Ohio Personal Privacy Act Launched to Increase Privacy Protections for Ohioans

A comprehensive new privacy framework has been introduced in Ohio to give Ohio residents stronger privacy protections. The Ohio Personal Privacy Act closely aligns with the recently introduced Virginia Consumer Data Protection Act (CDPA) and gives Ohio residents a number of new rights over the personal information that businesses collect, store, maintain, and transmit.

Much like Virginia’s CDPA, the Ohio Personal Privacy Act uses a narrow definition of consumer that excludes individuals acting in a commercial or employment context. Personal information protected by the Ohio Personal Privacy Act is defined as any data that relates to an identified or identifiable consumer and that a business processes for a commercial purpose.

The Ohio Personal Privacy Act only applies to companies that do business in Ohio and meet at least one of these criteria:

  • Generates annual gross revenue of more than $25 million
  • Derives over 50% of gross revenue from the sale of personal information and controls or processes the personal information of at least 25,000 Ohio consumers
  • Controls or processes the personal information of 100,000 or more Ohio residents in a calendar year

There is a lengthy list of exemptions, such as:

  • Covered entities and business associates governed by, and in compliance with, HIPAA
  • PHI governed by HIPAA
  • Activities regulated by the Fair Credit Reporting Act
  • Financial institutions and data governed by the Gramm-Leach-Bliley Act, if in compliance
  • Data governed by the Children’s Online Privacy Protection Act
  • Institutions of higher education
  • Business-to-business transactions
  • Insurance companies and independent insurance providers

Consumers must be informed about how their personal information will be collected and used. Consumers have the right to access the personal information a business holds about them and to have that data deleted. Consumers must be informed about data collection and processing activities through a clear and conspicuous notice, and they are entitled to opt out of the sale of their personal information. Businesses may not discriminate against any person for exercising their rights under the Ohio Personal Privacy Act.

The Ohio Attorney General has the authority to enforce the Ohio Personal Privacy Act and to take legal action against any covered entity when there is reasonable cause to believe the entity has violated the Act. The state Attorney General can obtain a declaratory judgment, civil penalties, and injunctive relief, with treble damages for knowing violations.

Before any action is taken, a 30-day cure period is provided to allow all issues to be corrected. Businesses also have an affirmative defense against an enforcement action by the OAG or a lawsuit filed by a consumer if the business creates, maintains, and complies with a written privacy program that conforms to the National Institute of Standards and Technology (NIST) privacy framework.

Consumers who believe their rights under the Ohio Personal Privacy Act have been violated cannot file a lawsuit against a business over the violation.

Class Action Lawsuit Filed Against Radiology Specialists Due to PACS Data Breach

A radiology firm and its vendor are facing a class-action lawsuit filed in the U.S. District Court for the Southern District of New York. The lawsuit alleges the radiology specialists failed to protect a Picture Archiving and Communication System (PACS) that contained patients’ protected health information (PHI) and medical images.

In 2019, security researchers discovered vulnerabilities in the PACS used by clinics, hospitals, and radiology firms to share medical images and information. The researchers analyzed over 2,300 medical images and found that they contained sensitive patient information. In December 2019, the researchers notified the affected companies, including Northeast Radiology and its vendor Alliance Health, about the exposed information.

The two radiology companies used medical imaging archiving software that allowed unauthorized persons to access medical images and PHI. The researchers discovered 61 million exposed X-rays, MRIs, and CT scans containing PHI such as names, medical record numbers, dates of service, test results, and, in some cases, Social Security numbers.

In March 2020, Northeast Radiology reported the PACS data breach to the Department of Health and Human Services’ Office for Civil Rights as affecting 298,532 individuals. According to the breach report, Alliance Health’s medical images had been compromised and hackers had access to its PACS from April 2019 to January 2020.

Two patients filed a lawsuit against Northeast Radiology and Alliance HealthCare for allegedly exposing patient information for over 9 months. According to the lawsuit, the two companies were notified about the exposed information by the security researchers but did nothing to secure their PACS.

The lawsuit alleges the defendants were negligent and violated the Health Insurance Portability and Accountability Act (HIPAA) and state data protection laws by carelessly handling patient information and medical images, and that they also breached Federal Trade Commission (FTC) requirements. As a result of the violations, the plaintiffs and class members are alleged to have suffered direct injury and to have been placed at greater risk of identity theft and fraud. In addition to the exposure of their PHI, the lawsuit claims that victims of the breach received inadequate notification.

The patients are seeking compensatory and consequential damages as well as injunctive relief, including requiring the firms to improve their data security and monitoring and to submit to future system audits to confirm that their systems are secure. The lawsuit also seeks credit monitoring and identity theft protection services for all class members.

At the end of June, the U.S. Department of Health and Human Services warned 130 hospitals and health systems about PACS vulnerabilities that exposed sensitive healthcare information and advised them to take immediate action to ensure their PACS are properly configured and patient information is protected. The PACS used by those hospitals held 275 million medical images, including the PHI of over 2 million individuals.

Ex-Employee of Cedar Rapids Hospital Who Accessed Ex-Boyfriend’s PHI Gets 5-Year Probation

A former employee of a Cedar Rapids hospital has been sentenced to 5 years’ probation for improperly accessing and sharing the protected health information (PHI) of her former boyfriend.

41-year-old Jennifer Lynne Bacor of Las Vegas, NV, worked at a Cedar Rapids hospital as a patient care technician. Her job gave her access to systems containing individually identifiable patient data. Although she was authorized to use those systems, she was only permitted to access patient data in order to carry out her job duties.

Bacor’s ex-boyfriend visited the hospital several times in 2017 for treatment. Using her login credentials, Bacor accessed his health records, created between October 2013 and September 2017, on a number of occasions from April to October 2017, even though there was no valid work reason to do so.

Accessing a person’s PHI without a valid work reason violates the Health Insurance Portability and Accountability Act (HIPAA), and criminal charges may be filed for such a violation.

Bacor obtained a picture of a medical image that showed injuries suffered by her former boyfriend and sent the picture to a third party. The third party then shared the picture with other people through Facebook Messenger, adding taunting words and emojis to it. Bacor was also found to have stated in social media messages to another individual that she was seeking primary custody of the two children she had with her former boyfriend.

After learning of the privacy breach, the former boyfriend went to the hospital on October 4, 2017 and filed a complaint alleging that Bacor had accessed his health records without authorization and had obtained the picture from the hospital. The hospital investigated the privacy violation and confirmed that Bacor had accessed his health records 10 times. Bacor was initially suspended and subsequently dismissed for the HIPAA violation.

In August 2020, Bacor admitted to police that she had broken federal privacy law only in order to protect her children. Bacor entered a plea agreement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said that Bacor had weaponized her former boyfriend’s private health information by sharing it with others, sentenced her to 5 years’ probation, and fined her $1,000. Bacor was also barred from any employment that would give her access to other people’s private health records.

Data Breaches at NorthWest Congenital Heart Care and Superior HealthPlan

NorthWest Congenital Heart Care (NWCHC), based in Washington, is notifying 1,166 patients about a potential breach of some of their protected health information (PHI) due to unauthorized access. On May 7, 2021, the office of a single NWCHC doctor was broken into by an unauthorized third party, and an external hard drive used for backing up data was stolen. The provider reported the theft to law enforcement, but the hard drive has not been recovered.

An analysis of the data backups showed they contained patient data such as names, birth dates, ages, medical and treatment details, dates and location of service, doctor names, services required, procedures performed, diagnosis codes, medical record numbers, diagnosis and treatment information, and, for one person, health insurance details.

To reduce the risk of future data breaches, NorthWest Congenital Heart Care will stop using external hard drives for data backups.

Accellion Data Breach Affects Superior HealthPlan Members

2,781 members of Superior HealthPlan in Texas have been notified that some of their PHI was compromised in the cyberattack on Accellion. The breach affected the Accellion file transfer appliance, which was used to send very large files that cannot be sent by email.

The attackers had access to the system from January 7 to January 20, 2021. On April 2, 2021, Superior HealthPlan learned that the attackers had been able to access and obtain files containing names, addresses, birth dates, insurance ID numbers, and medical information, including health condition and treatment details.

All affected individuals have been offered free credit monitoring and identity theft protection services for one year. Superior HealthPlan no longer uses Accellion’s services. All data has been removed from Accellion’s systems, and file transfer procedures and tools are being reviewed and updated to prevent similar breaches in the future.

Approved Colorado Privacy Act Only Awaits State Governor’s Signature

Colorado has joined California and Virginia in passing comprehensive data privacy legislation to protect state residents. A number of amendments were required before the Colorado Privacy Act was finally approved unanimously by the Colorado state Senate on June 8, 2021; it now awaits the signature of Governor Jared Polis.

The Colorado Privacy Act applies to all data controllers that do business in Colorado and either control or process the personal information of at least 100,000 Colorado resident consumers in a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal information and control or process the personal information of at least 25,000 Colorado resident consumers.

Exclusions include protected health information (PHI) collected, processed, or stored by HIPAA-covered entities and their business associates; any personal information collected, processed, sold, or shared pursuant to the Gramm-Leach-Bliley Act (GLBA); information governed by the Children’s Online Privacy Protection Act of 1998 (COPPA); and individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

The Colorado Privacy Act gives Colorado resident consumers five rights with respect to their personal information.

  1. The right to opt out of the processing of their personal information for targeted advertising, the sale of their personal information, and automated profiling in furtherance of decisions that produce legal or similarly significant effects.
  2. The right to access the personal information a data controller holds about them.
  3. The right to have errors in their personal information corrected.
  4. The right to have their personal information deleted.
  5. The right to obtain their personal information in a portable and readily usable format.

All entities covered by the Colorado Privacy Act have the following obligations when they collect and process information.

  • Transparency – Consumers must be informed of the purposes for which their personal information is collected and processed. When personal information is sold or used for targeted advertising, consumers must be clearly informed. Consumers must not be required to create a new account in order to exercise one of their rights, nor pay a higher price or receive a lower level of service for exercising a consumer right.
  • Purpose specification – Consumers must be informed of the specific purposes for which their personal data is being collected and processed.
  • Data minimization – The personal data collected and processed must be limited to what is reasonably necessary to achieve the purpose for which it is collected and processed.
  • Secondary data uses – Secondary uses must be avoided when they are incompatible with the purpose for which the data was collected and the consent given by consumers.
  • Data security – Data controllers must ensure the security of personal data to prevent unauthorized access.
  • Unlawful discrimination – The collection and processing of data must not violate federal anti-discrimination law.
  • Sensitive data – Sensitive data, including information related to religious beliefs, ethnic origin, sexual orientation, citizenship status, mental or physical health, genetic or biometric data, and the personal information of minors, may only be collected and processed with the consumer’s opt-in consent.
  • Contracts with processors – A data controller must enter into a contract with each data processor, and the contract must set out the processor’s duties under the Colorado Privacy Act.
  • Data protection assessments – A data protection assessment must be conducted before any processing activity that presents a heightened risk of harm to consumers.

The Colorado Privacy Act takes effect on July 1, 2023. From July 1, 2024, a year after the effective date, consumers will be able to opt out of the processing of their personal information for targeted advertising or the sale of their information through a user-selected universal opt-out mechanism.

A violation of any provision of the Colorado Privacy Act is treated as a deceptive trade practice. The state Attorney General and district attorneys may take action against entities that commit violations.

Texas Legislature Approves Bill Requiring the State AG to Set up Data Breach ‘Wall of Shame’

The Texas Legislature has followed California and Maine in passing a bill that requires the Texas Attorney General to post notices of data breaches affecting state residents on the Attorney General’s public-facing website.

House Bill 3746, which amends Texas Business and Commerce Code § 521.053, was approved unanimously. It requires the Texas Attorney General to post data breaches that have affected at least 250 Texas residents. The webpage must be updated with any breach notification received within 30 days.

Once a company is posted on the website, the listing must remain for one year. The listing may be removed if the person or company has not experienced any further data breaches affecting at least 250 Texas residents during that one-year period.

Texas law requires that notices of system security breaches be sent to the state Attorney General within 60 days of discovery of the breach. The breach notices must include a detailed description of the nature of the incident, how it occurred, and whether sensitive data was obtained as a result of the breach. The notices must state the number of individuals known to have been affected at the time the notice is issued to the state Attorney General. The notices must also describe the measures taken in response to the breach, any further measures planned in connection with the breach, and whether law enforcement is involved in the breach investigation.

The bill updates the existing breach notification requirements to additionally require that the Attorney General be told the number of Texas residents who had been sent breach notifications by mail or other direct means of communication at the time the notice was issued to the Texas Attorney General.

The bill is now awaiting the signature of Texas Governor Greg Abbott. If signed, it will take effect on September 1, 2021.

Clinical Laboratory Resolves HIPAA Security Rule Violations with OCR By Paying $25,000

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement with Peachstate Health Management, LLC, also known as AEON Clinical Laboratories, over multiple HIPAA Security Rule violations.

Peachstate is a CLIA-certified laboratory that offers a range of services, including clinical and genetic testing, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR opened a compliance investigation on August 31, 2016 after the U.S. Department of Veterans Affairs (VA) reported, on January 7, 2015, a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had partnered with AHC to manage the VA’s Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach resulted from a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR learned that on January 27, 2016, AHC had entered into a reverse merger with Peachstate and had acquired ownership of Peachstate. OCR then conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. In that review, OCR identified several potential HIPAA Security Rule violations.

Peachstate was found not to have conducted an accurate and thorough risk analysis to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

No hardware, software, or procedural mechanisms had been implemented to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay a $25,000 penalty, and implement a comprehensive corrective action plan to address all areas of noncompliance identified by OCR during the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered healthcare providers, must comply with the HIPAA Security Rule. Failure to implement basic Security Rule requirements makes HIPAA-regulated entities attractive targets for malicious activity and puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that entities comply with the rules that protect the privacy and security of protected health information.

5 U.S. Bills Approved to Enhance Cyber Defenses of SLTT Governments and Critical Infrastructure Entities

In the wake of the ransomware attack on Colonial Pipeline, the SolarWinds supply chain attack, and President Biden’s cybersecurity executive order, the U.S. House Committee on Homeland Security has approved five bipartisan bills that aim to address cybersecurity and strengthen the protection of critical infrastructure entities and state, local, tribal, and territorial (SLTT) governments.

The cyberattack on Colonial Pipeline forced the company to shut down its 5,500-mile fuel pipeline, which supplies 45% of the East Coast’s fuel. To speed up recovery and limit disruption, Colonial Pipeline CEO Joseph Blount authorized a ransom payment of $4.4 million to the DarkSide ransomware gang; but despite the payment, the pipeline remained shut down for 5 days, causing serious disruption to energy supplies.

These cyberattacks have highlighted key weaknesses in cybersecurity defenses that must be addressed to strengthen national security.

The five bipartisan cybersecurity bills approved this week are as follows:

1. The Pipeline Security Act (H.R. 3243), introduced by Congressman Emanuel Cleaver (D-MO), was first introduced two years ago but failed to gain traction. The primary objective of the reintroduced bill is to define the role of the Transportation Security Administration (TSA) in protecting the country’s natural gas and oil infrastructure and shielding pipeline systems against threats, including cyberattacks and terrorist attacks.

2. The State and Local Cybersecurity Improvement Act (H.R. 3138), introduced by Congresswoman Yvette D. Clarke (D-NY), authorizes the creation of a new $500 million grant program to fund SLTT governments’ efforts to secure their systems against ransomware and other cyberattacks.

3. The Cybersecurity Vulnerability Remediation Act (H.R. 2980), introduced by Congresswoman Sheila Jackson Lee (D-TX), gives the DHS Cybersecurity and Infrastructure Security Agency (CISA) the authority to help critical infrastructure owners and operators develop mitigation strategies against identified critical vulnerabilities.

4. The CISA Cyber Exercise Act (H.R. 3223), introduced by Congresswoman Elissa Slotkin (D-MI), establishes a National Cyber Exercise program under CISA to ensure regular testing of preparedness and resilience against cyberattacks on critical infrastructure.

5. The Domains Critical to Homeland Security Act (H.R. 3264), introduced by Ranking Member John Katko (R-NY), gives DHS the authority to conduct research and development on supply chain risks for critical domains of the U.S. economy and to report its findings to Congress.

Two further bills addressing non-cybersecurity matters were also introduced: the DHS Blue Campaign Enhancement Act (H.R. 2795) and the DHS Medical Countermeasures Act (H.R. 3263). These strengthen DHS’s human trafficking reduction initiatives and DHS’s medical countermeasures in the event of biological, chemical, radiological, nuclear, or explosive attacks, pandemics, and disease outbreaks.

Data Breaches at SEIU 775 Benefits Group in Washington and Woodholme Gastroenterology Associates and an Identity Theft Case

SEIU 775 Benefits Group in Washington has notified about 140,000 of its members that some of their protected health information (PHI) was compromised. On April 4, 2020, SEIU 775 Benefits Group’s IT team noticed suspicious activity in the group’s data systems, including the removal of a number of data files.

Third-party digital forensics specialists were engaged to assist with the investigation and determined that an unauthorized individual had accessed the systems and removed selected files containing personally identifiable information (PII) and protected health information. The forensics specialists found no evidence suggesting that any PHI was viewed or downloaded, and no reports of misuse of PHI have been received.

The data potentially accessed was limited to names, addresses, and Social Security numbers. Health plan eligibility or enrollment data may also have been compromised. Affected individuals have been offered free credit monitoring and identity theft protection services through Kroll for one year.

50,000 Woodholme Gastroenterology Associates Patients Affected by Breach

Woodholme Gastroenterology Associates, located in Baltimore, MD, has discovered that an unauthorized person gained access to its network and exfiltrated records containing patients’ sensitive information on February 25, 2021.

The provider discovered the breach on March 1, 2021 and promptly took action to prevent further unauthorized access. A comprehensive review of the files that were exfiltrated or potentially accessed showed that they contained patients’ names, birth dates, email addresses, postal addresses, patient ID numbers, and diagnosis and/or treatment data. The driver’s license numbers, Social Security numbers, and health insurance details of some patients may also have been affected.

Free credit monitoring and identity protection services have been offered to individuals whose driver’s license number or Social Security number was compromised. The HHS Office for Civil Rights breach portal shows that around 50,000 patients were affected.

Employee of Vitality Senior Living Faced with Identity Theft Lawsuit

A certified nursing assistant formerly employed at Vitality Senior Living in Arlington, VA has been charged with stealing the identities of 6 residents she was caring for.

In April, the woman allegedly admitted to the executive director that she had fraudulently cashed a $1,200 check belonging to one of the residents. Vitality Senior Living terminated the nursing assistant and notified the police. The victim filed a police report stating that 6 blank checks had been taken from his checkbook and two had been cashed. The victim also reported that several fraudulent payments had been made using his debit card.

The suspect’s name was written on one of the cashed checks and her brother’s name was signed on the other. The brother also worked at Vitality Senior Living but has not been charged in connection with the case. Police found images of the victim’s debit cards and driver’s license on the suspect’s phone, along with evidence that an additional 5 residents had been targeted, three of whom were defrauded. Police also found evidence that the woman had attempted to file fraudulent tax returns and unemployment claims for individuals whose identities could not be verified.

The woman is due to appear in court on May 25, 2021 on more than a dozen identity theft charges.

Data of 200,000 Military Veterans Exposed On the Web

A database containing the personal data and protected health information (PHI) of about 200,000 U.S. military veterans was found exposed on the internet by security researcher Jeremiah Fowler.

The database was discovered on April 18, 2021, and analysis revealed references to a company called United Valor Solutions, based in Jacksonville, NC. United Valor Solutions is a Department of Veterans Affairs (VA) contractor that provides disability assessment services for the VA and other government agencies. The database, which contained veterans’ names, contact information, dates of birth, medical data, appointment details, unencrypted passwords, and billing details, could be accessed without a password. Anyone could have viewed the database, downloaded the data, and modified or deleted it.

Fowler notified United Valor Solutions about the exposed data. The company responded the following day, confirming the exposure, stating that the incident had been reported to its contractors, and confirming that public access had been disabled. It is unclear how long the database was exposed; however, United Valor Solutions said the database appeared to have been accessed only by internal IP addresses and Fowler’s.

Fowler said he found indications of a ransomware attack. The dataset contained a note labeled “Read_me” stating that data had been downloaded and would be leaked if a 0.15 Bitcoin ransom was not paid.

Threatpost reported that the VA has been investigating the incident and that it appears to be related to penetration testing. Reginald Humphries, Director of IT Strategic Communication at the VA’s Office of Information and Technology, issued a statement that a researcher had been attempting to identify security weaknesses and vulnerabilities in United Valor Solutions’ systems. The company does not currently consider this a data breach; rather, the activity was carried out for research purposes at the request of United Valor Solutions. The VA’s investigation into the incident is ongoing.

Additional People Impacted by Insider Atascadero State Hospital Breach

A breach previously reported by the California Department of State Hospitals (DSH) has affected more people than initially reported. The breach, discovered on February 25, 2021, involved improper access to medical records by a former employee.

The breach was initially believed to have affected the records of 1,415 current and former patients, 617 employee names, the personal data and PHI of 1,735 employees, and records of approximately 1,217 unsuccessful job applicants.

Further investigation into the improper access showed that the personal data of another 80 individuals had been viewed, including phone numbers, addresses, email addresses, birth dates, Social Security numbers, and driver’s license numbers. The immigration data of 38 people, employment-related health data of 81 individuals who had applied for a job, had been employed, or were former employees, and the dates of birth and last four digits of the Social Security numbers of 20 individuals were also accessed.

The employee concerned has been placed on administrative leave while the breach investigation is ongoing. The California Highway Patrol is assisting the DSH with the investigation.

CISA/NIST Publishes Guidance on Enhancing Protection Against Software Supply Chain Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have released guidance to help companies strengthen their defenses against software supply chain attacks.

The guidance document, Defending Against Software Supply Chain Attacks, describes the three methods most frequently used by threat groups in supply chain attacks, along with detailed recommendations for software consumers and vendors on preventing, mitigating, and improving resilience against software supply chain attacks.

Like many supply chain attacks, the recent SolarWinds Orion attack hijacked the platform’s software update process to push a software version containing malicious code, giving the attackers persistent access to the systems of over 18,000 customers, from which they could then select targets for deeper compromise. The same strategy was used by the threat group behind the 2017 NotPetya wiper attacks: the software update process of a widely used Ukrainian tax accounting program was hijacked to seize control of the software and use it in destructive attacks.

It is additionally prevalent for attackers to weaken the code signing process to control the software update systems and send malicious code. This is frequently accomplished by self-signing certificates and taking advantage of misconfigured access controls to imitate trusted vendors. According to CISA’s report, the Chinese advanced persistent threat group APT41 typically sabotage code signing in its complex attacks in the U.S.
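Both techniques above, a hijacked update channel and a subverted code signing process, succeed only where the client accepts whatever it is handed. The following Go program is an added example, not code from the CISA/NIST guidance or from any vendor named on this page, showing the two checks a customer-side updater should make: verify the release manifest against a publisher key pinned at install time, then verify the delivered bytes against the digest the publisher signed. Manifest, SignManifest, VerifyUpdate and Scenarios are hypothetical names; the version strings, payloads and keys are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the release version, the
// SHA-256 of the update payload, and the publisher's Ed25519 signature over
// the two fields (joined with a newline).
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte
}

var (
	ErrUntrustedSigner = errors.New("manifest is not signed by a pinned publisher key")
	ErrDigestMismatch  = errors.New("payload digest does not match the signed manifest")
)

// signedBytes is the exact byte string the signature covers.
func signedBytes(version, sha256hex string) []byte {
	return []byte(version + "\n" + sha256hex)
}

// SignManifest is the vendor side: hash the payload and sign the manifest
// with the vendor's release key.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	sha := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256Hex: sha,
		Signature: ed25519.Sign(priv, signedBytes(version, sha)),
	}
}

// VerifyUpdate is the customer side. It accepts an update only if (1) the
// manifest verifies under one of the pinned publisher keys, which defeats a
// self-signed or attacker-generated signing key, and (2) the bytes actually
// delivered hash to the digest the publisher signed, which defeats a payload
// swapped on a hijacked update channel. Any other key is rejected no matter
// how well-formed its signature is.
func VerifyUpdate(pinned []ed25519.PublicKey, m Manifest, payload []byte) error {
	msg := signedBytes(m.Version, m.SHA256Hex)
	trusted := false
	for _, pk := range pinned {
		if ed25519.Verify(pk, msg, m.Signature) {
			trusted = true
			break
		}
	}
	if !trusted {
		return ErrUntrustedSigner
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrDigestMismatch
	}
	return nil
}

// Scenarios exercises the verifier against a genuine release, a hijacked
// update channel that swaps the payload but reuses the vendor's manifest, and
// an attacker who signs a malicious manifest with a key of their own. All
// keys and payloads are generated here (constructed sample data).
func Scenarios() (genuine, hijacked, selfSigned error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Shipped with the product at install time, never fetched with the update.
	pinned := []ed25519.PublicKey{vendorPub}

	release := []byte("agent-2.1.0: legitimate build (constructed sample)")
	m := SignManifest(vendorPriv, "2.1.0", release)
	genuine = VerifyUpdate(pinned, m, release)

	implant := []byte("agent-2.1.0: build with backdoor (constructed sample)")
	hijacked = VerifyUpdate(pinned, m, implant)

	forged := SignManifest(attackerPriv, "2.1.0", implant)
	selfSigned = VerifyUpdate(pinned, forged, implant)
	return
}

func main() {
	g, h, s := Scenarios()
	fmt.Println("genuine release:   ", g)
	fmt.Println("hijacked payload:  ", h)
	fmt.Println("self-signed update:", s)
}
```

Running it prints <nil> for the genuine release, the digest error for the swapped payload, and the untrusted-signer error for the attacker-signed manifest. The design point is that the pinned key list is the only trust anchor: a certificate an attacker generated for themselves, however valid-looking, is never in it, and in a real updater that list is distributed with the product and rotated through a separately signed out-of-band process rather than over the same channel that delivers updates.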

The third most common technique is to target publicly available code libraries and insert malicious code, which is then downloaded by software developers. In May 2020, GitHub, the largest platform for open-source software, found that 26 open-source projects had been compromised by malicious code inserted into their repositories. Blocks of open-source code are also frequently incorporated into proprietary software, where they can be exploited just as readily.

Software supply chain attacks are complex and resource-intensive and generally require a long-term commitment. Although criminal threat actors have successfully conducted supply chain attacks, they are more often carried out by state-sponsored advanced persistent threat groups, which have the motivation, capabilities, and resources for sustained software supply chain campaigns.

These attacks can compromise many organizations by attacking just one. Organizations are exposed because software vendors are given privileged access to their environments so that their products can function, and vendors need to communicate frequently with installed software to deliver updates that address emerging threats and fix vulnerabilities. If a vendor is breached, attackers can bypass security controls such as firewalls and gain persistent access to all of its customers’ systems.

The guidance document provides recommendations and guidelines for applying NIST’s Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF). Organizations can significantly improve their resilience to software supply chain attacks by managing software within a C-SCRM framework alongside a mature risk management program.

A mature risk management program allows an organization to identify the risks introduced by ICT products and services, including software, in the context of the mission or business processes they support. Organizations can address those risks through a variety of technical and non-technical measures, including those specific to C-SCRM for software and the full software lifecycle.

The guidance lists eight recommendations for building a C-SCRM strategy and applying it to software:

  • Integrate C-SCRM across the organization.
  • Establish a formal C-SCRM program.
  • Know and manage critical components and suppliers.
  • Understand the organization’s supply chain.
  • Collaborate closely with key suppliers.
  • Include key suppliers in resilience and improvement activities.
  • Assess and monitor the supplier relationship.
  • Plan for the full lifecycle.

Even with this approach it is not possible to prevent every supply chain attack, so organizations must also take steps to mitigate the risk from insecure software components.

Organizations should establish a vulnerability management program and reduce their attack surface through configuration management. This includes placing configurations under change control, conducting security impact analyses, applying vendor-provided recommendations to harden applications, operating systems, and firmware, and maintaining an inventory of information system components. Steps should also be taken to increase resilience to a successful exploit and to limit the damage an attack could cause to mission-critical operations, personnel, and services.

Montefiore Medical Center Employee Terminated and Belden Class Action Lawsuit

Montefiore Medical Center has discovered that another employee accessed patient data without a legitimate work reason.

In February 2021, the New York hospital reported that one employee had viewed health records without authorization for 5 months in 2020, and that a different employee had accessed the protected health information (PHI) of roughly 4,000 patients between January 2018 and July 2020.

The latest case involved an employee who viewed patient records without authorization for more than a year. The breach was detected by Montefiore’s FairWarning software, which monitors access logs for improper access.

On discovering the unauthorized access, the medical center suspended the employee pending an investigation. A review of access logs showed that the employee had viewed records without a legitimate work reason from January 2020 to February 2021.

The types of data accessed varied from patient to patient and included first and last names, addresses, email addresses, dates of birth, medical record numbers, and the last four digits of Social Security numbers. Montefiore found no evidence that financial data or clinical information was accessed.

The unauthorized access violated Montefiore’s policies and HIPAA. The medical center terminated the employee and referred the matter to law enforcement for possible criminal prosecution.

Class Action Lawsuit Against Belden Over November 2020 Data Breach

Belden, a U.S. networking equipment vendor, faces a class-action lawsuit over a November 12, 2020 data breach in which the personal data of current and former employees was compromised. Hackers gained access to a limited number of file servers and copied data on employees and some business partners.

The breach was recently reported to the HHS’ Office for Civil Rights as affecting the PHI of 6,348 individuals. The stolen data included names, Social Security numbers, financial account numbers, tax identification numbers, home addresses, email addresses, dates of birth, and other employment-related information. Belden announced the breach on November 24, 2020 and began notifying affected individuals on December 14, 2020.

The lawsuit, Edke v. Belden Inc., alleges that the plaintiff and class members were harmed by the breach and had to wait several weeks before being told that their personal data had been stolen. They assert the breach has placed them at “considerable risk of identity theft and different types of personal, financial and social hurt.” The lawsuit alleges that Belden was careless and negligent, and that security failures at the company allowed the data to be stolen.

HHS OIG Rated the HHS Information Security Program as ‘Not Effective’

The Department of Health and Human Services Office of Inspector General has published the results of its annual assessment of the HHS information security program and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). The assessment found that the HHS information security program has not yet reached the level of maturity required to be considered effective.

The independent review was performed on behalf of the HHS OIG by Ernst & Young (EY) to determine compliance with the FISMA reporting metrics and to assess whether the overall HHS security program met the required information security standards.

The HHS was evaluated against the Identify, Protect, Detect, Respond, and Recover functions of the Cybersecurity Framework across the FISMA domains: risk management, identity and access management, configuration management, data protection and privacy, information security continuous monitoring (ISCM), security training, contingency planning, and incident response.

There are five maturity levels for information security:

  • Level 1 (Ad Hoc)
  • Level 2 (Defined)
  • Level 3 (Consistently Implemented)
  • Level 4 (Managed and Measurable)
  • Level 5 (Optimized)

An information security program must reach Level 4 to be considered effective.

As of September 30, 2020, the HHS had improved on the previous audit and had implemented a number of changes to strengthen the maturity of its enterprise-wide cybersecurity program. There were improvements across all FISMA domains, including greater maturity in data protection and privacy and in continuous monitoring of information systems.

Nevertheless, the HHS received a “not effective” rating because it failed to reach Level 4 maturity in at least one of the five functional areas: Identify, Protect, Detect, Respond, and Recover. The review found weaknesses in the Identify, Protect, and Respond functions, and maturity was below Consistently Implemented for some FISMA metric questions, both for the HHS as a whole and at selected operating divisions (OpDivs) for contingency planning.

The HHS was rated Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics, but had not reached Managed and Measurable (Level 4) in any of the IG FISMA metrics. None of the FISMA metric ratings changed from the FY19 audit, although the review noted progress in a number of individual IG FISMA metrics, such as consistent implementation of data exfiltration detection, ongoing Authorization to Operate (ATO) reviews, and configuration management controls. Other areas saw no progress because of insufficient information security continuous monitoring across the HHS operating divisions, which is needed to provide reliable information for risk management decisions.

A number of recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the 13 recommendations.

GetApp Recognized TigerConnect as Leader in Telemedicine Software

TigerConnect, a leading provider of HIPAA-compliant clinical communication and collaboration solutions for the healthcare industry, has been named a category leader in the 2021 GetApp software rankings.

GetApp conducts an annual analysis of a wide range of technology products to identify the best products on the market and help small and medium-sized businesses choose the most effective software for their needs. The Gartner-owned company has been evaluating business software for the past decade to help SMBs make the right decisions about software that can solve their problems, improve productivity and performance, and accelerate growth.

Each product is rated in five areas based on independent ratings from verified users of the product. The top-rated products are named Leaders in their categories. Users rate products on ease of use, value for money, functionality, customer support, and the likelihood of recommending the product to friends, colleagues, and other businesses.

This year, the TigerConnect communication and collaboration platform was named a category leader in telemedicine software in North America. 95% of TigerConnect users rated the product excellent or very good, and 100% said they would recommend it to a colleague or friend.

The solution was highly praised by customers and received high ratings across all five categories, with users reporting significant benefits from the product and finding it easy to use.

TigerConnect founder and CEO Brad Brooks said it was an honor to be regarded as a top choice in telemedicine software, and thanked the company’s customers, community, and development team, without whom this would not have been possible, for the trust they have placed in the company.

Massachusetts Mental Health Clinic Pays $65,000 to Settle HIPAA Right of Access Case

Boston, MA-based Arbour Hospital, a mental health clinic, has settled a HIPAA Right of Access investigation with the HHS’ Office for Civil Rights (OCR) by paying a $65,000 penalty.

On July 5, 2019, OCR was notified of a potential HIPAA Right of Access violation. A patient of Arbour Hospital stated that he had requested a copy of his medical records from the hospital on May 7, 2019 but had not received them within two months.

When a healthcare provider receives a request from an individual exercising their HIPAA Privacy Rule right to obtain a copy of their health records, the copy must be provided promptly and no later than 30 days after the request is received. A single extension of up to 30 days is permitted, for example where records are stored offsite or are otherwise not readily accessible, but the patient must be notified in writing within the initial 30 days of the reason for the delay and the date by which the records will be provided.

OCR contacted Arbour Hospital, provided technical assistance on the HIPAA Right of Access on July 22, 2019, and closed the complaint. The patient then filed a second complaint with OCR on July 28, 2019 because he still had not received his records. The records were finally provided on November 1, 2019, nearly 6 months after the written request was submitted and more than 3 months after OCR’s technical assistance.

OCR determined that the failure to respond promptly to a written, signed medical record request from an individual violated the HIPAA Right of Access, 45 C.F.R. § 164.524(b). In addition to the financial penalty, Arbour Hospital must implement a corrective action plan that includes adopting policies and procedures on patient record access and training its workforce. Arbour Hospital will also be monitored by OCR for compliance for one year.

Health care providers have a responsibility to give their patients prompt access to their own health records, and OCR will hold providers accountable for this requirement so that patients can exercise their rights and obtain the health information they need to be active participants in their medical care, said Acting OCR Director Robinsue Frohboese.

The HIPAA Right of Access enforcement initiative was launched in late 2019 to ensure patients are given timely access to their medical records at a reasonable cost. This is the sixteenth financial penalty paid to OCR to resolve HIPAA Right of Access violations under the initiative, and the fourth HIPAA Right of Access settlement announced in 2021.

Hospice CEO Confesses to Falsifying Medical Care Claims and Inappropriate Medical Record Access

The former CEO of Novus and Optimum Health Services, which operate two hospices in Texas, has pleaded guilty in a fraud case in which Medicare and Medicaid lost tens of millions of dollars to bogus healthcare claims.

Acting U.S. Attorney Prerak Shah for the Northern District of Texas recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and is awaiting sentencing.

In addition to defrauding federal healthcare programs, Harris’s actions denied vulnerable patients the care they needed, led to pain medications being prescribed without physician input, and left terminally ill patients unexamined.

Harris admitted billing Medicare and Medicaid from 2012 to 2016 for hospice services that were not provided, were not ordered by a physician, or were given to people who did not qualify for hospice care. He also admitted using blank, pre-signed prescriptions for controlled substances and dispensing the medications without any physician involvement.

Harris paid two co-conspirators, Dr. Laila Hirjee and Dr. Mark Gibbs, $150 for each fraudulent order they signed, and would routinely certify hospice patients as terminally ill with a life expectancy of six months or less without any assessment. Dr. Gibbs, Dr. Hirjee, and a third physician, Dr. Charles Leach, supplied blank, pre-signed prescriptions for controlled substances, which allowed Harris to order Schedule II controlled substances for Medicare and Medicaid beneficiaries in the hospice without any consultation with a physician, at a cost

Harris also violated the Health Insurance Portability and Accountability Act (HIPAA) Rules when he accessed patients’ medical records to identify people who could be contacted and offered Novus hospice services. In summer 2014, Harris negotiated an agreement with Express Medical that gave him access to the medical records of potential patients in exchange for using the company for lab services and home health visits. Harris’s wife then contacted former Express Medical patients and other hospice staff to recruit them, regardless of whether they actually qualified for hospice services. The steady supply of new patients allowed Harris to avoid exceeding Medicare’s aggregate hospice cap.

The HHS’ Centers for Medicare and Medicaid Services received several reports of possible fraud and suspended Novus; Harris then moved patients from Novus to another hospice, which passed the reimbursements for their hospice services back to Novus. Dr. Gibbs was the medical director of that hospice.

Harris is scheduled to be sentenced on August 3, 2021 and faces up to 14 years in prison. Dr. Gibbs, Dr. Hirjee, and two other co-conspirators are scheduled for trial on April 5, 2021. Ten co-defendants have pleaded guilty and await sentencing for their roles in the fraud. Dr. Charles Leach pleaded guilty in 2018 to one count of conspiracy to commit healthcare fraud for his role in the $60 million scheme. According to court documents, the blank prescriptions Dr. Leach signed were used to obtain controlled substances, high doses of which were then administered to patients by nurses to hasten their deaths.

The Justice Department cannot allow unethical businessmen to get in the way of the practice of medicine and is determined to root out healthcare fraud. It will work tirelessly with state and federal partners to hold those who commit healthcare fraud accountable and to get justice for the people harmed by these schemes, said FBI Dallas Special Agent in Charge Matthew DeSarno.

2019 American Medical Collection Agency Data Breach Investigation Ends in Multistate Settlement

A coalition of 41 state attorneys general has agreed to settle an investigation of the 2019 data breach at Retrieval-Masters Creditors Bureau, doing business as American Medical Collection Agency (AMCA), which resulted in the compromise and theft of the protected health information (PHI) of about 21 million individuals in the U.S.

Retrieval-Masters Creditors Bureau is a debt collection agency. Its AMCA arm provides small-balance debt collection services to healthcare clients such as laboratories and medical testing centers.

Between August 1, 2018 and March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data including names, personal information, Social Security numbers, payment card details, and, for some individuals, medical test information and diagnostic codes. The AMCA breach was the largest healthcare data breach reported in 2019.

AMCA began notifying states of the breach on June 3, 2019, and affected individuals were offered two years of free credit monitoring services. The cost of breach remediation forced AMCA to file for bankruptcy protection in June 2019.

The attorneys general of Indiana, Connecticut, New York, and Texas led the multistate investigation of the AMCA breach. The Texas and Indiana AGs also participated in the bankruptcy proceedings to ensure that the investigation continued and that the personal data and PHI of breach victims remained protected. AMCA obtained the bankruptcy court’s authorization to settle the multistate action and requested dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed that information security deficiencies contributed to the breach, and that AMCA failed to detect the intrusion even after receiving notices from the banks that processed its payments about fraudulent use of payment cards.

Under the terms of the settlement, AMCA must create and maintain an information security program, develop an incident response plan, hire a qualified chief information security officer (CISO), engage a third-party assessor to conduct an information security assessment, and continue to assist the state attorneys general with their data breach investigations.

A $21 million financial penalty was imposed on AMCA, to be divided pro rata among the participating states; however, because of the company’s financial condition, payment of the penalty has been suspended and will only be required if AMCA fails to comply with the terms of the settlement agreement.

When a business does not invest adequately in information security, a data breach can be costly enough to push it into bankruptcy, ruining the business and harming the affected individuals. AMCA’s security failures allowed unauthorized access to the data of 21 million Americans. State attorneys general are committed to protecting their residents’ personal information and will hold companies accountable when they fail to protect it. The AMCA settlement ensures that the company implements the security and incident response programs needed to prevent such a failure from happening again.

Connecticut, Indiana, Texas, and New York led the investigation, with assistance from Florida, Illinois, Massachusetts, Maryland, Michigan, Tennessee, and North Carolina. The attorneys general of Arizona, Arkansas, the District of Columbia, Colorado, Georgia, Hawaii, Iowa, Idaho, Louisiana, Kansas, Kentucky, Maine, Missouri, Minnesota, Nebraska, New Hampshire, Nevada, New Jersey, New Mexico, Oklahoma, Ohio, Oregon, Pennsylvania, South Carolina, Rhode Island, Utah, Virginia, Vermont, West Virginia, and Washington also joined the settlement.

45-Day Extension of Comment Period on Proposed HIPAA Privacy Rule Changes Announced

Changes to the HIPAA Rules are made infrequently, so when updates are proposed they tend to bundle a range of new standards and revisions to existing provisions. Before any changes are drafted, a request for information (RFI) is issued so that the HHS can gather feedback on the parts of the HIPAA Rules that are causing problems and the areas that need improvement.

After the RFI, the HHS issues a notice of proposed rulemaking, which is followed by a comment period. During this period, industry stakeholders, as well as patients and their families, have a final opportunity to comment on the proposed changes before they are finalized.

Following the RFI, the HHS’ Office for Civil Rights issued a Notice of Proposed Rulemaking on December 10, 2020. The standard 60-day comment period began on January 21, 2021, when the proposed rule was published in the Federal Register, and was due to end on March 22, 2021.

Because the proposed changes to the HIPAA Privacy Rule will affect almost everyone in the healthcare sector, the HHS has decided to extend the comment period.

The proposed Privacy Rule changes include strengthening patients’ rights to access their own health records, changes to support greater family and caregiver involvement in the care of individuals during health emergencies and crises, changes to provide more flexibility for disclosures in emergency situations, updates to reduce the administrative burden on healthcare organizations, and changes to improve information sharing for care coordination and case management.

The HHS’ Office for Civil Rights is asking all stakeholders to review the proposed changes and submit comments. All feedback received will be considered in drafting the final rule, which is expected to be published in late 2021 or early 2022.

OCR expects a high level of public interest in commenting on the proposals, since the HIPAA Privacy Rule affects almost everyone who uses the healthcare system. With the comment period extended by 45 days to May 6, 2021, the public has more time to review the proposals and submit feedback to shape future policy.


Two Employees Dismissed for Impermissible Disclosures of PHI to Third Parties

Humana has discovered that an employee of a subcontractor engaged by one of its business associates impermissibly disclosed the protected health information (PHI) of around 65,000 members to a third party for training purposes.

Humana contracted Cotiviti to provide medical record management services, and Cotiviti in turn engaged a subcontractor to review the requested health records. Under HIPAA, subcontractors engaged by business associates must also comply with the HIPAA Rules.

The privacy violations occurred between October 12, 2020 and December 16, 2020. Cotiviti notified Humana of the HIPAA violation on December 22, 2020. Cotiviti and Humana have worked together to ensure that safeguards are in place to prevent similar privacy breaches, and that those safeguards are also implemented at any subcontractors Cotiviti engages. The individual who shared the information is no longer employed by the subcontractor.

The types of records involved include member names, phone numbers, dates of birth, addresses, email addresses, full or partial Social Security numbers, insurance identification numbers, provider names, medical record numbers, dates of service, treatment information, and medical images.

Although the disclosures were not malicious and there is no indication that the PHI was further exposed, Humana is offering affected individuals 2 years of free credit monitoring and identity theft protection services.

UPMC St. Margaret Dismisses Employee for Impermissible Disclosure of PHI

UPMC St. Margaret has learned that an employee impermissibly disclosed the protected health information of some of its patients to a third-party provider without authorization.

In August 2020, UPMC St. Margaret learned that an outside organization had received a medication administration report despite having no legitimate work purpose for it. The report contained names, UPMC ID numbers, and medication administration data such as drug name, dose, date and time of administration, and the reason for the medication.

After discovering the impermissible disclosure, UPMC terminated the employee’s access to UPMC systems and, once the investigation was complete, terminated their employment. Affected individuals were notified of the privacy breach on March 5, 2021. No reason was given for the delay in notification.

Whistleblower Who Wrongly Accused a Nurse of Violating HIPAA Serves 6 Months in Jail

A Georgia man who falsely accused a former colleague of violating patient privacy and the HIPAA Rules has been fined $1,200 and sentenced to 6 months in jail.

In October 2019, Jeffrey Parker, a 44-year-old resident of Rincon, GA, posed as a HIPAA whistleblower and notified the authorities of a serious privacy violation allegedly committed by a nurse at a Savannah, GA hospital, which included emailing graphic images of hospital patients with traumatic injuries to recipients inside and outside the hospital.

According to court documents, Parker engaged in an elaborate scheme to frame a former colleague for violating the Privacy Rule of the federal Health Insurance Portability and Accountability Act. To support the false claims, Parker created several email accounts in the names of real patients and used them to submit false allegations of privacy violations. Copies of the emails were sent to the hospital where the nurse worked, the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI).

Parker also claimed to have received threats for being a whistleblower, and law enforcement took steps to ensure his safety. When questioned about the threats and the alleged HIPAA violations, an FBI agent found inconsistencies in his statements, and under further questioning Parker admitted that he had falsely accused his former colleague in order to frame him for HIPAA violations that never occurred.

When Parker was charged, U.S. Attorney Bobby L. Christine explained that falsely accusing others of criminal activity is illegal and burdens the justice system by forcing staff to pursue needless investigations. The bogus complaint diverted federal investigators’ resources and caused unnecessary disruption for a vital healthcare organization in the community.

Parker pleaded guilty to one count of making false statements, which carries a maximum sentence of 5 years in prison. U.S. District Court Judge Lisa Godbey Wood sentenced Parker to 6 months in jail.

Chris Hacker, Special Agent in Charge of FBI Atlanta, said that many investigative hours and resources were spent establishing that Parker’s whistleblower claims were fraudulent and intended to harm another person. His elaborate scheme was uncovered by a perceptive FBI agent before he could cause further harm, and he will now serve time for his deliberate crime.

Parker is not eligible for parole and will serve the full term, after which he will be subject to 3 years of supervised release.