BASSETT-The records from more than 500 patients at Bassett Family Practice were stolen in August, company officials say. On Friday, officials from the facility sent out letters to all of their patients, informing them what was included in the theft and what steps the medical practice is taking to prevent it from happening again.
The patient information included each person’s full name, date of birth, account number at the medical practice, identity of their insurance provider and potentially some details about the reasons behind recent visits to Bassett Family Practice, such as the type of sickness a patient was suffering from. All of that information was stored on a laptop, which was sitting in an employee’s car. Officials at the practice say they aren’t certain on a specific date, but say the laptop was stolen from the employee’s vehicle between the evening of Aug. 12 and the morning of Aug. 14. While a police report was filed immediately, officials with the facility waited until Oct. 13 to inform patients of the incident.
“The time was spent working with law enforcement, consulting our legal counsel, recovering the backup and researching the files,” said Bassett Family Practice Finance Director Alvin Franks, when asked why the facility had delayed in releasing the information. “The files to be researched were voluminous and we wanted to ensure we were not double counting anyone.”
In this case, Franks said Bassett employees had to first search for and find the backup to the stolen laptop, in order to see what information had been transferred on to it. In the letter sent out to patients, the facility states that “while there were details about office visits, such as [the] identity of the affected individual’s provider name and reason for visit, much of the information for the affected individuals was account balance information for the procurement of medical services contained in spreadsheets, which, by law, is still considered HIPAA protected information.”
Bassett Family Practice officials made it clear repeatedly, both in the letter and speaking with Bulletin staff, that there were no social security cards, debit or credit card information stored on the stolen laptop.
The information had to be released before Oct. 15, because the theft of patient records is a breach reportable under HIPAA, the Health Insurance Portability and Accountability Act. Signed into law in 1996, HIPAA gives specific instructions for safeguarding a patient’s medical records and other information. The Bulletin reached out to officials with the U.S. Department of Health and Human Services and they directed us to the department’s website, which gives a complete breakdown of the law. According to the department’s website, notice of any type of breach has to be “provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
Since the breach took place at some point between Aug. 12-14, letters had to be sent out no later than Oct. 14, in order to fall within the 60 day window. A copy of one of the letters sent out by Bassett Family Practice, which the facility provided to the Bulletin, gives a date of Oct. 13 for when this was sent out. HHS officials said because there is some question about when the theft occurred, that letter met the time requirements. They also said Bassett employees didn’t break any laws by not immediately informing patients.
As for taking the laptop out of the facility, there is no portion of the HIPAA Security Rule that makes that decision illegal. The current HIPAA edition, which has been revised over the last two years, states that a facility “must have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected information.”
When asked on Monday, HHS officials also could not point to anything stating that removal of a laptop containing patient information from a facility violated policies.
The data was on a laptop in the first place because the facility was making a transition to a new IT system. With that switch now complete, all patient information is stored only on a company server and not on any laptops used by employees. Franks also said the medical practice was moving files already on laptops to the server, as well as encrypting all laptops with Symantec Encryption Software.
As of Oct. 16, there was nothing to report from law enforcement in terms of a suspect or any leads on who may have stolen the machine. Based on the fact the laptop was unlabeled and had been stolen from inside the vehicle, Bassett officials said they didn’t think it was stolen with the intent to access protected health information.
To the knowledge of both local law enforcement and Bassett Family Practice employees, no one has accessed the patient information. They say they would know, because if the patient information is accessed, the facility’s server will receive a notification. If that happens, Franks said, employees can protect the information by remotely wiping the laptop.
“There is also a fail-safe, where the organization could delete the information on the laptop, should it ever be accessed through the operating system,” Franks said. “The laptop has not yet been recovered nor accessed at this time.”
Any patients of Bassett Family Practice with questions about the theft can call the facility at 1-888-746-7175.
Article by: Martinsville Bulletin – Brian Carlton
Another day, another data breach. This time one of the world’s “big four” accountancy firms has fallen victim to a sophisticated cyber attack.
Global tax and auditing firm Deloitte has confirmed the company had suffered a cyber attack that resulted in the theft of confidential information, including the private emails and documents of some of its clients.
Deloitte is one of the largest private accounting firms in the U.S. which offers tax, auditing, operations consulting, cybersecurity advisory, and merger and acquisition assistance services to large banks, government agencies and large Fortune 500 multinationals, among others.
The global accountancy firm said Monday that its system had been accessed via an email platform from October last year through this past March and that “very few” of its clients had been affected, the Guardian reports.
The firm discovered the cyber attack in March, but it believes the unknown attackers may have had access to its email system since October or November 2016.
Hackers gained access to Deloitte’s email server through an administrator account that was not secured with two-factor authentication (2FA), which gave the attackers unrestricted access to Deloitte’s Microsoft-hosted mailboxes.
Besides emails, hackers also may have had potential access to “usernames, passwords, IP addresses, architectural diagrams for businesses and health information.”
“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a Deloitte spokesperson told the newspaper.
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.”
Deloitte’s internal investigation into the cyber incident is still ongoing, and the firm has reportedly informed only six of its clients that their information was “impacted” by the breach.
Deloitte is the latest victim of a high-profile cyber attack. Just last month, Equifax publicly disclosed a breach of its systems that exposed the personal data of as many as 143 million US consumers.
Moreover, last week the U.S. Securities and Exchange Commission (SEC) disclosed that hackers had broken into its financial document filing system and illegally profited from the stolen information.
A data breach at one of Pennsylvania’s largest health networks has sparked safety concerns and questions regarding why it took several months for patients to be notified.
The Women’s Health Care Group of Pennsylvania, which is based in Oaks, Pennsylvania but has 45 offices serving women in Montgomery, Chester and Delaware Counties, sent a letter to patients this month informing them that hackers had stolen their information. That information included patient names, birth dates, social security numbers, pregnancy histories, blood type information and medical diagnoses.
The following notice, posted on Women’s Health Care Group’s site on July 18, indicates that this was a ransomware attack:
Notice of Security Breach Incident
Posted: July 18, 2017
On May 16, 2017, we discovered that a server and workstation located at one of our practice locations had been infected by a virus designed to block access to system files. Upon discovering the virus, we immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data. Local Federal Bureau of Investigation authorities were contacted and a report was filed.
As part of our investigation, we learned that external hackers gained access to our systems, as far back as January 2017, through a security vulnerability. We also believe the virus was propagated through this vulnerability. Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with this incident. In addition, the encrypted files were promptly restored from our back-up server and the incident had no effect on our ability to continue to provide patient care nor was any information lost.
The types of files that could have been accessed may have included information about a patient’s name, address, date of birth, Social Security number, lab tests ordered and lab results, telephone number, gender, pregnancy status, medical record number, blood type, race, employer, insurance information, diagnosis, and physician’s name. No driver’s license, credit card or other financial information was stored in any files on the infected server.
Individuals whose information may have been affected by this incident will receive a letter informing them of this incident, with instructions on steps they can take to receive free credit monitoring and identity theft protection services for a year. We recommend these individuals review all financial account information closely and report any fraudulent activity or suspected incident of identity theft. We have set up a call center with a toll-free help line for individuals who have questions about this incident. The phone number is (877) 534-7033. The call center is staffed weekdays Monday through Friday from 9:00 AM to 9:00 PM (EST) and Saturday and Sunday from 11:00 AM to 8:00 PM (EST).
We sincerely regret any concerns or inconvenience this incident may cause our patients. Maintaining the integrity and confidentiality of our patients’ personal information is very important to us and we are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.
Update: When this incident appeared on HHS’s breach tool, it was reported as impacting 300,000 patients.
After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users.
Dubbed LeakerLocker, the Android ransomware does not encrypt files on the victim’s device as traditional ransomware does; instead it secretly collects personal images, messages and browsing history and threatens to share them with the victim’s contacts unless the victim pays $50.
Researchers at security firm McAfee spotted the LeakerLocker ransomware in at least two apps — Booster & Cleaner Pro and Wallpapers Blur HD — in the Google Play Store, both of which have thousands of downloads.
To evade detection of their malicious functionality, the apps initially contain no malicious payload and behave like legitimate apps.
Once installed, however, the apps load malicious code from their command-and-control server, which instructs them to collect a large amount of sensitive data from the victim’s phone, relying on the permissions that victims blindly grant during installation.
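The two warning signs described above (permissions that make no sense for the app's stated purpose, and code fetched and loaded after installation) can be triaged statically before an app is ever run. The following is an added example and not code from the original article or from McAfee's analysis; it assumes the APK has already been unpacked to text form (for instance with apktool), so that AndroidManifest.xml is plain XML and the string table of classes.dex is available as a list. The manifest, the dex strings and the "wallpaper" category profile below are constructed samples.

```python
"""Static triage of a decoded Android app for LeakerLocker-style warning signs.

Added example, not code from the original article or from the malware's authors.
Assumes the APK has been decoded (e.g. with apktool) so the manifest is text XML
and the strings of classes.dex have been extracted to a list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed category profile: permissions a wallpaper app has no reason to hold.
OUT_OF_SCOPE = {
    "wallpaper": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.CAMERA",
        "android.permission.ACCESS_FINE_LOCATION",
        "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
        "android.permission.GET_ACCOUNTS",
    },
}

# Dex-string markers that point at code loaded after installation rather than
# shipped in the APK: the dynamic class loaders and downloadable code bundles.
DYNAMIC_LOAD_MARKERS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    ".dex",
    ".jar",
)

# Constructed sample manifest for a "wallpaper" app that over-requests permissions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpapers.blur">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Wallpapers Blur HD"/>
</manifest>
"""

# Constructed sample of strings pulled from classes.dex.
SAMPLE_DEX_STRINGS = [
    "Landroid/app/WallpaperManager;",
    "http://cdn.example.invalid/update/payload.jar",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
]


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def out_of_scope_permissions(manifest_xml, category):
    """Declared permissions that are out of character for the given app category."""
    return sorted(declared_permissions(manifest_xml) & OUT_OF_SCOPE[category])


def dynamic_loading_indicators(dex_strings):
    """Dex strings that reference dynamic class loading or downloadable code."""
    return sorted({s for s in dex_strings for m in DYNAMIC_LOAD_MARKERS if m in s})


def triage(manifest_xml, dex_strings, category):
    """Combine both signals; an app is flagged only when both are present."""
    perms = out_of_scope_permissions(manifest_xml, category)
    loaders = dynamic_loading_indicators(dex_strings)
    return {
        "out_of_scope_permissions": perms,
        "dynamic_loading": loaders,
        "suspicious": bool(perms) and bool(loaders),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, "wallpaper"))
```

Either signal alone produces false positives (many legitimate apps use DexClassLoader for plugin systems, and a camera permission is normal for a photo app), which is why the verdict requires both; the category profile is the part an analyst tunes per app store listing.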
The LeakerLocker ransomware then locks the home screen and displays a message that contains details of the data it claims to have stolen and holds instructions on how to pay the ransom to ensure the information is deleted.
The ransom message reads:
All personal data from your smartphone has been transferred to our secure cloud. In less than 72 hours this data will be sent to every person on your telephone and email contacts list. To abort this action you have to pay a modest ransom of $50. Please note that there is no way to delete your data from our secure but paying for them. Powering off or even damaging your smartphone won’t affect your data in the cloud.
Although the ransomware claims that it has taken a backup of all of your sensitive information, including personal photos, contact numbers, SMS’, calls and GPS locations and browsing and correspondence history, researchers believe only a limited amount of data on victims is collected.
According to researchers, LeakerLocker can read a victim’s email address, random contacts, Chrome history, some text messages and calls, take a picture from the camera, and read some device information.
A random selection of the above information is displayed on the device screen, which is enough to convince victims that a large amount of their data has been copied.
Both malicious apps have since been removed by Google from the Play Store, but it is likely that hackers will try to smuggle their software into other apps.
If you have installed any of the two apps, uninstall it right now.
But if you have been hit by the ransomware and are worried about your private photographs being leaked to friends and relatives, you might be tempted to pay the ransom.
Do not pay the Ransom! Doing so motivates cyber criminals to carry out similar attacks, and there is also no guarantee that the stolen information will be deleted by the hackers from their server and will not be used to blackmail victims again.
Article by: Mohit Kumar
From their press release:
White Blossom Care Center (“White Blossom”) announced today an incident that resulted in the exposure of certain resident information at its facility in San Jose, Calif. It is important to note that, based on the available information, we have no specific evidence that any potentially exposed data has been used inappropriately.
We recently received a report that a former White Blossom employee had improperly acquired resident data while employed at the facility. We immediately engaged an independent technical security expert to investigate and contacted state and federal law enforcement; we have continued to work closely with them on their investigation.
What information was involved.
Based on the available information, we believe data relating to approximately 800 residents may have been inappropriately acquired by the former White Blossom employee. We do not know when this took place. We currently believe that a limited number of the inappropriately acquired files contained some combination of resident names with social security numbers, dates of birth, health insurance carrier and account numbers, and/or limited medical information, such as admission dates, diagnoses, medications, and/or procedures. It is important to note that, based on available information, no bank account numbers or any other financial information is impacted.
What we are doing.
We recognize the trust that our residents place in us and have committed ourselves to taking steps to prevent this type of incident from happening again. Although our data systems have always contained safeguards to protect personal information, we are enhancing data security by resetting employee computer user accounts and passwords and reconfiguring our computer systems to further limit access to already-restricted sensitive resident data. We will continue to work with our independent technical expert to ascertain if additional improvements can be made. Additionally, although we have no specific evidence that any potentially exposed data has been used inappropriately, we are offering identity theft protection services to affected individuals in an abundance of caution.
What you can do.
The social security number of a limited number of individuals affected by this incident may have been exposed, and we therefore recommend that, in addition to enrolling in the services outlined above, you place a fraud alert on your credit files. A fraud alert requires potential creditors to use “reasonable policies and procedures” to verify your identity before issuing credit in your name. This fraud alert will automatically renew every 90 days. You can place a fraud alert by calling one of the three credit reporting agencies at the telephone number provided below. The company you call should contact the other two credit reporting agencies, so you should be able to place an alert with all three agencies through a single phone call. You will receive letters from all three agencies, confirming the fraud alert and letting you know how to obtain a free copy of your credit report from each agency. If you do not receive a letter from each agency, you may choose to contact the additional agencies to place individual fraud alerts.
When you receive your credit reports, look them over carefully. Look for accounts you did not open, inquiries from creditors that you did not initiate, and for personal information, such as home address and Social Security number, that is not accurate. If you see anything you do not understand, call the credit reporting agency at the telephone number on the report. If you do find suspicious activity on your credit reports, call your local police or sheriff’s office and file a police report of identity theft.
For more information.
We take our obligation to protect the personal and medical information of our residents very seriously and sincerely apologize for any inconvenience and concern this may cause. If you have any questions regarding this incident, please call our dedicated toll-free line at 1-888-697-8571, where a team is standing by to assist you Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.
SOURCE: White Blossom Care Center