Spokane Regional Health District and Catholic Health Announce Data Breaches

Spokane Regional Health District (SRHD) located in Washington encountered once again a phishing attack. This is the second time this year, the health district has reported the potential compromise of patient data after a staff responded to a phishing email.

SRHD announced on March 24, 2022 that its IT unit identified a compromised email account. The investigation just confirmed that a staff replied to a phishing email on February 24, 2022, and subsequently shared credentials that enabled the account to be accessed. Last week, SRHD stated that the email account stored the protected health information (PHI) of 1,260 people. An unauthorized individual may have ‘previewed’ that data, although there was no evidence obtained that suggests the access or download of information.

Content in the account were names, birth dates, service dates, source of referral, healthcare provider name, diagnosing status, whether the patient was located, date placed, patient risk level, staging level, how medicines were obtained, test type, test result, treatment details, medication data, delivery dates and any remedies offered to the baby, diagnostic data, medical details, and client notes.

An SRHD spokesperson stated corrective measures were taken to mitigate the current incident and avoid further phishing attacks, such as reinforcing worker cybersecurity training, employing multifactor authentication, and carrying out testing on its systems.

Similar to the other parts of the state of Washington, SRHD has encountered a record-level surge in phishing emails as well as malware installation attempts. In this incident, staff members fell victim to a phishing scam that exposed confidential data to data thieves. SRHD Deputy Administrative Officer Lola Phillips expressed their strong dedication to protecting personal data and minimizing the possibility of future attacks.

On January 24, 2022, SRHD reported the compromise of an employee email account on December 21, 2021. The email account comprised the sensitive information of 1,058 persons, which include names, dates of birth, counselor names, case numbers, test findings and dates of urinalysis, medicines, and date of the last dose.

Subsequent to that attack, SRHD mentioned it will be enhancing worker cybersecurity training, using multifactor authentication, and doing tests on its systems.

Catholic Health Informs Patients Regarding Data Theft at a Business Associate

Catholic Health has lately begun informing roughly 1,300 patients concerning the exposure of some of their PHI in a cyberattack encountered by Ciox Health, its business associate.

Ciox Health based in Buffalo, NY offers health data management services to hospitals and insurance companies. From June 24, 2021 to July 2, 2021, emails and file attachments in the email account of a Ciox Health worker had been downloaded by an unauthorized person.

The breach was noticed last year and Ciox Health learned in September 2021 that the email account comprised patient data associated with billing queries and customer support requests. An assessment of the data within the account was done at the beginning of November and impacted healthcare providers and insurance companies were informed from November 23 to December 30, 2021.

Catholic Health stated the breached data included names of patients, healthcare provider names, birth dates, dates of service, medical insurance details, and/or medical record numbers. Although Ciox’s investigation didn’t uncover any cases of fraud or identity theft because of this incident, as a safety precaution, Ciox is informing impacted Catholic Health patients.

HIMSS Cybersecurity Survey Reveals the Human Factor is the Biggest Vulnerability in Healthcare

HIMSS has released the results of its 2021 Healthcare Cybersecurity Survey which revealed that 67% of respondents have had at least one significant security event in the past 12 months, with the biggest security breaches the consequence of phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was performed on 167 healthcare cybersecurity specialists, who had at least some accountability for daily cybersecurity operations or oversight.

The surveyed IT experts were questioned concerning the major security breaches they had encountered in the last 12 months, and in 45% of instances it was a phishing attack, and 57% of survey participants stated the most significant breach involved phishing. Phishing attacks are most frequently carried out through email. 71% of the most significant security incidents are email-based phishing attacks; nonetheless, 27% mentioned there was a significant voice phishing incident (vishing), 21% stated they had many SMS phishing incidents (smishing), and 16% mentioned there were many social media phishing incidents.

Phishing was the most frequent preliminary point of compromise, accounting for 71% of the most critical security breaches. Next are social engineering attacks at 15%. Human error is often the reason for critical data breaches, making up 19% of the major security breaches, with 15% due to the extended use of legacy software for which support is not provided anymore. The survey additionally showed fundamental security controls were not completely implemented at many companies.

Ransomware attacks continue to trouble the medical care sector, and the attacks frequently result in major disruption and have huge mitigation costs. 17% of respondents reported the most critical security incident they experienced was a ransomware attack. 7% of survey participants stated negligent insider activity brought about the greatest security incident, although HIMSS remarks that healthcare firms frequently do not have strong defenses against insider breaches, thus it is likely that these kinds of breaches were underreported.

Considering the extent to which phishing results in account exposures or serious cyberattacks, it is essential for healthcare companies to employ effective email security measures to stop phishing emails and to additionally invest in security awareness training for the employees. Not just one security solution can prohibit all phishing attacks, therefore it is essential for the labor force to get training on how to recognize phishing and social engineering attacks. Training employees in security best practices can help to minimize human error which often causes data breaches.

The prolonged use of legacy systems once it’s the end-of-life can be a problem in healthcare, however, plans must be made to upgrade obsolete programs, and if that is not possible, mitigations ought to be used to make exploitation of vulnerabilities more difficult, for instance isolating legacy systems and not exposing them to the web.

44% of survey respondents stated their biggest breach had no negligible impact; nevertheless, 32% mentioned security breaches resulted in disruption to systems that impacted business functions, 26% said security breaches interrupted IT systems, and 22% reported security breaches led to data breaches or data leakage. 21% stated the security breaches had affected clinical care, and 17% mentioned the most critical security incident ended in financial loss.

In spite of the risk of cyberattacks, funds for cybersecurity budgets stay slim. 40% of surveyed IT specialists stated 6% or less of their IT budget was spent on cybersecurity, which is the same percent as the last four years even if the risk of attacks has grown. 40% of survey participants mentioned they either had funding that has not changed since last year or had diminished, and 35% stated their cybersecurity funding is not expected to change.

The HIMSS survey questioned respondents to learn about the biggest security problems, which for 47% of participants was inadequate budget. Staff compliance with policies and procedures was a big obstacle for 43% of respondents, the continuing use of legacy software programs was a problem for 39% of participants, and 34% stated they had trouble with patch and vulnerability management.

Workers making errors, identity and access management, device management, building a cybersecurity culture, data leaks, and shadow IT were likewise considered as big security issues.

The discoveries of the 2021 HIMSS Healthcare Cybersecurity Survey show that healthcare providers still have substantial difficulties to overcome. These obstacles to progress include limited security budgets, growing legacy footprints, and the increasing volume of cyber-attacks and compromises. Furthermore, standard security controls were not fully enforced at numerous organizations. Maybe the major vulnerability is the human factor. Healthcare companies ought to do more to support healthcare cybersecurity experts and their cybersecurity programs.

Newest Phishing Kits Used for Multi-Factor Authentication Bypass

Phishing attacks enable threat actors to acquire credentials, however, with multi-factor authentication (MFA), it is more difficult for phishing attacks to be successful. With MFA turned on, besides a username and password, one more method of authentication is required before granting account access. Microsoft has formerly stated multi-factor authentication hinders 99.9% of automated account compromise attacks. Nonetheless, MFA does not guarantee protection. A new kind of phishing kit is being used more and more to circumvent MFA.

Proofpoint Researchers revealed in a new blog article that phishing kits are currently being utilized that use a transparent reverse proxy (TRP), which facilitates browser man-in-the-middle (MitM) attacks. The phishing kits permit the attackers to expose browser sessions and steal credentials and session cookies in real-time, permitting full account control without giving a warning to the victim.

There are several phishing kits that can typically be purchased cheaply that enable the bypass of MFA; some are basic with no-extra functionality, while others are more advanced and include a few layers of obfuscation and include modules for doing a variety of functions, such as the theft of sensitive data such as passwords, credit card numbers, Social Security numbers, and MFA tokens.

With common phishing attacks, the attackers make a bogus login page to deceive visitors into sharing their credentials. Quite often the phishing page is a carbon copy of the website it impersonates, with the web address as the only indicator that the phishing page is not real. One MitM phishing kit discovered by the Proofpoint staff doesn’t utilize these bogus pages, instead, it utilizes TRP to present the legit landing page to the visitor. This strategy makes it difficult for victims to identify the phishing scam. As soon as a user visits the page and a request is transmitted to that service, Microsoft 365 for instance, the attackers record the username and password even before they are sent and snatch the session cookies that are transmitted in response in real-time.

The researchers pertain to the Stony Brook University and Palo Alto Networks’ review of MitM phishing kits, which found more than 1,200 phishing websites employing MitM phishing kits. Worryingly, these phishing web pages are frequently not discovered and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not listed on common blocklists, for example, those managed by VirusTotal. Additionally, although regular phishing pages usually only have a lifespan of about 24 hours prior to being blacklisted, MitM phishing pages last a lot longer. 15% of those found lasted for longer than 20 days before being added to blocklists.

The usage of these phishing kits is growing, though fairly slowly. Proofpoint experts think that threat actors adopt MitM phishing kits a lot more widely in response to the greater use of MFA. MitM phishing kits are simple to set up, free to use, and have been confirmed effective at averting detection. The industry must be ready to handle blind spots like these before they can change in new unexpected directions.

PHI of 138,000 People Exposed Because of 3 Email Security Incidents

Hackers have acquired access to email accounts that contain protected health information (PHI) at Volunteers of America Southwest California, Injured Workers Pharmacy, and iRise Florida Spine and Joint Institute.

Injured Workers Pharmacy

Injured Workers Pharmacy based in Andover, MA has recently reported a data breach to the Maine Attorney General. The incident was discovered on or about May 11, 2021, upon seeing suspicious activity in an employee’s email account. The pharmacy immediately secured the email account and engaged third-party computer forensics professionals to investigate the attack. The investigation confirmed the compromise of 7 email accounts from January 16, 2021 to May 12, 2021.

Third-party data review experts were engaged to look at the emails and file attachments in the exposed accounts, which affirmed they included the PHI of 75,771 people like names, addresses, and Social Security numbers. Following the review, Injured Workers Pharmacy confirmed the results, and that process was finished on or approximately December 14, 2021. The pharmacy began sending notification letters to affected individuals on February 3, 2022.

Injured Workers Pharmacy mentioned it has augmented its email security measures and is giving some impacted persons complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has found out a worker email account that contains the protected health information of 61,595 patients was accessed by an unauthorized individual. The forensic investigation revealed the hacker got access to the email account between February 24, 2021 and February 26, 2021.

A thorough assessment of email messages and attachments was performed, and the procedure was accomplished on November 22, 2021. iRise stated the following types of information were potentially viewed or obtained at the time of the attack: Names, dates of birth, diagnoses, clinical treatment data, physician and/or hospital name, dates of service, and health insurance details. The Social Security numbers, driver’s license numbers, financial account details, credit card numbers, and/or usernames and passwords of a few persons were likewise exposed.

Affected people were informed and a one-year membership to a credit monitoring service was offered for free to persons whose Social Security numbers were exposed. iRise has examined its email security procedures and has carried out extra technical safeguards, which include multifactor authentication. The workforce is also provided extra training on email security.

Volunteers of America Southwest California

The social service organization based in San Diego, CA Volunteers of America Southwest California, lately announced it encountered a phishing attack. A worker got an email that is like a voicemail message, that has a hyperlink to a web page that required the input of login information in order to listen to the message. The access credentials were captured and utilized to view the staff’s email account.

The attackers viewed the email account on or about November 16, 2021, and the attack was discovered and secured on November 16. An evaluation of the email account showed it comprised the first and last names of clients in most of the cases, with a number of the records at the same time including the COVID-19 vaccination status of individuals.

The breach appears to have been fully remediated and third-party specialists were employed to verify the containment steps. Email security was enhanced because of the breach.

The organization submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,300 people were affected.

More than 30 Healthcare Providers Affected by CIOX Health Data Breach

The health information management services provider CIOX Health experienced a data breach that has affected no less than 32 healthcare providers. In July 2021, CIOX Health found out an unauthorized individual had acquired access to the email of a worker in the customer service team. The email account was promptly secured, with the following investigation affirming the email account was first accessed by an unauthorized person on June 24, 2021, with continuing access until the security breach was identified on July 2, 2021.

Based on the breach investigation by CIOX Health, it was confirmed that the incident was limited to just one staff email account. An audit of the data of the email account on September 24, 2021 revealed that it contained emails and file attachments that held the protected health information (PHI) of some of its healthcare provider clients for example names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers, health insurance data, and/or treatment details of a very limited number of people.

The worker in question worked in customer support and, therefore, assisted healthcare company clients throughout the country with billing problems and assisted with other customer service needs, therefore a substantial number of impacted clients. The staff did not, nevertheless, have access to the medical record systems of any of its healthcare provider clients.

CIOX Health stated that when the account was accessible it is likely that emails that contain protected health information were viewed or copied, however, there is no direct evidence of attempted or actual misuse of patient data found. CIOX Health is convinced that the email account was compromised to send out phishing email messages from the company domain to persons not related to CIOX Health.

CIOX Health is advising all people affected by the breach to take a look at their statements and explanation of benefits statements from their healthcare companies and insurance companies for any indication of unauthorized use of their information.

As a result of the breach, CIOX Health will implement stronger email security measures and will provide the workers with additional security awareness training.

On December 30, 2021, CIOX health started sending notifications to impacted healthcare company clients regarding the breach. Healthcare providers found to have been affected by the CIOX Health email account breach are the following:

Alabama Orthopaedic Specialists
AdventHealth in Orlando
Baptist Memorial Health Care
Butler Health Systems
Centra Health
Cameron Memorial Community Hospital
Children’s Healthcare of Atlanta
Copley Hospital
Coastal Family Health Center
DeSoto Memorial Hospital Health System
Hospital Sisters Health System
Hoag Health System
Huntsville Hospital Health System
Indiana University Health
MD Partners
McLeod Health System
Niagara Falls Memorial Medical Center Health System
Northwestern Medicine
Northern Light Mercy Hospital
Ohio State University Health System
Prisma Health – Palmetto Health
Prisma Health – Greenville Health System
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Mount Carmel Health System
Trinity Health – Holy Cross Hospital
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Joseph Mercy Health System
Trinity Health – St. Francis Medical Center
Union Hospital Healthcare System
Women’s Health Specialist

CIOX Health reported the security breach to the HHS’ Office for Civil Rights indicating that 12,493 individuals were impacted.

UH College of Optometry and Valley Mountain Regional Center Report Data Breaches

The University of Houston College of Optometry has found out that an unauthorized person not from the United States acquired access to an affiliated eye clinic’s networks and stole data included in the database of the clinic.

The Community Eye Clinic based in Fort Worth, TX, is managed by UH College of Optometry. The security team discovered the attack on September 13, 2021, a day after the breach happened. The IT security team promptly took action to protect the system, implemented additional defensive safety measures to better secure patient information, and enhanced its monitoring and notifications. The security team also reviewed the clinic’s IT guidelines and procedures to make sure that industry-standard protocols are implemented.

The attacker obtained files associated with patients who got services at the Community Eye Clinic from May 22, 2013, to September 13, 2021. The information in the database included names, birth dates, contact details, government ID numbers, medical insurance data, Social Security numbers, passport numbers, driver’s license numbers, diagnosis, and treatment details. There was no financial data kept in the database and the attack did not affect the University of Houston or College of Optometry network systems.

The 18,500 impacted persons were instructed to keep track of their explanation of benefits statements and account for hints of fraudulent transaction, to review their credit reports, and to put a security fraud notifier on their credit reports.

17,197 Patients Affected by Valley Mountain Regional Center Phishing Attack

Valley Mountain Regional Center (VMRC) based in Stockton, CA has begun informing 17,197 patients that unauthorized individuals accessed some of their protected health information (PHI) located in breached email accounts.

VMRC found phishing emails in its inboxes on September 15, 2021, and removed all the messages from its email accounts; nevertheless, the following investigation of the phishing attack showed that 14 workers had clicked the hyperlinks and shared credentials that permitted access to their email accounts.

A thorough analysis of the contents of the impacted inboxes affirmed they included names, addresses, birth dates, state-given client identifier numbers, phone numbers, individual e-mail addresses, diagnoses, prescription drugs, dates of service, and other unique identifiers.

VMRC stated no proof was found that suggests the attacker accessed, obtained, or misused any data in the email accounts; nevertheless, impacted individuals were instructed to keep track of their accounts and credit reports for strange transactions.

Data Breaches Suffered by PracticeMax and UMass Memorial Health

Anthem health plan members who have End-Stage Kidney Disease and are signed up in the VillageHealth program were notified about the potential compromise of some of their protected health information (PHI) during a ransomware attack.

VillageHealth assists Anthem plan members through coordinating care between the dialysis center, nephrologists, and healthcare providers and shares the results with Anthem through its vendor, PracticeMax.

PracticeMax provides business management and information technology solutions to healthcare companies. It identified the attack on May 1, 2021. According to the investigation, the attackers obtained access to its systems on April 17, 2021, and had continuing access possibly until May 5, 2021. PracticeMax mentioned it obtain back the access to its IT systems on the following day.

A forensic analysis of the attack affirmed that it affected one server that held protected health information (PHI) and the attackers may have accessed and acquired them.

The investigation into the incident finished on August 19, 2021, and established the exposure of the following types of data: First and last name, address, date of birth, phone number, Anthem member ID number, and clinical information associated with kidney care services obtained. There were no compromised financial details or Social Security numbers.

PracticeMax states it has performed an evaluation of its policies and protocols and has applied extra safeguards to prevent future attacks, which include rebuilding systems, utilizing more endpoint security solutions, and improving its firewalls. Affected individuals were provided complimentary credit monitoring services for 24 months.

UMass Memorial Health Notifies Patients With Regards to Phishing Attack

UMass Memorial Health has found out that unauthorized persons obtained access to some employees’ email accounts due to responding to phishing emails. The phishing attack was identified on August 25, 2021 upon noticing suspicious activity in its email environment.

UMass blocked authorized access to the email accounts right away and launched a forensic investigation, with support given by a third-party computer forensics company. The investigation affirmed the breach of the email accounts from June 24, 2020 until January 7, 2021, and in the course of that time, the unauthorized individuals got access to PHI stored in the email accounts.

Although no proof was found that pointed out the attackers had viewed or acquired the emails, the chances could not be ruled out. An evaluation of the PHI within the accounts was done on August 25, 2021. The compromised information includes names, financial account information, driver’s license numbers, and Social Security numbers. UMass Memorial Health stated free credit monitoring and identity theft protection services were given to impacted people. UMass Memorial stated it is improving email security and will be re-educating the employees on email guidelines.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

How Password Managers Protect MSPs

A quickly growing business is the offering of password managers for MSPs. This is because cybercriminals are targeting more Managed Service Providers. A recent “State of the Channel” survey revealed that 95% of MSP respondents state that their businesses were being attacked instead of the clients they provide with managed services.

It’s obvious why cybercriminals are attacking MSPs. When a “supply-chain ransomware attack” on an MSP succeeds, it could keep an MSP from providing its clients with its services; and even if only the MSPs’ systems are encrypted, clients can’t run their businesses because of the type of services delivered by the MSP.

Cybercriminals are also attacking SMB clients, but not as much as MSPs. The Datto “State of the Channel” survey reported that 78% of the respondents stated SMB clients had been attacked in the last two years with spyware, adware, and viruses causing as much trouble as ransomware. Even more troubling were the methods used by the cybercriminals to access systems and deploy malware:

  • Reported attacks by 54% of respondents were due to a phishing email
  • Reported attacks by 27% of respondents were due to poor user practices.
  • Reported attacks by 26% of respondents were because of a deficiency of cybersecurity training
  • Reported attacks by 24% of respondents were due to weak passwords and also bad credential management.

Other respondents stated that attacks succeeded because of lost and stolen user credentials, a deficiency of financing for IT security, and insufficiency of executive buy-in for using security tools. All of these causes are preventable or could be mitigated by employing a password manager for MSPs.

How Can Password Managers Protect MSPs

One lacking statistic from Datto´s State of the Channel report is the number of cyberattacks due to MSP susceptibility versus the number of cyberattacks due to client susceptibility. Although it could be presumed that clients are less difficult targets because of a lack of security competence, it is obvious the report says over fifty percent [of MSPs] currently use multi-factor authentication and password management tools.

Using the word “now” implies that less than fifty percent of MSPs were using password management tools in the past. Once again, there is no differentiation between the exclusive use of password managers within the MSP companies and the provision by MSPs of password-management-as-a-service to clients.

The creation, saving, and sharing of login credentials between teams can impact a business´s online protection. According to research, a lot of employees utilize weak passwords simply because they are easier to remember, re-use passwords in several accounts to save needing to recall several passwords, save login credentials in unprotected files, and share security passwords through unsecured avenues of communication like email, chat services, and SMS.

When companies use a password manager, they could likewise implement password policies necessitating the usage of tough, unique passwords for every account. The majority of commercial password managers feature cross-browser, cross-platform synchronization, use with directory services, and protected encrypted credential sharing, so employees have a secure means to swap passwords, credit card information, and other sensitive data.

Password managers for MSPs may be utilized to secure business credentials and clients’ credentials. Passwords are kept in a protected user vault and, whenever a user visits a site that vault has a saved password, the sign-in credentials are auto-filled. Therefore, when a user unintentionally clicks on a phishing email and lands on a phony phishing site, the sign-in credentials won’t auto-fill – notifying the user of a likely threat.

With password guidelines requiring good password tactics, teaching users on good password care, and getting rid of the possibility for weak passwords, the major methods used by cybercriminals to access MSP systems are removed. Regarding the insufficiency of funds for IT security or executive buy-in, password managers for MSPs are affordable in comparison to the price of recovering from a cyberattack and – if given to clients as “password-management-as-a-service,” password managers for MSPs could get more revenue than the cost.

Phishing Attacks at Star Refining & Express MRI

Express MRI, a medical imaging center based in Peachtree Corners, GA, has begun informing patients regarding the exposure of some of their protected health information (PHI) due to a historic data breach. Express MRI found out on July 10, 2020 that an unauthorized person had acquired access to one email account and utilized it to send unauthorized email messages. The occurrence was explored back then, however, it was confirmed that no patient data was accessed.

On June 10, 2021, another evaluation of the security breach was done, and although no particular evidence was found that suggested unauthorized data access or theft, Express MRI deduced that it wasn’t really feasible to completely rule out data access or exfiltration by unauthorized individuals, for that reason Express MRI issued breach notification letters.

An analysis of the breached account confirmed the potential access or exfiltration of the following data: names, email addresses, addresses, birth dates, patient ages, referring doctor names, part of the body scanned, and if the scan was associated to a workers’ payment claim or investigation of a motor vehicle accident. There is no other patient information present in the breached email accounts.

Express MRI stated it took the essential and prompt steps to deal with the incident, which include putting together a team of very competent experts to strengthen the security of its data systems and carry out more safety measures to avoid other breaches.

Star Refining Phishing Attack Impacts 1,910 People

Adelda Health, Inc. also known as Star Refining, has found out that unauthorized persons obtained access to several employees’ email accounts after responding to phishing emails. The personal data of 1,910 people may have been accessed or exfiltrated.

The dental refining company in West Palm Beach, FL discovered the breach on April 29, 2021. A third-party computer forensics company is helping to make sure the incident was completely remediated and to find out the nature and extent of the breach.

An analysis of the breached email accounts showed they contained sensitive information like first and last names, postal addresses, Social Security numbers, driver’s license numbers, and credit card/financial details; nevertheless, there is no evidence that suggested the emails with that data were seen or obtained during the breach of the accounts. The first account access happened on April 12, 2021.

Notifications began to be delivered to impacted persons on July 22, 2021. Free Identity Works credit monitoring and identity theft protection services via Experian were given to impacted persons.

Over 447K Patients Impacted by Orlando Family Physicians Phishing Attack

An unauthorized person accessed the email accounts of Orlando Family Physicians in Florida that contain the protected health information (PHI) of 447,426 patients.

Orlando Family Physicians stated that the compromise of the first email account happened on April 15, 2021 because an employee responded to a phishing email and exposed their account login information. The provider immediately took action to stop unauthorized access and started an investigation to find out the nature and scope of the breach.

With the help of a top-rated cybersecurity forensics company, Orlando Family Physicians confirmed that three more employee email accounts were accessed by unauthorized person. External access to the four compromised email accounts had been blocked in 24 hours after the first unauthored account access.

On May 21, 2021, Orlando Family Physicians confirmed that the unauthorized person possibly accessed email messages in the email account that included patients’ PHI. A review of the email messages and attachments was done, and on July 9, 2021, Orlando Family Physicians had identified all impacted persons.

The email accounts included the personal data and PHI of present patients, prospective patients, workers, and other people. The types of data in the accounts differed from person to person and included at least one of these data elements: Names, demographic information, diagnoses, names of providers, prescription medications, medical record numbers, patient account numbers, medical insurance data (Medicare beneficiary number or another subscriber ID number), and passport numbers.

The phishing attack seems to have been executed with the goal of undertaking financial fraud towards the practice rather than acquiring patient records. Nonetheless, because unauthorized data access and exfiltration cannot be excluded, impacted persons have been instructed to exercise extreme care and carefully monitor their explanation of benefits statements and financial accounts for indications of fraudulent transactions.

Orlando Family Physicians has improved its technical security procedures after the breach and additional training on email security is being given to its employees.

More than 200,000 People Potentially Impacted by ClearBalance Phishing Attack

ClearBalance in San Diego, CA, a loan provider that allows patients to distribute the cost of their hospital expenditures, was affected by a phishing attack last March 8, 2021 and workers were fooled into exposing their sign-in credentials.

ClearBalance discovered the email system breach on April 26, 2021 the moment the hacker tried to make a bogus wire transfer. Action was quickly taken to protect the email system and stop more unauthorized access, and the attempt to make a wire transfer did not succeed. No money was moved to the hacker’s account.

A third-party computer forensic team was involved to look into the breach and to figure out if the attacker viewed or acquired any sensitive information. The investigator affirmed that the breach only affected the email system and did not affect any other system and that the unauthorized person was blocked from accessing the email accounts on the day of discovering the breach.

The attacker did not obtain access to the database that holds the health care record systems of any healthcare company; nevertheless, a number of sensitive information was found in email messages and file attachments which were possibly accessed. An analysis of the email accounts’ contents showed they included these data elements:

Names, tax IDs, birth dates, Social Security numbers, government-issued ID numbers, phone numbers, balance amounts, healthcare account numbers, dates of service, ClearBalance loan numbers and balances, private banking details, clinical data, medical insurance data, and full-face photographic pics. Most people didn’t have PHI particularly affected.

Security measures were strengthened to better secure the email system and personal information, all user security passwords were altered, stronger access settings are put in place on the system, and procedures for submitting suspicious activity reports were kept up to date.

The objective of the attack seems to be to make bogus wire transfers instead of getting sensitive information; nevertheless, as a safety measure against identity theft and fraud, ClearBalance provided impacted people with free identity theft protection services, 2 years of credit monitoring services, and payment insurance coverage plus an identity theft insurance reimbursement guide.

The breach was submitted to the HHS’ Office for Civil Rights as impacting 209,719 people.

Phishing Attack on Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System based in Boise, ID experienced a phishing attack that resulted in the potential exposure of patient information. The attack also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus discovered strange activity in the email account of one worker on January 6, 2021. The provider quickly secured the account and conducted an investigation to find out the source and nature of the phishing activity. Saint Alphonsus learned that an unauthorized individual accessed the email account on January 4, 2021, and had access to the account and data held therein for 2 days. The attacker used the email account to send phishing emails to other contact people in an attempt to steal usernames and passwords.

The employee whose credentials were compromised assisted with a number of business functions that required access to protected health information (PHI), including sending billing for the West Region of Trinity Health, and Fresno.

An analysis of all email messages and file attachments revealed the account comprised the PHI of selected patients. The PHI in the account varied from one patient to another and contained full names along with one or more of these data elements: telephone, date of birth, address, email, medical record number, treatment data, and/or billing details. The account additionally included some Social Security numbers and credit card numbers.

Although the provider confirmed the unauthorized account access, it was not possible to ascertain which emails, if any, the attacker accessed. While distributing notifications, no evidence was found that indicates the misuse of any patient information. Saint Alphonsus offered credit monitoring services to affected persons and gave workers further training about email and cybersecurity to avoid the same breaches in the future.

When notifying patients regarding the breach, an error with the mail merge happened. Some patients have received a letter informing them regarding an email security issue and regrettably, the letters generated had an incorrect status for a number of patients, addressing them as deceased or a minor because of the mail merge issue.

It isn’t presently known how many patients were impacted by the breach. Updates will be provided when there’s more information available.

Southeastern Minnesota Center for Independent Living Phishing Attack Impacts 4,122 Individuals Affected

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has found out an unauthorized person who obtained access to the email account of an employee containing the PHI of 4,122 people.

An investigation into the security incident showed the account was exposed on August 6, 2020 and the hacker got access to the account until September 1, 2020. The investigation affirmed on December 22, 2020 the compromise of PHI, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and certain medical treatment details. SEMCIL started sending breach notification letters to affected persons on February 19, 2021.

The investigation did not get any proof that suggests the access or exfiltration of any protected health information. There is likewise no report received that indicates the improper use of any PHI. As a safety measure against identity theft and fraud, those who had their Social Security number or driver’s license number exposed received free offers of identity theft protection services.

PHI Exposed Due to Breaches at Elara Caring, ProPath and Cornerstone Care

Elara Caring, one of America’s largest home-based healthcare services providers, has experienced a phishing attack that impacted over 100,000 patients.

In mid-December, the provider identified suspicious activity in a number of email accounts of employees. It took prompt action to keep the accounts safe and prevent the attackers from accessing the accounts. A third-party security firm helped in investigating the breach.

The investigation affirmed that an unauthorized individual accessed several employee email accounts, though no proof was identified that suggests the attackers viewed or obtained any patient information in the email accounts. It wasn’t possible to eliminate data theft.

An analysis of the exposed email accounts revealed they held the PHI of 100,487 patients, such as names, dates of birth, Employer ID numbers, driver’s license numbers, Social Security numbers, financial/bank account details, passport numbers, addresses, email addresses and passwords, insurance data and insurance account numbers. Elara Caring offered the individuals affected by the attack complimentary credit monitoring and identity protection services.

The provider also took steps to enhance data security and has given more training on cybersecurity to its employees.

ProPath Email Accounts Breached by an Unauthorized Individual

ProPath, the United States’ biggest, countrywide, fully physician-owned pathology practice, has identified an unauthorized person who got access to two email accounts with patient records.

The unauthorized individual accessed the email accounts between May 4, 2020 and September 14, 2020. ProPath found out on January 28, 2021 that protected health information in the email accounts included the names of patients, birth dates, test orders, diagnosis and/or clinical treatment info, medical procedure details, and physician name. The Social Security number, financial account information, driver’s license number, health insurance data, and/or passport number of a limited number of people were also affected.

Persons whose Social Security number was breached were provided credit monitoring services for free. Workers have acquired additional training to aid them to identify malicious email messages and further technical security measures have now been implemented.

It is not yet confirmed exactly how many persons the incident impacted. ProPath stated most people who obtained testing from the company were not affected by the incident.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An unauthorized person accessed an email account that contains the PHI of 11,487 patients receiving services from Cornerstone Care community health centers located in Southwestern Pennsylvania and Northern West Virginia.

The provider detected the email account breach on June 1, 2020 and engaged third-party security specialists to assist investigate the breach. It was established that the breach only impacted a single corporate email account. An evaluation of the PHI included in the account was finished on January 13, 2021.

The account held the names and addresses of patients as well as, for selected people, date of birth, Social Security number, medical background, ailment, treatment procedure, diagnosis, and/or medical insurance data. Those whose Social Security number was exposed received free credit monitoring and identity theft protection services.

Cornerstone Care notified by mail the affected persons on February 25, 2021. It additionally enforced multi-factor authentication on the email accounts.

3 Healthcare Providers Have Began Notifying Patients Regarding Recent Phishing Attacks

This is a summary of healthcare phishing attacks that were publicly announced in the last couple of days.

2,254 Patients Affected by Email Account Breach at Leonard J. Chabert Medical Center

Leonard J. Chabert Medical Center received notified that the protected health information (PHI) of some of its patients was compromised because of a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD reported a breach on November 20, 2020. On November 24, 2020, it found out that a number of patient information coming from Leonard J. Chabert Medical Center, one of its partner hospitals, had likewise been affected by the breach.

Leonard J. Chabert Medical Center received information about the breach on December 3, 2020, the evaluation of which showed that the PHI of 2,254 patients were exposed from September 15, 2020 up to September 18, 2020.

For the majority of patients, the exposed information only included names, telephone numbers, addresses, health record numbers, birth dates, account numbers, types of services gotten, dates of service, and medical insurance identification numbers. The limited health data for example diagnoses and/or bank account numbers of a small number of patients were likewise exposed.

LSU HCSD is going over its email security procedures, which will be improved to avoid the same breaches later on and more security awareness training will be given to staff members.

PHI of 1,800 Patients Possibly Compromised Due to Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) based in Massachusetts discovered that an unauthorized individual accessed a staff member’s email account subsequent to responding to a phishing email. LCHC discovered the phishing attack on November 25, 2020 and promptly secured the email account. With the help of a digital forensics agency, LCHC established that up to 4 email accounts were compromised in the phishing attack.

An analysis of the possibly breached accounts revealed they included patient names along with one or more of these data elements: Mailing address, date of birth, phone number, insurance details, medical record number, diagnoses, and other clinical data. The Social Security number of a number of patients were additionally exposed.

The ongoing investigation has not found any proof that suggests patient data theft or misuse, however, as a preventive measure, people who had their Social Security number potentially compromised received offers of credit monitoring and identity theft protection services for free.

More safety measures are being put in place to avoid further email security breaches. Information protocols are being modified, and worker security awareness training was improved.

Auris Health Informs Patient Regarding March 2020 Email Account Breach

Auris Health located in Redwood City, CA started notifying a number of patients concerning an unauthorized person who possibly obtained access to some of their PHI because of an employee email account breach in March 2020.

Upon knowing about the breach, access to the account was blocked and an investigation was performed to find out the nature and magnitude of the breach. The inquiry into the attack is in progress, nevertheless, Auris Health has learned that the compromised email account held patient names combined with at least one of the following data elements: tax identification number, Social Security Number, passport number, health insurance number, health data, payment card details, and financial account number(s).

Auris Health is employing extra security measures to avert more breaches later on, such as improving its email authentication procedures. Affected persons got offers of complimentary membership to credit and identity theft monitoring services for two years.

FBI Advisory About the Surge in Vishing Attacks

A lot of data breaches begin with a phishing email, however, credential phishing may likewise happen through other communication channels like instant messaging applications or SMS texts. One frequently missed way for the acquisition of credentials is phishing through the telephone, also called vishing. These attacks allow attackers to get the credentials needed to have access to email accounts and/or cloud services with the ability to modify privileges.

Lately, the Federal Bureau of Investigation (FBI) gave an advisory because of a surge in vishing incidents where attackers steal credentials to company accounts, such as information for network access and escalation of privileges. The switch to remote employment in 2020 as a result of COVID-19 has made it more difficult for IT staff to keep track of network access and privilege escalation, so attacks can often be undetected.

The FBI cautioned that it has noticed a switch in strategies by threat actors. Instead of just targeting credentials of persons that could elevate privileges, cybercriminals are currently attempting to get all credentials. Although the credentials of low-profile workers may not provide the sought-for access to networks, systems, or data, those credentials enable them to get a foothold they can utilize to obtain increased network access, which includes the potential to escalate privileges.

Threat actors are utilizing VoIP systems to target company employees over the phone to get credentials. One way to do this is by persuading an employee to sign in to a phishing website that collects credentials. For example, the threat actor impersonates a member of the IT team and tells the employee to go to a website to update their software program or for security purposes.

In one of the latest vishing attacks, cybercriminals contacted a targeted company’s employee in its chatroom and told the employee to sign in to a counterfeit VPN page. The threat actors stole the employee’s information, signed in remotely to the VPN, and executed reconnaissance to locate an employee with greater privileges. The goal was to identify an employee who has permission to modify usernames and email credentials. As soon as someone is identified, the threat actor contacts the person again using the chatroom messaging service to harvest the credentials of the employee.

This is the FBI’s second warning about vishing. This tactic has been employed in attacks since December 2019. To strengthen defenses against these vishing attacks, the FBI recommends the following:

  • Use multi-factor authentication to increase the security of employee account access.
  • Allow network access for new personnel with limited privileges
  • Frequently evaluate network access for personnel to discover weak areas.
  • Scan and keep track of unauthorized network access and alterations of permissions.
  • Follow network segmentation to regulate the flow of network traffic.
  • Administrators should have two accounts: an account with admin privileges to be used for system changes and another account to be used for making updates, emailing and generating reports.

Beware of Phishing Campaigns That Use Free Google Services

A number of phishing campaigns were discovered that are employing free Google services to get around email security gateways and make sure the deliverability of malicious messages to inboxes.

Phishing emails frequently consist of hyperlinks that lead users to web pages hosting forms that collect login information. Email security gateways utilize various ways to identify these malicious links, such as blacklists of identified malicious sites, rating of domains, and checking the links to assess the information on the destination site. When the links are found to be malicious or suspicious, the emails are rejected. But by utilizing links to legit Google services, phishers are able to get around these security tools and deliver their emails.

Phishers using Google services are not new; nevertheless, Arborblox security analysts have seen an increase in this activity with the increase of remote working. The researchers discovered 5 campaigns using free Google services like Google Drive, Google Forms, Google Docs and Google Sites. Phishers are not only using Google services. Other free cloud services like Dropbox, Webflow, Amazon Simple Email Service, Microsoft OneDrive and SendGrid are being used as well.

One campaign imitated American Express, with the preliminary message asking the user to validate his account for missing some information during card validation. The emails tell the user to go a phishing page designed with Google Forms. The form contains the official logo of American Express and a brief questionnaire asking for information that the attackers can use to get access to the user’s credit card account – login details, telephone number, credit card number and security code, as well as security questions and responses. Because the hyperlink in the email redirects the user to Google Forms – a legit Google domain and service, it is likely that the email security gateway won’t identify the hyperlink as malicious.

Another campaign using Google Forms sent emails that seem to have been from a childless widow with a terminal cancer diagnosis. She says that she is seeking to donate her wealth to charity and tells the recipient to make donations to charity on her behalf. The URL in the email directs the recipient to an untitled Google Form. Anyone who submits a response will be shortlisted for more extortion attempts.

A campaign was identified that utilized a bogus email login page on Google’s Firebase mobile platform. The emails in this campaign imitate the security team and state that important messages were not delivered because of exceeding the email storage quota. The campaign is seeking to collect email login credentials. Because Firebase is a legit cloud storage database, it is unlikely that a Firebase link will be tagged as malicious.

There was also a campaign using Google Docs that impersonated the payroll team. The Google Docs document included a hyperlink to a phishing page that harvested sensitive information. Since the first link is of a legit and frequently used Google service, email security solutions are not likely to block the email. Although a few email solutions could recognize the malicious hyperlink in the Google-hosted document, different redirects are employed to muddle the malicious hyperlink.

Another campaign using a phony Microsoft login page built on Google Sites impersonated Microsoft Teams and the user’s IT department security team. In this case, Google Sites was used to build a webpage with a phishing form and the official Microsoft logo.

These campaigns emphasize the necessity of advanced security solutions that could identify and stop phishing emails that take advantage of legit cloud services and the necessity of giving employees continuous security awareness training to help them recognize phishing emails that elude detection by the cybersecurity defenses of their companies.

Phishing Incidents Reported by Connecticut Department of Social Services and LSU Care Services

Connecticut Department of Social Services (DSS) announced a potential exposure of the protected health information (PHI) of 37,000 people due to a number of phishing attacks that took place between July and December 2019.

A number of email accounts were accessed and were utilized to distribute spam emails to a lot of DSS staff. The investigation of the breach established the incident as phishing attacks. A detailed investigation was done employing state information technology assets and a third-party forensic IT organization. However, the investigators did not uncover any proof that shows the attackers acquired access to patient information in the email accounts. The DSS breach notification mentioned that the forensic professionals couldn’t ascertain that the attackers didn’t access personal data because of the big volume of emails involved and the type of phishing attack.

As a safety measure, DSS provided identity theft protection services to persons and took action to strengthen email security and better shield against phishing attacks down the road.

Phishing Attack on LSU Health Care Services

The Louisiana State University (LSU) Health New Orleans Health Care Services Division reported a likely exposure of information of its patients from a few hospitals in Louisiana as a result of the access of a staff email account by an unauthorized man or woman.

The breach of the email account occurred on September 15, 2020. LSU uncovered the attack on September 18 and quickly blocked the email account. An investigation of the incident did not reveal any information that the unauthorized individual accessed or obtained patient information in the email messages and attached files.

The compromised email account was discovered to have the PHI of patients from the hospitals posted below:

  • Bogalusa Medical Center in Bogalusa
  • University Medical Center in Lafayette
  • Interim LSU Hospital in New Orleans.
  • Leonard J. Chabert Medical Center in Houma
  • Lallie Kemp Regional Medical Center in Independence
  • O. Moss Regional Medical Center in Lake Charles

The types of data likely exposed differed from one patient to another and medical center location, however, may have included names, telephone numbers, dates of birth, addresses, health record numbers, account numbers, Social Security numbers, dates of service, types of services acquired, insurance ID numbers, and certain financial account details and medical data. The investigation into the incident is still ongoing, yet up to now “thousands” of patient records are identified to have been compromised.

At this time, LSU Health is checking further security procedures to better defend against more attacks. Employees likewise got more information and security training.

Breaches at Ascend Clinical, Alamance Skin Center, and Perry County Memorial Hospital

A phishing attack on Ascend Clinical based in Redwood City, CA, an ESRD laboratory testing provider for third party dialysis clinics resulted in a ransomware attack last May 2020.

Strange system activity as well as file encryption were noticed on or about May 31, 2020. Ascend Clinical immediately took action to segregate the impacted systems and investigated the incident to find out the nature and extent of the breach. A third-party security company helped Ascend Clinical to confirm that the attacker accessed its systems after an employee’s response to a phishing email.

Before deploying the ransomware, the attackers acquired access to files containing names, mailing addresses, birth dates, and Social Security numbers. Ascend Clinical, since then, have taken steps to reinforce its email security protection to avoid the same attacks later on.

The breach report sent to the HHS’ Office for Civil Rights showed that the breach affected 77,443 people.

Alamance Skin Center Experiences Ransomware Attack

A ransomware attack on Cone Health, a Greensboro-based health system, impacted only one practice, Alamance Skin Center located in Burlington, NC.

The ransomware attack happened in late July 2020. It seemed to have begun with a phishing attack or brute force attempt aimed at getting credentials. Cone Health took immediate action to isolate the affected systems and engaged third-party computer forensics specialists to evaluate the extent of the data breach. There was no evidence found that suggest the theft of patient information before file encryption. No report was received that indicate the misuse of patient data.

Nevertheless, some patient information was encrypted in the attack and cannot be recovered. Cone Health reports that the attack affected the protected health information (PHI) such as patient names, addresses, medical record numbers, dates of birth, diagnosis data, and date(s) of service.

The attack impacted the appointments system and was not accessible. Patients that have appointment were told to get in touch with the practice to confirm their scheduled appointment. Because it was not possible to determine with full certainty that the attackers did not access patient data, all affected patients were instructed to be cautious against reports of identity theft and fraud.

Alamance Skin Center is going over current policies and procedures and will implement extra safeguards to avoid similar incidents in the future.

Perry County Memorial Hospital Uncovers Email Security Breach

Perry County Memorial Hospital based in Tell City, IN found out that unauthorized persons got access to employees’ email accounts.

According to the investigation into the breach, the hackers accessed the email accounts on August 23, 2020. An analysis of the compromised accounts confirmed that they contained private patient information that may have been viewed or obtained by the attackers, although there was no proof of data theft.

The information possibly exposed only included names, birth dates, diagnoses/diagnostic codes, internal patient account numbers, healthcare provider names, and other health data, as well as the Social Security numbers, Medicare/Medicaid numbers, and health insurance information of certain patients.

Perry County Memorial Hospital is taking action to fortify email security to avert the same breaches from happening again. The hospital also offered the patients whose Social Security number was likely compromised complimentary identity theft monitoring services.

Latest Microsoft Teams Phishing Scam and Emotet Trojan Campaigns

Researchers at Abnormal Security detected a new Office 365 phishing campaign that spoofs Microsoft Teams to mislead users into visiting a malicious website with a phishing form that gets Office 365 login information.

Many organizations have adopted Microsoft Teams to enable remote employees to retain contact with the business office. In healthcare, the system is being utilized to give telehealth services to lessen the number of patients going to medical care facilities to regulate the dispersal of COVID-19.

Microsoft noted for the quarter ending June 30, 2020 that more than 150 million students and teachers are now using Microsoft Teams. Over 1,800 various companies have over 10,000 Teams users, and 69 companies have more than 100,000 Teams users. The healthcare industry also has a growing Microsoft Teams user, with 46 million Teams meetings now being done for telehealth reasons. The expanding usage is due to the pandemic, which gives an opportunity for cyber hackers.

Based on figures from Abnormal Security, the most recent campaign was the phony Microsoft Teams emails delivered to around 50,000 Office 365 users to date. The messages seem like they were sent from a user using the display name “There’s new activity in Teams,” thus the messages look like automated notices from Teams.

The messages tell users to sign into Teams as the community is attempting to communicate. The email messages have a button to click to sign in to Teams that displays a phrase – “Reply in Teams.” The notices consist of a genuine-looking footer that has the Microsoft brand and selections to install Microsoft Teams on Android and iOS.

The URL in the message brings the user to a Microsoft login page which is a clone of the official sign-in prompt, aside from the domain on which the page is visible. That domain begins with “microsftteams” to make it look genuine.

The campaign is an example of the many campaigns targeting Office 365 credentials. There are many campaigns aimed towards video conferencing platforms as they increase in popularity during the pandemic.

Emotet Trojan Campaign Employs Phony Microsoft Word Upgrade Notices

The Emotet Trojan is being distributed in a new campaign that utilizes bogus Microsoft Word upgrade announcements as a lure to let users install the malware. Emotet is the most extensively propagated malware presently in use. When an end user’s device is infected with the malware, it is added to a botnet that is employed to infect other gadgets. Emotet is likewise a malware downloader and is utilized to install information stealers like TrickBot and QBot malware, which are employed to transmit ransomware variants like ProLock, Ryuk, and Conti.

The messages look like Microsoft Office announcements that tell the user that they must execute an upgrade of Microsoft Word to include new functions. The messages have a Microsoft Word file and the end-user is advised to Enable Editing and then Enable Content. Doing so will start a malicious macro that will install Emotet onto the end user’s device.

Users must be careful and avert clicking URLs or opening doc attachments in unsolicited messages. Emotet uses the user’s email account to mail other phishing emails, even to those included in a user’s contact list.

Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Biggest HIPAA Violation Penalty Ever

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a $6.85 million HIPAA penalty on Premera Blue Cross to take care of the HIPAA violations found during its investigation of a 2014 data breach concerning the electronic protected health information (ePHI) of 10.4 million people.

Premera Blue Cross based in Mountain lake Terrace, WA is the biggest health plan around the Pacific Northwest and caters to more than 2 million persons in Alaska and Washington. In May 2014, a sophisticated persistent threat group obtained access to Premera’s computer network and stayed undiscovered for more or less 9 months. The hackers attacked the health plan with a spear-phishing email that downloaded malware. The malware allowed the APT group to access ePHI including names, birth dates, addresses, email addresses, bank account data, Social Security numbers, and health plan clinical details.

Premera Blue Cross discovered the breach in January 2015 and informed OCR regarding the breach in March 2015. OCR started an investigation and found “systemic non-compliance” with the HIPAA guidelines.

OCR established that Premera Blue Cross was unable to:

  • Perform an extensive and accurate risk analysis to determine all risks to the integrity, availability, and confidentiality of ePHI.
  • Minimize risks and vulnerabilities to ePHI to a fair and proper level.
  • Apply enough hardware, software program, and procedural elements to capture and evaluate activity associated with information systems made up of ePHI, before March 8, 2015.
  • Stop unauthorized access to the electronic PHI of 10,466,692 persons.

Because of the nature of the HIPAA violations and the magnitude of the breach, OCR decided that a financial fine was necessary. Premera Blue Cross consented to resolve the HIPAA violation case without admission of liability. Besides the financial penalty, Premera Blue Cross accepted to undertake a solid corrective action plan to deal with all areas of non-compliance identified throughout the OCR investigation. Premera Blue Cross will be under direct monitoring by OCR for two years to make sure of its adherence to the CAP.

Roger Severino, OCR Director, stated that when top medical insurance entities fail to spend the time and effort to determine their security weaknesses, be they techie or human, hackers certainly will. This scenario strongly shows the harm that results when cybercriminals are permitted to roam undiscovered in a computer system for almost nine months.

In 2019, Premera Blue Cross consented to resolve a $10 million HIPAA violation legal case due to the breach. 30 state attorneys general had reviewed the health plan and determined that Premera Blue Cross failed to satisfy its responsibilities under HIPAA and Washington’s Consumer Protection Act. Premera Blue Cross additionally consented to pay a $74 million lawsuit filed by people whose ePHI was compromised in the breach.

The latest penalty is OCR’s second-biggest HIPAA penalty issued on a covered entity or business associate in relation to HIPAA violations. The highest financial penalty is the $16 million charged on Anthem Inc. because of a 2015 data breach concerning the ePHI of 79 million persons.

The HIPAA penalty is the 11th penalty to be published by OCR in 2020. It is the 8th to be reported this September. To date in 2020, OCR got paid $10,786,500 to settle HIPAA violations identified during data breach and HIPAA complaints investigations.