Equifax Announces Another 2+ Million Were Affected By Breach

Equifax’s problems just keep getting worse.

Not long ago, the company suffered a major data breach that ultimately resulted in the CEO stepping down and a painful congressional grilling. Initial estimates placed the number of impacted consumers at some 143 million, but as the investigation continued, the numbers turned out to be even higher than first feared. Based on the forensic team's final report, as many as 145.5 million consumers were impacted.

In our modern society, many would argue that your credit score is as important as, if not more important than, your social security number. To arrive at that score, the "Big Three" credit reporting agencies necessarily collect a large amount of sensitive information about people, so when one of them suffers a breach, it's bad, and in Equifax's case, it just keeps getting worse.

Based on the latest information, the compromised data included names, social security numbers, dates of birth, and addresses. If that weren't bad enough, some 200,000 consumers had their credit card numbers exposed, along with an unknown number of dispute documents containing PII.

Most of the impacted customers live in the United States, but approximately 80,000 were Canadians.

To put these numbers in full context, Equifax maintains files on more than 800 million people around the world, along with more than 90 million businesses, so the breach, while catastrophic in size, wasn’t nearly as bad as it could have been.

That’s small consolation to the millions who have been impacted, but it’s important to understand that as bad as the breach was, it was quite far from the worst case scenario.

In the aftermath of the breach, the company has come under fire from lawmakers, who have charged that the company actually stands to profit from the incident by selling its credit monitoring service to impacted consumers once their free year expires.

In light of the recent congressional hearings on the matter, the future of that program is unclear. What is clear is the root cause: an unpatched Apache Struts 2 vulnerability (CVE-2017-5638, a remote code execution flaw for which a fix had been published roughly two months before the intrusion began). The attackers did not need to be especially determined; they needed only a public exploit and a target that had not applied an available patch, which underscores how easily even a large multinational can fall victim when patch management lags.
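The practical lesson is inventory: you cannot patch a library you do not know you are running. The Python script below is an added example, not code from the original post or from Equifax. It walks a deployment directory for struts2-core jars (assuming the standard Maven artifact naming, which is an assumption) and flags any version inside the affected ranges the Struts project published for CVE-2017-5638: 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1. The sample deployment it scans is constructed in a temporary directory with empty files standing in for real jars.

```python
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges from the Apache Struts S2-045 advisory for CVE-2017-5638:
# 2.3.5 through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
FIXED_VERSIONS = {(2, 3): "2.3.32", (2, 5): "2.5.10.1"}

# Assumes Maven's artifact naming for the core library, e.g. struts2-core-2.3.31.jar
JAR_NAME = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def _pad(v: Version, width: int = 4) -> Version:
    # Right-pad with zeros so (2, 5) compares as (2, 5, 0, 0) and 2.5.10.1 sorts after 2.5.10.
    return v + (0,) * (width - len(v))


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside an affected range for CVE-2017-5638."""
    v = _pad(version)
    return any(_pad(lo) <= v <= _pad(hi) for lo, hi in AFFECTED_RANGES)


def struts_version_from_name(filename: str) -> Optional[Version]:
    """Extract the version from a struts2-core jar name, or None for any other file."""
    m = JAR_NAME.match(filename)
    return parse_version(m.group(1)) if m else None


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (filename, version, vulnerable) for each struts2-core jar in the list."""
    findings = []
    for name in names:
        version = struts_version_from_name(name)
        if version is None:
            continue
        findings.append((name, ".".join(map(str, version)), is_vulnerable(version)))
    return findings


def scan_tree(root: Path) -> List[Tuple[str, str, bool]]:
    """Walk a deployment directory (e.g. an exploded WAR's WEB-INF/lib) for struts2-core jars."""
    return scan_jar_names(p.name for p in root.rglob("struts2-core-*.jar"))


def demo() -> List[Tuple[str, str, bool]]:
    """Constructed sample deployment: empty files standing in for real jars."""
    names = [
        "WEB-INF/lib/struts2-core-2.3.31.jar",            # vulnerable
        "legacy/WEB-INF/lib/struts2-core-2.5.10.jar",     # vulnerable
        "patched/WEB-INF/lib/struts2-core-2.5.10.1.jar",  # fixed
        "WEB-INF/lib/commons-fileupload-1.3.2.jar",       # not Struts, ignored
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in names:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).touch()
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for name, version, vulnerable in demo():
        status = "VULNERABLE" if vulnerable else "ok"
        branch = FIXED_VERSIONS.get(tuple(parse_version(version)[:2]), "n/a")
        print(f"{status:10s} {name} (found {version}, fixed in {branch})")
```

A jar-name scan is the quick first pass; a shaded or renamed jar will slip past it, so follow up by reading `META-INF/maven/*/pom.properties` inside each archive or by querying the build system's dependency tree.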

Even Minimal Exposure Can Result In Huge Fines

Data security is no laughing matter, and even small exposures can lead to hefty fines, no matter the size of your company.

Last year, federal regulators (the HHS Office for Civil Rights, which enforces HIPAA) sent shockwaves through the industry with an aggressive campaign of investigating and penalizing companies for HIPAA infractions, logging more than a dozen high-profile settlements.

While this particular case did not involve a HIPAA violation, it has much in common with the hefty fines the federal government has been levying for even small HIPAA infractions. The incident revolved around a spreadsheet containing personal data on 660 ACA enrollees in the state of Vermont.

The spreadsheet sat on a remote server managed by Samanage USA, a small North Carolina-based IT support service, and was improperly secured, leaving it open to unauthorized access.

As it happened, one of the people listed in the spreadsheet ran a Google search on her own name and found the spreadsheet among the results. She immediately notified the state's Attorney General, which prompted a formal investigation.

The search result was traced back to Amazon’s Web Services platform, and then to Samanage. An Amazon engineer emailed Samanage to inform them that it had PII improperly secured and publicly accessible, and asked them to remove it.

Samanage began an investigation of its own, found the problem and promptly corrected it, but did not notify its client, WEX Health, of the breach.
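What went wrong technically is a familiar pattern: a file on AWS storage with an access control that lets anyone, including a search engine crawler, read it. The Python below is an added example, not Samanage's or Amazon's code. It shows the two places such a grant hides on S3: the bucket or object ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement with a wildcard principal). The dictionaries follow the shape boto3's `get_bucket_acl` and `get_bucket_policy` return, but the sample ACLs, policies, bucket name and account ID are constructed for the example, and the page does not say which AWS service Samanage used, so treating it as S3 is an assumption.

```python
import json
from typing import Any, Dict, List, Tuple

# Grantee URIs that make an ACL grant readable by the world or by any AWS account holder.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (group URI, permission) for every grant to AllUsers/AuthenticatedUsers.

    `acl` has the shape boto3 returns from s3.get_bucket_acl() or get_object_acl().
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"], grant.get("Permission", "")))
    return found


def _is_wildcard_principal(principal: Any) -> bool:
    # A policy Principal can be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements that grant any action to an anonymous principal.

    `policy` is the parsed JSON of s3.get_bucket_policy()["Policy"]. Statements with a
    Condition are still reported: aws:SourceIp and similar narrow access, but the grant
    is still anonymous and needs a human to confirm the condition is tight enough.
    """
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [
        s for s in statements
        if s.get("Effect") == "Allow" and _is_wildcard_principal(s.get("Principal"))
    ]


def assess(acl: Dict[str, Any], policy_json: str = "") -> Dict[str, Any]:
    """Combine both checks into one verdict for a bucket or object."""
    policy = json.loads(policy_json) if policy_json else {}
    grants = public_acl_grants(acl)
    statements = public_policy_statements(policy)
    return {
        "public": bool(grants or statements),
        "acl_grants": grants,
        "policy_statement_ids": [s.get("Sid", "<no Sid>") for s in statements],
    }


# Constructed sample data in the boto3 response shape; not taken from any real account.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}
EXPOSED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/support"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for label, acl, pol in [("acl-exposed", EXPOSED_ACL, PRIVATE_POLICY),
                            ("policy-exposed", PRIVATE_ACL, EXPOSED_POLICY),
                            ("private", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(label, assess(acl, pol))
```

In a live audit the inputs come from `s3.get_bucket_acl(Bucket=...)` and `s3.get_bucket_policy(Bucket=...)`, and the finding should be cross-checked against the account's Block Public Access settings, which can override both of these grants.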

Ultimately, this is what got Samanage in trouble. According to the settlement, the $264,000 penalty was levied specifically for failing to notify the proper parties that the breach had occurred, which, under Vermont law, included WEX Health.

The reason this was not treated as a HIPAA breach is that Samanage was a subcontractor to the information services provider for a health plan offered through the ACA marketplace. In that position, it was not a covered entity or business associate, so the HIPAA privacy, security and breach notification rules did not apply to it.

Imagine how much bigger the fine would have been if they had been in violation. A sobering thought indeed.

Breach Of Health Data Costs California Company $2M Fine

Cottage Health System, a company that operates five hospitals in the Santa Barbara area of California, is the latest firm to have been hit with a hefty fine for losing control of PHI and PII for patients that it serves.

In this case, more than 55,000 patients were impacted between 2013 and 2015.

Cottage Health discovered the first breach late in 2013, when company officers received a voicemail message reporting that a large file containing PHI for an unspecified number of its patients was available online, with neither encryption nor password protection to prevent unauthorized access. In 2015, the company suffered a second, much smaller breach that impacted 4,596 of its patients.

As a result of the investigation that followed, the California Attorney General determined that the Cottage Health System had violated California’s Confidentiality of Medical Information Act, as well as several federal HIPAA regulations.

Under the terms of the agreement, in addition to a $2 million fine, the company has been required to upgrade its data security practices, including:

• Training employees on the collection, storage and proper use of PHI and PII
• Maintaining a reasonable set of policies and protocols covering incident tracking reports, risk assessment, data retention, internal audits and incident management plans, subject to external review
• Encrypting all PHI and PII in transit
• Assessing all hardware and software used in Cottage Health's network for potential vulnerabilities, and upgrading as appropriate
• Conducting periodic testing to identify and address additional vulnerabilities

This most recent incident serves as a painful reminder to any company involved in the handling of PHI and PII. According to Elizabeth Hodge, a health care attorney of the law firm Akerman, LLP:

“Even if the Office for Civil Rights slows down its enforcement activities going forward, covered entities and business associates should still anticipate enforcement activity by state attorneys general enforcing their respective state laws.”

Electronic Health Record Company “Allscripts” Hit By Ransomware

Another day, another high-profile ransomware attack. This time, the victim was Allscripts, an EHR (Electronic Health Record) company that hospitals, pharmacies, and ambulatory centers around the country rely on.

The company's data was thought to be safe in the cloud, but that proved not to be the case. Service disruptions were felt by Allscripts clients around the country.

At this point, reports are sketchy, incomplete, and in many cases contradictory. According to Allscripts, the attack impacted only "a limited number" of applications, which the company was working to restore. The company's statement continued: "most importantly, to ensure our clients' data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems. We regret any inconvenience caused by this temporary outage."

On Twitter, where many of Allscripts' customers have been discussing the issue, the picture is far worse. Some clients reported being unable to access critical patient data for a third straight day, with predictable consequences for health care delivery.

To complicate matters further, some health care providers preemptively disconnected from Allscripts servers to protect their own networks. Northwell Health, based in New York, is one example.

In any case, as of this writing, most, but not all, of the disrupted services appear to have been restored. Given the contradictory information surrounding the attack, you can bet that Allscripts' handling of the incident will be discussed for a long while to come, most likely under the heading "how not to handle a ransomware attack."

The company's communication was spotty and its business continuity plan seems to have failed it. There are lessons here for every business owner. Take heed.

Fitbit and Google Partnership May Raise Privacy Concerns

Depending on which side of the privacy debate you’re on, you’re either going to love or hate this announcement:

“Fitbit intends to use Google’s new Cloud Healthcare API to help the company integrate further into the healthcare system, such as by connecting user data with electronic medical records.”

Rarely has a single sentence been so fraught with risk, while simultaneously promising such great opportunity.

On the plus side, the potential for innovation is considerable, and the partnership will no doubt be a boon for the still-struggling wearables market. There are also potential gains in health care delivery efficiency, but the privacy concerns surrounding the arrangement are very real.

One need only think back to the recent Allscripts fiasco, in which some 1,500 healthcare providers were impacted by a nasty ransomware attack.

Google already collects copious amounts of data on its users, and with Fitbit angling to tap into healthcare records, the amount of private and personally identifiable information collected on users is bound to grow substantially.

In addition, depending on exactly what data Fitbit links, the arrangement could well make it a "business associate" under HIPAA. That would expose one or both companies to increased liability and to far stricter rules on how the data may be used and the steps that must be taken to safeguard it.

Right now, those details are very much up in the air, and the issue could go either way. Some legal experts believe that Google and Fitbit will be able to structure the arrangement so that neither company takes on the "business associate" classification.

For Fitbit’s part, the company had this to say: “We have a longstanding commitment to privacy and data, and our data practices will continue to be governed by the Fitbit Privacy Policy.  We are not sharing our user data with Google, we are partnering with Google to host Fitbit user data, similar to other cloud/hosting service providers.  We take our obligation to safeguard users’ personal information very seriously and are committed to protecting the privacy and security of our users, while being transparent about our data practices.”

Comforting words, but they have done little to allay the concerns of privacy advocates, who foresee any number of negative outcomes from the new partnership. This is a debate that will no doubt continue for quite some time.

Apple Releases Major iPhone and iOS Device Update 11.3

There's a lot to talk about in Apple's latest update to iOS. Version 11.3 boasts some significant changes and is well worth installing. We'll go over the highlights below.

Battery management is the biggest and most significant change. Last year, the company found itself in hot water when it began quietly throttling older phones, slowing their performance because aging lithium-ion batteries can no longer deliver the peak current the processor demands. Without throttling, it's entirely possible for a phone to shut down abruptly when it runs a task that draws more power than the degraded battery can supply.

Despite the company's good intentions, the decision to throttle older phones met with serious backlash from its normally adoring customer base, and the company has changed its approach in 11.3. Throttling is now optional and under user control on the iPhone 6, 6 Plus, 6S, 6S Plus, SE, 7 and 7 Plus. All users, regardless of model, now have access to a new Battery Health screen so they can keep tabs on the condition of their battery and make informed decisions about if and when to replace it.

Another significant change is the new Health Records section, which gives users easy access to their medical records if their provider participates in the program.

On the business side, 11.3 introduces Business Chat, which allows select businesses to communicate with customers directly in the Messages app rather than via social media or email. Not many companies are using the feature yet, but you can bet that in the coming weeks a slew of big names will sign up.

There is a raft of other, smaller features in 11.3, and like every iOS point release it also bundles security fixes, so even without the "Big Three" above the update would be worth installing. Kudos to Apple!

Attacks on Health Organizations Increasing At Alarming Rate

It used to be the case that credit card companies and retail outlets were the primary targets of hackers around the world. Make no mistake, they still get attacked with regularity, but hackers have found a new and even more lucrative target: health organizations.

According to a new report jointly produced by the Ponemon Institute and Merlin International, the medical/healthcare industry suffered nearly a quarter (23 percent) of all data breaches reported in 2017. It gets worse: those breaches exposed the PHI and PII of more than five million individuals.

The reason for the shift from credit card data to medical records comes down to profit. PHI and PII can often be sold on the Dark Web for ten times what credit card information brings, because, unlike a card number, a medical identity cannot be cancelled and reissued. The hackers are simply obeying the laws of economics and going where the money is.

Brian Wells, the Director of Healthcare Strategy at Merlin International had this to say about the report:

“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time.

Healthcare organizations must get even more serious about cyber security to protect themselves and their patients from losing access or control of the proprietary and personal information and systems the industry depends on to provide essential care.”

Worst of all, a shocking percentage of medical/healthcare companies don't seem to take cyber security seriously at all. Although the average cost of a medical data breach is approximately four million dollars, a staggering 49 percent of companies in the industry have no incident response plan of any kind. There is no process in place to respond to an attack or to contain the fallout if a breach occurs. These companies are sitting ducks.

Healthcare Sector Facing Rise In Ransomware Attacks

The Department of Health and Human Services has issued a warning to healthcare providers to be on high alert for the SamSam strain of ransomware, which has been used to attack eight different health care entities so far this year.

SamSam made its first appearance in 2016 and is seeing increasingly widespread use this year. Unfortunately, the healthcare industry is widely considered a soft target, and on the Dark Web healthcare data is now more sought after than credit card data, which will only put more healthcare entities at risk.

The most tragic component of this is that when a hospital's network goes down, it stands to lose more than money and control over patient data. Lives are also at risk. Although none of the attacks to date is known to have caused a patient death, the odds shorten with every incident. As these attacks grow in frequency, scope and scale, sooner or later someone will die because of one.

According to security experts, the root of the problem is that guarding against such attacks is treated as purely an IT issue. In truth it is an organization-wide issue, and should be treated as such, because attacks like these pose an existential threat. Making a single department responsible inevitably leads to a lack of funding and an inadequate incident response plan, which leaves most organizations unprepared to deal with an attack and its aftermath.

Even more worrisome is that a growing number of ransomware attacks effectively destroy the data. The ransom note is still displayed, but the attackers have no intention of unlocking the files and build their software accordingly. More recently, attackers have taken to corrupting the encrypted files, so that even data that is eventually "unlocked" can cause lingering problems for months or years afterward.
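The only reliable answer to ransomware that destroys or corrupts data is a backup you have verified, so that a "recovered" file is not silently garbage. The Python below is an added example, not from the original post or from any vendor named on it. It records a SHA-256 per file at backup time, HMAC-signs the manifest with a key kept off the protected systems (a constructed key here), and after a simulated attack reports which restored files are intact, modified, missing or unexpected. The patient files and the attack are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 1 << 20  # hash files in 1 MiB chunks so large imaging files are not read into memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(root)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up three records, then simulate a corrupting attack."""
    key = b"constructed-demo-key; a real key lives on offline media"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "patients").mkdir()
        (root / "patients" / "labs.csv").write_text("id,result\n1,normal\n")
        (root / "patients" / "notes.txt").write_text("visit summary\n")
        (root / "schedule.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")

        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)  # store tag and manifest off the protected host

        # Simulated attack: one file garbled in place, one deleted, a ransom note dropped.
        (root / "patients" / "labs.csv").write_bytes(b"\x00" * 64)
        (root / "schedule.ics").unlink()
        (root / "README_DECRYPT.txt").write_text("pay us\n")

        # Check the manifest first; a forged manifest would hide everything below.
        if not hmac.compare_digest(tag, sign_manifest(manifest, key)):
            raise RuntimeError("manifest tampered")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification after every restore drill, not just after an incident: a backup that has never been restored and checked against its manifest is a hope, not a plan.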

This problem is only going to get worse until we all start taking data security more seriously.