More ACH Changes Coming September 2017

The business world continues to evolve and banking is no different. There are two new rule changes being implemented in September this year. Beginning September 15, 2017, Same Day ACH will be available for debit entries, enabling the same-day processing of virtually any ACH payment. The Rule enables the option for same-day ACH payments through additional ACH Network functionality, without affecting previously available ACH schedules and...

Read More

Cyberattacks Fuel 2017’s Biggest Breaches

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators. As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services’ ‘wall of shame’. Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though...

Read More

Mississippi Medicaid Website Transmitted Unencrypted Email

Unsecure Email Incident a Reminder of Risks to PHI A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides, including website forms used to collect information and smartphone apps. According to the HHS “Wall of Shame”, the Mississippi Division of Medicaid reported on May 26, 2017 to the U.S. Department of Health...

Read More

Changes to FFIEC Cybersecurity Tool help banks meet baseline.

A just released update to the Federal Financial Institutions Examination Council’s Cybersecurity Assessment Tool will should help make meeting regulators’ demands for “baseline” cybersecurity more attainable. The changes only impact Appendix A of the tool but those changes make a difference for smaller institutions. For example, many smaller institutions were not able to meet the tool’s requirement for having a...

Read More

Phishing Incident Leads to $400,000 HIPAA Settlement

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again Colorado-based Metro Community Provider Network is just another healthcare entity to learn a painful lesson from the Department of Health and Human Services Office for Civil Rights regarding the importance of conducting a timely and comprehensive risk assessment. The breach was reported in early 2012 after a hacker accessed employees’ email accounts and obtained 3,200...

Read More

Messaging Apps Create New Privacy Headaches for Banks

Many businesses have benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, these technologies can make it difficult to monitor and control the unauthorized distribution of confidential data. This is critically important in highly regulated industries like banking. To give you an idea of how messaging apps have caused headaches for banks, on March 30, UK...

Read More

Texas Ransomware Attack Highlights Need For Legacy Data Protection

A ransomware attack on a Texas urology practice that could potentially affect nearly 280,000 patients ranks as one of the largest health data breaches of 2017. On January 22nd Urology Austin, suffered a ransomware attack that encrypted data stored on its servers. Among the information impacted by the ransomware were names, addresses, birthdates, SSN’s, and medical information. Their mitigation effort included restoring data from backups and...

Read More

New Phone Scam Is Deceptively Simple

Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail. While many of us do that anyway, that’s now the FCC’s advice to all Americans in response to an ongoing series of attacks designed to trick victims into uttering a single word. According to a March 27th alert, this scam centers on tricking victims into saying the word “yes,” which criminals record and later use to attempt to...

Read More

What auditors are focusing on: Desk Audits

HHS Office of Civil Rights (OCR) is now completing reports of audits performed in 2016 and distributing reports. Once the report is received, organizations have 10 days to respond. The following is an overview of a small clinic that was subject to a Privacy Audit by the OCR. This was a desk audit, meaning that the auditors did not come on-site and all information was provided to the OCR by uploading documents to a portal. While a desk audit...

Read More

Another Data Breach Highlights Need For Phishing Training

On March 6th, the Silicon Valley firm, Coupa, fell victim to a phishing attack that compromised the personal information of employees who worked for them in 2016. A scammer impersonated the company’s CEO and requested that payroll information (Form W-2) for the 2016 tax year be sent via email. Fraudsters continue to increase the number of W-2 phishing scams, also known as business email compromise – BEC – or CEO fraud attacks. These...

Read More