April 22, 2024 Good morning! We hope we can cheer up your Monday blues with the announcement of our new educational series, Compliance Catastrophes: real-ish world examples of nightmare scenarios! Throughout this week, we’ll be releasing blogs and videos on common breaches of Protected Health Information (PHI) in healthcare, giving you the tips you need to stay secure. We’re starting our series with one of the most common HIPAA breaches: email scams. Email scams are very prevalent, with 91% of cyberattacks beginning with a phishing email. Phishing attempts are the most common form of cybercrime, with 3.4 BILLION spam emails sent daily. Now, before we get too far, let’s clear up any misconceptions. Phishing attempts are unfortunately not a Saturday night getaway on a boat with your friends catching fish, it’s much more like casting a lure of fake urgency or importance to try and ‘fish’ for personal information, like PHI. You might think that you could never fall for a phishing scam, but let me tell you, it happens quite often. Let me introduce you to the star of the week, Catastrophe Cathy. A One-way Ticket to a Breach Cathy was scrolling through her email, and she couldn’t believe her eyes! Her boss sent her an email offering her a week’s vacation to Italy! All she had to do was claim it by clicking the link listed at the bottom of the email. She was sold! It looked real; it said it was from her boss, Bob, and it even had his email signature! As she clicked the link, the malware began to work its nefarious magic – infecting her computer and getting access to PHI. Her dreams of seeing the Leaning Tower of Pisa came crashing down. Once she realized there was no trip. She panicked! What was she going to do? Email Safety 101 Now, we can be like Cathy if we aren’t careful when checking our emails! Falling for these phishing scams affects over 300,000 people a year, yielding over $50 million in losses. First, an always good rule of thumb: If it’s too good to be true, it’s not. Sorry, or scusa (sorry in Italian) Cathy! Next, always check who is sending the email. While it looked like it came from Bob the Boss, if she looked at the email address, she would have seen it came from Stevethescammer@email.com! Hackers pretending to be someone else at your organization is a very common practice known as spoofing. Lastly, if you see any odd links or attachments, never click them, report them as spam, delete them, and, if applicable, forward them to your organization’s phishing email! Phishing scams have also made a recent detrimental impact on healthcare. The OCR settled its first phishing cyber attack investigation, costing the Lafourche Medical Group $480,000! Reel in Control Now, if you find yourself falling for an email scam, the first thing you need to do is to alert your team. You might be embarrassed, but it’s brave to admit you’re wrong, ensuring others don’t fall for a similar attack, too. The most important step right now is to disconnect your device from the internet. Think of it like putting up a “closed for business” sign. This cuts off the hackers’ access and prevents them from finding more information on your network. Loop in your IT team or IT provider, and follow company procedures for a cyber attack. Of course, notify patients affected by the breach, and report the breach in your Abyde software and to the OCR. Also, since it is a phishing attempt, you can report it to the FTC. To learn more about common breaches, stay tuned to our blogs and videos this week! Follow us on social media to be the first to see the latest compliance news, and if you have any questions, email us at info@abyde.com.
Big Fish, Big Fine
February 3, 2023 A hacker dropped a line and an Arizona-based nonprofit health system got baited, hook line and sinker. Yesterday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced a settlement resolving a data breach. The breach, executed by a “threat actor”, disclosed the protected health information of 2.1 million consumers. Ouch! Outlined by the HHS, the HIPAA violations include: The investigation began back in 2016 after OCR received a receipt of a breach report. The hacker was able to access PHI such as patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medication, diagnoses and conditions, and health insurance information. As part of the settlement, the hospital paid $1,250,000 to OCR and agreed to a Corrective Action Plan. The plan highlights efforts to resolve their violations against the HIPAA Security Rule. Before you catch yourself becoming a victim of “here fishy fishy”, make sure all your ducks – or should we say fish – are in a row. As we continue to see the relevance and impact of cybersecurity incidents increase, you should be more alert and secure than ever. And if you’re thinking, well that was a hospital – that could never happen to me, be careful what your next Go Fish card is. Whether you’re a big fish in a little pond or a little fish in a big pond, hackers are targeting healthcare. This particular hospital is facing extensive hours of work to complete its Corrective Action Plan which includes conducting a risk analysis, developing a risk management plan, implementing and distributing policies and procedures, and regular follow-up with the HHS. Conveniently, these are all things Abyde can help with. Reach out today to find out how we can save you over 80 hours a year and a time-consuming Corrective Action Plan down the road.
NJ Attorney General Imposes $425,000 Fine to Put out the Fire of HIPAA Violation
December 21, 2021 Handling sensitive information without having the right safeguards in place can be like playing with fire, and we’ve all seen enough headlines to know just how easily a data breach can send a healthcare organization up in smoke. Just last week, the New Jersey Office of the Attorney General and its Division of Consumer Affairs announced a $425,000 settlement with Regional Cancer Care Associates LLC (RCCA). Along with the payment, RCCA has agreed to strengthen data security and privacy practices to prevent further breaches. The investigation was sparked back in 2019 after RCCA reported two separate data breaches involving the protected health information (PHI) of 105,000 individuals. The first of the two breaches occurred after several RCCA employees fell victim to a targeted phishing scheme that gave unauthorized access to patient data stored on those accounts from April – June 2019. The phishing scheme exposed driver’s license, Social Security, and financial account numbers along with other health records. While the threat of a phishing scheme can be better avoided through proper cybersecurity measures and employee training, the even bigger problem began in RCCA’s attempt to put out the first set of flames. Following the Breach Notification Rule, the cancer care provider notified impacted patients in July of that same year. However, the third-party vendor they used to provide this notice, improperly mailed notification letters intended for 13,047 living patients by addressing the patients’ perspective next-of-kin. This mistake resulted in patients’ relatives being informed of their medical conditions without consent – essentially just adding even more fuel to the blaze that the initial breach set off. Now just one lit match wouldn’t ignite a settlement of this proportion, but rather RCCA’s failure to do all of the following: So while the rising trend of healthcare data breaches won’t be easily extinguished, keeping your practice best-protected starts with having a complete HIPAA and cybersecurity program in place. Better staff education and compliance measures should be a top priority and the message from Acting Attorney General Bruck stating, “We require healthcare providers to implement adequate security measures to protect patient data, and we will continue to hold accountable companies that fall short,” is hopefully something that will spark some change.