News and Toolkit Updates
Recent breach shows importance of BA agreements
Carefully managing your Business Associates (BA) agreements is important. At PrivaPlan we can’t emphasize that enough. The following story illustrates why. As if going to the dentist doesn’t cause enough anxiety, last week 4300 dental patients learned that their personal records may have been compromised. Massachusetts General Hospital (MGH) in Boston contacted the patients about…
From the PrivaPlan Blog
Alert: Imminent and increased threat of cybercrime attacks against healthcare industry
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a Joint Cybersecurity Advisory October 28 citing “credible information” they have on an “imminent and increased” threat of cybercrime attacks against the US healthcare industry with the goal of locking down systems, stealing data, and extorting money.
Do you understand what PHI is?
An apparent lack of understanding of what defines Protected Health Information (PHI) has cost one hospital system $2.175 million in fines to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).
Are your Business Associates protecting your patient data?
This week, American Medical Collection Agency (AMCA), the billing collections vendor for both Quest Diagnostics and LabCorp, reported to both companies that the data of nearly 20 million customers may have been compromised.
HHS reduces maximum civil penalties for HIPAA violations
The HHS published a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties that changes the interpretation of fines for violations defined under the HITECH Act, effectively reducing some of the annual limits.
Email breaches in three states expose protected health information
Three email system breaches in three states exposed protected health information and each healthcare entity is stepping up efforts so it won't happen again.
Verizon’s 2018 Data Breach Investigations Report Shows Healthcare Suffers Most Breaches
Can you hear me now? Verizon reports that the healthcare industry had more breaches than any other industry in 2017. In the recently released 2018 Data Breach Investigations Report (DBIR) by Verizon, Personally Identifiable Information and Protected Health Information were shown to be the most common types of data compromised overall, even more than payment…
Judge rules in favor of OCR, orders cancer center to pay $4.3 for HIPAA violations
An HHS Administrative Law Judge has ruled that MD Anderson violated HIPAA and is requiring the Texas cancer center to pay $4.3 million in penalties to the OCR.
Vendor email attachments could be phishing bait
One of the latest reported email phishing schemes is very hard to beat and it always includes an attachment. What can you do about it?
W-2 phishing season is here…again
As the tax season gets underway, you can bet that cyber criminals are doing their tax preparations for W-2 phishing; they’re preparing to dupe hundreds of payroll and HR departments into providing W-2 data on their employees.
Phishing scam exposes PHI of patients at Colorado Mental Health Institute
As the year comes to an end, there appears to be no end in sight for healthcare data hacks. An employee at the Colorado Mental Health Institute at Pueblo recently fell for a phishing scam that potentially exposed the PHI of 650 patients.
Will a Federal Data Security and Breach Notification Act finally get passed?
Three Democratic Senators re-introduced a Data Security and Breach Notification Act on Thursday that has failed to get legislative approval since 2015.
Expect phishing attacks to follow Equifax hack
With news that cyber criminals stole 143 million credit records in a hacking scandal at Equifax, highly targeted spear phishing attacks are expected.
Latest HIMSS cybersecurity report: threats rise, so does security
The August 2017 HIMSS Cybersecurity Report indicates that respondents are taking proactive steps to stay ahead of security threats.
Google Docs used in latest phishing attack
A widespread phishing attack using Google Docs is currently hitting inboxes. This is a good time to be extra cautious about clicking links.
Survey finds 68% healthcare employees will share sensitive info
Results from a recent survey reveal that 68% of healthcare employees occasionally share confidential or regulated data.
Health data breaches rise significantly in March
The number of health data breaches for March was more than January and February combined.
FBI warns of cyber attacks on FTP servers in healthcare
An FBI alert warns the healthcare sector that cyber criminals have stepped up attacks targeting their FTP servers.
HIPAA settlement proves value of audit controls
Having policies and procedures in place is good, as long as you have audit controls to ensure they’re implemented, unlike this Florida healthcare system.
Hospital’s fate warns of tax season scams
On January 25, it was discovered that the tax information of 1,457 hospital employees had fallen into a scammer’s hands in one of the latest W-2 business email compromise attacks.
Patient behind breach using hospital library laptop
The New Hampshire DHHS says a former patient is behind a breach that began on a laptop in the hospital library, affecting approximately 15,000 patients.
Hack of Quest Diagnostics affects 34k people
Quest Diagnostics Inc. is investigating a hack into an internet application on its network that exposed the PHI of about 34,000 people.
Be on the alert for App ID Theft
Want to give personal information to a scammer this holiday season? There’s an app for that. Actually, there are hundreds of apps for that and many are masquerading as legitimate retailers.
Latest HIPAA settlement proves why managing security risk is critical
St. Joseph Health will pay $2.14 million for HIPAA violations, serving as an unfortunate example of why managing security risk is critical.
OCR releases guidance on Cloud Computing and HIPAA
The OCR released guidance on October 6 that attempts to clear things up regarding cloud service providers and HIPAA.
Latest HIPAA settlement shows importance of up-to-date BA agreements
On Sept. 23, 2016, the OCR announced its second HIPAA enforcement action against a business associate to the tune of $400,000. The hospital had previously entered into a settlement of $150,000 for its part in the breach.