HIPAABreachCyber SecurityHealthcare ITInformation SecurityPodcast

ProactiveIT Ep 17 – 10 Easily Recognizable HIPAA Compliance Issues

By February 14, 2020 No Comments
Episode 17 - 10 Easily Recognizable HIPAA Compliance Issues FB

Episode 17 – Another Busy Patch Tuesday, FBI Cyber Crime Stats for 2019 & 10 Easily Recognizable Signs Your Healthcare Provider is not HIPAA Compliant

This is the ProactiveIT Podcast.  This Week: The latest in IT and Cyber Security news plus another busy Patch Tuesday, FBI Cyber Crime Stats released for 2019 and 10 Easily Recognizable Signs Your Healthcare Provider is not HIPAA compliant

This is Episode 17!  

Intro

 Hi Everyone and welcome to the Proactive IT Podcast.  Each week we talk about the latest in tech and cyber news, compliance and more.  We also bring you real world examples to learn from so that you can better protect your business and identity. 

This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut.  You can find us at nwajtech.com.

 Thanks for listening to this podcast.  Show us some love on Apple or Google Podcasts.  Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group.  Search for Get HIPAA Compliance

Patch Tuesday Update:

Google Chrome 80.0.3987.87
Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation
https://www.us-cert.gov/ncas/current-activity
Microsoft’s February 2020 Patch Tuesday Fixes 99 Flaws, IE 0day

Cyber Security News

BEC Scams Accounted For $1.7 Billion, Half Of Total Cybercrime Losses In 2019: FBI Report.  FBI: $3.5B Lost in 2019 to Known Cyberscams, Ransomware

Ransomware Attacks Have Cost US Healthcare Organizations Over $157 Million Since 2016

Operational Technology Attacks Increased By Over 2000% In 2019, Reveals IBM Report

Chinese tech giant Huawei can reportedly access the networks it helped build that are being used by mobile phones around the world. It’s been using backdoors intended for law enforcement for over a decade, The Wall Street Journal reported Tuesday, citing US officials. The details were disclosed to the UK and Germany at the end of 2019 after the US had noticed access since 2009 across 4G equipment, according to the report.

Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims

Altice (Cablevision) suffered a data breach in November 2019 through phishing.  It was determined in January that one of the accounts compromised included a report that was password protected.  That report included names, employment information, social security numbers, date of birth and in some instances drivers license numbers.  They did not state how many people were included in that breach but numerous ex-employees were sent notification.

Dell SupportAssist Bug Exposes Business, Home PCs to Attacks

Ragnar Locker Ransomware Targets MSP Enterprise Support Tools

Windows Server 2008 Servers Don’t Boot After KB4539602 Update

U.S. Charges Chinese Military Hackers for Equifax Breach

Hot Topics

Topic 1:  Facebook encrypted messaging will ‘create hiding places for child abuse’

Topic 2:  Obvious signs your healthcare provider is not HIPAA compliant

Topic 3:  Hacking group publishes ‘full dump’ of law firm’s data; another responds to cybersecurity incident

HIPAA Corner: 

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/korunda/index.html

Breach Report

https://www.hipaajournal.com/category/hipaa-breach-news/

Episode 17 - 10 Easily Recognizable HIPAA Compliance Issues PIN

Transcription

This is the ProactiveIT podcast this week the latest in it and cyber security news plus another busy Patch Tuesday, FBI cyber crime stats released for 2019 and 10. easily recognizable signs your health care provider is not HIPAA compliant. This is Episode 17. Hi everyone and welcome to the productive it podcast. Each week we talk about the latest in tech and cyber news compliance and more. We also bring your real world examples to learn from so that you can better protect your business and your identity. This podcast is brought to You’ve been watch tech, a client focused and security minded IT consultant located in Central Connecticut. You can find us at unwashed check. com that’s NW Aj tech.com. Always thanks for everybody listening to the podcast yet again this week as this is Episode 17. As you’re probably already been made aware, I do appreciate all the listeners that we have already. And if you could share it with other people, that’d be great. You know, we try to bring you the latest so that you’re up to date and so that you’re protected, your business is protected and you’re ready for what’s coming next. So thank you for that. If you could show some lovin Apple or Google podcasts or whatever podcast platform you listen to this on, it would be really great. And, you know, I would maybe I’ll shut you out. If you give us a review on Apple or Google I’ll shout you out on the on the podcast. But if you want more on HIPAA compliance, you’re a healthcare provider or an IT provider that provides business associate type HIPAA Compliance stuff. You can also join the Facebook group it’s HIPAA compliant, it’s get HIPAA compliance on Facebook, just search for get HIPAA compliance. And we update that all the time. Now Patch Tuesday, very busy Patch Tuesday yet again this month. I reported last week to Google Chrome should be updated to Google Chrome at point 0.3 97.87. And there is also a critical Cisco flaw that should have been updated last week for fear CD pw and flaw that breaks network segmentation so you’ll want to take care of those. In addition, this week, we have of course, Microsoft updates that I’ll review in a moment, Intel released some security updates. Adobe released some security updates, the biggest ones being for Adobe Acrobat and reader and Flash Player if you’re still using it, but there are others so you’ll want to review those. And Mozilla released a security update from multiple products. Including Firefox, Firefox, ESR, and Thunderbird. So if you’re still use Thunderbird, you’ll want to get that updated. Now for the Microsoft. It In total, there were 99 flaws that were addressed including in an Internet Explorer is zero day yet another Internet Explorer zero day. So you want to, you’ll want to update, you’ll want to apply those Microsoft updates as soon as possible. So it’s been, you know, as you’re listening to this, it’s been three days already. You’ll want to take care of them ASAP. For the critical flaws, we have Microsoft scripting engine. We see this quite often. And what else we have here we have a critical flaw in remote desktop protocol again, remote desktop client remote code execution vulnerability, remote desktop client, again, remote code execution vulnerability and Hyper V Media foundation memory corruption vulnerability in Windows Media and an lnk remote code execution vulnerability and Windows shell. Those are the critical flaws and of course there’s an Internet Explorer zero day. And then there’s some important and other updates that you’ll want to apply. ASAP so test it get rolled out, protect your business. That’s going to do it for Patch Tuesday update. I don’t have any questions of the week sent in this week. So we’ll move on to the news. Alright, so let’s start out with reported in the introduction that there was some FBI crime cyber crime stats released and so I’m going to go through those real quick we have bc scams accounted for $1.7 billion in 2019. Half of all of the cyber crime losses for 2019 So that means everything else ransomware phishing and everything else was equivalent to B EC scam. So in case you’re not aware BC, is when a lot of times it’s a municipality, but it could be a business receives an email that I guess you could say spoofs a business. So they claim to be a business that that municipality or that business works for. And then says something along the lines, you know, we’re changing our bank information. This is our new bank information if you could forward payments to this bank account. And then of course, somebody unwittingly sends the money to to this new bank account. And it turns out that was not the business at all. vc is short for business email compromised and counted for $1.7 billion in cyber cyber last last last year. That again, is half of the total cyber crime loss for 2019. You know, there have been ransomware and other cyber scams. ransomware attacks have cost us healthcare organizations over 150 $7 million since 2016. And I saw another report today that they believe that number is going to dramatically increase for 2020. Operational technology attacks increased by over one over 2,000% in 2019 death that was revealed by IBM. This is going to continue folks this is going to be until it’s not profitable. These attacks are going to continue and they’re going to get worse. We have Chinese tech giant who a can reportedly access to networks that help build that are being used by mobile phones around the world. It’s been using backdoors intended for law enforcement for over a decade. The Wall Street Journal reported Tuesday citing US officials The details were disclosed to the UK and Germany at the end of 2019, after the US had noticed access since 2009 across 4g equipment according to the report. Also another note ulties, which bought out Cablevision A few years ago, offered suffered a data breach in November of 2019. Through phishing attacks, it was determined in January that one of the accounts compromised included a report that was password protected that report included names, employment information, social security numbers, date of birth, and in some instances, driver’s license numbers did did not state how many people were included in that breach. But numerous ex employees ex employees were sent notification so that you know that that could be a little disheartening if you haven’t worked there in years and now you are now subject to potential data breach. Email hacks nearby Wi Fi reported this earlier this week. But email tech email to malware is now capable of hacking nearby. I find networks to spread to new victims. This is the another perfect reason to not use public Wi Fi or guest Wi Fi hotspots in a business. Because this is the this is the way it’s going to spread. This is one way it’s going to spread us spreads, you know bunch of different ways, but I recently spotted emotes at chosen simple features in Wi Fi module that allows the malware to spread to new victims connected to near my insecure wireless networks. According to researchers at binary defense. This newly discovered email test train starts to spreading process by using w LAN API DLL calls to discover wireless networks around an already infected Wi Fi enabled computer and attempting to brute force its way in if they are password protected. So if this is not a case to use a hotspot, your own personal hotspot then I don’t know what is. Dell support a sister reported earlier this week as well. There’s a bug with Dell support, assist that There is a patch for it. So you’ll want to update that immediately if you’re still using it. I will tell you that we disable that on Dell computers because it is also resource intensive software. And there’s other ways to so Dell support assist is used to advise on any issues that may exist as far as software is concerned any Dell Software that needs to be updated. So you’ll I again, we disable it on all our computers, you should be on Dell support assist version 2.1 point four for business PCs and Dell support assist version two 3.4 point one for home PCs, that those will fix the vulnerability because I should have reported that in the Patch Tuesday update, but I did not so here you have it. Ragnar lock locker ransomware targets MSP enterprise support tools, and I don’t like to beat up on MSP because you know, I own an MSP, but it’s important that we are aware that the world is aware ransomware called Ragnar locker is specifically targeting software commonly used by managed service providers to prevent their attack from being detected and stop. Attackers first began using the Ragnar locker ransomware towards the end of December. As part of attacks against compromised networks. When the attackers first compromised network, they will perform reconnaissance and pre deployment tasks before executing the ransomware. According to the attackers, one of these pre deployment tasks is this first deal a victim file and upload it to their service. They then tell the victim that they will release the files publicly if your ransom is not paid. Also, all of your sensitive and private information were gathered and if you do, if you decide not to pay, we will upload it for public view the attacker state in the Ragnar locker ransomware. So you can imagine they don’t want to have to deal with this. The msps don’t want to have to deal with this. So what does that mean? more likely to pay? bleeping computer has seen various ransom notes for Ragnar locker with ransom demands ranging from 200 to $600,000 and So here are some of the programs that it is targeting VSS SQL. m toss. That’s, I’m sorry, mentor, me MTS, MEP OCS I’m not sure what that is. So first veem backup pulse wave, LogMeIn, LogMeIn Connect wise splashtop and Cassia so some of the bigger names in the industry are being targeted Connect wise because say a LogMeIn, these are big names. So folks is a big name. So these are things to keep an eye out for, especially if you’re an MSP it’s it’s time to, to eat the vegetables that you’re dishing out every day. Windows Server 2008 servers don’t boo after k before 539602 I’m see I’ve seen a few reports for this. This isn’t bleeping computer. I’ve seen a few reports and this does impact windows seven as well. So if you have KB for 539602 installed, you are not able to to boot up after that update and Windows Server and Windows Server 2008. Windows seven, there is a fix on official fixes there’s two fixes, according to the article on bleeping computer, so, hop on over to bleeping computer. It’ll be a link in the show notes and get the fix. If you are impacted by that. Now, you should not be on Windows seven or Windows Server 2008 anymore because they’re no longer supported. But that’s neither here nor there. And then finally, US charges Chinese military hackers for Equifax breach, also reported on bleeping computer earlier this week, the US Department of Justice announced today that four members of the Chinese People’s Liberation Army peel a 54th Research Institute were charged for hacking the credit reporting agency, Equifax in 2017. On January 28 2020, a federal grand jury in Atlanta returned an indictment alleging that Woozi on Wang, Qin zukie and Lu Lu lei broken to Equifax is complete Systems install sensitive information sensitive personal information. of nearly half of all US citizens and Equifax trade secrets under the global settlement agreed upon with the FTC, the Consumer Financial Protection Bureau and 50 US states and territories on July 22, Equifax said that it will spend up to 425 millions to help to breach victims. And it goes on to explain the details. But we’ve seen the details of the Equifax hack multiple times now. So no need to rehash that. I will say again. This is partly the fault of Equifax because they were not following security best practices as it relates to protecting servers and client information. So the settlement was agreed upon a couple of weeks ago, I think January 22, was the date. And so if you planned on applying for you know, whatever remediate And have it’s too late now. And last bit of news for the week on threat post Puerto Rico government hit by $2.6 million phishing scam. It’s actually as a BC scam. So again bc we talked about his business email compromised and phishing scam has wonderlic Puerto Rico government agency out of more than $2.6 million. According to reports, according to reports, the email based phishing scam hit Puerto Rico’s Industrial Development Company, which is a government owned Corporation in the driving economic development to the island along with local and foreign investors agency reportedly received an email alleging to change alleging a change to a banking account tied to remittance payments, which is a transfer of money, often by foreign worker to an individual in their home country. The agency sent this payment to a fraudulent account on January 17. It’s very serious situation. extremely serious. Manolo boy, Executive Director of the agency told The Associated Press we want it to be investigated until the last consequence Is he filed a police complaint on Wednesday regarding the scam. But further questions regarding how the scam was discovered whether the agency operations have been impacted and more still remain. Threat post has reached out to the industrial development company for further details. So continues to happen and we need to be careful there should be some type of verification in place when these things come up. That’s going to wrap it up for the news for the week. Alright, so first hot topic for the week. saw this earlier in the week I thought it would be interesting to discuss because it is a very sensitive topic, and so on and so forth naked security website. Facebook encrypted messaging will create hiding places for child abuse. That is that is a very hot topic and in our world today is something that I believe is important to discuss, especially if you have children. And it’s important for parents to understand the dangers that exists. So it is something that I educate families on. When I get a chance, I do try to. And, you know, I’m working through these seminars that I’m scheduling out for the year. So this will probably be probably be at least one maybe two this year on this topic alone. But last year, Facebook announced that it would stitch the technical infrastructure of all of its chat apps. That means messenger, WhatsApp, and Instagram together so that users of each app can talk to each other more easily. Let’s save Instagrams messaging is kind of behind the other two. The plan includes slathering the end to end encryption of WhatsApp which keeps anyone including law enforcement and even Facebook itself from reading the content and messages. messenger and Instagram at this point Facebook Messenger supports end to end encryption and secure connections mode, a mode that’s off by default and has to be enabled for every chat. Instagram has no intent encryption, honest chats at all. So those of you that think it’s secure at this point it’s not but that’s not what we’re here to discuss. As you would expect, there’s a lot of discussion and debate. As we begin the long process of figuring out all the details of how this will work. Facebook has said including, of course, the fact that law enforcement would be shut out of viewing messages on yet more chaps. That discussion now includes an open letter signed by 129 Child Protection organizations around the world and sent to CEO Mark Zuckerberg on Thursday. Markets hard to be king, isn’t it? Their groups led by the UK is National Society for the Prevention of Cruelty to Children and spcc are urging the company to stop its plans until sufficient safeguards are in place. According to news outlets that have been seen the letter it says the Facebook could be building on years of sophisticated efforts to protect children online, but it’s instead inclined to blindfold itself. More from the letter we urge you to recognize and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade off to make. Children should not be in put in harm’s way either as a result of commercial decision or design choices. Dan spcc said in December 2019, that police in UK recorded over 4000 instances an average of 11 per day where Facebook apps were used in child abuse image and online sexual offenses during the prior that is, that’s a little scary. Group porn that end to end encryption on all this messes messaging apps will allow child abuse to go undetected unless Facebook first puts clear safeguards and placing that encrypted messaging creates hiding places for child abuse. The platform will no longer be able to see and report illegal content to law enforcement so police will be left with In the dark, more serious child abuse will likely take place on Facebook owned apps as accusers, as abusers will have to move their victims off the platform to other encrypted ones to groom them. Government push back against encryption while some digital rights groups have applauded Facebook’s moved to a stronger encryption. Some governments those are the US Britain and Australia have not in December 2019, a select committee of members of US Congress told Facebook and Apple that they had better put backdoors into their end to end encryption or laws will be passed that forced tech companies to do so. So that’s going to be a big battle. And although Open Letter the child protection groups told I’m sorry, in Thursday’s open letter, okay, hold on, lost my spot here. Yeah, in the open and they’re open letter, the child protection groups told Facebook that they recognize users legitimate interest in ensuring that their data is protected, but that doesn’t negate the platform’s responsibility to Help in investigations. However as you yourself as stated Facebook has responsibility to work with law enforcement to prevent the use of your sites and services for sexual abuse in January. The UK is Information Commissioner Officer iceo for short, published a code to ensure that online companies protecting kids from harm via showing kids suicidal content, grooming by predators illegal collection and pollute profiteering off of child children’s data, or all the smart toys and gadgets that enable children’s locations to be checked for creeps to eavesdrop on them. And Thursdays open letter to Facebook Child Protection groups urged Facebook to back off of its encryption plans until safeguards for children’s safety are in place. And so here’s Facebook’s response David miles Facebook’s head of safety for Europe, the Middle East and Africa said in a statement that encryption does in fact protect people strong encouraged strong encryption is critically important to keep everyone safe from hackers and criminals and Facebook will work on protecting children online. As part of the long slog to getting into encryption everywhere, the rollout of end to end encryption is a long term project. protecting children online is critically important to this effort and we are committed to building strong safety measures into our plans milestone that Facebook is already working with law enforcement, government and tech companies to keep children safe online. Not the first time, not the first letter Facebook’s received in October 2019. Three governments warn Facebook that it had better and or at least pause its encryption on everything plan. It was Attorney General William Barr and law enforcement use of the UK and Australia signed an open letter calling on Facebook to pause it until it figures out a way to give law enforcement officials backdoor access so they can read messages. No Facebook said with all due respect to law enforcement, and its need to keep people safe. Facebook responded by releasing its own Open Letter pent in response to bar in the letter WhatsApp and messenger heads will Karthik Karthik will Catholic And stand chuttan offski said that any backdoor access into Facebook’s product created for law enforcement would weaken security letting bad actors and would exploit that access. That’s why Facebook has no intention of complying with bars request that the company make its products more accessible, they said. So this is interesting because it’s really shows both sides of the coin here. We want privacy. We don’t want our data to be out there. You know, and Facebook’s come under fire already several times for for privacy concerns. And at the same time, we want to keep children safe online. I you know, until I saw that, the stat therefore how many how many times they’ve found these incidents on Facebook in the UK. I wasn’t aware because I don’t think too many children are actually on Facebook. I know maybe Instagram to some degree, but there are other apps and we need to be Looking at other apps even more carefully Tick Tock Snapchat. And I’m sure there’s tons of other apps that are out there, where children are using them more frequently than using Facebook. But I understand as a father myself, I completely understand where, where these groups are coming from. So I’d be interested to hear what what you guys think, you know, leave me a comment on the website or shoot me an email, however you want to communicate with me. Feel free. I’d be really would be interested to hear what you guys think. Alright, so next up 10 easily recognizable signs that you’re not HIPAA compliant. This really is directed at HIPAA health care patients. So 10 signs that your health care provider is not HIPAA compliant. And so blog posts on the watch, check calm that’s my company’s website. It’s MW ha tech.com. It is the most recent blog post. There was some social media images shared and I didn’t realize that After I posted there was a couple of grammatical errors. So there’s a new image on the blog post itself if you want to, if you’re so inclined to share that image out, feel free. So again, 10 signs that your healthcare provider is not HIPAA compliant. And the idea here is if you walk into your health care provider and recognize any of these things use this should raise a little bit of a red flag, someone some bigger red flags and others. So when I visit a dentist, chiropractor, physician, psychologist or any other healthcare provider, even the local pharmacist, I always look for obvious signs that they’re in need of help with HIPAA. I do this because their conversation starters obviously, this is the business I’m in. So I want to start these conversations because it could mean business. If there are obvious signs, to a lack of HIPAA, HIPAA compliance, then I’ve come to the right place. Here’s something to think about in today’s high tech world. HIPAA exists to protect healthcare patients. All businesses should put the best foot forward When it comes to protecting their clients information, HIPAA is really the tip of the iceberg when it comes to cyber security. If you’re only doing HIPAA, you’re doing the bare minimum required to protect your patients information and it’s not enough. looking for signs that your healthcare provider is not doing. The best to protect your most sensitive information should be just as important as not giving your social security number over the phone. So here’s the 10 things you can easily spot when you’re at your doctor’s office. First one, Windows seven or 2008. Still in the environment, if you happen to be at the receptionist desk and you happen to notice using Windows seven, you probably won’t see server 2008 because servers are not usually an in ice shot of a patients. But if you see windows seven now should be the first sign. They are not HIPAA compliant because server 2000 server 2008 and windows seven are no longer supported by Microsoft, which means they won’t be getting patch especially for security which means security wise They are no longer compliant. And let’s remember that when it comes to HIPAA when it and when it comes to your business security, HIPAA is really at the bottom rung of cyber security. If you’re not even doing that, then your practice is not secure and you’re risking your business but you’re also risking your patients who are your clients, you’re risking their information being breached, breach sorry, and the heartache that will have to that they will have to deal with now this applies to really any business, but more so healthcare, healthcare, four out of five data breaches are healthcare. So if you’re not doing if you’re not even willing to upgrade to Windows 10, you don’t even need a new computer, most likely. But if you’re not willing to do that, then you’re really not taking care of your patients. All of our patients were moved, all of our clients were moved off of windows seven, except for the clients we picked up in the last year, but any clients we’ve had for any length of time, were moved off of windows seven, three at least three years ago. Windows 10 not patched or outdated software. So we had Patch Tuesday a couple days ago, three days ago. You know, you should be patched by the middle of next week. The latest most will probably be probably patch over the weekend most eyeties would do that. I typically patch on Friday nights. However, I did roll out my patches on Tuesday this week after testing it. So windows 10 patches are outdated. Or you have outdated software. Maybe you haven’t updated Java in a while. Maybe you haven’t updated Adobe PDF readers. We just heard a few minutes ago that Adobe there is an update for reader and Acrobat. Maybe you haven’t an Adobe products are also commonly compromised. So if you have them, update them when there’s updates available. Maybe you haven’t updated. Hopefully you’re not using Flash player but maybe you haven’t updated flash player in a while. These are bare minimums. If you’re not doing it, you’re putting your patients information at risk. Last week I shared 10 of the most exploited vulnerabilities are in social Cases five to eight years old, all 10 were either Adobe Flash Microsoft Office Internet Explorer or winner. So three out of four were Microsoft, the other. The other one was Adobe. Three they’re using free antivirus and it’s easy to spot Free Antivirus because there’s always pop ups saying hey bye bye our our paid version and get these features with it. If you’re using free antivirus, for example, that’s free or a VG free or whatever other free antivirus that’s out there today. If you’re using any of these, you they are not. They’re not doing the job that you want them to do. And they’re not ensuring the security of your systems today, you need something that’s a little more proactive. You need security software doesn’t wait for updates. Let’s face it, if you’re using a free antivirus program updates or even less frequent than a paid antivirus, you need something that’s anomaly based something that’s going to look for things that aren’t aren’t normally there. If you see a computer with a VG and it pops up with an ad and it’s free ABG this would be a little disheartening to me. I would be concerned that the health care practice does not have your best interest and and to have a Solid anti malware security software does not cost that much. So the cost as an excuse is a poor to use. Wi Fi router shares guest Wi Fi. It’s easy to buy a Wi Fi router and sort of guest Wi Fi now should not happen in any business but especially healthcare I know or any compliance businesses should not especially I know most businesses offer guest Wi Fi it’s available almost everywhere you go. I always tell people don’t hop on just any Wi Fi if you are absolutely if you absolutely need to use wireless on the road, have a hotspot with you. Most phones have hotspot capabilities now, use that instead of public Wi Fi or guest Wi Fi. If you happen to notice it’s something I check anytime I walk into a business and I do check to see how easy it is to become that business can be compromised because it’s an important message to send to the business. There’s a guest Wi Fi and the same route as the inner internal Wi Fi. This is a sign that a recent security analysis has not been conducted because any good IT consultant or compliance officer or both would say you need to segment your network. Internal Wi Fi should only be available to the staff and not potentially exposed to the guest Wi Fi, it’s a little bit closer to being able to be easily compromised. The internal network needs to be segmented by utilizing a separate router and segmenting the network from the guest Wi Fi. Five using a free email account and this one I see all the time. And this is a pet peeve of mine. If you if you’re in business, you should not be using a free email account for communicating with clients. It just looks unprofessional. Let’s forget that for a minute. If you’re using a free email account and a healthcare practice is not HIPAA compliant, because they will not sign a business associate agreement. Google will sign one with a GC would account and it’s a certain level of G Suite of tickets. It might be G Suite business. I think I’m not sure. But it’s a certain level of G Suite Microsoft will sign one with an office 365 They will not sign one with an Outlook. com account or gmail.com account. It will Yahoo and all other free email account options will not sign a business associate agreement. And in most cases, they will also not offer encryption, which is important when you’re sending email you need encryption clipboard with a sign in sheet. This one drives me nuts still see it here and they’re not as often but my physician used to do this. You would walk in there’d be a clipboard at the window, you’d put your name, the reason you’re there, and who you’re there to seeing and what time you got there. This is a HIPAA violation. I now have you know that if there’s 10 people that signed in before me, I now know why they’re there who they are. And the approximate time I have enough information now to to compromise them. This is a clear HIPAA violation. Just walk away if you see this at this point. Number seven, no privacy screens a dental practice I recently walked into had nobody at the reception desk and four computers unlocked. The computers had no privacy screens on them. I could see the schedules, I could see the names, I could see the all kinds of things. I took a picture of it to share with the practice. If you’re able to see patient name schedules and why they’re coming in to see the healthcare provider, this is a clear HIPAA violation. Remember the Facebook group I belong to shared an image of a pharmacist, a well known chain, I won’t say what chain but as a well known chain who did nothing to protect the prescriptions waiting to be picked up, you were able to clearly see names addresses in the name of the prescription. There was no privacy wall or anything to protect this information. This falls into the same category. Number eight private conversations with patients and staff in the waiting area. This happens all the time. I’ve walked into my kids pediatrician, and asked me to clarify my name, address, phone number, and if any of any information has changed right at the front counter, just a few feet away from where people are waiting. There should be a separate area for conversations that are sensitive. This happens a lot in pharmacies. There should be a separate area where the pharmacist or the healthcare practice staff can have a conversation with all other people being in earshot range. Not Next cubby number nine little to no physical security if they’re, if they don’t have locks, motion sensors, and locked room with all the files or cameras, they’re not doing everything they can to protect paper files they may have for their patients. Here’s why I mentioned this on episode 64. The productive it cyber security daily, which I have linked in the blog post. I had to report two different practices in two different states that were burglars. This wasn’t a stolen lap them they were laptop, they were not hacked, not fishing. They were burglarized. Somebody physically broken. In one case, they didn’t they did steal healthcare files. And the other case, it does not appear that it did but we don’t know if they took pictures. We don’t know what they were doing. It still happens there still needs to be some level of physical security. those files cannot be easily accessible to someone who breaks into the practice. If you walk in and you see the files right there behind the front desk with no locks on them. No cameras no additional security that’s a red flag. And finally, no privacy disclosure. When you visit a doctor you should be given Privacy disclosure, the first time you visit and then every so often after that, just as a refresher, they’re not going to ask you to do this every time but I believe they must do it at least once a year. It should have you signed a document explaining their Privacy Practices. This is part of HIPAA. They usually have you signed a document explaining their HIPAA practices to as they should. If they don’t do this, then I wouldn’t use their healthcare practice because they’re not taking your privacy seriously. So why is recognized the HIPAA compliance issues are important to you as a patient. If your health care practices, taking insurance and transmitting your information electronically to the insurance carrier than they are supposed to be HIPAA compliant. If you see any of these in your healthcare practice. If you see any of these things, give us a call. We’ll give them a call and ask them what’s going on. All it takes is one call to HHS OCR and an investigation will be open this could mean anything from finding Mutual funds are settlements to a corrective action plan to technical advice. No matter what the outcome of that call it puts the health care practice on the OCR radar. They don’t want to be on the radar. Forget the OCR for a minute. They should want to protect a patient’s data because they are in the business of caring for people. So be on the lookout for those things in your health care providers office. And then finally, not to leave lawyers out but lawyer lawyers have been kind of getting the spotlight on them the last few weeks. So this is on a bureau ABA journal, ABA journal calm. hacking group publishes fold number of law firms data and other response to cyber security incident to law firms are grappling with the effects of recent cyber intrusions. The 11 lawyer of Texas law firm Baker watering had its data exposed by hackers including fee agreements diaries, from personal injury cases. That’s according to law.com a sec. From Wilson Iser Moscow with Adelman and deker responded to suspicious activity on its network by taking it offline law 360 reports. Law Firm press releases here there’s a link to it. Wilson elzar said lawyers are accessing emails through a remote system, its phone system is working and its offices are open. There is no indication at this point that any client data has been compromised. The firm said in February 10 statement, bigger waterings.on the other hand was exposed when in what the hacking group called maze which means we know if you’ve listened to me on any of my podcast, we know me is taking that data and exposing it if you don’t pay up. So me it’s called a full done, according to law.com is hacked into targets and seizes their data then seeks to expose it unless a ransom is paid. Baker watering is one of the least one of at least five law firms targeted by May since last month. In past incidents Mase has sought ransom in the range of one to $2 million I trying to remember if software was made or if it was sold on a Caribbean, I believe it was sold in a kb. They are looking for $6 million southwire being a, I guess, a manufacturer of wiring, and so forth. This is just seems to be I’ve been saying it for months now the law firms are a target. And we haven’t been seeing a lot of law firms in the news when it comes to ransomware. But this now we’re starting to see a little bit more of it each each week. And it says one of at least five law firms targeted by May since last month. And so this is a problem. law firms need to be ready for these types of things. You need to have business continuity and disaster recovery. You need to have ransomware mitigation, we need to have education. We need to have fishing mitigation, there’s a lot that goes into it. It’s not just throwing in a virus program on your computer and be done. It that’s not how it works these days, it just doesn’t work that way anymore. That is going to do it for our hot topics. I hope hopefully you guys find that useful and can apply it to your business, whatever it may be. It doesn’t need to be a law firm or healthcare. Practice in any business you need to be be alert to what’s out there and be ready to protect your business. For the HIPAA education piece, this week I decided to review a settlement from last year the OCR subtle second case in HIPAA right of access initiative we did talk about in a previous episode, the HIPAA right of access, which essentially states that if I asked for my healthcare records, that health care provider needs to provide it to me in a reasonable manner. with reasonable costs, you know like five or $10 that’s reasonable. And in the in the manner I want it to be in this shouldn’t be any delays 30 days is the target date and 60 if the healthcare provider can provide a significant as a good reason as to why it was delayed. So this case this is OCR, subtle second case in HIPAA right of access initiative, this is from last year. This is kuranda Medical LLC. And so the OCR announced this initiative earlier this year promising to vigorously enforce the rights of patients to get access to medical records properly without being overcharged and in readily producible format of their choice, which is pretty much what I just said. So kuranda Medical did agree to a corrective action plan and pay $85,000 to settle a potential violation of HIPAA is right of access. provision currently is a Florida based company that provides comprehensive Primary Care and interventional pain management to approximately 2000 patients annually. Now that is not a big healthcare provider 2000 patients is not a lot for healthcare practice. So let’s read the press release from the OCR. The Office of Civil Rights at the US Department of Health and Human Services is announcing its second enforcement action and settlement under its HIPAA. Right of Access Initiative. OCR announced this initiative earlier this year promising to vigorously enforce the rights of patients to get access to their medical records property without being overcharged and readily producible format of their choice. cringer Medical LLC has agreed to take corrective actions of pay $85,000 to settle a potential violation of HIPAA is right of access provision currently is a Florida based company that provides Comprehensive Primary Care and interventional interventional pain management to approximately 2000 patients annually. In March of 2018, OCR received a complaint concerning a current drug patient alleging that despite repeatedly Asking kuranda failed to afford a patient’s medical records and electronic format to a third party. Not only did current a failed to timely provide the records to the third party, but currently also failed to provide them in the requested electronic format and charged more than raised reasonably cost based fees allowed under HIPAA, so they just basically violated every part of the right of access rules. OCR provided crona with technical assistance on how to correct these matters and closed the complaint. Despite OCR as assistance. kuranda continued to fail to provide the requested records, resulting in another complaint to OCR. As a result, the OCR second intervention request records were provided for free in May of 2019 in the format requested. For too long healthcare providers have slow walk their duty to provide patients to medical records out of a sleepy bureaucratic inertia. We hope our shift to the position of corrective actions and settlements under the right of access initiative will finally wake up health care providers to their obligations on Under the law, said Roger Severino OCR director, he holds no punches. In addition to the monetary settlement kuranda will undertake a corrective action plan that includes one year of monitoring. The resolution agreement is I’m going to go through I’m going to skim it in a moment, but it is linked to this article, which is on hhs.gov. The press releases, so let’s let’s dissect that for a moment. So first of all, kuranda failed to provide the medical records in electronic format to a third party. They failed to provide in a in the format that was requested and charged more than reasonably cost based fees. So reasonably cost is how much does it cost to provide that record in labor and in you know, whatever format to request. So it’s usually like five it’s nominal five or $10. You know, when I knew my kid Well, now when I knew my kids healthcare records, I just go on the app that they the healthcare provider provides and before that it was $5. Now, the OCR provided kuranda with technical assistance, and we’ve talked about this before, when the OCR provides technical technical assistance. That means you need to listen you got offered a slap on the wrist. They said do this, and that’ll be the end of it. And it’s essentially what it says here that to provide a technical assistance on how to correct these matters and closed the complaint. The complaint was closed. So here’s what you’re going to do. Here’s what you need to do. Get it done, and you won’t see us again. Well, they didn’t get it done. Because then they OCR received another complaint for the same issue. Open a second investigation and found that the complaint was legitimate. And now you have a $85,000 fine. I don’t know how big 400 Medical it doesn’t sound like a very big operation. So $85,000 could be fairly significant cost. And in addition, you have one year corrective action plan. Now, one year corrective action probably close to more than 85,000 because now you’re going to have to do everything no car says you need to get done. So implement a HIPAA program, make sure your technology is up to date. And they’re going to watch over you and they’re going to set milestones and say this is what needs to happen over the next year. It’s fairly straightforward, is simply supply the record that the patient is asking for and you’re out of the out of the woods for something that could have cost you a few dollars now cost you $85,000 plus one year of monitoring, and so silly, silly is an understatement, but it’s silly. So then I have the resolution agreement here. And let’s just look at what Roger Severino says for for too long for too long, which means we’ve let these health care providers slip too long on some of these things. Health care providers have slow off their duty to provide patients with their medical records out of a sleepy bureaucratic inertia. essentially saying they just felt like they didn’t have to do it. You know, we’ll just take our time and give give the patient a run around. And who knows the reason behind it, was it an incomplete record where they not documenting everything as they should they just want to be difficult. Who knows? We hope our shift to the imposition of corrective actions and sentiments under the right of access initiative will finally wake up health care providers to their obligations under the law. In other words, we’re going to continue to enforce this do your part. The resolution agreement. In this all happened within a two month period, by the way, so between March and May of 2019, two months, in two months, you only get 30 days to supply the records. So within two months you failed miserably. So on March 6 2013, OCR received a complaint alleging corruption medicals, not in compliance with the Privacy Rule complaint allege kuranda refuse to provide an individual with access to our protected health information in the requested format. On March 18 2018, OCR provide a Corona medical with technical assistance regarding two individuals right of access to Protected Health. So March 18. Remember that. So 14 days later, I’m sorry, 12 days later, they provide it. So that’s pretty quick, on March 22. Now, four days later, or CR received a second complaint concerning kroners continued non compliance with the requirements of the Privacy Rule concerning access, and that’s 45 CFR 164, or five to four. On May 8, HHS notify Crota medical of its investigation of Corona medicals compliance with the HIPAA rules promulgated by the HHS pursuant to administration Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. Part A current medical field to provide timely access to the protected health information from April 22. May 12. And that’s you know, that’s only 10 days. I’m sorry 20 days and the agreement is intended to resolve OCR transaction number 19 dash 33736 in any violations of the HIPAA rules related to the covered conduct specified in paragraph 1.2. I point to sorry, this is the of disagreement in consideration the party’s interest in avoiding the uncertainty burden and extensive further investigation of formal proceedings the parties agreed to resolve this matter according to the terms and conditions below so that the payment is $85,000. As I said, there is a one year cap corrective action plan. And the details of that are in the agreement. You know, they they fail crona Medical failed to do something as simple as provide a record this is not a longer agreement. So it’s actually pretty, pretty straightforward. They failed to provide the record and here’s some of the what’s They have to do under the corrective action within 60 calendar days of the effective date for the medical shelf provide training materials regarding individual right of access to pH I consistent with 45. So now we’re talking about education that costs money, but should have already been doing it. So it’s not really an additional cost at that point. Within 30 calendar days of HHS is approval annually, while under the term of the cap. Current a medical shall provide training to all workforce members at its facilities on the Privacy Rule requirements were concerning divid individuals right of access to pH i. So it sounds like current a medical does have HIPAA in place. They just didn’t do this for whatever reason. And I don’t know what the reason was. It doesn’t say within 90 calendar days of receipt of HHS is approval the policies and procedures required by section VA one and every 90 calendar days thereafter, while under the term of this cap, current medical shall submit to HHS a list of requests for access to pH I received. So now that’s a little bit I’ll side of the normal scope accredited medical denied any request for access in whole or in part for the medical shall submit to HHS all documentation consistent with 45 CFR 164524. During the compliance term current a medical Sharon upon receiving information that a workforce member may have failed to comply with access policies and procedures promptly investigate this matter of current medical determines after review investigation that a member of its workforce has failed to comply with these policies or procedures. current medical shall notify HHS in writing within 30 calendar days. Such violations shall be known as reportable events. A complete description of the event, including the relevant facts the persons involved and the provisions of the policies and procedures implicated in or description of the actions taken and any further steps current or medical plans to take to adjust a matter to mitigate any harm and to prevent it from recurrent, including application of appropriate sanctions against workforce members would fail to comply with his privacy rule policies and procedures within 120 days after receipt of HHS is approval of the policies and procedures required by section VA one Crota medical shall submit a written report to HHS summarizing the side effects implementation requirements of this capsule. Now that’s a little bit you know, that’s outside of normal scope of HIPAA. So now you’re you’re doing extra work and and attestation signed by an owner of Officer of kuranda. medical testing, the policies and procedures approved by HHS in Section VA are being implemented, and attestation signed by an officer or owner of crona medical testing that all members of the workforce have completed the initial training and an attestation signed by an owner or owner or Officer of Corona medical is stating that he or she has reviewed the information implementation report has made a reasonable inquiry regarding its content and believes that upon such inquiry, the information is accurate and truthful. And then there’s some annual reporting and document retained tension that they have to maintain all these documents for six years. So something to think about six years, data retention for HIPAA and goes on to talk about some breach provisions. So you know, all this because you fail to supply a record to a patient. It’s a it’s really a simple fix. And it’s really not complicated to provide a record as long as a record exists. So, hopefully that helps some healthcare providers and or patients because patients need to know these things too. And that is going to wrap it up for the HIPAA education piece. We’re going to move on to our breach reports. Alright, we have a lot of HIPAA breach news to report this week. So let’s get on the weekly breach report. The first one Let me start by saying February 29, which is just over two weeks away. 15 days away from the time the is recorded. That is the cutoff date for reporting any breaches for 2019. Obviously, that’s 60 days from the end of the year, and you have 60 days. That is the breach report rules, it is 60 days to report any breach that you may have had if you’re if you’re covered under HIPAA. So let’s just get into it. The first one was actually Friday, and not sure if I reported this last week. So I’m going to report it now health share of Oregon notifies 654,000 members about business associate data breach. And I did mention I’ve mentioned this a few times now. The OCR is is planning to have target business associates in more enforcement related stuff. So you can bet that this is going to be one of them except as one minor detail, that might be a problem. So I’ll get to that organians Medicaid Coordinated Care Organization health care of Oregon is noticing notifying approximately 654,000 current and former Members, as some of their protected health information was stored on a laptop computer stolen from its transportation vendor grid works. So here’s where it’s a problem. So the laptop obviously, if it’s reported means it’s not encrypted. If it was encrypted, then that’s the end of the story right there. We don’t even have to report but it was not encrypted. They don’t know what that it was on that laptop. So they’re gonna err on the side of caution and report that potentially 654,000 records were exposed. The laptop was stolen in a burglary at grid works office in November of 2019. Grid works did notify health share about the laptop depth on January 2. I’ll show started sending notification letters on February 5, to all individuals whose pH II was stored on the laptop affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services. So that is, that’s going to be costly. And so this is what we say when we when we say are hidden costs not really hidden but there are additional costs beyond a HIPAA fine. So that’s going to cost a shiny nickel. How share conducts so health share was actually doing their job. They do conduct security audits and did conduct 100 works on March of 2019. And in response to the breach, health shares will expand its vendor security audit program. And steps have been taken to ensure only the minimum amount of patient information is trend transmitted to its vendors. Training policies have also been enhanced. The other part of that is that they are no longer using good works for their for the rideshare program and are using another company. I can’t see it here but grid works has ceased operations as of December. So I don’t know what that means as far as any potential HIPAA settlements or fines or Or corrective action plans. It’ll be interesting to see what comes of that and it may be a little while before we hear anything. Hospital sisters health system email breach impacts 16,167 patients. Hospital sisters health system has recently discovered an email security breach in August of 2019 potentially resulted in unauthorized individuals gaining access to emails and email attachments containing a protected health information of 16,167 patients. Hospital sisters health system is a 15 Hospital Health System serving patients in Illinois and Wisconsin. Between August 6 and August 9 of 2019. Unauthorized individuals gain access to the email accounts of several employees. prompt action was taken to security affected email accounts by changing passwords. And a leading computer forensic firm was retained to investigate the breach and determine whether the compromised accounts contained patient information. These firms should be brought in beforehand, not after him and this goes to the to the The fact that healthcare practices spend more on marketing after a breach than a do and trying to prevent the breach. On December 2, hospital sisters health system was informed that patient information had potentially been accessed by the attackers to compromise email accounts were found to contain patient names, birth dates and a limited amount of clinical information. Some patients also had their health insurance information, social security number in or driver’s license number exposed. A January 31 Hospital sisters health system started emailing notification letters to all affected patients. So here’s another failure because they knew about the breach in August six, or they knew about it in August 2019. So five months ago, and they did not fall breach reporting rules. Now I understand. You’re going to say well, they didn’t know until December 2 that patients were were compromised, but that’s not how it works once once you have identified that you’ve been breached, you supposed to notify any potential victims. slew of email security breach reported by healthcare organization so I think there was five total. So I’m just going to go through the list real quick real quick. email account breach reported at shields Health Solutions show shields Health Solutions and starting mass based provider of specialty pharmacy services to hospitals and other covered entities as discovered an unauthorized individual gain access to the email account of an employee and potentially viewed copied health protected health information. suspicious activity was detected an email account employee on October 24. Assisted by a cyber security firm shields Health Solutions determine an authorized individual access to account between October 22 and October 24. The breach was confined to a single email account, email account contain messages and attachments to include a patient names, dates of birth medical record numbers, provider names, clinical information, prescription information, insurance names and limited claims information. No evidence was uncovered that suggests patient information was accessed or copied. Lafayette regional rehabilitation hospital email breach impacts 1300 60 patients. So Lafayette regional Rehabilitation Hospital in Lafayette, Indiana has discovered that unauthorized individual gain access to the email counseling employee in July of 2019 and potentially viewed patients protected health information breach was detected on November 25 2019, prompting a thorough investigation to determine whether any patient information has been accessed by unauthorized individuals. No evidence was found to indicate patient information was viewed or copied. Isn’t that amazing that that’s never found. But it was not possible to rule out the possibility. A compromised account was found to contain names, dates of birth and clinical and treatment information related to medical services received at the hospital. a limited number of patients also had their social security number exposed 6524 individuals impacted by phishing attack on MH Mr. of Tarrant County. My health my resources and HMR for short of Tarrant County and Fort Worth, Texas has experienced efficient Attack evolved in the email accounts of small number of its employees. phishing attack was detected on December 3. investigation revealed the accounts were accessed by an unauthorized individual between October 12 and October 14. emails and account were found to include names social security numbers, driver’s license numbers and some other information about the care received em HMR. It was not possible to determine whether patient information was viewed and no information has been received to suggest to any patient information has been used misused. Out of the abundance of caution all individuals whose information was stored in emails in the compromised accounts have been notified by mail. individuals whose sole security number or driver’s license number was exposed had been offered complimentary complimentary credit monitoring and identity theft protection services. So let’s just say for us going to pause here for a second 6524 accounts, let’s say I don’t know 1000 of them had that information in their times $100 a year I think is the average cost For credit monitoring, and I could be off but, you know, now you’re looking at $100,000. Just for that. We have a phishing attack impacts. 1000 patients medical transportation service provider and we’re seeing more of these lately, has announced that protected health information of approximately 1000 patients has potentially been accessed by an unauthorized individual. As a result of a phishing attack. suspicious, suspicious activity was detected an email account of employee on September 12. The account was secured an investigation was launched, which revealed further email accounts had also been compromised. Those accounts had been subjected to unauthorized access between July 23 and September 13. view of the compromised accounts revealed that they contain patient names travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers and a small number of social security numbers. It’s funny how it’s always a small number of social security numbers. Complimentary credit monitoring and identity theft protection services have been offered before blah blah. They did not meet the requirements for breach notification rules. So Lawrenceville, internal medicine associates and with multiple accounts were fished and obviously do not have multi factor authentication turned on. They obviously have no fishing mitigation program in place. Lawrenceville internal medicine associates email Eric sposed 8031 patients email addresses. So this was a little bit different. But Lawrenceville internal medicine associates in Lawrence Township, New Jersey is alerting 8031 individuals about an email era that exposed patients in the email addresses basically to send an email out an email announcement out but did not put the email addresses in the BCC field. So additional training has been provided to the IT department, email security policies had procedures and procedures have been strengthened. So this one not too tragic. Huge. Just got a bunch of email addresses. If you paid attention, sunshine Behavioral Health Group discovers pH I exposed over internet. Portland Oregon you based sunshine Behavioral Health Group, a provider of business services to health care providers has discovered a cloud based system used to store patient information. patient health records was accidentally misconfigured misconfigurations allow patient information to be accessed over the internet. There was identified as September 4 and access controls were immediately implemented to prevent records from being accessed by unauthorized individuals. further actions were taken on November 14, to remove the records from general internet access on December 23. Sunshine Behavioral Health Group determine a folder and a cloud based system contain information such as names, addresses, credit debit card numbers, expiration dates, security codes and electronic digital signatures of individuals who had paid for health care services to expose data related to payers for medical services received at monarch shores, chapters chemistry Donna Willow Springs recovery and mountain springs addition tree addiction treatment and rehabilitation centers on an empty stole patient information in Lake County Behavioral Health, burglary. This is one of those ones that I was talking about. Earlier when I talked about the 1010 ways you can identify that your healthcare provider is not following your HIPAA compliance program. Lake County Behavioral Health and clearly California has announced it experience at burglary on December 5 2019. And thieves stole a locked filing cabinet containing client health information stolen paid for contain information such as patient names, contact telephone numbers, case numbers, medications, appointment dates, times of payments, and amounts to one file contain a patient’s date of birth, social security number, medical history, disability status, substance use history, income verification information and medical ID number. And then finally, Jefferson Center for Mental Health announces potential breach a pH is sort of similar situation here Jefferson Center for Mental Health and nonprofit provider of community focused mental health care and substance use. services in Colorado experienced the burglary at its independence corner facility in wheat Ridge on November 29. burglary was discovered in December 2 2019. And a breaking was reported to law enforcement no paperwork containing patient permission was taken by the perpetrators, but it’s possible that the personal and treatment information of 1319 patients was viewed by the thieves and you know, you can take pictures. And then the last thing we’re going to talk about today is there was some more numbers released for 2019 healthcare data breach report. There was an increase of 37 point 47%. of records breached between from 2019 over 2018 increasing from 13,946 I’m sorry 13,947,909 Records in 2019 to 41,335,889 in 2019, the number of healthcare breaches of 500 or more records worst year on record 510. Easily outdoors every other year. 2018 was 371 and it’s been a steady incline since 2015. What other numbers we have here? The largest data, healthcare data breaches of 2019 the largest one being What is this? 11,500,000 that was optim 316. That was the one with quest labs. second biggest one. So we got here 10,251,784 laboratory Corporation of America holdings that was labcorp. And that was so that was was the first one optimum optimum 360 was there a business associate? Second one is a health care provider that was both of those were hacking, third one, Dominion dental services, Inc, Dominion National Insurance, which is a health plan that was 2,964,000. So just short of 3 million and I was also hacking clinical pathology labs, another lab healthcare provider. That was 1,733,836. That was unauthorized access and disclosures. Immediate health. A meet immediate, immediate, immediate, immediate data. I’m not sure how to set it immediate Health Group Corp, which is a health care Clearinghouse. 1,565,338 also unauthorized access and disclosure. UW Madison health care provider 970 973,024 hacking, women’s care Florida healthcare provider 528,188 hacking, care centric healthcare provider 467,621 hacking, intramural practice plan, Medical Sciences Campus University of Puerto Rico healthcare provider 439,753 hacking bio reference labs health care provider for under 25,749 hacking, and then for that one who doesn’t say network server the previous nine were network service This is other and then so that’s the top 10 there’s it goes up to the top 20 and the majority of them were network servers. There’s a few emails sprinkled in there. But let’s talk about this organizations affected by the 2019 MCA data breach that was the biggest one, the optimum 360 right optim I keep saying optimum its optimum. So you have quest diagnostics labcorp clinical pathology, care centrex bio reference labs merican esoteric labs sunrise medical labs inform diagnostic CBO labs Laboratory Medicine console Wisconsin diagnostics campina clinical Austin pathology Mount Sinai Hospital integrated regional labs pedo Penobscot Community Health Center pathology solutions West Hills hospital and Medical Center. seacoast pathology Arizona dermatology derma pathology laboratory of Dermatology at x, Western pathology consultants natira and South Texas derma. pathology LLC. The HHS Office of Civil Rights assigns breaches to one of the five different categories hacking it incidents unauthorized access, disclosure, stuff, loss and proper disposal. Improper disposal with six loss 15 theft 39 unauthorized access disclosure 147 and hacking it incident 303 that is that means we’re not doing enough Protect the data and the data breach locations, other portable electronic device 15 laptop 24 desktop 34 electronic medical records 39 other 52 paper films 61 network servers 132 in the clear winner here, Email 214. That means there is a lack of fishing mitigation going on states forced affected in order just to the top 10. Here, Texas, California, Illinois, New York, Ohio, Minnesota, Florida, Pennsylvania, Missouri and Michigan. And then we’ve already talked about the HIPAA enforcement so I’m not going to go through that again. There was 10 HIPAA enforcement’s last year, ranging anywhere from 10,000 I believe was the smallest all the way up to I believe 3 million was the biggest this year, or 2019. I believe. So That’s all on HIPAA journal. com you can go read it there. That’s a lot of records exposed this year. That is going to do it for the product of it podcast for this week. Episode 17 is all done. We hope we’ve provided you with tons of information and go about your day, your busy week and your technology and compliance life. Until next week, stay secure

Transcribed by https://otter.aiti

Transcri

Scott Gombar

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply