John Blacksmith
43,000 UT Southwestern Medical Center Patients Impacted by Data Breach
UT Southwestern Medical Center (UTSW) in Texas submitted a breach report to the HHS’ Office for Civil Rights (OCR) involving an email-related unauthorized access/disclosure incident that affected the protected health information (PHI) of 43,048 patients. As per the substitute … Read more
Kaye-Smith Pays $2 Million to Resolve Class Action Data Breach Lawsuit
The marketing firm and mailing vendor Kaye-Smith Enterprises has opted to settle a class action lawsuit associated with a cyberattack and data security breach in 2022. Hackers gained access to its network, deployed ransomware to encrypt files, and possibly stole sensitive … Read more
GoodRx to Pay $25 Million to Settle Tracking Technology Lawsuit
Telemedicine platform company and drug discounter GoodRx will pay $25 million to settle a consolidated class action lawsuit. When users became aware that GoodRx used website tracking tools on its platform and shared website visitor information with third parties like … Read more
Truepill Pays $7.5 Million To Settle Data Breach Lawsuit
Postmeds Inc., dba Truepill, an online pharmacy, has agreed to settle a class action lawsuit it faced due to a 2023 data breach that impacted 2,364,359 people. U.S. District Court Judge Haywood S. Gilliam gave preliminary approval of the plaintiffs’ … Read more
Cyber Incident Response Playbook Now Available to Help Manufacturers of Medical Products
The Healthcare Sector Coordinating Council (HSCC) has published a Medical Product Manufacturer Cyber Incident Response Playbook (MPM CIRP). This comprehensive guide is designed to help medical product manufacturers prepare for and respond effectively to cyber incidents affecting their operations. It provides … Read more
US Healthcare Organizations Targeted by New Interlock Ransomware Group
Cisco Talos Incident Response reported that a new ransomware group has been targeting the healthcare sector and has been active since September 2024. Interlock ransomware is a threat group that claims to conduct attacks for financial gain and to show … Read more
OMB’s Review of the Proposed Change to the HIPAA Security Rule
In December 2023, the Department of Health and Human Services (HHS) published its cybersecurity strategy for the healthcare sector, detailing a list of actions to be implemented to improve cybersecurity across the healthcare industry, including voluntary performance targets. These voluntary … Read more
UMC Health’s EHR System is Back After Ransomware Attack
UMC Health System based in Lubbock, Texas reported the progress of its recovery from the ransomware attack in September. The ransomware attack impacted several systems, including the systems used by Texas Tech Physicians and Texas Tech University Health Sciences Center. … Read more
CISA Issues Alert to F5 BIG-IP Users on Unencrypted Cookie Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to F5 BIG-IP users that malicious actors are exploiting unencrypted cookies to glean information about internal network servers, potentially enabling targeted attacks on vulnerable systems. F5 BIG-IP … Read more
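To make the information-disclosure point concrete, here is an added example (written for this page, not code from CISA or F5) that decodes the classic unencrypted BIG-IP persistence cookie. In that documented format the cookie is named `BIGipServer<pool_name>` and its value is `<ip>.<port>.0000`, where the IP is the 32-bit little-endian integer of the four octets and the port is the 16-bit byte-swapped port number. Anyone who can observe the cookie can therefore recover the pool name, the backend server's internal IP and its port without any further access. The response headers below are constructed sample input, not captured traffic.

```python
import re
from ipaddress import IPv4Address

# Plain (unencrypted) BIG-IP persistence cookie value: "<ip_dec>.<port_dec>.0000".
# Encrypted cookies and the IPv6/route-domain variants do not match this regex
# and are deliberately reported as "not decodable" rather than guessed at.
COOKIE_VALUE_RE = re.compile(r"^(?P<ip>\d{1,10})\.(?P<port>\d{1,5})\.0000$")

# Set-Cookie header carrying a persistence cookie; the pool name follows "BIGipServer".
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*BIGipServer(?P<pool>[^=;\s]+)=(?P<value>[^;]+)", re.I)


def decode_bigip_cookie(value: str):
    """Return (ip, port) for an unencrypted persistence cookie value, else None."""
    m = COOKIE_VALUE_RE.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group("ip")), int(m.group("port"))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The decimal IP is little-endian: its low byte is the first octet.
    ip = str(IPv4Address(bytes(ip_int.to_bytes(4, "little"))))
    # The decimal port is byte-swapped: read the two bytes back in network order.
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie; useful for building test fixtures."""
    ip_int = int.from_bytes(IPv4Address(ip).packed, "little")
    port_int = int.from_bytes(port.to_bytes(2, "big"), "little")
    return f"{ip_int}.{port_int}.0000"


def find_backends(header_lines):
    """Scan raw response header lines and list (pool, ip, port) for every
    decodable BIGipServer cookie. Non-BIG-IP and non-decodable cookies are skipped."""
    found = []
    for line in header_lines:
        m = SET_COOKIE_RE.match(line)
        if not m:
            continue
        decoded = decode_bigip_cookie(m.group("value"))
        if decoded:
            found.append((m.group("pool"), decoded[0], decoded[1]))
    return found


# Constructed sample response headers (not real traffic).
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: BIGipServerpool_web_app=335653056.47873.0000; path=/",
    "Set-Cookie: BIGipServerpool_api=1677787402.36895.0000; path=/; HttpOnly",
    "Set-Cookie: JSESSIONID=abc123; path=/",
]

if __name__ == "__main__":
    for pool, ip, port in find_backends(SAMPLE_RESPONSE_HEADERS):
        print(f"pool={pool} backend={ip}:{port}")
```

The mitigation F5 documents is cookie encryption on the persistence profile, after which `decode_bigip_cookie` returns `None`; running this decoder against your own responses is a quick check that the setting is actually in effect on every virtual server.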
Choosing the Right HIPAA Compliance Software
HIPAA compliance software helps a covered entity manage its HIPAA obligations by streamlining and automating compliance tasks and supporting comprehensive risk management processes. Smaller organizations with fewer than 100 employees often assign responsibility for HIPAA compliance to an … Read more
Observing National Cybersecurity Awareness Month in 2024
National Cybersecurity Awareness Month is a month-long event held in October aimed at promoting cybersecurity and sharing best practices to help individuals and organizations protect themselves online. The theme in 2024 is “Secure Our World.” The awareness campaign will be … Read more
Impact of the Ransomware Attack on Ascension’s Financial Recovery
Healthcare system Ascension based in St. Louis, MO encountered a ransomware attack in May 2024 that considerably impacted the company, both operationally and financially. Because of the attack, Ascension diverted ambulances, closed pharmacies, took down critical IT systems, and used … Read more
Why Cyberattackers Target Third-Party Vendors
Recent large data breaches at third-party vendors such as Change Healthcare have highlighted critical security risk management issues for business associates and vendors. These breaches have demonstrated the need for strong security measures and comprehensive monitoring of third-party vendors, specifically in the … Read more
OSHA’s New Online Database of Reported Severe Workplace Injuries
The Department of Labor’s Occupational Safety and Health Administration (OSHA) has introduced a new online dashboard designed to simplify searching its severe injury report database and tracking workplace injury trends in states under federal OSHA jurisdiction. Beginning January 1, 2015, … Read more
57% More Active Ransomware Groups in H1 2024
Searchlight Cyber reported a 57% increase in the number of active ransomware groups. In H1 of 2023, 46 active ransomware groups were identified from posts on dark web data leak sites, compared to 72 active groups in H1 of 2024. … Read more
Atlantic General Hospital Pays $2.25 Million to Resolve Data Breach Lawsuit
Atlantic General Hospital in Berlin, MD, has proposed a $2.24 million settlement to resolve a class action lawsuit associated with a ransomware attack in 2023. The settlement proposal was given preliminary approval by the court. The nonprofit hospital identified the … Read more
Radar/Dispossessor Ransomware Group Operations Disrupted by the FBI
The Federal Bureau of Investigation (FBI) spearheaded a global operation that successfully dismantled the infrastructure of the Radar/Dispossessor ransomware group, a criminal ransomware-as-a-service (RaaS) group led by someone known as ‘Brain’. The operation led to the takedown of the group’s … Read more
Blood Supplies Affected by Ransomware Attack on OneBlood
OneBlood, a nonprofit blood donation organization based in Florida, encountered a ransomware attack that is affecting its ability to supply blood to hospitals in the U.S. OneBlood supplies blood to about 250 hospitals in Alabama, Georgia, Florida, and South and … Read more
EPA Urged to Develop a Strategy to Address Cybersecurity Risks in Water Sector
The U.S. water and wastewater systems are dealing with an increasingly serious threat from cyberattacks, which could have lasting consequences for public health and environmental safety. A report from the U.S. Government Accountability Office (GAO) has found weaknesses within these … Read more
74% of Ransomware Victims Suffered Multiple Ransomware Attacks
A new study by the cybersecurity company Semperis showed that companies tend to be attacked by ransomware groups several times. 74% of organizations that encountered a ransomware attack reported experiencing multiple attacks. These attacks caused problems at 87% of targeted … Read more
10 Million Unique Acadian Ambulance Records Stolen by Daixin Team
Acadian Ambulance reported a cyberattack in June 2024 that disrupted some of its computer systems. Daixin Team claimed responsibility for the ransomware attack and threatened to release the stolen information to the public if no ransom is paid. … Read more
NextGen Healthcare Faces Legal Battle Over 2023 Data Breaches
Overview of the Data Breaches
The health information technology company NextGen Healthcare is currently embroiled in a legal battle following two data breaches that took place in 2023. These incidents exposed sensitive patient information, leading to a wave of lawsuits … Read more
Phishing Attack on Memorial Sloan Kettering Cancer Center
Memorial Sloan Kettering Cancer Center (MSK) based in New York City has reported the compromise of the protected health information (PHI) of 12,274 people due to a phishing attack. On April 26, 2024, MSK discovered suspicious activity in the email … Read more
$3.4M Settlement Proposed by Nationwide Vision/Sightcare to Resolve Class Action Lawsuit
A $3.45 million settlement was proposed to resolve a combined class action lawsuit associated with a data breach at USV Optical, a U.S. Vision subsidiary. The 2021 data breach impacted over 710,000 people, which included 73,073 Nationwide Optometry patients and … Read more
HIPAA Violation Email Examples
There are thousands of HIPAA violation email examples in the public domain, and likely many more thousands not made public due to the reporting requirements of HHS’ Office for Civil Rights and State Attorneys General. However, few examples of HIPAA … Read more
312,000 Patients Impacted by Texas Retina Associates Cyberattack
Texas Retina Associates (“Texas Retina”) encountered a cyberattack that impacted over 312,000 patients. It is the largest ophthalmology practice in Dallas, Texas, with 15 locations. The attack involved unauthorized access to its network and possible theft of sensitive … Read more
Is it a Violation of HIPAA to Email Medical Records?
It is not a violation of HIPAA to email medical records provided the reason for emailing PHI is a required, permissible, or excepted reason under the Privacy Rule and the disclosure of PHI complies with the … Read more
$950,000 Paid by Heritage Valley Health System to Resolve Alleged HIPAA Violations
Heritage Valley Health System, a 3-hospital health system, has over 50 physician clinics and numerous community satellite services in eastern Ohio, Pennsylvania, and the panhandle of West Virginia. In 2017, Heritage Valley was impacted by a worldwide malware attack. The NotPetya malware was installed … Read more
Sisense Data Breach Impacts About 20,000 Aptihealth Patients
The digital mental health solutions company Aptihealth based in Saratoga Springs, NY has reported the exposure or theft of the protected health information (PHI) of 19,805 patients. It uses its digital platform to provide mental health care to patients while … Read more
Ransomware Group Exposes 300 Million Patients’ Data
The Qilin ransomware group, believed to be Russia-based, uploaded to its dark web leak site the information stolen during the attack on Synnovis after its $50 million ransom demand went unpaid. On June 3, 2024, Synnovis, the company offering … Read more
Healthcare Cybersecurity Awareness Training Course Launched by ComplianceJunction
ComplianceJunction has created a new training course for healthcare organizations to allow them to raise employee awareness of the common cyber threats that provide hackers with access to healthcare networks and employee, patient, and client data. The HIPAA Security Rule … Read more
512,000 Consulting Radiologists Patients Affected by Cyberattack
Consulting Radiologists is a radiology services firm based in Edina, Minnesota. The company began sending personal notifications to approximately 512,000 patients impacted by a cyberattack in February 2024. Consulting Radiologists provides 22 hospitals and clinics with on-site radiology services and remote … Read more
Columbia University Irving Medical Center Patient Data Exposed Online
Columbia University Irving Medical Center (CUIMC) submitted a data breach report to the HHS’ Office for Civil Rights on May 6, 2024 indicating that 29,629 individuals were affected. New York-Presbyterian (NYP) and CUIMC were informed of the breach of patient … Read more
Ascension Confirms Initial Access Vector and Data Theft During a Ransomware Attack
Ascension has reported the theft of files from a small number of servers during its recent ransomware attack. Some files included personally identifiable information (PII) and protected health information (PHI). The attackers accessed servers that were used for routine, day-to-day tasks, … Read more
MicroDicom DICOM Viewer Two New High Severity Vulnerabilities
The MicroDicom DICOM Viewer medical image viewer was found to have two high-severity vulnerabilities. One vulnerability can result in arbitrary code execution. The other could enable an attacker to obtain sensitive data, upload new medical images, or overwrite existing … Read more
Large Healthcare Companies Need to Improve Cybersecurity Measures
Senate Finance Committee chair Senator Ron Wyden sent a letter to the Department of Health and Human Services (HHS) Secretary Xavier Becerra calling for large healthcare organizations to improve their cybersecurity practices. One factor in the success of cyberattacks in … Read more
Designed Receivable Solutions Lawsuit Due to 500K-Record Data Breach
Revenue cycle management company Designed Receivable Solutions, based in Cypress, CA, is facing a class action lawsuit associated with a data breach that impacted roughly half a million people. The company detected an attack on January 22, 2024. … Read more
Critical Vulnerabilities Found in Baxter Welch Allyn Products
On May 30, 2024, CISA publicized ICS Medical Alerts for Baxter products and medical devices. Baxter identified two critical vulnerabilities in its Welch Allyn products, namely the Welch Allyn Connex Spot Monitor and the Welch Allyn Product Configuration Tool. Baxter … Read more
Health Data of Texas Panhandle Centers Patients Exposed in October 2023 Data Breach
Certified Community Behavioral Health Clinic, Texas Panhandle Centers (TPC) based in Amarillo, TX uncovered unauthorized access to its computer network and the compromise of 16,394 patients’ personal data and protected health information (PHI). TPC, which was founded in 1966, serves … Read more
New Reproductive Health Care Privacy Rule Released Under HIPAA
The Final Rule protects the privacy of the health records of women, their family members, and the physicians who seek, obtain, provide, or facilitate lawful reproductive health care. The Biden-Harris Administration and the Office for Civil Rights … Read more
Warning Against Different Types of Business Email Compromise Attacks
The Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) is warning the healthcare and public health (HPH) sector about business email compromise (BEC) attacks. BEC is a form of spear phishing that uses social … Read more
Discovered Vulnerabilities in GE HealthCare Ultrasound Products and in Desktop Window Manager
11 Vulnerabilities Discovered in GE HealthCare Ultrasound Products
Eleven vulnerabilities were discovered in GE HealthCare Vivid Ultrasound devices that threat actors could exploit to access and modify patient information, and possibly install ransomware to make the devices inaccessible. Researchers … Read more
How to Make ChatGPT HIPAA Compliant
The way to make ChatGPT HIPAA compliant is to deploy anonymizing software between users and the ChatGPT service so that no Protected Health Information is disclosed to ChatGPT. However, when using this solution, it is necessary for the anonymizing … Read more
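As an added illustration of the anonymizing layer described above (example code written for this page, not a product and not the ChatGPT API): a gateway that replaces regex-detectable identifiers with opaque tokens before text leaves the organization, keeps the token-to-value map only in local memory, and restores the values in the model's reply so the clinician still sees a usable answer. The identifier patterns, the sample clinical note and the stand-in `model` callable are all constructed for the example.

```python
import re
from collections import Counter

# Regex-detectable HIPAA identifiers. This list is illustrative: it covers
# structured identifiers only, and will not find names or addresses in free text.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:\s#]*\d{6,10}\b"),
    "PHONE": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}
TOKEN_RE = re.compile(r"\[[A-Z]+_\d+\]")


class PHIGateway:
    """Pseudonymizes outbound text and re-identifies inbound text.

    The vault (token -> original value) lives only inside the gateway process;
    the external model ever sees tokens such as [SSN_1], never the values."""

    def __init__(self):
        self.vault = {}        # token -> original string
        self.reverse = {}      # original string -> token (same value, same token)
        self.counters = Counter()

    def pseudonymize(self, text: str) -> str:
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def _token_for(self, kind: str, value: str) -> str:
        token = self.reverse.get(value)
        if token is None:
            self.counters[kind] += 1
            token = f"[{kind}_{self.counters[kind]}]"
            self.vault[token] = value
            self.reverse[value] = token
        return token

    def reidentify(self, text: str) -> str:
        # Unknown tokens (e.g. ones the model invented) are left untouched.
        return TOKEN_RE.sub(lambda m: self.vault.get(m.group(0), m.group(0)), text)

    def ask(self, note: str, model) -> str:
        """Full round trip: redact, send the redacted text only, restore the reply."""
        redacted = self.pseudonymize(note)
        assert not any(p.search(redacted) for p in PATTERNS.values()), "PHI leaked"
        return self.reidentify(model(redacted))


# Constructed sample clinical note (fictional patient, not real data).
SAMPLE_NOTE = (
    "Patient Jane Doe, MRN 00123456, DOB 03/14/1961, SSN 123-45-6789, "
    "phone (555) 867-5309, email jane.doe@example.com, presents with chest pain. "
    "Callback requested at (555) 867-5309."
)


def fake_model(prompt: str) -> str:
    """Stand-in for the external LLM call; echoes the tokens it was given."""
    return "Summary: " + prompt


if __name__ == "__main__":
    gw = PHIGateway()
    print(gw.pseudonymize(SAMPLE_NOTE))
    print(gw.ask(SAMPLE_NOTE, fake_model))
```

Note what the sample output still contains: the name "Jane Doe" passes through untouched, because a pattern-based redactor has no way to know it is a name. That gap is why a gateway of this kind needs named-entity detection (or a strict template for what may be sent) on top of regexes before it can honestly be called an anonymizer.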
Settlement of Class Action Lawsuits by Gifted Healthcare and Presbyterian Healthcare Services
Settlement Offered to Settle Gifted Healthcare Data Breach Lawsuit
Gifted Healthcare has offered to settle a class action lawsuit that claimed negligence for not implementing appropriate cybersecurity measures, which resulted in a data breach. The nursing agency based in Metairie, … Read more
Password Guidelines and Recommendations
World Password Day is celebrated on the first Thursday of May. It was founded in 2013 with the objective of increasing awareness of the significance of using complex and unique passwords and implementing password guidelines to maintain the privacy and … Read more
PHI Exposed in Tennessee Eye Clinic Network, Somerset Dental Las Vegas and Catholic Medical Center Cyberattacks
BianLian Threat Group Attacks Tennessee Eye Clinic Network
Politzer and Durocher, PLC, also called Optometric Physicians of Middle Tennessee (OPMT), submitted a hacking incident report to the HHS Office for Civil Rights that impacted the personal data and protected health … Read more
Orrick, Herrington & Sutcliffe Settles Lawsuit and Ernest Health’s Recent Lawsuit
Orrick, Herrington & Sutcliffe Pays $8 Million to Settle Class Action Data Breach Lawsuit
The law firm Orrick, Herrington & Sutcliffe, based in San Francisco, CA, is paying $8 million to settle a class action lawsuit associated with a cyberattack … Read more
Planned Parenthood Los Angeles Settles Lawsuit and Children’s Healthcare of Atlanta Pixel-Related Lawsuit
Planned Parenthood Los Angeles Settles Class Action Data Breach Lawsuit for $6 Million
Reproductive healthcare services provider Planned Parenthood Los Angeles, located in Los Angeles County, proposed a $6 million settlement to resolve all claims associated with a … Read more
How to Make Microsoft 365 HIPAA Compliant
The way to make Microsoft 365 HIPAA compliant so it can be used to create, receive, store, or transmit Protected Health Information is to subscribe to a plan that supports HIPAA compliance and configure each product or service within the … Read more
How to Make Google Workspace HIPAA Compliant
The way to make Google Workspace HIPAA compliant is to subscribe to a Workspace Plan that supports HIPAA compliance, agree to the terms of Google’s Business Associate Addendum, and configure the core services included in the Workspace plan to mitigate … Read more