PHI from a Number of Covered Entities Shared on GitHub

Med-Data Inc. has confirmed that the protected health information (PHI) of patients of a number of its clients was published on GitHub, a hosting site for open-source software development, where unauthorized persons could have viewed the information.

The revenue cycle management services vendor, located in Spring, TX, supports healthcare providers and health plans by processing Medicaid qualification, third-party liability, staff salaries, and patient medical billing. On December 10, 2020, security researcher Jelle Ursem informed Med-Data about certain data found on GitHub. Med-Data’s breach notice stated that on December 14, 2020, Dissent Doe of Databreaches.net provided a URL to the uploaded records.

An investigation was promptly started, and it confirmed that a Med-Data employee had copied files containing PHI to private folders on GitHub Arctic Code Vault from December 2018 to September 2019. Med-Data explained that the files were removed from GitHub on December 17, 2020.

The files included names, birth dates, Social Security numbers, addresses, diagnoses, medical conditions, claims data, subscriber IDs, dates of service, medical procedure codes, provider names, and health insurance policy numbers. Med-Data informed all covered entities on February 8, 2020 and sent notifications to affected people on March 31, 2021. All affected persons were offered free credit monitoring and identity protection services via IDX.

To prevent similar breaches in the future, Med-Data has blacklisted the use of all file sharing sites, updated its internal data policies and procedures, set up a security operations center, and integrated a managed detection and response service.

The Department of Health and Human Services was notified of the breach on February 8, 2021; however, the breach is still not listed on the OCR breach website, so it is not clear how many people were affected. Covered entities that have stated they were impacted include UChicago Medicine, Aspirus, OSF Healthcare, SCL Health, Memorial Hermann Health System, and King’s Daughters’ Health System.

Though Med-Data has confirmed that the files were removed from GitHub, that doesn’t automatically mean the data is safe. The information was uploaded to the GitHub Arctic Code Vault, an open data repository used for long-term storage of data files. The storage service was designed to preserve files safely for 1,000 years. It required the files to be written to physical storage media, a hardened film, which was sent to the GitHub Arctic Code Vault, located in a coal mine in Svalbard, Norway.

The films hold a large volume of files that was current as of February 2, 2020, the date the archive was completed. Since Med-Data did not have the records removed from GitHub until December 17, 2020, it is possible that much of the information was also written to film and taken to the archive. Med-Data contacted GitHub and asked for the vault’s activity logs to learn whether any of its records had been stored on the films and to arrange their removal, but it is unclear what happened after the request was sent. There was, however, unconfirmed information that Med-Data might sue GitHub to obtain the logs.

Jelle Ursem and Dissent Doe have also discovered other GitHub data breaches. In August 2020, they reported that the healthcare records of about 150,000 to 200,000 persons had likewise been uploaded to GitHub and made viewable to anyone.

FBI Issues Alert Concerning Mamba Ransomware

A rise in cyberattacks using Mamba ransomware has prompted the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) to release a flash alert warning agencies and businesses in various sectors about the threat posed by the ransomware.

Unlike many ransomware variants, which have their own encryption routines, Mamba ransomware has weaponized the free full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that isn’t malicious and is therefore not flagged as such by security software.

The FBI hasn’t given any specifics about the extent to which the ransomware has been used in attacks, which have so far mainly targeted government agencies and transportation, legal, commercial, technology, industrial, construction, and manufacturing businesses.

Various methods are used to gain access to systems and install the ransomware, such as exploiting vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured means of remote access.

Instead of searching for specific file extensions to encrypt, Mamba ransomware uses DiskCryptor to encrypt entire drives, taking all affected devices out of service. After encryption, a ransom note is displayed that tells the victim their drive was corrupted. It gives an email address for contact, the victim’s hostname and ID, and a field for entering the decryption key to restore the drive.

The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after about two minutes to finish the installation, and then the encryption routine starts. A second restart occurs approximately two hours later, which completes the encryption and displays the ransom note.

An attack in progress can be stopped before the second reboot. The encryption key and the shutdown time variable are stored in the myConfig.txt file, which remains readable until the second restart. After the second restart, myConfig.txt is no longer accessible and the decryption key is required to access files. This gives defenders a limited window to stop an attack and recover without paying the ransom. The alert includes a list of DiskCryptor files to help network defenders recognize attacks in progress. These files should be blacklisted if DiskCryptor is not used.
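The response window described above can be turned into a triage step. The following is an added example, not code from the FBI alert or from this article: it searches a mounted volume for the myConfig.txt file named above, copies each hit to an evidence directory with its SHA-256 hash, and estimates how much of the window is left. It assumes the file's modification time approximates the time of installation and uses the approximate two-minute and two-hour intervals given above; the function names and the evidence layout are hypothetical.

```python
import hashlib
import os
import sys
import time
from pathlib import Path

# File name as reported in this article; matched case-insensitively.
CONFIG_NAME = "myconfig.txt"
# Approximate timings from the article (assumptions, not exact values).
INSTALL_TO_FIRST_REBOOT_S = 2 * 60
FIRST_TO_SECOND_REBOOT_S = 2 * 60 * 60


def find_config_files(root):
    """Return every file under root whose name matches CONFIG_NAME."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == CONFIG_NAME:
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def preserve(path, evidence_dir, now=None):
    """Copy one hit to evidence_dir and estimate the time left to act.

    Returns None if the file cannot be read (for example, access denied).
    """
    now = time.time() if now is None else now
    try:
        data = path.read_bytes()
        mtime = path.stat().st_mtime
    except OSError:
        return None
    digest = hashlib.sha256(data).hexdigest()
    evidence_dir.mkdir(parents=True, exist_ok=True)
    # Prefix the copy with part of the hash so copies never match CONFIG_NAME.
    dest = evidence_dir / f"{digest[:16]}_{path.name}"
    dest.write_bytes(data)
    # Assumption: mtime ~ install time, so the second reboot is expected
    # roughly two minutes plus two hours later.
    deadline = mtime + INSTALL_TO_FIRST_REBOOT_S + FIRST_TO_SECOND_REBOOT_S
    return {
        "source": str(path),
        "copy": str(dest),
        "sha256": digest,
        "seconds_left": max(0, int(deadline - now)),
    }


def triage(root, evidence_dir, now=None):
    """Preserve every readable hit under root; evidence_dir should be on
    separate media that the affected host cannot encrypt."""
    results = []
    for hit in find_config_files(root):
        record = preserve(hit, Path(evidence_dir), now)
        if record is not None:
            results.append(record)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py <volume-root> <evidence-dir>")
    for rec in triage(sys.argv[1], sys.argv[2]):
        print(f"{rec['source']} sha256={rec['sha256']} "
              f"copy={rec['copy']} est. seconds left={rec['seconds_left']}")
```

A `seconds_left` of 0 means the estimated window has passed; the preserved copy is still worth keeping for the incident record.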

The FBI TLP:WHITE alert also recommends mitigations that make it harder for an attack to succeed, limit the impact of a successful attack, and ensure that systems can be restored without paying a ransom.

Recommended mitigations include:

  1. Backing up data and storing the copies on an air-gapped device.
  2. Segmenting systems.
  3. Configuring systems so that only administrators can install software.
  4. Patching operating systems, applications, and firmware promptly.
  5. Using multifactor authentication.
  6. Practicing good password hygiene.
  7. Disabling rarely used remote access/RDP ports and monitoring access logs.
  8. Using only secure networks and a VPN for remote access.

Data Breaches at California Department of State Hospitals and Mendelson Kornblum Orthopedic and Spine Specialists

The Department of State Hospitals (DSH) in California has discovered that an employee accessed the protected health information (PHI) of 1,415 current/former patients and 617 employees without authorization.

The employee held an Information Technology position and had been given access to data servers containing sensitive patient and staff information in order to perform work duties. DSH discovered the improper access on February 25, 2021 during a routine annual review of access to data folders.

DSH immediately launched an investigation and discovered that the employee had been accessing data without permission for about 10 months. Files with names, COVID-19 test data, and other health information required for tracking COVID-19 were copied directly from the server. The privacy breach investigation is ongoing, and the employee has been placed on administrative leave pending its conclusion. So far, the investigation has not found any evidence suggesting misuse of the copied information or its disclosure to anyone else.

DSH stated that safeguards were in place to detect unauthorized PHI access; however, because the employee’s actions appeared to be valid access, the unauthorized access was not detected when it occurred and was only identified through the annual review.

It appears the employee used the access granted for regular job tasks to go directly to the server and copy files containing the names of current and former patients and employees, COVID-19 test results, and related medical data with no apparent connection to their job responsibilities, indicating a high likelihood of unauthorized access, DSH stated in its data breach FAQs. It is unclear at this time whether this was an intentional breach.

DSH has since taken steps to prevent similar occurrences in the future, such as revising policies and procedures, limiting access to servers containing PHI, and enhancing logging and reviews of data activity. DSH also improved the automatic detection of files containing PHI when they are copied to non-standard locations.

Mendelson Kornblum Orthopedic and Spine Specialists Identifies 28,658 Patients’ PHI in Vulnerable Server

Mendelson Kornblum Orthopedic and Spine Specialists recently reported the compromise of 28,658 patients’ PHI, which unauthorized persons may have accessed.

On January 5, 2021, the practice discovered that one of its servers was open to access by unauthorized third parties. The server contained data such as patient names, medical record numbers, birth dates, patient gender, and data relating to medical photos, for instance, the image number, the date/time the photo was taken, and the label of the body part in the image.

No medical images were accessible, nor was highly sensitive data such as Social Security numbers, medical insurance details, diagnosis/treatment data, or financial data.

Although third-party access to the server could have been possible, the investigation found no evidence confirming misuse of patient information. Steps have been taken to prevent similar occurrences in the future.

Email Security Breach at Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System, based in Boise, ID, experienced a phishing attack that potentially compromised patient data. The attack also affected patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus detected abnormal activity in the email account of an employee on January 6, 2021. The provider promptly secured the account and carried out an investigation to determine the impact of the activity. Saint Alphonsus confirmed that an unauthorized individual accessed the email account on January 4, 2021, and had access to the account and the information stored in it for two days. The attacker used the email account to send phishing emails to other contacts in an effort to obtain usernames and passwords.

The employee whose account was compromised assisted with some business tasks that required access to protected health information (PHI), such as carrying out billing functions for the West Region of Trinity Health, including Fresno.

A review of all emails and attachments revealed that the account contained the PHI of a number of patients. The PHI in the account varied from patient to patient and included full names combined with at least one of the following data elements: phone number, birth date, address, email address, medical record number, treatment data, and/or billing details. The account also contained a few credit card numbers and Social Security numbers.

Though the provider confirmed the unauthorized account access, it wasn’t possible to determine which email messages, if any, the attacker accessed. At the time notices were sent, no evidence had been found suggesting misuse of any patient data. Saint Alphonsus offered credit monitoring services to affected people and gave personnel additional training on email and cybersecurity to prevent similar breaches in the future.

A mail merge error occurred while patients were being notified about the breach. Some patients received a letter informing them of an email security incident in which, because of the mail merge problem, their status was wrong: the letters addressed them as deceased or as a minor.

It is not currently known how many patients were affected by the incident. Updates will be provided as soon as additional details are available.

Southeastern Minnesota Center for Independent Living Phishing Attack Affects 4,122 Persons

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has discovered that an unauthorized person gained access to an employee’s email account that contained the PHI of 4,122 persons.

An investigation into the breach showed the account was compromised on August 6, 2020 and the attacker had access to the email account until September 1, 2020. The investigation established on December 22, 2020 that PHI had been exposed, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, and some medical treatment data. SEMCIL began mailing notification letters to affected people on February 19, 2021.

The investigation didn’t find any evidence indicating that any PHI was viewed or exfiltrated. There have also been no reports of improper use of any PHI. As a precaution against identity theft and fraud, people whose driver’s license number or Social Security number was exposed were offered complimentary identity theft protection services.

Two People Terminated for Impermissible Disclosures of Sensitive Data to Third Parties

Humana discovered that an employee of its business associate’s subcontractor impermissibly disclosed the protected health information (PHI) of about 65,000 members to a third party for training purposes.

Humana hired Cotiviti to assist with requesting medical records, and Cotiviti in turn used a subcontractor to review the requested health records. Under HIPAA, subcontractors of business associates must also comply with HIPAA.

The privacy breach occurred from October 12, 2020 to December 16, 2020. Cotiviti alerted Humana to the HIPAA breach on December 22, 2020. Together, Cotiviti and Humana took steps to ensure that safeguards are in place to prevent similar privacy violations in the future, and that the same safeguards are applied by any subcontractors it uses. The person who disclosed the information no longer works for the subcontractor.

The types of records exposed include member names, telephone numbers, birth dates, addresses, email addresses, full or partial Social Security numbers, insurance identification numbers, medical record numbers, provider names, dates of service, treatment details, and medical images.

Though the disclosures weren’t made for malicious reasons and it is believed that there were no further PHI disclosures, Humana is giving affected people two years of credit monitoring and identity theft protection services at no cost.

UPMC St. Margaret Terminates Worker for Impermissible Disclosure of Sensitive Data

UPMC St. Margaret has learned that an employee impermissibly disclosed the PHI of a number of its patients to a third-party company without authorization.

In August 2020, UPMC St. Margaret discovered that an organization had received a medication management report without a valid reason. The report included data such as names, UPMC ID numbers, and medication administration information, such as drug name, dosage, time/date of administration, and the reason for the medication.

After the data breach was identified, UPMC blocked the employee’s access to UPMC systems and terminated the individual’s employment once the investigation was over. The provider notified the affected persons of the privacy violation on March 5, 2021. No explanation was given for the delay in issuing the notification letters.

Data Breaches at Covenant Healthcare, University Hospital, and Fisher-Titus Medical Center

Covenant Healthcare, based in Saginaw, MI, has discovered that an unauthorized person gained access to two email accounts of staff members. The accounts contained the protected health information (PHI) of about 45,000 patients. The provider discovered the security breach on December 21, 2020, and the investigation of the email breach revealed that the first email account had been breached on May 4, 2020.

A review of the compromised email accounts showed they contained these types of PHI: names, birth dates, addresses, Social Security numbers, driver’s license numbers, medical diagnosis and clinical details, medical treatment data, medication data, patient account numbers, medical record numbers, doctors’ names, and health insurance details.

Affected people were advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized transactions. It appears that the affected persons were not offered complimentary credit monitoring.

Covenant Healthcare’s website breach notification states that it is committed to protecting patients’ personal information and promises to continually review and update procedures and internal controls to improve security and privacy.

University Hospital in Newark, New Jersey

University Hospital, located in Newark, NJ, has learned that an unauthorized person gained access to its computer system and possibly viewed and downloaded patient data. The hospital discovered the breach on September 14, 2020, and found that the network had already been compromised for four days.

A forensic investigation showed the attacker most likely acquired access to names, dates of birth, addresses, Social Security numbers, passport numbers, driver’s license numbers, state ID numbers, insurance data, financial details, medical record numbers, and certain clinical data.

Affected persons were offered a free one-year membership to identity theft protection and credit monitoring services. University Hospital has already taken steps to strengthen its security practices to prevent further breaches.

Fisher-Titus Medical Center in Norwalk, Ohio

An unauthorized individual gained access to the email account of a staff member of Fisher-Titus Medical Center, located in Norwalk, OH. The email account was first accessed in August 2020 and probably remained accessible until October 2020, when the breach was discovered and the email account was secured.

The long delay in sending notices to affected people was due to the time needed to investigate the breach. Third-party cybersecurity specialists carried out their enquiry on January 13, 2020. The medical center sent breach notices on February 18, 2021.

The medical center confirmed the breach affected patient names, medical details including diagnoses, clinical data, medical insurance details, Social Security numbers, and debit/credit card numbers. Persons whose Social Security number was likely affected were given a free membership to credit monitoring services for a year.

Additional security measures have already been put in place, such as changes to the password policy, upgraded antivirus software, enhancements to external firewalls, adjusted email retention policies, and increased monitoring. A new anti-phishing system was also implemented.

Class Action Lawsuit Versus Wilmington Surgical Associates Because of the Netwalker Ransomware Attack

Wilmington Surgical Associates, based in North Carolina, is facing a class action lawsuit in connection with a Netwalker ransomware attack that caused a data breach in October 2020.

In the majority of ransomware attacks these days, files are exfiltrated before the ransomware is deployed. In this instance, the Netwalker ransomware group stole 13GB of information from two management servers of Wilmington Surgical Associates. Some of the stolen data was posted on the threat actors’ data leak website, where anyone can access it.

The leaked data was spread across countless files and contained financial details connected to the practice, staff data, and patient data including images, scanned records, laboratory test data, Social Security numbers, medical insurance data, and other sensitive patient data.

Wilmington Surgical Associates sent notifications to affected persons in December 2020 and notified the HHS’ Office for Civil Rights of the data breach on December 17, 2020, reporting it as affecting 114,834 people.

The Rhine Law Company; Morgan & Morgan; and Mason Lietz & Klinger filed the lawsuit, Jewett et al. versus Wilmington Surgical Associates, on February 10, 2021. The lawsuit was recently brought before the US District Court for the Eastern District of North Carolina.

Plaintiffs Sherry Bordeaux, Katherine Teal, and Philip Jewett allege that their sensitive personal and health information is now in the hands of cybercriminals, which puts them at an increased risk of identity theft and fraud as well as other harms such as reduced credit scores and higher interest rates. The plaintiffs further claim they have sustained ascertainable losses because of the security breach in the form of out-of-pocket expenses and time spent remediating the consequences of the data breach.

The lawsuit alleges Wilmington Surgical Associates was responsible for failing to properly secure patient information when it had been informed of the heightened risk of ransomware attacks. It further claims that the North Carolina healthcare provider didn’t adequately monitor its systems for network intrusions and failed to deliver prompt breach notices to patients with sufficient details on the types of data affected in the attack.

The plaintiffs seek reimbursement of their out-of-pocket costs, compensation for time spent addressing the impact of the breach, indemnification, injunctive relief, and adequate credit monitoring services for affected individuals. The lawsuit also asks the court to order Wilmington Surgical Associates to strengthen data security and undergo yearly security checks.

Ransomware Gang Exposes Data Stolen from Two U.S. Healthcare Companies

The Conti ransomware gang has exposed a sizeable collection of healthcare records online that was purportedly stolen from Nocona General Hospital in Texas and Leon Medical Centers in Florida.

Leon Medical Centers suffered a Conti ransomware attack in early November 2020, which was initially reported to the HHS’ Office for Civil Rights on January 8, 2021 as affecting 500 people. Leon Medical Centers explained in its substitute breach notice that the breach involved the use of malware and the investigation established that the attackers viewed the personal and protected health information (PHI) of certain patients.

It is unclear when the attack on Nocona General Hospital took place, because no notification letters were sent to affected persons, no breach notice was published on its site, and the incident is not listed on the HHS’ Office for Civil Rights breach webpage.

NBC, after speaking with an attorney representing the hospital, said that no system appeared to have been compromised, files were apparently not encrypted, and the hospital did not find any ransom note. The Conti leak website had close to 20 files posted on February 3, 2021 that contained patient details, and Databreaches.net reports that the webpage contained more than 1,760 leaked items on February 10, many of which appeared to be old information. The hospital’s attorney called Databreaches.net and confirmed that the systems currently used by the hospital were not compromised, but an old server containing files related to patient or patient information transfers was breached. The incident remains under investigation.

The theft of patient records before file encryption, usually referred to as double extortion, is now common. According to the New Zealand cybersecurity organization Emsisoft, at the start of 2020 only one ransomware group was exfiltrating information before file encryption, but by the end of the year at least 17 ransomware groups were exfiltrating information before deploying ransomware.

This tactic increases the likelihood of the ransom being paid. Healthcare organizations will probably be able to recover information from backups, but they would still have to pay the ransom to prevent the stolen information from being posted on leak web pages or sold to other cybercriminals.

There are indications, however, that this technique is becoming less effective. The latest report by Coveware suggests that trust has eroded and more victims are choosing not to pay the ransom when they can recover their files from backups, since there is no guarantee that stolen records will be deleted when the ransom is paid.

Coveware attributed the sharp drop in ransom payments in the 4th quarter of 2020 to victims choosing not to pay because of a lack of trust in the attackers. Coveware continues to see signs that stolen information is not deleted or destroyed after payment. In addition, groups are taking steps to fabricate evidence of data exfiltration in cases where it didn’t take place.

7-Year Breach of Florida Medicaid Applicants’ PHI Because of Failing to Patch

Florida Healthy Kids Corporation, a Medicaid health plan based in Tallahassee, FL, learned that its web hosting provider failed to patch vulnerabilities, which cybercriminals exploited to gain access to its site and the protected health information (PHI) of persons who applied for benefits over the past 7 years.

Florida Healthy Kids used Jelly Bean Communications Design, LLC to host its website. The website features an online application that recorded the information of individuals when they applied for Florida KidCare benefits or applied to renew their medical or dental coverage online.

On December 9, 2020, Jelly Bean Communications notified Florida Healthy Kids that unauthorized people had gained access to the website and tampered with the addresses of thousands of applicants. Florida Healthy Kids had cybersecurity professionals carry out an investigation to determine the extent and severity of the data breach.

Florida Healthy Kids had to take the site offline during the incident investigation to prevent further unauthorized access. The review of the website host and the databases supporting the Florida KidCare application found a number of vulnerabilities that were present from November 2013 to December 2020, and that cybercriminals exploited the vulnerabilities to gain access to the site.

Though the evidence showed that applicant addresses were tampered with, it is also possible that the cybercriminals copied patient data files; however, no evidence of data theft was found.

The cyber criminals potentially accessed these types of data: full names, dates of birth, phone numbers, Social Security numbers, email addresses, mailing and physical addresses, financial details, family relationships of individuals contained in the application, as well as secondary insurance data.

The Florida KidCare online application remains offline until the health plan finds another web hosting provider. Florida Healthy Kids began notifying affected persons on January 27, 2020 and advised them to take appropriate measures to protect their identities, including placing security freezes and fraud alerts. The exact number of people affected is not yet known.

Micky Tripathi and Robinsue Frohboese Now Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi to the position of National Coordinator for Health IT at the Department of Health and Human Services.

Tripathi will lead the Office of the National Coordinator for Health IT, which is responsible for coordinating efforts to implement advanced health information technology and ensure the secure exchange of health data. The ONC is currently overseeing efforts to give Americans quick access to their health information through their smartphones and is using the 21st Century Cures Act provisions to improve health IT interoperability and prohibit information blocking.

Tripathi has extensive experience in secure health information exchange and understands the current interoperability problems in the healthcare sector. Before joining the ONC, Tripathi was the chief alliance officer at Arcadia, a healthcare analytics and software firm. He was in charge of building partnerships to improve healthcare using innovative technology.

Tripathi was also a manager at Boston Consulting Group (BCG), a strategy and management consulting company, the CEO of the Massachusetts eHealth Collaborative, the first president and CEO of the Indiana Health Information Exchange, and served on the boards of Datica, the HL7 FHIR Foundation, the Sequoia Project, the CARIN Alliance, and the CommonWell Health Alliance.

Arcadia CEO Sean Carroll said that Micky has been an industry-wide leader on healthcare interoperability and has a vision for the value of prompt sharing of the correct data to improve healthcare delivery while minimizing costs. Tripathi is really best suited for this very crucial mission.

Tripathi took the place of Donald Rucker, M.D., who had been in this position for the last 4 years.

The HHS has also confirmed that Robinsue Frohboese is now the Acting Director of the HHS’ Office for Civil Rights, the primary HIPAA compliance enforcer. Frohboese was formerly the principal deputy director of OCR and replaced acting director March Bell, who took the position on January 15, 2020 after the previous OCR Director Roger Severino left the post.

Frohboese has had an important role in a lot of civil rights projects and the implementation of the HIPAA Privacy Rule by OCR.

Before becoming OCR’s principal deputy director, Frohboese was with the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice for 17 years. He was the first Senior Trial Attorney and eventually became the Deputy Chief.