Regulator: Georgia Clinic Showed ‘Systemic Noncompliance’ Federal regulators have announced a $1.5 million HIPAA settlement with Athens Orthopedic Clinic in Georgia, stemming from a 2016 breach involving The Dark Overlord hacking group that exposed the records of nearly 209,000 individuals. The exposed PHI included name, date of birth, SSN, patient demographic information, clinical information, and financial/billing information. The...

Two recent ransomware incidents targeted companies serving healthcare organizations, highlighting an emerging challenge for vendor risk management in the sector. Blackbaud, which sells cloud-based marketing, fundraising, and customer relationship management software, was recently hit by ransomware. Some of its affected clients are now being revealed. Meanwhile, medical debt collector firm R1 RCM, formerly known as Accretive Health, also has...

At least 275,000 individuals served by a variety of healthcare providers and health plans had data exposed as a result of a breach at Houston-based billing and debt collection vendor Benefit Recovery Specialists Inc. The company says that on April 30, it discovered a malware incident affecting certain company systems. BRSI customer files containing personal information may have been accessed and/or acquired between April 20 and April 30, 2020....

Risk Mitigation Tips Ransomeware Attacks continue to surge as two ransomware incidents recently reported to federal regulators as health data breaches illustrate. Recent ransomware-related data breaches reported to the DHHS OCR affected Woodlawn Dental Center based in Cambridge, Ohio, and Mat-Su Surgical Associates in Palmer, Alaska. Woodlawn Dental Incident The HHS “Wall of Shame” shows that Woodlawn Dental reported on May 18 that a breach...

Attackers are continuing to use concerns over COVID-19 to distribute ransomware and malware, including for smartphones. The healthcare sector continues to be the largest single target of cybercriminals, and they are exploiting the current situation. Culprits behind such attacks include cybercrime operators looking to make a fast buck as well as nation-states seeking to sow chaos. These attacks are hitting all levels of the U.S. healthcare...

As of early December, the HHS “Wall of Shame” shows that 462 major health data breaches affecting a total of nearly 41 million individuals have been logged in 2019. By the numbers: • 272 breaches were reported as hacking/IT incidents, affecting a total of nearly 36 million people, accounting for approximately 88 percent of people affected by breaches. • 136 breaches were reported as “unauthorized access/disclosure” breaches,...

HHS Points to Ways to Improve Compliance With HIPAA Requirements   Under the HIPAA Privacy Rule, patients and their authorized representatives have the right to access their electronic or paper health records. Unfortunately it’s often easier said than done, and federal regulators want that to change. Complaints from patients about the lack of access to their records have remained consistently among the top five issues in HIPAA cases that...

With the exception of one large insider theft, hacker attacks, some involving ransomware, continue to be the method of choice behind the biggest health data breaches reported so far this year to federal regulators. As of July 3rd, 149 breaches affecting nearly 2.7 million people have been reported to the Department of Health and Human Services’ ‘wall of shame’. Of those 2017 breaches, 53 are listed as hacking/IT incidents. Even though...

Unsecure Email Incident a Reminder of Risks to PHI A breach report involving the transmission of protected health information via unencrypted email offers a reminder of the need to pay attention to safeguarding PHI no matter where it resides, including website forms used to collect information and smartphone apps. According to the HHS “Wall of Shame”, the Mississippi Division of Medicaid reported on May 26, 2017 to the U.S. Department of Health...

HIPAA Enforcement Agency Cites Lack of Timely Risk Analysis, Again Colorado-based Metro Community Provider Network is just another healthcare entity to learn a painful lesson from the Department of Health and Human Services Office for Civil Rights regarding the importance of conducting a timely and comprehensive risk assessment. The breach was reported in early 2012 after a hacker accessed employees’ email accounts and obtained 3,200...