HIPAA Journal – May data breach report
Highlights From The HIPAA Journal
From The June 22nd Newsletter
May 2020 data breach report published.
- May saw the first decrease in 17 months of data breaches that occurred in the Healthcare sector. The statistic was less that one per day.
- Many companies have seen a spike in Covid-19 related phishing email attacks.
- May saw 1,064,652 healthcare records breached.
- Indiana was the worst affected state with 7 reported breaches of 500 or more records, all of which were due to the improper disposal of records by business associate, Central Files, Inc.
Public cloud attacks are due to lack of visibility and poor management.
- Organizations must still ensure that their cloud services are configured correctly, identities and access rights are correctly managed, and they have full visibility into all their cloud workloads.
- Limiting access and permissions to the public cloud is an effective strategy to limit cyber-attacks.
Microsoft exchange servers have seen a large attack rate due to vulnerabilities.
- Microsoft has issued a further warning to all Exchange users to patch the critical Microsoft Exchange memory corruption vulnerability CVE-2020-0688. The patch was released in February.
- With gaining unauthorized access to the email system, PHI is very accessible in the healthcare space.
Hacker of UPMC cyber-attack in 2014 was arrested and charged.
- In January 2014, UPMC discovered a hacker had gained access to a human resources server Oracle PeopleSoft database that contained the personally identifiable information (PII) of 65,000 UPMC employees. The data was stolen and offered on the dark web.
- The suspect’s name was Justin Sean Johnson from Michigan who was an IT representative for the Federal Emergency Management Agency. He was charged for one count of conspiracy, 37 counts of wire fraud, and 5 counts aggravated identity theft.
- The info stolen was used in a massive campaign to defraud UPMC employees.
Recent cyber/ransomware attacks related to the Healthcare industry
- North Shore Pain Management in Massachusetts notified over 12,400 patients that their PHI was potentially access by unauthorized users. The gang responsible for the attack dumped 4GB of data stolen in the attack on their Tor site when the ransom demand was not paid.
- Florida Orthopedic Institute had PHI encrypted on its servers. It is unclear how many patients were affected by this attack.
- CHI St. Luke’s Health-Memorial Lufkin (TX) has confirmed that two employees’ emails had unauthorized access gained by an outside party. It is unclear how many patients were affected by this attack.
- RiverPointe Post Acute Charmichael, CA has notified over 600 nursing home residents that their PHI was accessed by an unauthorized user. A USB device containing PHI was sent in the mail but was lost in transit.