Watch out for fake Office for Civil Rights investigators, hospitals warned

HHS has alerted hospitals and health systems that someone is posing as an Office for Civil Rights (OCR) investigator in order to obtain patient health information, the American Hospital Association warned. In a notice last week, the association said HIPAA-covered entities should notify their staff. All OCR investigators have email addresses ending in @hhs.gov. If staff receive a suspicious email claiming to be from OCR, they should ask the sender for a confirming email sent from an hhs.gov address. The OCR has halted many investigations. In March, President Donald Trump announced that his administration would not be enforcing HIPAA penalties.
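The notice's advice boils down to one check on the sender address, and the mistakes people make with it are predictable: trusting the display name instead of the bare address, accepting a lookalike domain, or assuming that a passing From: header proves anything. The following Python is an added example, not code from the AHA or HHS; the header strings are constructed for illustration, and the check applies the notice literally (mailbox domain must be exactly hhs.gov), so any HHS subdomain would need to be added deliberately.

```python
"""Triage a From: header on a message that claims to come from HHS OCR."""
from email.utils import parseaddr

# Per the AHA notice, every OCR investigator address ends in @hhs.gov,
# so the domain part of the bare address must be exactly this value.
OCR_DOMAIN = "hhs.gov"


def extract_address(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, lower-cased bare address).

    parseaddr() is what keeps a spoofed display name such as
    '"ocr@hhs.gov" <attacker@example.com>' from fooling the check.
    """
    name, addr = parseaddr(from_header)
    return name, addr.strip().lower()


def check_ocr_sender(from_header: str) -> tuple[bool, str]:
    """Return (looks_legitimate, reason) for one From: header value."""
    _name, addr = extract_address(from_header)
    if addr.count("@") != 1:
        return False, "no single bare address found in From header"
    domain = addr.split("@")[1]
    if not domain.isascii():
        # Homoglyph lookalikes (e.g. Cyrillic letters) never equal 'hhs.gov'
        # byte-for-byte, but reject them explicitly so the reason is clear.
        return False, f"non-ASCII domain {domain!r} (possible homoglyph lookalike)"
    if domain != OCR_DOMAIN:
        # Catches 'hhs-gov.com', 'hhs.gov.example.com' and, deliberately,
        # any subdomain, since the notice says addresses end in @hhs.gov.
        return False, f"domain is {domain!r}, not {OCR_DOMAIN!r}"
    # A From: header is trivially forged, so a match only means the message
    # is not an obvious fake; the notice's confirmation step still applies.
    return True, "domain matches; confirm by a fresh email to the hhs.gov address"


def triage(headers: list[str]) -> list[str]:
    """Return the headers that should be treated as suspicious."""
    return [h for h in headers if not check_ocr_sender(h)[0]]


# Constructed sample headers (not real messages) for a stand-alone run.
SAMPLE_HEADERS = [
    "OCR Investigator <jane.doe@hhs.gov>",
    '"jane.doe@hhs.gov" <jane.doe@hhs-gov-mail.com>',
    "OCR Investigator <jane.doe@hhs.gov.example.com>",
    "jane.doe@\u04bbhs.gov",
    "undisclosed sender",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        ok, reason = check_ocr_sender(header)
        print(f"{'OK      ' if ok else 'SUSPECT '} {header!r}: {reason}")
```

The only header that passes is the plain hhs.gov one; everything else is flagged with a reason a help-desk analyst can act on. Because the From: header is attacker-controlled, a pass is a necessary condition, not proof, which is exactly why the notice tells staff to request a confirming message from the hhs.gov account rather than simply reply.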
The Protenus Breach Barometer shows that over 41.4 million patient records were exposed by 572 security incidents in 2019, while hacking incidents surged and insider-related events decreased.

By Jessica Davis, February 19, 2020

More than 41.4 million patient records were breached in 572 healthcare data breaches in 2019, as hacking surged. Those figures are likely an undercount, given that two significant security incidents had yet to be reported, according to the latest Protenus Breach Barometer. Protenus analyzed breaches reported to the Department of Health and Human Services, the media, or other sources; the researchers had record counts for only 481 of the 572 incidents. The two unreported incidents affected 500 dental offices and could involve a substantial volume of patient data. According to the report, the number of reported breaches rose slightly over the previous year, while the number of impacted records jumped sharply: just 15 million records were reported exposed in 2018. "Despite innovations in healthcare compliance analytics, the healthcare industry has continued to experience an increase in the number of reported health data breaches, year over year, since Protenus started compiling statistics in 2016," researchers explained. "This is an alarming trend which should change as more organizations deploy advanced patient privacy monitoring systems that can prevent future incidents," they added. The American Medical Collection Agency breach was the largest seen last year, impacting about 21 million patient records from a wide range of covered entities, including Quest Diagnostics, LabCorp, BioReference, and Clinical Pathology. The breach went undetected for about eight months and exposed a trove of personal data, including Social Security numbers, personally identifiable information, and physical addresses. According to researchers, the breach was discovered when analysts found the information for sale on the dark web.
Notably, hacking was behind 58 percent of all healthcare data breaches in 2019, with 330 incidents, compared with 222 hacking incidents in 2018. Overall, hacking incidents rose 49 percent last year, a trend Protenus attributed to the increasing creativity of the methods used to target healthcare organizations. "In contrast to previous hacking incidents, current ransomware threat actors have taken to naming victims who do not pay the ransom demands, and then publicly dumping the data if they refuse to pay," researchers wrote. "To make matters worse, in 2019 there were incidents of hackers attempting to extort money from the breached patients, not just the affected healthcare organizations," they added. "The healthcare industry should pay particular attention to these new types of threats in 2020." There was also a 20 percent decrease in insider-related incidents, which researchers attributed to the adoption of healthcare compliance analytics in US health systems and improved employee education. However, the number of records impacted by insider breaches rose to 3.8 million in 2019, up from 2.8 million in 2018. In total, insiders were behind 19 percent of breaches in 2019, down from 28 percent the previous year. "Even with the decrease in the number of insider incidents, they still pose a significant threat with one insider-related incident going undetected for over seven years," researchers explained. "While there were substantially fewer patient records breached by insider-wrongdoing, they are often more dangerous since employees with legitimate access to patient information can abuse their access with malicious intent, often undetected," they added. Moving forward, Protenus recommended that healthcare organizations turn to technologies such as compliance analytics, which can use AI to detect when insiders inappropriately access patient data and can potentially prevent insider breaches.
Further, risk assessment and employee training are crucial to getting ahead of attackers, as is testing security measures to confirm they actually work. Backups should be kept isolated from the main network so that a compromise cannot spread to them. Employee training is also key to preventing phishing attacks, as seen in an earlier study published in JAMA. "In 2020, it's vital that health systems make health data security a top priority, gaining insight into how patient data moves through the organization and the ability to differentiate between appropriate and inappropriate access to patient information," researchers wrote. "Armed with the latest information and utilizing the latest advances in technology, the healthcare industry can gain visibility into patient data access which will ultimately make their institutions more secure and further ensure patient trust," they added.
Must Pay a $10,000 HIPAA Settlement
A dental practice in Texas that responded to patients' Yelp reviews by disclosing patient names and other health information has gotten a bad review from federal regulators: a $10,000 HIPAA monetary settlement and a corrective action plan.
Sodinokibi and GlobeImposter Gangs Target Larger Victims, Coveware Warns

Mathew J. Schwartz (euroinfosec), November 1, 2019

Ransomware continues to be highly profitable for criminals.