Category: Internet Security

The number of healthcare companies to report they have been impacted by the Accellion ransomware attack is increasing, with two of the most recent victims such as Trillium Community Health Plan and Arizona Complete Health.

At the end of December, unauthorized people exploited zero-day vulnerabilities in Accellion’s old File Transfer Appliance platform and stole information from its customers before downloading CLOP ransomware.

Trillium Community Health Plan recently informed 50,000 of its members that protected health information (PHI) like names, dates of birth, addresses, health insurance ID numbers, and diagnosis and treatment data was taken by the people that launched the attack and the information was published on the internet between January 7 and January 25, 2021.

Trillium mentioned it has currently halted using Accellion, has taken out all data files stored in its systems, and has taken steps to minimize the threat of future attacks, which include going over its data-sharing processes. Trillium is providing affected members complimentary credit monitoring and identity theft protection services for 12 months.

Arizona Complete Health has advised 27,390 of its plan members regarding the data breach and the types of information that were compromised. The health plan also discontinued utilizing Accellion and took out its files from its systems and provided its plan members credit monitoring and identity theft protection services for 12 months free.

Previously, the supermarket and pharmacy firm Kroger based in Ohio announced that it was impacted by the attack, and the PHI of 368,000 clients were exposed. The University of Colorado and Southern Illinois University School of Medicine likewise mentioned they were affected.

Lawsuits Filed Against Accellion and its Customers

Several lawsuits have currently been filed against Accellion and its customers because of the breach. Centene Corp. has filed a legal case against Accellion alleging it failed to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the PHI of a substantial number of its health plan members. Centene thinks it is going to suffer from considerable costs due to the breach and has made a request to the courts to order Accellion to abide by the stipulations of its BAA and pay for all breach-related costs. Cenene stated in the lawsuit that the attackers obtained 9 gigabytes of its data.

A federal lawsuit was also filed against Kroger because of the breach. The lawsuit, which seeks class-action status, claims that Kroger was negligent and had complete awareness of the potential security concerns with the legacy file transfer solution, but did not upgrade to a safer solution even after being advised by Accellion. Kroger gave its clients credit monitoring and identity theft protection services for 2 years; nevertheless, since names, addresses, birth dates, medical information, and Social Security numbers were compromised, 2 years is not regarded as enough to safeguard Kroger customers from identity theft and fraud.

Agency for Community Treatment Services, Inc. (ACTS) based in Tampa, FL is informing some patients about the potential comprimise of some of their protected health information (PHI) due to a cyberattack in October 21, 2020.

The security breach was discovered on October 23 upon deployment of the ransomware (|occurred}. The hackers acquired access to portions of the ACTS server and data networks and did file encryption to block access. Systems had to be taken offline to stop unauthorized access. To find out the scope of the breach, third-party computer forensic specialists investigated the matter .

Though it’s possible that there was unauthorized data access, the investigators did not find any proof to indicate the access or exfiltration of patient information. ACTS mentioned that this was because of the attackers making considerable efforts to hide their malicious activity. The attackers may consequently have accessed or gotten information saved on the breached systems.

The assessment of the compromised systems revealed that they held patient names, birth dates, Social Security numbers, and medical data that contain data such as diagnoses, treatment information, and health insurance data associated with the services obtained by patients from 2000 and 2013.

ACTS could bring back the encrypted data using backups and no ransom was paid. It took steps after the incident to reinforce security and avoid other attacks. Since patient information may have been exposed, ACTS is giving all affected people complimentary credit monitoring and identity theft protection services.

Conti Ransomware at Leon Medical Centers Attacked

Leon Medical Centers, a network of 8 medical centers in Miami and Hialeah in Florida, encountered a Conti ransomware attack. The attackers stole the protected health information of patients prior to the deployment of ransomware and issued a ransom demand with a threat to publish the stolen information of patients.

The attackers claimed the stolen data included names of patients, addresses, diagnoses, treatment data, medical insurance details, patient images and Social Security numbers. They assert to have obtained the PHI of over 1 million patients, though Leon Medical Centers debunked that statement and said the amount of stolen information was very overstated.

The attack happened before December 22, 2020 and Leon Medical Centers is still looking into the incident. At this time it is not clear precisely what data was stolen and how many patients were impacted.

Proliance Surgeons Announce Corporate Website Breach

The corporate website of Proliance Surgeons based in Seattle, WA suffered a breach resulting in the likely theft of payment card information. The surgical practice explained in a December 23, 2020 breach notice that attackers had accessed the website between November 13, 2019 to June 24, 2020. During that time frame, the attackers possibly accessed and gotten cardholder names, card numbers, zip codes, and expiry dates. No other PHI was compromised. The breach only affected individuals who paid for services on the internet, not persons who paid in person or over the phone.

The cause of the breach has been identified and addressed and a new website with a different payment platform has been implemented, which has superior security protections. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Individuals affected by the breach have been advised to check their statements carefully and to report any unauthorized charges to their card provider.

The HIPAA-compliant cloud service provider Atlantic.Net introduced two new projects on November 15, 2020. The goal of the projects is to assist small- to medium-sized businesses (SMBs) at this period of the Covid-19 pandemic.

Despite the difficulties during the pandemic, SMBs are attempting to employ more long term remote workers with minimal budgets, which has consequently put pressure on their IT and cloud services platforms. To help companies make it through the challenges, Atlantic.Net has introduced two new offerings. The first provides the business with new cloud VPS customers having two times the resources than what was provided in the past, for zero cost.

In the beginning, this new offering is available to all Atlantic.net cloud plans around the Orlando data center. There will be automatic upgrades to the features of the next price cloud plan. Atlantic.Net is considering to make this offer available in the seven worldwide data centers in the following couple of weeks.

The second offering will give new users an automatic upgrade of Atlanic.Net’s Free Server promotion. Instead of getting just 1 GB, users will get 2GB. The upgrade will be given for one year at no extra cost.

COVID 19 has put IT and cloud services systems under serious stress considering that remote work is growing bigger and more permanent. So as to help companies, Atlantic.Net is offering companies even more flexibility with their cloud solutions. Hopefully, not only the small to mid-size businesses of America can benefit from the offerings, but also the country’s healthcare providers that need audit-ready and HIPAA compliant cloud solutions for about half the cost.

Atlantic.net is a top provider of cloud services to countless numbers of developers and SMB clients in over 100 countries. Some of the valued clients of Atlantic.net include NASA, Hilton, Lenovo, and Newegg. Atlantic.Net is additionally a major provider of HIPAA-compliant cloud solutions to the healthcare sector in the United States, providing scalable cloud computing through the seven international data centers located in San Francisco, New York, Dallas, London, Orlando, Toronto, and Ashburn.

See the information on the most recent cloud offerings of Atlantic.Net including the pricing structure on this page

Comparitech security researcher Bob Diachenko has identified an open bunch of databases owned by the Voice over IP (VoIP) telecommunications supplier Broadvoice. The data of greater than 350 million consumers are kept in the databases.

The compromised Elasticsearch cluster was found on October 1, 2020, when the Shodan.io search engine indexed the database collection. There were 10 libraries of data discovered in the Elasticsearch cluster. The biggest cluster comprised of 275 million documents and had information like caller names, telephone numbers, and site of callers, in addition to other sensitive information. One database was discovered to include transcribed voicemail communications that involved an array of sensitive records like data about financial loans and prescribed medicines. Above 2 million voicemail recordings were contained in that subset of information, 200,000 of which had transcriptions.

The voicemails had information such as phone numbers, caller names, internal identifiers, voicemail box identifiers, and the transcripts contained personal details including complete names, dates of birth, telephone numbers, and other information. Voicemails kept at health clinics such as specifics of prescribed medications and medical operations. Details related to loan requests were likewise exposed, coupled with several insurance policy numbers.

Diachenko informed Broadvoice regarding the breached Elasticsearch cluster and the provider took quick action to stop any unauthorized access. Broadvoice CEO Jim Murphy stated that they knew on October 1 that a security expert got access to a subset of b-hive data files. The data files were located in an accidentally unprotected storage service on September 28 and were made secure again on October 2. Diachenko verified on October 4, 2020 that the Elasticsearch cluster is no longer exposed.

Right now, Broadvoice believes there was no misuse of information. A third-party forensics agency is analyzing the data and will present more data and new reports to clients and associates.

Broadvoice sent a breach report to authorities and is inspecting the breach. It is at this time unknown if any person besides Diachenko discovered and viewed the databases.

Though almost all of the databases included just some data, cybercriminals would consider it invaluable and utilize it to very easily target consumers of Broadvoice in phishing campaigns. The information in the database can be utilized to convince clients that they were talking to Broadvoice, and they can be misled into disclosing more sensitive information or sending fraudulent payments.

People whose data was written in the voicemail transcripts can be most vulnerable, as the extra data may be employed to set up convincing and effective phishing campaigns.

Comparitech researchers have in the past explained that persons are consistently checking for unsecured databases and that they are normally identified within hours of being disclosed. Their research revealed that initiatives were made to get access to their Elasticsearch honeypot within just 9 hours of the information being exposed. As soon as databases are spidered by search engines for example Shodan and BinaryEdge attacks take place in a few minutes.

Comparitech researchers browse the internet to determine exposed records and give breach reports to the owners of the databases. Their purpose is to have the information secured and all pertinent parties advised right away to limit the probable damage created.

The National Institute of Standards and Technology (NIST) just published the updated guidance about Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

Since 2013, NIST updated the guidance for the first time. It is a total redevelopment instead of just a minimal update. NIST mentioned that the new guidance is going to give a solid framework for securing companies and systems – which include the personal privacy of men and women – in the 21st century.

Years of effort had been put in the development of the updated guidance. It is the first detailed list of security and privacy settings that could be utilized to control risk for establishments of any industry and size, and all varieties of systems – including industrial control systems, supercomputers, and Internet of Things (IoT) devices.

This is the very first catalog to be published around the world that consists of privacy and security controls. The guidance can help safeguard companies from different threats and risks, such as cyberattacks, natural disasters, human error, privacy risks, infrastructure failures, and foreign intelligence agencies attacks. The controls specified in the guidance can help companies take a proactive and organized approach to secure very important systems, resources and services and will ascertain having the required toughness to secure the national and economic security interests of America.

The guidance is designed to assist government institutions and third-party contractors to satisfy the specifications of the Federal Information Security Management Act and it is going to be compulsory for government institutions to execute the new specifications included in the new guidance. The guidelines are not mandatory for private sector companies, however, NIST is encouraging the private sector to use the new recommendations to deal with privacy and security concerns.

The following lists a number of key updates to the new guidance:

• New, ‘state-of-the-practice’ controls to secure critical and top-grade assets. The updates were determined by the most recent information on threat intelligence and cyber-attack and are going to enhance cyber resiliency, develop a protected system design, security and privacy control and responsibility.
• Data security and privacy controls were incorporated into a seamless, blended control catalog for systems and companies.
• Controls are currently based on the outcome, with the entity in charge of carrying out the controls taken out from the document. The updated guidance centers on the security outcome from employing the controls.
• Requirements were incorporated for supply chain risk management with the advice given on the integration of those standards all through an organization.
• The guidance features next-generation privacy and security controls and includes how-to-use guidelines.
• Control selection procedures were segregated from the controls so that different communities of interest can find it easier to use the controls.
• Information of content relationships was enhanced, making clear the relationship between controls and requirements and the connection between privacy and security
  controls.
• NIST Fellow and co-author of the guidance Ron Ross explained that the controls give a practical and organized approach to making sure that critical systems, elements, and services are adequately dependable and have the required resilience to protect the national security and economic
  interests of America.

Zoom got to an arrangement with the New York Attorney General’s office and has determined to carry out better privacy and security controls for its teleconferencing system. New York Attorney General Letitia James started an investigation into Zoom after experts discovered several privacy and security concerns with Zoom early this year.

Zoom has become one of the most well-liked teleconferencing programs at the time of the COVID-19 crisis. In March, over 200 million people were taking part in Zoom conferences with usership increasing by 2,000% in the interval of only three months. As more persons use the platform more often, problems in the system began to appear.

Meeting participants began to report incidents of uninvited individuals joining and troubling private conferences. Many of these “Zoombombing” attacks made meeting participants racially mistreated and harassed based on religion and sexuality. There were additionally a number of documented instances of uninvited people joining meetings and showing pornographic pictures.

Then security experts began discovering privacy and security problems with the system. Zoom explained on its web page that Zoom meetings were safeguarded with end-to-end encryption, however, it was found that Zoom had utilized AES 128 bit encryption instead of AES 256 bit encryption, and so its end-to-end encryption promise was untrue. Zoom was additionally found to have issued encryption keys via data centers in China, even if meetings were happening between end people in the U.S.A.

Zoom utilized Facebook’s SDK for iOS to permit end-users of the iOS mobile application to sign in via Facebook, which suggested that Facebook was supplied with technical information associated with users’ devices whenever they launched the Zoom application. While Zoom did say in its privacy policy that third-party apps may gather details about users, information was found to have been transferred to Facebook even if users hadn’t utilized the Facebook login with Zoom. There were additionally privacy problems connected with the LinkedIn Sales Navigator function, which permitted meeting participants to see the LinkedIn information of other meeting attendees, even if they had taken measures to stay anonymous by using pseudonyms. The Company Directory function of the program was found to defy the privacy of certain users by leaking personal details to other users when they had a similar email domain.

Zoom reacted immediately to the privacy and security problems and fixed most in a couple of days of discovery. The company additionally announced that it was ceasing all improvement work to focus on privacy and security. Zoom likewise enacted a CISO Council and Advisory Board to target privacy and security and Zoom lately made an announcement that it has obtained the start-up company Keybase, which is going to help to apply end-to-end encryption for Zoom conferences.

As per the terms of the arrangement with the New York Attorney General’s office, Zoom agreed to employ an extensive information security program to make sure its users are secured. The program is going to be monitored by Zoom’s head of security. The firm has likewise agreed to do a complete security risk evaluation and code review and will resolve all identified security problems with the system. Privacy controls will additionally be implemented to safeguard free accounts, like those utilized by schools.

As per the terms of the settlement, Zoom should continue to evaluate privacy and security and use more protections to provide its users with better control of their privacy. Action should additionally be taken to control profane activity on the system.

Zoom and other teleconferencing platforms have increased in popularity during the COVID-19 crisis as businesses and consumers use it for communication whilst working from home. However, in the last few days, there were a number of issues identified in the Zoom security and there were questions regarding its suitability for medical use.

Researchers Uncovered Zoom Security Problems

A number of Zoom security issues and privacy concerns were identified in the last few days. Apparently, the macOS installer uses malware-like techniques to install the Zoom app without the users giving a final confirmation. This method could possibly be exploited and used for malware delivery.

Zoom’s macOS client version has two zero-day vulnerabilities identified, which could enable a local user to elevate privileges and acquire root privileges, without having an administrator password. He could then access the microphone and webcam to intercept and capture Zoom meetings.

Zoom’s feature that makes it simpler for business users to locate other people within the organization was furthermore leaking information such as the profile photos, email addresses, and statuses of users. The Company Directory function automatically adds individuals to a user’s list of contacts if they have the same email address domain. A number of users reported that strangers were added to their contact lists after signing up using their personal email addresses.

There were additionally a lot of reported incidents of Zoom-bombing. Uninvited persons were able to join meetings by guessing meeting IDs using brute force tactics. The FBI lately publicized an alert after a surge in hijacking attacks. People have reported hacking of Zoom meetings, abuses of meeting participants, and showing pornography using the screen share feature.

There are some news as well about the sharing of users’ background information with Facebook through the Facebook SDK. This is true even for users who have no Facebook accounts.

Zoom Doesn’t Offer End-to-End Encryption

The Intercept reported that Zoom’s implementation of end-to-end encryption doesn’t cover video meetings. According to Zoom’s spokesperson, it is not possible at this time to implement E2E encryption on Zoom video meetings. Zoom video meetings employ both TCP and UDP, but only UDP connections are encrypted.

The data encryption used is the same as the technique used to secure communications involving an HTTPS website and a web browser. With transport encryption, information that is moving from client to client is secured using encryption on communications between meeting participants. However Zoom’s audio and video content are not encrypted.

Zoom explained that although it is possible to access unencrypted users’ data, there are layers of protection set up to safeguard the privacy of users. First, any person including Zoom personnel cannot directly access any information revealed during meetings, which includes – but not restricted to – the audio, video and the chat content material of the meetings. Most importantly, Zoom does not mine individual data or peddle any user data to anyone.

Researchers at University of Toronto’s Citizen Lab research team discovered that the encryption and decryption keys of video conferences were sent to China. A scan indicates that China has five servers and the United States has 68 that evidently operate the identical Zoom server software program just like the Beijing server. We believe that keys were dispersed across these servers. A company mainly serving the North American customers that sometimes sell encryption secrets via the servers in China is possibly worrisome, presented contemplating that Zoom might be lawfully required to reveal these keys to people in Cina.”

Zoom announced in April 3, 2020 that its servers were already whitelisted for use in other areas as a possible backup bridge to make sure that its service is maintained, and that the servers were just utilized in very minimal instances. The problem has been fixed and Zoom announced that the vulnerabilities did not affect Zoom for Government.

The Swedish Data Protection Authority (DPA) charged Google a 75 million kroner ($7.8 million) GDPR fine over the failure to carry out the right-to-be-forgotten’ requests received from EU citizens to remove web pages from its search engine listings.

The right to be forgotten in the EU exists before GDPR. It was first covered in EU legislation in 2014 subsequent to a ruling by the European Court of Justice regarding the case, Google Spain SL, Google Inc versus Agencia Española de Protección de Datos, Mario Costeja González. The law mandates search engines to remove links to freely accessible webpages that are seen in search results created from a search of an individual’s name, in case that individual requests the removal of the listing and when particular conditions are satisfied.

GDPR strengthened the right to be forgotten. Upon receipt of a request from a citizen in EU who wants to exercise the right to be forgotten, provided the request does not clash with the right of freedom of expression and information, deletion of personal data must immediate where the data are no longer required for their original processing intent, or the data subject has taken his permission and there isn’t any other legal basis for processing.

Google has gotten innumerable requests from EU folks to remove content and had fulfilled roughly 45% of the requests.

The Swedish DPA performed an audit of Google in 2017 to evaluate how Google was dealing with requests to delist links indexed by its search engine and ordered Google to delist a number of webpages.

In 2018, the Swedish DPA reviewed the audit and found out that Google did not delist all the search results written in the order. The GDPR fine pertains to two listings that Google was directed to delist. In one case, Google’s understanding of the web pages that had to be removed was found to be too narrow. In the second case, Google did not remove the search result listing without undue delay.

The Swedish DPA additionally discovered that when Google delists web URLs, website owners receive notifications alerting them regarding the removal of the information from its listings and data is given regarding who made the request. These notices make sure that website owners know about the delisting, however, doing so simply allows the website owners to republish the delisted content using a different URL.

The Swedish DPA stated that this approach undercuts the usefulness of the right to be forgotten. Google does not have a legitimate basis for informing website owners any time removing search result listings, and in addition, gives people unreliable information regarding the use of the request form.

Google disagrees with the decision and plans to appeal regarding the financial penalty. The EU law requires the filing of the appeal within 3 weeks.

iland has reported that it has updated and improved its Secure Cloud Console using Veeam Cloud Connect to give more visibility and handle backups from multiple locations for big businesses and managed service providers (MSPs).

The revision gives big businesses and MSPs just one pane of glass view and enables universal cloud backups. Clients receive more granularity that enables them to take advantage of real-time information over several accounts and provides them more control over several tenants without additional work or permissions.

iland also simplified storage management with increased chances for self-service, enabling clients to reallocated assets and get more new tenants. The upgrade makes it possible for international MSPs and businesses to give backup-as-a-service in house and, by means of one interface, take care of several repositories and places.

The iland BAAS Insider Protection function is an air-gapped storage for information that gives security against internal and external hazards, which include ransomware attacks. Clients can already see the status of multiple-tenant environments by means of just one view and change Veeam Cloud Connect tenant names and passwords without difficulty from any place. The whole portfolio of Veeam cloud-based backup solutions is now being controlled from just one, specific console.

With these most recent updates, iland is making it simple for channel and IT business clients to provide backup services around the globe with a basic, quick-to-use typical interface,” stated iland senior vice president of business development. Dante Orsini.

The most recent improvements to iland Secure Cloud Backup using Veeam Cloud Connect have already been presented throughout all 10 data centers of iland. New clients could avail a complimentary 30-day trial which comes with 5TBs of information.

TechCrunch researchers discovered a security error in a website that is used for hosting LabCorp’s internal customer relationship management system. Although the system has password protection, the researchers identified an error in the back-end system where patient records are taken. The error permitted patient data access even without a password and the web URL was indexed by search engines.

Google had cached just one document that contains a patient’s health data. However, the researchers were able to see other patient records with health data just by modifying the document number in the web URL.

The researchers analyzed sample documents to find out what types of information were compromised. The documents primarily included data of patients who had undergone tests at the Integrated Oncology specialty testing unit of LabCorp. The documents contained the following personal data: names and birth dates, laboratory test results and diagnostic information, and Social Security numbers of some patients.

TechCrunch researchers made an effort to find out how many documents could be accessed on the website by using computer commands. They used commands that would return information regarding the files’ properties, instead of opening the files and accessing the patient data. The analysis showed that approximately 10,000 documents were potentially accessible.

TechCrunch alerted LabCorp concerning the challenge and the clinical laboratory network took the server offline while fixing the error. Google has not yet removed the cached link of the exposed document, but the page is not active anymore and patient data is not viewable.

This is LabCorp’s second serious security incident in the last 12 months. In March 2019, LabCorp patients’ records were compromised in the American Medical Collection Agency (AMCA) breach involving 26 million records. Initially, it was thought that 7.7 million LabCorp patients were affected. However, the breach report submitted to the HHS’ Office for Civil Rights indicated that about 10,251,7847 LabCorp patients were impacted.

The Department of Health and Human Services’ Office for Civil Rights (OCR) issued a $1.6 million civil monetary penalty (CMP) to Texas Health and Human Services Commission (TX HHSC) for a number of Health Insurance Portability and Accountability Act (HIPAA) Rules violations.

TX HHSC, as a state agency, runs supported living centers, manages nursing and childcare centers, gives substance abuse and mental health services and supervises many state projects for people requiring assistance, like people having intellectual and physical handicaps.

OCR started an investigation after the Department of Aging and Disability Services (DADS) submitted a breach report. DADS is a state agency that became TX HHSC in September 2017. According to the June 11, 2015 DADS report to OCR, a security incident resulted in the online exposure of 6,617 people’s electronic protected health information (ePHI). The data exposed included names, diagnoses, treatment details, addresses, Social Security numbers and Medicaid numbers.

The cause of data exposure was the migration from a private to a public server of an internal CLASS/DBMD software. A defect in the software application permitted ePHI access online without any validation. A Google search can lead to finding and accessing private and highly sensitive data.

TX HHSC could not present documentation to show compliance with three crucial HIPAA Rules provisions. Hence, OCR declared that the TX HHSC violated the following four HIPAA rules.

• 45 C.F.R. § 164.308(a)(1 )(ii)(A) – Inability to perform a detailed organization-wide risk analysis to determine all risks to PHI integrity, confidentiality and availability
• 45 C.F.R. § 164.502(a) – The previously mentioned failures caused an impermissible disclosure of 6,617 persons’ ePHI.
• 45 C.F.R. § 164.312(a)(1) – Inability to use access controls. No credential is required to access ePHI included in its CLASS/DBMD
• 45 C.F.R. § 164.312(b) – Inability to use audit controls that logged user access on the public server, which kept TX HHSC from identifying the person that accessed ePHI within the application at the time of exposure.

HIPAA determines financial penalties according to the level of culpability. OCR established that TX HHSC’s violations was not considered willful neglect and involved reasonable cause, which is the second penalty tier. For every one of the HIPAA violations mentioned above, the minimum penalty is $1,000 to a maximum financial penalty of $100,000 annually. TX HHSC’s risk analysis problems, access controls issues, and audit control failures covered the years 2013 to 2017, therefore the total penalty of $1.6 million.

Covered entities should know who could access PHI under their care at all times. There should be no worries that somebody could discover the private health data by means of a Google search.”

The first HIPAA penalty report was in March 2019 during which it seemed that TX HHSC and OCR reached a settlement concerning the HIPAA violations. The 86th Legislature of the State of Texas had decided to accept the settlement; nonetheless, it would seem that the suggested settlement was declined. OCR gave a Notice of Proposed Determination on July 29, 2019.

TX HHSC didn’t debate the findings of OCR’s Notice of Proposed Determination and chose to give up their right to a hearing. OCR obtained the CMP from TX HHSC on October 25, 2019.

This is the number two HIPAA penalty OCR announced this week. A couple of days ago, OCR declared getting a $3 million settlement with the University of Rochester Medical Center to solve HIPAA violations associated with the missing unencrypted devices filled with ePHI.

There are 7 HIPAA penalties issued in 2019 totaling $9,949,000 with the TX HHSC CMP as the seventh.