This is the ProactiveIT Podcast. This Week: The latest in IT and Cyber Security news plus The DoD hacked? A new data breach protection bill proposed and the January HIPAA breach report.
This is Episode 18!
Hi Everyone and welcome to the Proactive IT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and identity.
This podcast is brought to you by Nwaj Tech – a client-focused & security-minded IT Consultant located in Central Connecticut. You can find us at nwajtech.com.
Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?
Also, go join the Get HIPAA Compliance Facebook Group. Search for Get HIPAA Compliance.
QOTW: If PHI is accessible only from within the EHR software, and users have unique logins to the EHR software, would you consider that sufficient?
Is it OK to allow shared logins on the practice’s computers if the employees all have unique logins to the EHR?
Patch Tuesday Update:
Google Chrome 80.0.3987.87
Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation
Microsoft’s February 2020 Patch Tuesday Fixes 99 Flaws, IE 0day
Firefox 73.0.1 Released With Fixes for Linux, Windows Crashes
Cyber Security News
This is the ProactiveIT Podcast. This week: the latest in IT and cybersecurity news, plus the DoD hacked, a new data breach protection bill proposed, and the January HIPAA breach report. This is Episode 18.
Hi, everyone, welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real-world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client-focused and security-minded consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J tech.com.
Welcome to Episode 18. Before we jump into things, I want to ask that if you are listening to this, thank you first of all, but if you could just go over to wherever you’re listening, if it’s on Apple, Google, Stitcher, wherever you listen to this, just review, like us, share it out, whatever the platform allows you to do. Spread the word, because we really appreciate it. Also, if you are in a HIPAA compliant business, meaning you’re a business associate or a covered entity, hop on over to Facebook, type in Get HIPAA Compliance in the search, and join our group. I shouldn’t say like, join our group. And in this way, you get all the latest HIPAA news that we share out, and the podcast and everything else in the group. Also some education, as we do on this podcast, HIPAA education.
Right before jumping into Patch Tuesday, I do have a question this week. If PHI is accessible only from within the EHR software and users have unique logins to the EHR software, would you consider that sufficient? So what they’re asking is, can they use a shared login to the desktops around the office, and is that sufficient protection? The answer to that is no. And there are multiple reasons. One is you need to isolate PHI as much as possible.
So that means unique logins. So if you did have a shared login, let’s say, and somebody’s logged into a workstation, and they’re logged into the EHR software, and then they didn’t log out for whatever reason, well, now that person is exposed because everybody in the office knows the password to that desktop, to that login. That’s number one. Number two, you should have multi-factor authentication on the EHR. Hopefully they all allow it at this point. And number three, you should have privacy screens on the desktops around the office, no matter where they are in the office, because you don’t want to expose anything that shouldn’t be exposed. There are lots of ways that could go wrong. Using the same login across all desktops can be a disaster in more ways than one. So hopefully that answers the question.
Let’s jump into Patch Tuesday here. So we reported that Patch Tuesday last week, Microsoft’s February 2020 rollout, included 99 flaws, a few critical. There have been some reports of issues with Microsoft update, and so Microsoft has actually removed one of the KBs, and I think there was an issue with a second one. So if you have some issues after the updates, one of the issues I know was brand new login, everything was missing. Your data, screen, everything on the screen was missing, icons were missing. It was almost like a new profile on the computer. That was one of the issues. The other issue, I believe, was it couldn’t boot up or rebooted or something like that. There are some fixes, and one of the KBs was removed. So Google Chrome was updated last week. A critical Cisco CDPwn flaw was fixed last week that broke network segmentation. We had Microsoft Office roll out last week, or I started, Office rolled out the week before. Firefox was updated this week. That was updated to 73.0.1, released with fixes for Linux and Windows crashes. Cisco did release some more security updates.
I believe just yesterday or the day before Adobe released updates for After Effects and Media Encoder and VMware released security updates for vRealize Operations for Horizon Adapter. So those all came out this week, including Firefox. So if you are using any of those, get those addressed immediately. That is the update section of our show.
Let’s jump into the news. Some good, some bad, some ugly, some not so ugly. First up, reported on ZDNet: Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world. So as we know, there have been some VPN servers, or VPN clients, that have been found to have vulnerabilities in the last few weeks and months: Pulse Secure, Fortinet, Palo Alto, Citrix VPNs. Well, the Iranian hacker groups have been targeting these VPNs. If you haven’t patched already, they’re still targeting you. If you did patch, you may want to check that they didn’t already get in and have now set up a backdoor. So 2019 will be remembered as the year when major security bugs were disclosed in a large number of enterprise VPN servers, such as those sold by Pulse Secure, Palo Alto Networks, Fortinet, and Citrix. This was published on the 16th. A new report published today reveals that Iran’s government-backed hacking units made it a top priority last year to exploit VPN bugs as soon as they became public in order to infiltrate and plant backdoors in companies all over the world. As you can imagine, the US is probably a big target. According to a report from Israeli cybersecurity firm ClearSky, Iranian hackers have targeted companies from the IT, telecommunications, oil and gas, aviation, government and security sectors. Some attacks happened hours after public disclosure. The report comes to dispel the notion that Iranian hackers are not sophisticated and less talented than their Russian, Chinese or North Korean counterparts.
ClearSky says the Iranian APT groups have developed good technical offensive capabilities and are able to exploit one-day vulnerabilities in relatively short periods of time. In some instances, ClearSky says it observed Iranian groups exploiting VPN flaws within hours after the bugs had been publicly disclosed. APT stands for advanced persistent threat and is a term often used to describe nation-state hacking units. ClearSky says that in 2018, Iranian hackers were quick to weaponize vulnerabilities disclosed in the Pulse Secure Connect VPN, the Fortinet FortiOS VPN and Palo Alto Networks GlobalProtect. Attacks against these systems began last summer when details about the bugs were made public, but they also continued in 2020. Furthermore, as details about VPN flaws are made public, Iranian groups also included these exploits in their attacks. So that is not good news, especially if you have still not updated your VPN. Even if you did update it, you’ll want to make sure that you scan the network for any other vulnerabilities, any other anomalies, because that is a problem.
that is the ones that I was talking about sleeping computer plastic surgery patient photos info exposed by leaky database because as your health brand slider is not I thought I’d share it on hundreds of thousands of come shared and the girl health and clear there was actually similar issue was a burglary and I’ll get to that in a second. Why is why is finally having hundreds of thousands of plastic surgery patients don’t pay for personal information is highly sensitive photos were exposed online by improperly secured Amazon’s AWS as time documents so here we go again let’s do one file properly social data first motion is Friday gnostic surgeon stategy teaches me Services compared helping 170 plastic clinics 35 countries and a documented procedure size limit on how many market their practice each is a comfortable shoes. 
And now be sure your patients simplify your data, mental health care and substance use services in Colorado based on its internet is cloud allows you to store your data wherever you are, it was the second essence all your data 2019 and a brick house was long as it was holding the patient’s permission was to read author I try to avoid it’s possible to force a song permission of 1000 patients was research by the thieves as the French Health Authority trust in our case a DB AWS who was certified in an elastic So talk about so there was some sort I was exposed to health data breach reporting pH I was exposed but it was Amazon’s is certified and authorized w in this scenario and it reaches they have to correct between say curtain placed up to the increase of visual whose settings are turned on hundred 47,000 will tell you that so we’ll go 2019 as your GP 335,808 is not Amazon’s fault as it is the number of Healthcare’s is 500 or more record, not know what they were doing here or somebody understood 10 The other thing is now this isn’t the same as a ransom attack that occurred in Florida. 2018 was 371 additional direction line since 2000. Practice they were the largest lot healthcare. Largest watches and information they found was actually called the ransom that was 61 with quest. So this reason why you want to make sure that these things are secure because now you’re looking at doing it over 1780 Or laboratory Corporation America lions that was lobby 14 to the world and that was the first one data breach 60 was a lot of issues here. And this is somebody that was both of those were hacked and it’s on by default one which is great dental services Inc to media in the bucket National Insurance made public which is a turn at 64. By default, it is secure. And I was also not allow the pathology lab see another lab healthcare provider. 
So moving along with 700 pure computer windows 10 X to future faster 32 apps supports windows 10 x is a new media overhaul of Windows 10 design for dual comedia dual screen devices, such as Microsoft Surface Neo Microsoft 10. x arriving later this year, but we’ve already gotten a closer look at the new OS thanks to Microsoft emulator and Microsoft they’re doing much more windows 10 access and disclosing what’s under the hood and how it will run when you go to As soon as I heard it 73,024 most mulcair apps to the app cell towers 180 Windows updates to get faster. Ready for drivers and apps which allows windows 10 update practice, traditional version of Windows 10 is University of Microsoft 365. Windows 10 office three if you continually improved updates to Microsoft Windows, Linux can install it in less than a second at nine hack and it requires only one readout windows doesn’t just download the files online. partition and then on the device with the files up to the data’s morning or another partition and majority of them we know we are a system update sprinkled during the reboot which allows us to install it let’s talk about our transitions affected by the basic windows Linux. That was drivers and it uses virtual machine like container. Right. So there, I keep saying containers. So yeah, quest diagnostics lab calm theatre has its own pathology drivers writers, always from American esoteric labs sunrising warm tools, diagnostics TBL labs but laboratory was because of dad is hot sauce always good. 
also going to panel making so that you can be health apologist hospital and medical school and not have to install all the seacoast pathology Arizona dermatology computer reports, college courses to FA cameras from masters of theological is one or two ago during that there were a number of incidents where ring cameras were compromised in the HHS Office or whatever where one of the five different carriers trying to talk to each other in Washington always access disclosure who whatever produce various activities they proper disposal think those last 15 on that are turned off. The reason all those compromise closer was done and hacking on its owners. The cameras were not using good strong passwords, passwords that were not used enough. And so they were compromised. And and now there’s interest rates if tax rates are not for us top four for electronic medical restaurants. Okay, so today’s numbers and letters to numbers, servers 102. In the clear warrior characters, the better now 14 Now that means there is Amazon is forcing users to use tuition which is good, good stuff. Awesome. You needed to have states with worse not happening. enabler not enabling it. Texas, California, Illinois, New York, Ohio, Minnesota, Florida. cyberware. And then we’re actually going to and again, that was that’s, that’s another hot topic, anywhere. 10,000 seediness exclusive details of 10.6 million MGM hotel guests posted on hacking forum. MGM resorts said security incident took place last summer and notified impacting the guests last year. So so that you could go read it there were they were had a lot of records expose expose 10.6 million users going down to it fortunately for active it podcasts out notification to the 10.6 million people and hope we’ve provided is actually almost 10 points, tons of information a gold 3180 or a hotel guests clients life. Next week, stay secure. I don’t know. I don’t remember seeing this last year. So I don’t know if if it was reported to the media last year. 
It’s hard to believe that if 10.7 million people were impacted, and it wasn’t reported, but it did happen, and now that data is on a hacking forum. So now all of that data has been dumped and was shared to the world. So included in the leaked files are personal details such as full names, home addresses, phone numbers, emails and dates of birth. ZDNet reached out to, and this includes normal guests, you know, the general public, but it also includes celebrities, tech CEOs, reporters, government officials and employees of some of the world’s largest tech companies. So what we’ll see from this is SIM swapping and spear phishing. So that information will now get used because now it’s available to the world, and you’ll start to see SIM swapping and spear phishing. So if you’re not aware, SIM swapping is not really swapping, you’re actually cloning a SIM, and then spear phishing is targeted phishing. So we’re now saying I have, as an example, Mark Zuckerberg’s email address and phone number and I’m going to target him with phishing.
All right, and also on ZDNet, and DoD, this was reported just this morning, as I’m recording this, just a few hours ago: DoD, Department of Defense, DISA, which is Defense Information Systems Agency, discloses data breach. The Defense Information Systems Agency handles IT and telecommunications support for the White House and military troops. The Defense Information Systems Agency, a Department of Defense agency tasked with providing secure telecommunications and IT support for the White House, US diplomats and military troops, has disclosed a data breach. According to breach notification letters sent to employees last week, the security incident took place between May and July of 2019 when a DISA system may have been compromised. DISA says that employee personal information, including social security numbers, was exposed during this timeframe but did not say how many were impacted.
The agency did not provide any other details about the breach. However, it did add that it had no evidence to suggest any employee’s personal data was misused prior to sending a notification letter. And there is actually a tweet from someone with the notification letter, so you can read the notification letter. A little generic, and I saw an example of one this week from a local Connecticut company. I don’t know if it’s been made public yet, but I do know that some of their clients received an email saying that they were compromised, but very little detail. So very generic. So once that becomes public, I will probably share it. DISA employs around 1000 military and civilian employees, according to Reuters, which first spotted the notification letter earlier today. The agency, in accordance with US law, has now offered free credit monitoring to all impacted. This is the second data breach the DoD has disclosed in the last two years. In October 2018, more than 30,000 DoD military and civilian personnel had their personal payment card details exposed via a security breach at a third-party contractor. So this is the Department of Defense. These are the people that are supposed to be ahead of the game with security, and so if they’re vulnerable, everybody’s vulnerable. That means you need to up your game. You know, it’s more about mitigating the risks, so reducing the risk as much as possible, because there’s always a risk. Instead of 100% risk, let’s make it a 10% risk. I’m just throwing numbers out there, but you get the idea. Let’s reduce the risk as much as possible, and then also make the recovery as easy as possible.
Alright, that’s the news. We’re going to move on to our hot topics for the week. Alright, it’s time to get thrown into the fire. Not really going into the fire, but we have some hot topics I wanted to go over and maybe get your feedback, but let’s start with this that I found on westfaironline.com.
This was reported last year in August, but it’s important to illustrate this because of conversations I’ve had this week alone about, you know, how much money am I going to make if my IT is better off? So if an IT vendor comes in and improves all my computers and, you know, improves all my processes for technology and secures it, and if there’s compliance involved, we’re more compliant now, how much money is that going to make me? Well, the answer is it’s probably not going to improve your revenue, but it will deter the possibility of this happening. And so: IBM, average data breach costs US companies $8.19 million. IBM, the Armonk-headquartered pioneer in information technology, has issued a report examining the financial impact of what are among the hazards most feared by businesses that rely on modern computer systems, that is, data breaches. The 2019 report on the cost of data breaches was sponsored by IBM Security and researched by the Ponemon Institute in Traverse City, Michigan. Ponemon reached out to 507 companies around the world that sustained data breaches between July 2018 and April 2019, and conducted 3,211 separate interviews. Data breaches ranged from a low of 2000 compromised records to slightly more than 100,000 records. And now, so we know there are data breaches larger than that. Numerous factors were examined, such as legal, regulatory and technical costs, loss of brand equity, which I’ve stated multiple times. It’s not just about recovery and technical upgrades. It’s also, you’re going to lose some of your brand equity. Customer turnover, you’ll lose some of that too, and the drain on employee productivity. The study examined both accidental breaches and deliberate actions such as hacking. The report found that the average data breach involved 25,575 computer records.
It found on average it took a company 279 days to realize that its data had been hacked or otherwise compromised and take action dealing with the breach. Each affected computer record costs companies an average of $150 according to the report, so if you have 100,000 records, you’re now looking at $15 million. The US had the highest average cost of a data breach per company at $8.19 million, compared with average worldwide costs per company of $3.92 million. The healthcare industry had the highest cost of all industries studied at $6.45 million per data breach, about 60% higher than the average of the other industries. 17 industries were examined, such as transportation, communication, pharmaceuticals and hospitality. When IBM began reporting on the cost of data breaches in 2006, so 13 years ago, the average impact on US business was $3.5 million. So it has more than doubled since then. The report said the cost figures of data breaches that were studied do not apply to catastrophic mega data breaches, such as those which affect major collectors of data such as Equifax or Facebook. So Equifax was back in 2017, and Facebook has had a few incidents. So the study found that small and midsize businesses suffered the worst financial consequences from data breaches when viewed in the context of their financial situations. The average loss for companies with fewer than 500 employees was $2.5 million per breach, quite significant in view of the study categorizing these businesses as having annual revenues of less than 15 million. This is the 14th year that IBM has issued the report, and for the first time it examines the longer-term impacts of a data breach. While on average 67% of data breach costs were handled in the first year after the breach, 22% accrued in the second year, with another 11% accumulating more than two years after the breach took place. So it’s an ongoing expense.
Malicious attacks such as hacking via the internet cost companies an average of $4.45 million, which was an average of $1 million more than the cost of data breaches resulting from system problems or human error. These inadvertent breaches were responsible for about 49% of the losses. Having automated security technologies in place was a cost saver according to the report, with the average cost of a breach being cut to about $2.65 million. If a company made extensive use of encryption, the total cost of a data breach was cut by about $360,000. So these are, you know, automated security, encryption, extensive use of encryption, these are all things that cut the cost of a data breach if it happens. It also reduces the chance that you are breached. The report said that an organization’s ability to respond effectively after a data breach is strengthened by the presence of an incident response team that follows a plan. Cost savings are produced when there has been extensive testing with the IR plan. Organizations conducting extensive testing of an IR plan had breach costs that were $1.23 million less than costs faced by other organizations. So now, having a plan reduces your costs. The 2019 report showed that a business is 31% more likely to experience a data breach today than it would have been in 2014. Back then, an organization had a 22.6% chance of experiencing a data breach within a two-year period. In 2018, that increased to a 27.9% chance. That means you have more than a 25% chance. So let’s put that in perspective. If you had almost 20% chance of winning the lotto, would you play it? I would. And so that means you’re playing with fire if you’re not doing your part in trying to mitigate the risk.
cyberware: US Senator proposes new data protection bill. So I shared this on a daily podcast that I do. Then a peer of mine sent it to me in an email and said you should share this out over LinkedIn. And so I did at her request.
And it really is important to have these conversations. Whether this bill comes to fruition or not, I don’t know. Whether it comes to be as it is at the moment, I don’t know. But it’s important to have these conversations not just in the government, but in IT, in business, because data breaches are reaching astronomical numbers. And I don’t know that privacy exists anymore. That’s the scary thing. So the senator, this is Senator Gillibrand. I’m looking for, Kirsten Gillibrand, or Gillibrand. I’m not sure how to say her last name, if it’s Gillibrand or Gillibrand. She’s a US senator from New York. She argues that the FTC Act does not address data protection challenges, which I would agree. The law, if passed, would apply to any company with revenues over 25 million or which manages the personal data of 50,000 or more people. I would argue we need to lower those numbers. To be honest with you, we need to hold this accountable because, as I discussed in the daily podcast this morning, not all businesses, but some business owners don’t put a value to client data. So that is, if you’re a client of a business and so they have your information, your name, email address, physical address, your birthdate, your social security number, your driver’s license number, your credit card information, those things. Some business owners do not think that that has any dollar amount attached to it, that it doesn’t have any value to them. And so if they were to be compromised, and that information is stolen, to them, it’s like, okay. So despite the fact that they will probably be fined and, you know, they’ll take a reputation hit and all of these things, they’re not concerned with it. And so I actually spoke to a business owner who feels this way and he did not really care to do anything with it, even though there were some glaring holes in his IT security. He did not really care to do anything with it, because it wasn’t going to make them any money.
And that is how some business owners operate. The US Senator from New York announced draft legislation known as the Data Protection Act to establish an independent Data Protection Agency in the country. Kirsten Gillibrand, the US Senator for New York, released the draft legislation last week. According to Gillibrand, the US lags behind in addressing data protection challenges and many other challenges of the digital age. The US also doesn’t have a single dedicated body for enforcing data privacy rules. “My legislation would establish an independent federal agency, the Data Protection Agency, that would serve as a referee to define, arbitrate, and enforce rules to defend the protection of our personal data,” wrote Gillibrand in the Medium blog that she posted before announcing the Data Protection Act.
So, alleged flaws in the FTC Act. As the senator argued, the FTC can’t issue fines for privacy violations immediately in case of a privacy violation. Instead, a consent decree, where the violator has to agree that it won’t violate rules again, is issued to the defaulter, and then a fine is imposed when a company violates that decree. So it’s sort of like HIPAA. The HIPAA OCR will come in and say, here’s what you need to fix. If you fix it, great. If you don’t mind, we’ll be back. This was the reason behind Facebook being fined $5 billion after eight years for privacy infractions in 2011. The senator argues that the FTC is not focused on privacy issues, hence the need for a federal data protection agency dedicated to the task with three core missions. And so here are the three core missions. The first would give Americans control over their own data by enforcing data protection rules. Authorities would be able to not just conduct investigations and share findings but impose civil penalties. The second mission would aim at promoting privacy innovations, including technologies that minimize the collection of personal data or eliminate it altogether.
And finally, the third mission would be to prepare the American government for the digital age through advising on emerging privacy issues and representing the US at international privacy forums. The law, if passed, would apply to any company with revenues over $25 million, or which manages the personal data of 50,000 or more. A noteworthy clause in the bill states that an organization deriving half of its revenue from the sale of personal data is covered under this law. This clause means many of the large social media or search platforms that collect user data and use it internally to target ads for its clients. So, I mean, I would think that they would fall into that anyway, but that’s interesting. Maybe they’re taking shots at Google, Facebook and Twitter and things like that. So, again, I think there may be some things here that need to change. I think $25 million is too high of a threshold, and 50,000 or more people I think is also too high of a threshold. I think it needs to change a little bit, but I think this is a start. The conversation has started and it needs to continue.
And we have the January 2020 healthcare data breach report roundup. Good news, we are down from the previous month. In January, healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services Office for Civil Rights at a rate of more than one per day. As our 2019 healthcare data breach report showed, 2019 was a particularly bad year for healthcare data breaches, with 510 data breaches reported by HIPAA covered entities and their business associates. That equates to a rate of 42.5 breaches per month. January’s figures were an improvement, with a reporting rate of 1.03 breaches per day. That was also a 15.78% decrease in reported breaches compared to December of 2019. So that is good news, however. And I don’t see here the comparison to January of last year, but February of last year was 32.
Since January of this year is 33. So we’ll have to wait and see if the numbers... Well, here we go. Okay, so January of last year had 35 and this year was 32. So January of last year was the worst January on record since 2015. While the number of breaches was down, the number of breached records increased by 17.71% month over month. 462,856 healthcare records were exposed or impermissibly disclosed across 32 reported data breaches. As the graph shows, so there is a graph here, the severity of data breaches has increased in recent years. So in 2019, there were 577,511 records breached in January. And this January was 462, which is actually less than 2018 even, but it’s still significantly higher than before 2018.
And the largest healthcare data breaches in January 2020. We have PIH Health, which was hacking/IT incident, email. You know what, I’ll just tell you which ones were not email, because most of them are email. Douglas County Hospital, d/b/a Alomere Health, 49,351, and InterMed, PA, 33,000. Fondren Orthopedic Group, LLP, 30,049. That was a network server that was hacked. Native American Rehabilitation Association of the Northwest, Inc. was 25,187. Central Kansas City Orthopedic Group LLC, 17,214. That was also a network server that was hacked. Hospital Sisters Health System, 16,167. Spectrum Healthcare Partners, 11,308. Original Medicare, I’m not sure what that is, but it says health plan. That was other, unauthorized access and disclosure. But it says other, so not sure what other is. I don’t remember seeing that on the daily show. Lawrenceville Internal Medicine Association, LLC, 8031. So of the top 10 reported, seven of them were email. This is a big problem. January 2020 healthcare data breaches, causes of breaches: two were theft, two were improper disposal, nine unauthorized access or disclosure, and 19 hacking/IT incident. And breach type.
Number of records exposed: so 416,275 records were hacking, 26,450 unauthorized access or disclosure, 20 812 improper disposal and 11,284 with theft. And then location of the breached data: 16 overall, 16 of them email, 18 paper/films, five other, five network server, two network, two electronic medical records and one desktop computer. Two were business associates this year, or this month, January, five of them were health plans and 25 were covered entities. So that’s the roundup for January. Numbers slightly better than January of last year and slightly better than December. But I think it’s just the tip of the iceberg. I think, you know, I think this year will be worse than last year.

That is going to do it for our hot topics of the day. Let’s move on.

All right, we’re going to talk about another settlement from last year. This time: OCR secures $2.175 million HIPAA settlement after hospitals fail to properly notify HHS of breach of unsecured protected health information. So this is Sentara Hospitals, which we’ve talked about before, but we haven’t really gone through the actual settlement in detail, and I think it’s going to help you understand why the security breach report rules are in place, and why you can’t ignore them. So let’s jump in.

So here’s the press release from the OCR. OCR secures $2.175 million HIPAA settlement after hospitals failed to properly notify HHS of a breach of unsecured protected health information. In an agreement with the Office of Civil Rights at the US Department of Health and Human Services, Sentara Hospitals have agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act breach notification and privacy rules. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017 (notice it took a little over two years to come to the settlement, by the way), in April 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information. One complaint is all it took. OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names. So I want everybody to pay attention to the numbers here. So one complaint, 577 patients, not a lot by any stretch of the imagination. Right. PHI to wrong addresses that included patient names, account numbers and dates of service. Sentara reported this incident as a breach affecting eight individuals because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred. Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by the OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

So Sentara Healthcare is likely a subsidiary of Sentara, so they probably felt, well, it’s the same company, I don’t need this business associate agreement. But they are wrong. So one complaint, 577 total patients impacted, and eight individuals that Sentara believed were impacted. Sentara insisted that they were right and as a result now have this large $2.175 million settlement, and they have a CAP, the corrective action plan.

“HIPAA compliance depends on accurate and timely self reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR director. “When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
So that’s a pretty strong statement there. And that means if you don’t do what you’re supposed to do when you are breached, and I can promise you, there are healthcare providers and other businesses out there that don’t report when they shouldn’t be. If you don’t do your part, you’re looking at big money. Now Sentara Hospitals is 12 hospitals, more than 300 sites, and $2.175 million is probably a drop in a bucket. And I would imagine the CAP probably cost more than that. In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan that we’re going to review now is linked to the press report.

And so here it is, the resolution agreement. Just going to skim to the important parts here. On April 17 2017, a Privacy Rule complaint was filed with HHS against Sentara Hospitals. The complaint alleges that Sentara Hospitals sent a bill to the complainant with another patient’s protected health information enclosed. Investigation revealed that the billing statements of 577 patients were merged with 16,342 different guarantors’ mailing labels, resulting in disclosure of PHI of 577 individuals. Again, not a big number. Remember, the reporting threshold is 500. So it’s not a big number, and it’s only one complaint. But because they stood their ground and said, No, we’re right and you’re wrong, now they’re on the hook for $2.175 million and a two year corrective action plan. After conducting a risk assessment, Sentara Hospitals notified HHS of the breach of PHI affecting eight other individuals. Further, the investigation revealed that Sentara Hospital provides services involving the receipt, maintenance and disclosure of PHI for its member covered entities, but Sentara Hospitals did not enter into any business associate agreements with their business associate until October 17 2018, so a year and a half after this breach.
Sentara Hospitals allowed their parent corporation and business associate, Sentara Healthcare, to create, receive, maintain or transmit PHI on their behalf and to provide services involving disclosure of PHI without obtaining satisfactory assurances, and Sentara Hospitals failed to notify the Secretary of a breach of unsecured PHI. Not that they failed. That’s what it says here, not a defeat, but they failed to notify the correct amount. HHS has agreed to accept, and Sentara Hospitals have agreed to pay HHS, the amount of $2.175 million. Sentara Hospitals agree to pay the resolution amount on the effective date of this agreement as defined in paragraph II.14 by Automated Clearing House transaction pursuant to written instructions to be provided by HHS. Sounds like an opportunity for BC. But anyway, the corrective action plan: Sentara Hospitals have entered into and agree to comply with the corrective action plan attached to Appendix B, which is incorporated into this agreement by reference. It is a two year corrective action plan, as I reported earlier.

So here’s the following, the covered entities designated as part of the Sentara affiliated covered entity, collectively referred to herein as Sentara Hospitals. So you have Sentara Norfolk General Hospital, Sentara Leigh Hospital, Sentara CarePlex Hospital, Sentara Williamsburg Regional Medical Center, Sentara Virginia Beach General Hospital, Sentara Obici Hospital, Sentara Northern Virginia Medical Center, Sentara Martha Jefferson Hospital, Sentara RMH Medical Center, Sentara Princess Anne Hospital. Have been one of those hospitals could afford $2.175 million. So I would imagine this is a drop in the bucket for them. I think the corrective action plan will probably cost them more. So, you know, it really shows us two things. It shows us one, that if the OCR says, No, you’re wrong, this is what it really is, just listen. Just listen. You’re not right.
And it shows that you cannot improperly notify HHS. You can’t say it’s eight when it’s 577. If they tell you it’s 577, it is what it is. And you need to deal with it the way you’re supposed to deal with it. But it also shows that it doesn’t matter what the size of the, where the complaint comes from, or how it started, how it became noted by the HHS, by OCR, that there’s an issue. Because it took one person to make a complaint, and it seems minor, or I got the wrong information in the mail and in the bill. A lot of people would just rip it up and throw it away. But it’s not minor. It’s one complaint to the HHS and as a result, you now have to pay $2.175 million and deal with the OCR for two years. And OCR, the way they do things is they’ll say you need to accomplish this in 30 days, and this is your 60 day milestone, and this is your 120 day milestone. So you’re going to be under their thumb for two years, and 10 hospitals, it’s probably pretty expensive to do that. So that is our HIPAA education piece for the week. We’re going to move on to the breach report. We have a lot to report today. More popped up this morning.

All right, the HIPAA breach report. Let’s get started, lots of stuff here.

Criminal HIPAA violation case sees healthcare worker charged on 415 counts. A former employee of ACM Global Labs, part of Rochester Regional Health, has been accused of accessing the medical records of a patient without authorization on hundreds of occasions in an attempt to find information that could be used in a child custody battle. A criminal investigation was launched into the alleged HIPAA violations by just a mere 4041 of him in New York, when it was suspected that she had been abusing her access rights to patient information for malicious purposes.
Christina pIace was previously in a relationship with Meyer’s half brother and has been in a lengthy child custody battle in court. Chachi (or, I’m not sure we’re saying that, see Ochio) heard about a historic visit by her own brother to the emergency room at Rochester Regional Health when she herself was unaware of the visit. Suspecting snooping on her family’s medical records, Chachi reported the matter to Rochester Regional Health. According to court documents, the Rochester Regional Health audit revealed Meyer had accessed private medical records of Chachi on more than 200 occasions between March 2017 and August 2019, without any legitimate work purpose for doing so. It was also confirmed that Meyer had accessed medical records of members of Chachi’s family. Chachi reported the criminal HIPAA violations to the police and an investigation was launched. Meyer was arraigned in Gates Town Court on Tuesday, February 11 2019, on 215 felony counts of computer trespass and 215 counts of misdemeanor unauthorized use of a computer. Meyer pleaded not guilty to all counts and the case is expected to go before a grand jury.

“If you go into somebody’s medical records, you deserve to be charged, you deserve to be held accountable,” Chachi told News10NBC. Chachi also believes Rochester Regional Health should be held accountable, not for the breach itself but for the failure to identify an ongoing privacy violation that’s been more than two years. Unauthorized medical record access was only discovered after Chachi reported the potential privacy violation to Rochester Regional Health. “I feel like Rochester Regional pay her all year to go in my medical records,” said Chachi. Upon discovery of the unauthorized access, Rochester Regional Health took disciplinary action against Meyer. HIPAA requires healthcare organizations to implement safeguards to ensure the confidentiality, integrity and availability of patient information.
Even if access controls and other measures are implemented, it’s not possible to prevent all cases of improper accessing of medical records by employees. However, when instances occur, they should be identified quickly. HIPAA requires audit logs to be maintained to track access to protected health information. Those logs allow audits to take place, as was the case when the matter was brought to the attention of Rochester Regional Health by Chachi. HIPAA also requires audit logs to be regularly checked to identify unauthorized accessing of PHI. Had audit logs been monitored more closely, the privacy violation could have been identified and sanctions could have been applied against Meyer sooner.

So that’s where Rochester Regional Health is going to take a hit, because they were not monitoring their logs, apparently. They should have been monitoring those and they would have caught it before it was identified by the victim herself.

We have the 2020 Protenus Breach Barometer report, which reveals a 49% increase in healthcare hacking incidents. So 49%, this is from over 2018. So 2019 over 2018. And they expect that number to actually go up even more because there are some that still haven’t identified the number of records, and so forth. And we still have a week left in reporting for 2019. Even though this report does say that it took an average of 80 days, I think it said 80 days, to report when you’re supposed to report in 60 days. So the average was 80 days. There was a 174.5% increase in the number of breached records from 2018 to 2019. There were 41.4 million total records breached, but that number is expected to go up too. The number of breaches over 500 was 572. And what other information can I tell you from this? So it’s really not good information, it’s gone up and I expect it to go up again this year. So the 80 days is a little bit higher than the previous year of 73 days.
And the one good thing that came out of last year is the average time to discover a breach went from 255 days in 2018 to 225 days in 2019. So that’s a little bit of an improvement. Still not great. That’s still, you know, two thirds of a year that somebody’s sitting on your records and you’re not even aware of it.

PHI of 109,000 patients potentially compromised in Washington phishing attack. Bellevue, Washington based Overlake Medical Center and Clinics is notifying 109,000 patients that some of their personal and protected health information was potentially compromised as a result of a December 2019 phishing attack. The phishing attack was detected on December 9 2018, and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6 2019, and access remained possible until December 9, when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours. So this illustrates the fact that there’s no MFA. If multiple accounts are compromised, that’s definitely no MFA. Even if one, it’s probably no MFA, but multiple would definitely. And there’s no education, because where multiple employees are being compromised, then they have not been educated.

Vibrant Care Rehab phishing attack impacts 1,655 patients. The California physical therapy provider Vibrant Care Rehab has discovered an employee email account has been compromised following a response to a phishing email. Unusual activity was detected in an email account and third party computer specialists were called in to investigate the potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20 and August 27 of 2019. So not sure why it took six months to report.
And then it goes on to say painstaking analysis of the email account revealed it contained the protected health information of 1,655 patients. They also note that no data access or data theft was found and no reports have been received to suggest patient information had been misused. Generic stuff. When they say those things, I will say that a lot of times this information doesn’t get used right away. Most of the time, it doesn’t.

So we have My Eye Doctor, which is based in Colorado, which had two different HIPAA breaches to report. The first was 1,475 Colorado residents that had their information potentially compromised due to a ransomware attack. Certain My Eye Doctor systems were accessed by the attacker on December 11 2019 and ransomware was downloaded and deployed. Steps were immediately taken by My Eye Doctor to prevent further unauthorized access and restore all affected records. The ransom was not paid, which is good. While it was possible to restore the majority of the encrypted data, some files could not be recovered and remain encrypted. A third party computer forensics firm was engaged to investigate the attack and determine whether any data had been stolen prior to the file encryption. The forensics firm found no evidence to suggest that it had been exfiltrated. The attack is believed to have only involved file encryption with a view to extorting money from My Eye Doctor. So all in all, they did pretty good. They reported just over 60 days. They were able to restore most of the data pretty quickly. They didn’t pay the ransom and it doesn’t look like there was any theft of the data, though you can never be sure. So good job there.

With that being said, let’s move on to the second one. Improper disposal incident affects 7,983 patients of Today’s Vision Willowbrook. My Eye Doctor has announced a separate incident that resulted in exposure of protected health information.
7,983 patients of Today’s Vision Willowbrook, which was acquired by Capital Vision Services DBA My Eye Doctor in February 2019. On or around May 21 2019, My Eye Doctor discovered historic records of Today’s Vision Willowbrook patients had been disposed of in an improper manner. The records had been discarded in a dumpster near Tomball, Texas instead of being securely destroyed. The records contained information such as names, addresses, dates of birth, social security numbers, clinical information and billing information, and related to patients who visited Today’s Vision Willowbrook between 1997 and 2003. The incorrect disposal was reported by the media. Local law enforcement officers visited and collected the records. My Eye Doctor said, based on the production of Tomball police securing the records, there is no indication that any authorized third parties had or will have opportunity to misuse any of the patient information contained in the records at issue. No. I don’t know why we’re still throwing medical records in the garbage. That should not happen. Again, and then it took them 10 months, nine, well, nine months to report. Why did it take so long to report? That seems like an issue to me, but there’s probably some mitigating factors here that we’re not aware of.

Monroe County Hospital and Clinics email breach, another one, impacts 7,500 patients. I’ll be a Idaho based Monroe County Hospital and Clinics has discovered an unauthorized individual has gained access to its email system and potentially viewed or obtained the protected health information of approximately 7,500 patients. The attack was discovered on December 19 2018, and a computer forensic expert was engaged to investigate the breach and determine the size and scope of the attack. The investigation revealed several employees’ email accounts had been accessed by unknown individuals between October 28 and January 20. The compromised accounts were discovered to contain protected health information.
Exposed information varied from patient to patient and may have included name, address, date of birth, medical record number, dates of service, insurance status, payer type, diagnosis codes or reason for visits and other treatment related information. Some patients also had their social security number exposed, and those patients were offered credit monitoring, of course. So yet another phishing attack.

And we have Wise Health System notifies 66,934 patients of phishing attack. Surprise, surprise. Wise Health System in Decatur, Texas is notifying 66,934 patients that some of their protected health information was potentially compromised in a phishing attack that occurred on March 14 2019. Wise Health System previously reported that phishing attack to the Department of Health and Human Services Office of Civil Rights on July 13 2019, as having affected 35,899. So they originally reported about half of what they’re now reporting. The total has now been updated following the completion of a data audit. The data audit commenced in June 2019. It has only just been completed. New notifications started to be sent to affected patients on February 13. In March 2019, several employees responded to phishing emails and disclosed their account credentials. Not smart. No education yet again, and no MFA yet again. The attackers used those credentials to access the employee kiosk and attempted to reroute payroll direct deposits. So it doesn’t sound like they’re after healthcare records. It sounds like they were just after some money. Security protocols required to checks be issued to employees. It’s amazing how they have the security protocols in place for payroll but not for client data. That’s impressive. So they have a system to protect payroll but not protect client data.
Moving on. PSL Services discovers employee email account breach. Peregrine Corporation DBA PSL Services discovered unauthorized individuals have gained access to email accounts of several employees from December 16 to December 19. A breach was suspected when suspicious activity was detected in the email account of an employee. A third party computer forensics firm was engaged to investigate the breach and discovered several email accounts had been compromised. The type of information contained in the compromised email accounts varied from patient to patient, and included names, dates of birth, social security numbers, driver’s license numbers, medical information and Medicare numbers. The compromised accounts are being reviewed to determine which patients have been affected. The incident is still being investigated and the final number of individuals affected has not yet been determined. Affected individuals are being offered free identity theft protection services and written notices will be sent to affected individuals as soon as possible. Here’s the part that gets me. PSL Services is reviewing its security measures and will implement additional safeguards to prevent similar breaches from occurring in the future. So we don’t know what those safeguards are, according to them. I mean, it should really be cut and dry at this point.

And then we have, I don’t remember if I reported this last week, I believe I did. So I have a malware attack disables services at physician network affiliated with Boston Children’s Hospital, and Central Kansas Orthopedic Group suffers ransomware attack. I’m pretty sure we talked about this in last week’s episode, so I’m not going to talk about those on this week’s episode. So that is going to do it for the ProactiveIT Podcast. Until next week, stay secure.
Transcribed by https://otter.ai