas of noncompliance identified in the OCR investigation. The clinic settled the case without admission of liability.

This is OCR’s 6th HIPAA settlement announced in September and its 9th HIPAA penalty of 2020. Earlier this month, OCR announced five settlements with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with copies of their health records.

OCR Issued Five HIPAA Fines for HIPAA Right of Access Failures

The Department of Health and Human Services’ Office for Civil Rights reported five settlements that resolved HIPAA violations related to patient complaints on getting a copy of their medical records.

The HIPAA Privacy Rule gives individuals the right to timely access to their medical records for a reasonable, cost-based fee. When a person requests a copy of his/her medical records, a healthcare provider must provide those records without unreasonable delay and within 30 days of the request.

OCR received many complaints from individuals who were unable to obtain copies of their medical records, so in 2019 it made enforcement of the HIPAA right of access a priority.

In 2019, there were two settlements between HIPAA covered entities and OCR over HIPAA right of access violations. Korunda Medical, LLC and Bayfront Health St Petersburg each paid $85,000 as a financial penalty and implemented a corrective action plan to process access requests promptly.

The most recent 5 settlements involved Housing Works, Inc., Beth Israel Lahey Health Behavioral Services, King MD, All Inclusive Medical Services, Inc., and Wise Psychiatry, PC. The entities paid financial penalties ranging from $3,500 to $70,000 depending on a number of factors determined by OCR.

OCR is sending a message to healthcare providers by means of the settlements that compliance with the HIPAA right of access is a must. Whenever OCR receives complaints alleging non-compliance, investigations will be conducted and entities will be penalized as deemed appropriate.

Housing Works

Housing Works, Inc. is a non-profit healthcare organization based in New York City that provides healthcare, advocacy, job training, homeless services, re-entry services, and legal support for men and women living with and affected by HIV/AIDS.

In June 2019, a Housing Works patient submitted a request for a copy of his health records. In July 2019, the patient filed a complaint with OCR stating that Housing Works had not provided the records. OCR investigated the complaint, provided technical assistance, and closed the case. Housing Works still did not provide the patient with a copy of his records, so in August 2019 the patient filed a second complaint with OCR.

OCR re-opened the investigation and imposed a financial penalty on Housing Works for violating the HIPAA right of access. In November 2019, Housing Works provided the complainant with his health records, and it paid $38,000 to settle the violation. Housing Works also adopted a corrective action plan and will be monitored by OCR for one year.

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. In April 2019, OCR received a complaint that BILHBS had not responded to a request from a personal representative for a copy of her father’s health records. The complainant had requested the records in February 2019, but they still had not been provided two months later.

OCR investigated the complaint, and the requested health records were provided in October 2019. OCR imposed a financial penalty on BILHBS for violating the HIPAA Right of Access. BILHBS paid $70,000 to settle the violation and adopted a corrective action plan under OCR monitoring for one year.

King MD

King MD is a small psychiatric services provider in Virginia. In October 2018, OCR received a complaint from a patient who had not received a copy of his medical records two months after submitting the request. OCR provided technical assistance but received a second complaint in February 2019 because King MD still had not provided the records. The patient finally received them in July 2020.

King MD paid OCR $3,500 to settle the case and has implemented a corrective action plan under two years of OCR monitoring.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) in Carmichael, CA is a family medicine clinic offering multiple specialty services such as internal medicine, rehabilitation, and pain management.

In January 2018, a patient requested a copy of her medical records, but AIMS did not provide them. In April 2018, the patient complained to OCR, which opened an investigation and found that AIMS had violated the HIPAA right of access. The patient received her records in August 2020.

AIMS paid OCR $15,000 to settle the violation and adopted a corrective action plan that will be monitored by OCR for 2 years.

Wise Psychiatry, PC.

Wise Psychiatry is a small psychiatric services provider in Colorado. In November 2017, a personal representative requested a copy of her young son’s health records. By February 2018 the records had still not been provided, so she filed a complaint with OCR, which opened an investigation. OCR provided technical assistance and closed the case.

In October 2018, OCR received a second complaint from the same person. A copy of the health records was finally provided in May 2019, following OCR’s investigation. Wise Psychiatry paid $10,000 to settle the case and adopted a corrective action plan under OCR monitoring for one year.

CISA Releases Technical Guidance on Finding and Remediating Malicious System Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently published guidance for network defenders and incident response teams on uncovering malicious activity and mitigating cyberattacks. The guidance sets out best practices for detecting malicious activity and detailed instructions for investigating potential security incidents and securing compromised systems.

The purpose of the guidance is to improve incident response among partners and network administrators and to provide a playbook for investigating incidents. It helps incident response teams collect the data needed to investigate suspicious activity on the network, gather host-based artifacts, perform host analysis and analysis of network activity, and take appropriate steps to remediate an intrusion.

The document was produced in cooperation with cybersecurity authorities in the United Kingdom, United States, Australia, Canada and New Zealand, and provides technical guidance to help security staff identify ongoing malicious activity and mitigate attacks while minimizing the potential negative consequences.

When incident response teams discover malicious activity, the focus is usually on cutting off the threat actor’s access to the network. While it is important to block a threat actor’s access to a device or system, it is essential that this is done in the right order so as not to alert the attacker that their presence has been detected.

Actions taken with the good intention of containing the compromise can be counterproductive: they may alter volatile data that would reveal what the attacker did, and they may tip off the threat actor that the victim organization is aware of the compromise, prompting them either to cover their tracks or to take more destructive action (such as detonating ransomware).

When responding to a suspected intrusion, the first step is to collect and preserve the relevant artifacts, logs, and data that will allow a detailed analysis of the incident. If these are not secured before any mitigations are applied, the data can easily be lost, which will hamper any investigation of the breach. Systems must also be protected, since a threat actor who realizes the intrusion has been detected may change their methods. Once systems are secured and artifacts collected, mitigations can be applied carefully so as not to alert the threat actor that their presence in the network has been discovered.

When suspicious activity is found, CISA also recommends considering support from a third-party IT security organization. Such organizations have the expertise to remove an attacker from a network and to ensure that, once the incident is remediated and closed, security weaknesses that could be exploited in further attacks on the organization have been addressed.

Uncovering malicious activity calls for several complementary technical approaches. CISA recommends searching for known indicators of compromise (IoCs), drawing on validated IoCs from a wide range of sources. Frequency analysis is useful for identifying anomalous activity: network defenders establish baseline traffic patterns for network and host systems and use them to spot inconsistent activity. Algorithms can flag activity that deviates from normal patterns and highlight discrepancies in timing, source location, destination location, port utilization, protocol adherence, file location, integrity (via hashes), file size, naming convention, and other attributes.

Pattern analysis is valuable for detecting the automated activity of malicious scripts and malware, as well as the regular, repeating behavior of human threat actors. An analyst review should also be conducted, drawing on the security team’s knowledge of how its systems operate, to identify issues in the collected artifacts and locate anomalous activity that may indicate attacker activity.
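The three techniques above, IoC search, frequency analysis against a baseline, and pattern analysis for automated behavior, can be shown concretely on connection logs. The following is an added example written for this page, not code from CISA or from the AA20-245A advisory; the log lines, the log format (`timestamp source destination port bytes`), the indicator list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample of connection-log lines (not from the CISA document):
# "<UTC timestamp> <source IP> <destination IP> <dest port> <bytes>"
# Four hosts fetch updates from 10.0.0.5; one host checks in with
# 203.0.113.7 every 60 s; one host browses 198.51.100.20 irregularly.
SAMPLE_LOG = """\
2020-09-01T08:00:03Z 10.1.1.10 10.0.0.5 443 1200
2020-09-01T08:00:09Z 10.1.1.11 10.0.0.5 443 980
2020-09-01T08:00:15Z 10.1.1.12 10.0.0.5 443 1102
2020-09-01T08:00:21Z 10.1.1.13 10.0.0.5 443 1010
2020-09-01T08:01:00Z 10.1.1.12 203.0.113.7 4444 512
2020-09-01T08:02:00Z 10.1.1.12 203.0.113.7 4444 514
2020-09-01T08:03:00Z 10.1.1.12 203.0.113.7 4444 511
2020-09-01T08:04:00Z 10.1.1.12 203.0.113.7 4444 513
2020-09-01T08:05:00Z 10.1.1.12 203.0.113.7 4444 512
2020-09-01T08:07:41Z 10.1.1.10 198.51.100.20 80 40210
2020-09-01T08:11:02Z 10.1.1.10 198.51.100.20 80 38877
2020-09-01T08:26:30Z 10.1.1.10 198.51.100.20 80 41000
"""

# Constructed IoC list: pretend this address came from a vetted threat feed.
IOC_IPS = {"198.51.100.20"}


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"t": when.timestamp(), "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes)})
    return events


EVENTS = parse_log(SAMPLE_LOG)


def ioc_hits(events, bad_ips):
    """IoC search: every connection to a known-bad destination address."""
    return [(e["src"], e["dst"], e["port"]) for e in events if e["dst"] in bad_ips]


def rare_destinations(events, max_sources=1):
    """Frequency analysis: (dst, port) pairs contacted by at most `max_sources`
    distinct internal hosts. Services the whole fleet uses (updates, mail)
    have many sources; a destination only one host talks to stands out."""
    sources = defaultdict(set)
    for e in events:
        sources[(e["dst"], e["port"])].add(e["src"])
    return sorted(k for k, s in sources.items() if len(s) <= max_sources)


def beaconing(events, min_count=4, max_cv=0.1):
    """Pattern analysis: flows whose inter-connection intervals are nearly
    constant (coefficient of variation <= max_cv), the signature of a script
    or implant checking in on a timer rather than a human browsing.
    Returns (src, dst, port, mean_interval_seconds) tuples."""
    times = defaultdict(list)
    for e in events:
        times[(e["src"], e["dst"], e["port"])].append(e["t"])
    found = []
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append(key + (avg,))
    return sorted(found)


if __name__ == "__main__":
    print("IoC hits:", ioc_hits(EVENTS, IOC_IPS))
    print("rare destinations:", rare_destinations(EVENTS))
    print("beaconing flows:", beaconing(EVENTS))
```

On the sample, the IoC search catches the 198.51.100.20 traffic, frequency analysis flags both single-source destinations, and only the 60-second check-in to 203.0.113.7:4444 passes the beaconing test; the irregular browsing to 198.51.100.20 does not, which is the point of combining the three rather than relying on any one of them. On real data the thresholds need tuning against an established baseline, as the guidance says.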

The guidance lists a number of common mistakes made when responding to incidents and provides technical steps and recommendations for investigation and remediation.

CISA also offers general advice on defensive techniques and programs that make it harder for a threat actor to gain access to a network and remain there undetected. While these measures may not prevent a threat actor from compromising a system, they will help slow the pace of an attack, giving incident response teams the time they need to identify and respond to it.

The CISA guidance, Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A), is available from CISA.

PHI of Almost 19,000 Individuals Affected by Breaches at Cook Children’s Medical Center, D&S Residential Holdings and City of Lafayette

1,768 Persons Affected by Cook Children’s Medical Center Breach

Cook Children’s Medical Center in Fort Worth, TX discovered that a box of radiology image discs kept in a locked storage room was missing. A search failed to locate the discs. They contained protected health information (PHI) including names, dates of birth, medical record numbers, scan types, dates of service, and physician names.

Specialist software is needed to view the images, but some of the PHI can be viewed without it. The images belonged to 1,768 people who had hip and spine scans between 2005 and 2014. No reports have been received of misuse of any data on the discs. The medical center has notified all affected individuals.

PHI of 2,102 People Potentially Compromised Due to a D&S Residential Holdings Phishing Attack

D&S Residential Holdings in Austin, TX has discovered that an unauthorized individual accessed the email accounts of several employees between April 20, 2020 and June 15, 2020 after the employees responded to phishing emails.

D&S Residential Holdings conducted a thorough investigation with the assistance of a third-party computer security firm, but it was not possible to determine whether the attacker viewed or stole any information.

A review of the employees’ email accounts showed that they contained protected health information. D&S Residential Holdings has offered 12 months of free credit monitoring and identity theft protection services to individuals whose Social Security numbers were exposed. The breach report submitted to the HHS’ Office for Civil Rights shows that 2,102 individuals were affected.

15,000 Lafayette Fire Department Ambulance Users Affected by Ransomware Attack

On July 27, 2020, the City of Lafayette, CO suffered a ransomware attack that took down its email, telephone, online billing, and reservation systems and left essential system data inaccessible. After weighing the costs and benefits of all feasible options, the city chose to pay the attackers $45,000 to avoid a prolonged disruption to its online operations.

Before deploying the ransomware, the attackers may have accessed personal information stored on Lafayette’s systems, including the usernames and passwords of users of its online services and the Social Security numbers of city employees. The attackers may also have obtained the names and health insurance identification numbers of 15,000 people transported by Lafayette Fire Department ambulances prior to January 1, 2018.

The city has removed the ransomware and rebuilt its network servers and computers. It has also implemented crypto-safe backups and additional cybersecurity measures to prevent further ransomware attacks.

New FritzFrog P2P Botnet Targets SSH Servers of Banking Institutions, Educational Organizations, and Medical Centers

A new peer-to-peer (P2P) botnet has been discovered targeting SSH servers, including those on IoT devices and routers that accept remote connections. The botnet, known as FritzFrog, spreads like a worm by brute-forcing SSH credentials.

Security researchers at Guardicore Labs analyzed the botnet and determined that it has successfully breached more than 500 servers, with the number growing quickly. FritzFrog is multi-threaded, modular, and fileless, leaving no trace on the disks of infected devices. It assembles and executes its malicious payloads entirely in memory, which makes infections difficult to detect.

When a device is compromised, a backdoor is created in the form of an SSH public key, giving the attackers persistent access. Further payloads can then be downloaded, such as a cryptocurrency miner. Once compromised, the device begins self-replicating to spread the malware further: it joins the P2P network, can receive and execute commands from it, and is used to propagate the malware to other SSH servers. The botnet has been active since January 2020, targeting government, education, healthcare, and finance organizations.

Compared with other botnets, FritzFrog is more resilient because control is decentralized across its nodes: there is no single command and control (C2) server, and therefore no single point of failure. According to Guardicore Labs, FritzFrog is written in Golang and its P2P protocol is entirely proprietary, with almost nothing about the botnet shared with any other P2P botnet.

To understand how FritzFrog works and study its capabilities, Guardicore Labs’ researchers wrote an interceptor in Golang that let them take part in the malware’s key-exchange process and send and receive commands. The program, named frogger, allowed them to study the nature and scope of the network by ‘injecting’ their own nodes and participating in the P2P traffic. Using frogger, the researchers confirmed that FritzFrog had already brute-forced millions of SSH IP addresses belonging to banks, medical centers, educational institutions, government agencies, and telecom companies.

The malware communicates over port 1234, though not directly. Traffic on port 1234 is easy to spot, so the malware instead relies on netcat, a general-purpose networking utility: a command sent over SSH is fed to netcat as input, which relays it to the malware. FritzFrog also communicates over an encrypted channel and can execute more than 30 commands, including creating a backdoor, connecting to other infected nodes and servers in the FritzFrog network, and checking resources such as CPU usage.

Although the botnet is currently being used to install cryptocurrency mining malware (XMRig) on devices to mine Monero, it could easily be repurposed to deliver other types of malware and used for many other purposes. Guardicore Labs security researcher Ophir Harpaz does not believe cryptocurrency mining is the botnet’s main goal, given how little of the code is devoted to mining Monero. Harpaz believes the main goal is to gain access to organizations’ networks and either sell access to the breached servers or use it for other profitable attacks.

It is not known who built the botnet or where it originated. It has spread worldwide, but the geographic origin of the first attacks is unknown. FritzFrog is also under active development, with researchers having identified more than 20 versions of the binary.

The botnet takes advantage of network security solutions that enforce traffic only by port and protocol, so process-based segmentation rules are needed. Networks with weak passwords are more vulnerable to brute-force attacks, so strong passwords should be used and public key authentication preferred. The botnet finds IoT devices and routers with exposed SSH services, so organizations can protect themselves by changing the SSH port or disabling SSH access when the service is not in use. The researchers also recommend removing FritzFrog’s public key from the authorized_keys file to prevent the attackers from accessing the device.
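Two of the host-side checks above, looking for an SSH key that nobody provisioned and for a listener on port 1234, can be automated. The following is an added example written for this page; it is not Guardicore’s detection script and does not carry FritzFrog’s actual key or process IoCs. It assumes the operator keeps an allowlist of SHA256 fingerprints (the form `ssh-keygen -lf` prints) for keys deployed by configuration management, compares each line of an `authorized_keys` file against it, and parses `/proc/net/tcp` directly so the check does not depend on `ss` or `netstat` binaries that an attacker on the box could have replaced. The keys and the `/proc/net/tcp` content are constructed sample data, not from a real infected host.

```python
import base64
import hashlib
import socket
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside OpenSSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def make_fake_ed25519_line(seed: int, comment: str = "") -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line around a
    fake 32-byte public key. Constructed for this example; not a real key."""
    fake_pub = hashlib.sha256(f"fake-key-{seed}".encode()).digest()  # 32 bytes
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_pub)
    line = f"ssh-ed25519 {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_authorized_keys(text: str):
    """Yield (line_no, options, key_type, blob_b64, comment) per key line.
    Simplification: option strings containing quoted spaces are not handled."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith(KEY_TYPE_PREFIXES):
            options, rest = "", parts
        else:
            options, rest = parts[0], parts[1:]
        if len(rest) < 2:
            continue  # malformed line; a real audit would report it
        yield line_no, options, rest[0], rest[1], " ".join(rest[2:])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (what `ssh-keygen -lf` prints)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def line_fingerprint(line: str) -> str:
    return fingerprint(next(parse_authorized_keys(line))[3])


def unknown_keys(text: str, allowlist: set):
    """Keys in an authorized_keys file whose fingerprint is not on the
    allowlist of provisioned keys. A planted backdoor key shows up here.
    Returns (line_no, key_type, fingerprint, comment) tuples."""
    return [(n, ktype, fingerprint(blob), comment)
            for n, _opts, ktype, blob, comment in parse_authorized_keys(text)
            if fingerprint(blob) not in allowlist]


def listeners_on_port(proc_net_tcp: str, port: int):
    """Parse /proc/net/tcp text and return (ip, port) for sockets in LISTEN
    state (st == 0A) bound to `port`. Addresses are little-endian hex."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        if fields[3] != "0A" or int(port_hex, 16) != port:
            continue
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.append((ip, port))
    return found


# Constructed sample data (not taken from a real infected host).
ADMIN_KEY = make_fake_ed25519_line(1, "admin@bastion")   # provisioned key
PLANTED_KEY = make_fake_ed25519_line(2)                  # key nobody deployed
ALLOWLIST = {line_fingerprint(ADMIN_KEY)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by configuration management",
    ADMIN_KEY,
    "",
    PLANTED_KEY,
])
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A000005:0016 0A000001:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print("unexpected keys:", unknown_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST))
    print("port 1234 listeners:", listeners_on_port(SAMPLE_PROC_NET_TCP, 1234))
```

On a live host you would feed `open("/proc/net/tcp").read()` and the contents of each user’s `authorized_keys` (root’s included) into the same two functions. A listener on port 1234 is only a lead, not proof of infection; the unexpected-key check is the stronger signal, and removing the key is the remediation the researchers recommend.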

Guardicore Labs has released a script on GitHub that can be run to detect FritzFrog infections, along with known IoCs.

657,392 Northern Light Health Foundation Donors Impacted by Blackbaud Ransomware Attack

Northern Light Health Foundation, part of the 10-hospital integrated healthcare system Northern Light Health in Brewer, ME, has reported that the recent ransomware attack on Blackbaud Inc. affected its databases.

The affected databases held the data of donors, prospective donors, and individuals who may have attended a fundraising event in the past. Patient medical information is stored separately and was not affected. The databases contained the data of 657,392 people.

Blackbaud, based in South Carolina, is one of the largest providers of education, fundraising, financial management, and administration software. A company of Blackbaud’s size is an obvious target for cybercriminals. Blackbaud said it faces numerous attacks every month and that its cybersecurity team successfully defends against them, but in May 2020 one attack succeeded.

The ransomware attack could have been much worse. Blackbaud detected it fairly quickly and took steps to stop it, preventing the ransomware from fully encrypting its data, and only a subset of the company’s 25,000+ customers was affected. The attack did not affect its public cloud environment, and the majority of its self-hosted environment was unaffected.

As is now common in human-operated ransomware attacks, the attackers exfiltrated data before encrypting files. Blackbaud said in its breach notice that the attackers copied only a subset of the data and did not take highly sensitive information such as bank account details, Social Security numbers, or credit card data.

Blackbaud said that protecting customers’ data is its top priority and that it paid the cybercriminals’ demand in return for confirmation that the copied data had been destroyed. Based on the findings of the investigation, Blackbaud has no reason to believe the data was or will be misused, disseminated, or otherwise made publicly available.

It is at present not clear how many Blackbaud clients were affected by the cyberattack. Northern Light Health Foundation mentioned in its breach notice that it was affected. A few other healthcare institutions in Maine claimed the same. Other healthcare institutions discovered to have been affected include the Cancer Research Institute in New York City and the Prostate Cancer Foundation in Santa Monica, CA.

The BBC reports that around 10 universities in the UK, US, and Canada were affected, including Emerson College in Boston, Harvard University, and the Rhode Island School of Design, as well as charities, media organizations, and a number of private-sector companies. Although the attack occurred in May 2020, affected customers were not notified until July 16, 2020. It is unclear why notification was delayed, particularly since many of those customers are in the EU. The EU General Data Protection Regulation (GDPR) requires breaches to be reported to the data protection supervisory authority within 72 hours of discovery, and a processor such as Blackbaud must notify the data controllers (its clients) without undue delay.

Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Computer Theft

Children’s Hospital Colorado is notifying 2,553 patients that their protected health information (PHI) may have been accessed as a result of unauthorized use of an employee email account between April 6 and April 12, 2020.

The attacker obtained the username and password for the account after the employee responded to a phishing email. The hospital discovered the attack on June 22, 2020 and promptly secured the account. A review of the messages and attachments in the account found that they contained patient names, medical record numbers, dates of service, clinical diagnosis information, and zip codes.

Following the breach, the hospital has implemented measures to strengthen email security, reviewed its cybersecurity training program for staff, and reviewed technical settings related to email.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a laptop computer issued to an employee of Hoag Clinic in Costa Mesa, CA was stolen from a vehicle parked in the worksite parking lot in Newport Beach. The clinic learned of the theft immediately and notified law enforcement, but the device was not recovered.

The IT security team confirmed that the laptop contained the PHI of 738 individuals, including first and last names, middle initial, telephone number, address, email address, date of birth, age, medical record number, physician’s name, whether the patient was being followed by case management, whether a COVID-19 test had been performed, whether the patient had been referred to case management, whether a telehealth appointment had been scheduled, communication status notes, and whether the patient was involved in home health.

Hoag Clinic has retrained its staff on security precautions, strengthened its policies covering the transport of laptops to and from worksites, and conducted an extensive security review to ensure that all appropriate cybersecurity measures are in place. Affected individuals have been offered a free one-year membership to the Experian IdentityWorks identity theft detection and resolution service.

Breaches at Beaumont Health, Southcare Minute Clinic and Samaritan Medical Center

Beaumont Health, the largest healthcare organization in Michigan, has begun notifying about 6,000 patients that their protected health information (PHI) may have been accessed by unauthorized individuals.

On June 5, 2020, Beaumont Health discovered that unauthorized individuals had accessed employee email accounts between January 3, 2020 and January 29, 2020. The accounts contained patients’ protected health information including names, dates of birth, procedure and treatment information, type of treatment provided, diagnoses, diagnosis codes, prescription details, patient account numbers, and medical record numbers.

Although the email accounts were accessed, no evidence was found to suggest that the attackers viewed or stole the emails or attachments in the accounts, and no reports have been received of misuse of patient data.

This is Beaumont Health’s second notification of a phishing-related breach this year. In April, Beaumont Health began notifying 112,211 individuals that their PHI had been exposed in email accounts compromised in late 2019.

Beaumont Health has taken steps to improve its internal processes so that it can identify and block threats more quickly in the future. Additional measures have been implemented to strengthen email security, including the use of multi-factor authentication, and staff have received further training on identifying and handling malicious emails.

Samaritan Medical Center Investigating Possible Security Breach

Samaritan Medical Center in Watertown, NY has announced a security incident that forced it to shut down its computer systems. Staff have been working with pen and paper while the incident is remediated, and patient care has continued throughout. No patients were diverted to other hospitals, although some non-urgent appointments were rescheduled. No further details about the exact nature of the security incident have been released at this time.

Improper Disposal of Medical Documents by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating Southcare Minute Clinic in Wilmington, NC over the improper disposal of medical records. The Wilmington Police Department responded to a call reporting that sensitive documents and hazardous waste had been dumped in a regular dumpster behind the former Southcare Minute Clinic at 1506 Market Street.

The dumpster was found to contain documents with patient data, used needles, and other hazardous waste. Police stated that there had been a violation of the HIPAA Rules but determined that no crime had been committed. The dumpster has since been cleared and no longer poses a danger to public safety. The North Carolina Department of Health and Human Services will decide whether a financial penalty is appropriate.

Cyberattacks at Highpoint Foot and Ankle Center and the University of Utah Affect 35,000+ Patients' PHI

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which the attackers encrypted, and potentially accessed or exfiltrated, patient information. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when staff were prevented from accessing certain files on the system.

An investigation was launched and determined that an unauthorized person had remotely deployed ransomware on its computer network. No evidence was obtained to suggest that the attacker accessed patient data before encrypting the files, and no reports of misuse of patient data have been received.

A third-party computer forensics firm was engaged to assist with the investigation and confirmed the possible compromise of files containing the PHI of 25,554 patients. The files included names, dates of birth, addresses, Social Security numbers, treatment information, diagnoses, and discharge conditions.

Additional safeguards have now been implemented to protect patient data, and all patients affected by the breach have been notified by mail.

Phishing Attack on the University of Utah Affects Up to 10,000 Patients

The University of Utah has suffered a phishing attack that most likely affected the protected health information (PHI) of about 10,000 patients. This is the University of Utah's fourth data breach report submitted to the Department of Health and Human Services in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (affecting 1,909 persons), April 3, 2020 (affecting 5,000 persons), and March 21, 2020 (affecting 3,670 persons).

According to the substitute breach notice posted on the University of Utah Health website, unauthorized persons gained access to employee email accounts between January 22, 2020 and May 22, 2020. It is unclear at this time whether the most recent breach report also involves access to employee email accounts during the same period.

Kathy Wilets, Public Relations Director at University of Utah Health, gave a statement saying that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She explained that the most recent incident likely involved access to some patient information and that the figure of 10,000 affected persons is an estimate; the investigation may confirm that fewer persons were affected. Steps have been taken to strengthen email security, including the implementation of 2-factor authentication.