Ransomware

Ransomware in Healthcare practices
Abyde News, Best Practices, HIPAA

When Ransomware Meets HIPAA: Turning a Cyber Scare Into a Plan

November 6, 2025 No comments yet

November 6, 2025   The lights flicker. Your EHR freezes. A skull-and-crossbones pops up with a countdown, and your team can’t access patient charts. Appointments grind to a halt. No, it’s not a scene from a horror movie you watched on Halloween; it’s what a real ransomware attack can look like for a healthcare practice. Ransomware is a growing threat in healthcare because it goes after what you rely on most: access to patient information. Attackers lock you out of your own systems and demand payment, all while putting Protected Health Information (PHI) at risk. The good news? With the proper safeguards, training, and a plan in place, your practice can respond quickly and minimize the damage. What is a Ransomware Attack? Ransomware is malicious software, or malware, that deliberately seizes records in exchange for a payment, usually demanding enormous amounts of money.  The Change Healthcare Breach, the most significant HIPAA breach on record, highlighted the devastating scale of these attacks. This single incident impacted nearly 200 million Americans! It involved a $22 million bitcoin ransom paid to the hackers after the initial attack, as well as billions of dollars in downtime and recovery. That’s how serious these incidents can get. When PHI is worth 10 to 20 times more than a credit card on the black market, it puts healthcare providers in the crosshairs of malicious bad actors. A credit card is like having a single slice of pizza, and who stops at one? A patient’s PHI gives hackers the whole pie. Instead of cheesy goodness, it’s a compliance nightmare for your practice.  Ransomware attacks have increased rapidly in the healthcare sector in recent years, with a 264% rise in large breaches caused by ransomware crimes. The big problem is that these threats are Pandora’s box, incredibly difficult to contain once they’ve begun.  How can I stop a Ransomware Attack?  You can’t guarantee it will never happen, but you can take the proper steps to minimize risks significantly.  First, ensure staff are adequately trained on email safety. We hate to break it to you, but that “Free vacation when you send an Apple gift card!” email is probably too good to be true. Most attacks start with a suspicious email that’s opened by unknowing employees. Ensure staff are aware of common phishing signs and know how to report suspicious activity correctly.  Also make sure that all proper technical safeguards, such as firewalls and encryption, are current and fully operational to secure patient data. Implement multi-factor authentication (MFA) for all logins to provide an additional layer of protection. While your password acts as a door, MFA acts as a key, keeping patient PHI secure.  No practice is 100% safe, but a solid Disaster Recovery Plan empowers your team to actually know what to do if ransomware hits and gives actionable items like quickly taking the infected device offline and involving your IT team immediately. And if you’ve got good backups in place, you can protect your patients and get your practice back on track much faster!   Keeping Your Practice Ransomware Ready Ransomware isn’t just a one-time jump scare; it’s an ongoing risk. But when you combine staff training, up-to-date safeguards, MFA, and a thorough response plan, your practice goes from vulnerable to prepared. The best part? You don’t have to figure it out alone! Smart compliance solutions can help you stay on top of requirements, document your actions, and support you if something does go wrong. Ready to learn more? Meet with a HIPAA compliance expert today

Ransomware Data Breach in Healthcare
Abyde News, Fines, HIPAA

Ransomware Strikes Again: What the Latest HIPAA Fine Teaches Us

July 28, 2025 No comments yet

July 28, 2025   Healthcare’s cybercrime nightmare just got more expensive. With over half a million dollars in fines and the second HIPAA ransomware fine issued this month alone, it’s time to acknowledge the serious threat cybercrimes pose to healthcare.  The Office for Civil Rights (OCR)  just announced its latest HIPAA fine, following a ransomware attack affecting a surgery center in New York, totalling $250,000 and placing the practice under a two-year Corrective Action Plan (CAP). The two-year period includes constant government monitoring, ensuring the healthcare provider has taken action to mitigate risks and secure Protected Health Information (PHI).  Here’s where things get interesting. Upon further inspection, the exact ransomware variant, PYSA, explicitly targets the healthcare industry. Think about it: cybercriminals know the absolute treasure trove of sensitive patient data a healthcare organization holds.  As malicious actors know the importance of patient health records, your practice must be extra vigilant when handling PHI.    What Happened? In March 2021, an unauthorized actor gained access to the networks of Specialty Surgery Center of Central New York (also known as Syracuse ASC, LLC). The hacker deployed ransomware in the organization’s networks for over two weeks. This ransomware exposed nearly 25,000 patient records, with access to Social Security numbers, addresses, health histories, and more.  Syracuse ASC, LLC, notified the OCR of this breach in October 2021, over six months after the initial intrusion. This wait violated the HIPAA Breach Notification Rule. Given the massive breach, the healthcare provider had to notify the OCR, patients, media, and potentially the State Attorney General within 60 days of discovery. Notifying these parties allows patients to take control and explore options for protecting and monitoring their data post-breach. Additionally, it could have expedited the OCR and State officials’ investigations into the extent of the ransomware attack. During the investigation process, the OCR made another startling discovery: no Security Risk Analysis (SRA) was in place.  A thorough SRA is required to maintain your practice’s security. By examining existing safeguards, you can identify and address vulnerabilities proactively before they cause problems. This practice learned the hard way about a common HIPAA pitfall: missing an SRA. Due to this, a hacker infiltrated and exploited the vulnerability of an insecure network, leading to a quarter-million-dollar fine.    Protecting Your Practice Against Ransomware Hackers have discovered a gold mine with medical records costing upwards of $1000 on the dark web, compared to the average credit card number fetching 25¢. When hackers directly target healthcare practices, your compliance program and safeguards must be in order.  Proactive compliance is key to the security of PHI. Your practice can mitigate and minimize ransomware threats by using the right compliance solutions and robust IT assistance. With the right software, it’s easy to streamline pillars of HIPAA compliance, like the SRA, identifying issues early to avoid risking your patients.  Meet with our team of experts to learn more about how you can simplify HIPAA compliance for your practice. 

Business Associate Ransomware Fine
Abyde News, Fines, HIPAA

Ransomware Reality Check: Business Associate Pays Big HIPAA Fine

June 2, 2025 No comments yet

6/2/2025   Did you know Business Associates (BAs) are at risk for ransomware attacks just as much as Covered Entities?  Ransomware attacks disproportionately affect healthcare organizations, with malicious actors looking to exploit Protected Health Information (PHI). When PHI includes sensitive information such as Social Security Numbers, addresses, phone numbers, and more, it provides someone with a lot of information to use for the wrong reasons.  A medical billing BA in Massachusetts, Comstar, LLC, recently experienced the fallout of a ransomware attack. Trusted with the PHI of over 70 practices, the organization did not have the proper safeguards to mitigate risk after a cybercrime. Part of this was a missing Security Risk Analysis (SRA), or a thorough assessment of an organization’s potential vulnerabilities.   This latest enforcement represents the responsibility of BAs to uphold their commitments and for all HIPAA-regulated entities to complete and maintain an SRA.    What Happened? In May 2022, a malicious actor intruded Comstar’s network servers. Comstar was unaware of this intrusion for several days. In the meantime, the hacker encrypted nearly 600,000 patient records with ransomware. Even though these patients weren’t directly Comstar’s, they assumed the responsibility of protecting their data.  While it is not public what steps Comstar took to mitigate risks after the initial ransomware breach, it was discovered that the organization did not complete an SRA. This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  After this discovery, the organization was fined $75,000 and put under a Corrective Action Plan (CAP), or government monitoring, for two years.  This assessment is at the foundation of a compliant practice and is a requirement of HIPAA.  Recently, the Office for Civil Rights (OCR) has sharpened its focus on this commonly missed requirement with the latest Risk Analysis Initiative. This fine is the 9th enforcement of this initiative.    Streamlining the SRA with Software When less than 20% of BAs could showcase a compliant SRA when being audited, completing the SRA is unfortunately a common oversight by regulated entities. Additionally, this is a responsibility of both Covered Entities and BAs, and both parties must carefully handle PHI.  With smart software, BAs can easily streamline the SRA and complete the assessment that pinpoints common vulnerabilities organizations face. By simplifying the SRA, intelligent solutions can empower an organization to cultivate a culture of compliance for its staff, securely meet requirements, and handle PHI.  To learn more about how your organization can easily complete the SRA, meet with a compliance expert today. 

Business Associate HIPAA Fine
Business Associates, Fines, HIPAA

Choose Your Business Associates Wisely: An $80K Mistake

January 8, 2025 No comments yet

January 8, 2025 As we ring in the new year, it’s important to remember that Business Associates (BAs) are just as responsible for protecting patient health data as their Covered Entity counterparts. A major misstep by a BA was highlighted recently on a federal level, and the first fine of 2025 was imposed. Elgon, a Massachusetts-based medical record and billing support company for Covered Entities, was levied a $80,000 fine due to numerous violations of the Security Rule, which were exposed by the fallout of a ransomware attack. As a proposed update to the Security Rule is currently open for public comment and may take effect in the spring, it is crucial for Covered Entities to select Business Associates (BAs) who prioritize compliance. BAs are just as responsible for ensuring that Protected Health Information (PHI) is kept secure. What Happened? Elgon was the victim of a ransomware attack on March 25, 2023. Unfortunately, the BA didn’t realize the intrusion of its firewalls for over a week until a ransom note was discovered. Elgon then reported the breach, which affected over 30,000 patients of a Covered Entity. Thousands of social security numbers, addresses, and other personally identifiable information were leaked from the attack. When Elgon was investigated, it was uncovered that the organization failed to recognize its risks in a Security Risk Analysis (SRA). The SRA is at the foundation of a successful practice or business, giving an organization a benchmark on how it handles PHI and how it can improve. This fine is also the second enforcement of the OCR’s Risk Analysis Initiative, highlighting the importance of completing and maintaining this assessment. How to Protect Your Organization Covered Entities and Business Associates need to uphold their commitment to protecting patient data. This recent fine is a stark reminder of what can happen when the proper procedures are not followed, exposing the personal information of thousands of patients. To avoid and mitigate situations like this, Covered Entities must carefully choose the right BA to work with, ensuring they also understand the importance of protecting patient data.  For BAs, having the proper safeguards in place is vital, earning trust from Covered Entities that you can keep their patients’ PHI safe. A key document that establishes the liability of both parties is the Business Associate Agreement (BAA). The BAA is a written document required when working with Business Associates and vice versa. This signed agreement ensures both parties know their responsibilities when handling patient data. Proposed updates to the Security Rule expand on this, with BAs potentially having to verify they are enforcing the proper safeguards on a yearly basis, certified by a compliance expert. Overall, this fine sets the tone for a new year of significant changes and enforcement by the OCR. Covered Entities and Business Associates must both understand their critical role in protecting patients. To learn more about how you can become HIPAA compliant, schedule a consultation with our team of experts today.

Ransomware HIPAA Fines
Cybersecurity, Fines, HIPAA

The Price of Neglect: Ransomware Fines Hit Healthcare Practices

November 7, 2024 No comments yet

November 7, 2024 Healthcare practices felt quite a scare on Halloween, with over half a million dollars in fines levied on medical practices. These practices were fined for not taking the necessary precautions against ransomware breaches. The two practices impacted on this day of significant fines include Plastic Surgery Associates of South Dakota in Sioux Falls (PSASD), a multi-location organization, and the Bryan County Ambulance Authority (BCAA), an Oklahoma emergency medical services provider. PSASD was fined $500,000, and BCAA was fined $90,000. These significant fines are just the precipice of the future of healthcare breaches, with ransomware breaches increasing 264% since 2018. What Happened? Major ransomware attacks unfortunately impacted both of these healthcare providers. For PSASD, a breach was discovered that infected nine workstations and two servers in July 2017. This breach impacted over ten thousand patients, putting their data at risk. The malicious actors utilized trial and error to hack into the organization’s system. The data was unable to be restored. The investigation revealed significant gaps in their compliance program, including a missing Security Risk Analysis, inadequate policies and procedures for data handling and breach reporting, and insufficient training. This $500,000 penalty also includes two years of monitoring by the Office For Civil Rights (OCR). For the BCAA, its ransomware attack began in November 2021, but wasn’t reported until May of the following year. After a breach, depending on the severity, you must notify the OCR within 60 days. Since this breach impacted over 14,000 patients or over 500 people, it is considered a large breach. Similar requirements, such as a Security Risk Analysis, adequate policies, a risk management plan, and other safeguards, were missing as found in this investigation. It’s $90,000 fine includes a Corrective Action Plan as well. Protecting Your Practice from Ransomware Ransomware attacks will continue to affect our healthcare system. Although complete immunity is impossible, there are many precautions you can take to protect your practice. Implementing the right technical safeguards, such as firewalls, antivirus software, and a qualified IT team is crucial. Additionally, you can streamline your HIPAA compliance by using intelligent software solutions that help identify your compliance needs unique to your practice. In the event of an attack, these solutions can also guide you on how to respond effectively. To learn more about these smart solutions, meet with a compliance expert today.

$240K Ransomware HIPAA Fine
Fines, HIPAA

The Rise of Ransomware in Healthcare: How a Phishing Breach Led to a $240K HIPAA Fine

October 14, 2024 No comments yet

October 14, 2024 Unfortunately, the future of data breaches is ransomware, accounting for nearly two-thirds of data breaches. As ransomware remains a significant threat in the healthcare sector, another HIPAA fine has been issued concerning a ransomware incident. Recently, a healthcare organization was fined $240,000 following ransomware attacks, including phishing, that compromised the Protected Health Information of over 85,000 patients. What happened?  The Center of Orthopaedic Specialists merged with Providence Medical Institute, a healthcare system in southern California. In February 2018, during the transition, an employee clicked on a malicious link from a phishing attempt, which encrypted over 85,000 files with ransomware. Subsequently, two more successful ransomware attacks were launched on the already vulnerable IT system. Between these attacks, PMI restored data using backup tapes. In the final ransomware attack, the malicious actors used stolen credentials from previous attempts to remotely access PMI’s systems. What could they have done? After the breach, several cybersecurity mistakes that affected almost 100,000 patients were brought to light. Before merging with PMI, the Center of Orthopaedic Specialists partnered with another IT company, Creative Solutions in Computers. However, PMI failed to sign a Business Associate Agreement with the IT company during the transition, a crucial HIPAA requirement. This agreement ensures that both parties understand and take the necessary precautions to protect PHI. Furthermore, PMI made numerous IT and cybersecurity mistakes, such as sharing logins, not properly separating private networks from public networks, failing to monitor access controls, and not encrypting ePHI, which allowed anyone with access to view it. The lack of proper IT infrastructure, which could have been easily avoided, significantly impacted numerous patients. What’s next?  After the recent HIPAA fine, it’s crucial for your practice to take the necessary precautions and implement cybersecurity measures to safeguard your patients’ data. When establishing a culture of compliance for your practice, using smart software solutions can help you assess your practice’s status and offer efficient solutions to meet requirements, such as electronically managed Business Associate Agreements. To find out more about how intelligent software solutions can protect your practice from cyber attacks, schedule a consultation with a compliance consultant.

$250K HIPAA Fine for Data Breach
Fines, HIPAA

$250K HIPAA Fine for Data Breach: The High Cost of Ignoring Cybersecurity Threats

October 3, 2024 No comments yet

October 3, 2024 Ransomware remains a significant threat to the healthcare industry, causing nearly two-thirds of data breaches. The Office for Civil Rights imposed a $250,000 HIPAA fine on Cascade Eye and Skin Centers, which provides ophthalmology and dermatology care in Washington state. This fine highlights the ongoing impact of ransomware attacks on the healthcare sector and emphasizes the importance of protecting medical practices. What Happened?  In May 2017, hackers held almost 300,000 electronic Protected Health Information (ePHI) files at Cascade Eye and Skin Centers for ransom. The practice lacked essential safeguards, such as a thorough Security Risk Analysis and effective data access monitoring, leaving patient data vulnerable to malicious actors.  The Aftermath  The $250,000 fine is a stark reminder of the OCR’s commitment to enforcing HIPAA compliance against cybercrimes. Several ransomware fines have been levied in the past year, and unfortunately, this trend is expected to continue as ransomware attacks against healthcare organizations rise. In addition to the substantial fine, the practice is subject to a Corrective Action Plan (CAP), with the OCR overseeing Cascade Eye and Skin Centers as it implements necessary initiatives and measures to safeguard its operations from cybersecurity breaches. Protecting Your Practice While no healthcare practice can be completely immune to cyber threats, there are proactive steps you can take. By implementing preventive measures, you can stop cyberattacks before they impact your practice.  Implementing a comprehensive Security Risk Analysis can help identify vulnerabilities and inform your risk management strategy, providing a comprehensive overview of what your practice currently has in place. Encrypting data provides another layer of protection by making it inaccessible to unauthorized individuals. Firewalls and antivirus software can also act as barriers to malicious attacks.  Beyond technical safeguards, a well-developed Disaster Recovery Plan is essential for minimizing the impact of a breach. Having a plan in place can help ensure a swift and effective response to incidents and limit disruption to patient care. Remote access and support capabilities can also be critical in managing compromised systems and restoring operations quickly. As technology continues to transform the healthcare industry, your compliance program should also evolve. By utilizing automated software, you can streamline compliance efforts, receive expert guidance, and stay informed about the latest cybersecurity threats.  Schedule a consultation with a compliance expert to learn more about how software solutions can help protect your practice. 

Heritage Valley Health System HIPAA Fine
Fines, HIPAA

A Nearly Million Dollar Mistake: Heritage Valley Health System

July 3, 2024 Comments Off on A Nearly Million Dollar Mistake: Heritage Valley Health System

July 3, 2024 Did you know that ransomware attacks are becoming increasingly common in healthcare?  Since 2018, there has been a whopping 264% increase in large ransomware breaches. The devastating impact of a ransomware breach on an organization is wide-reaching, regardless of its size, as seen with the Change Healthcare breach. It’s imperative to take the proper precautions to ensure that Protected Health Information (PHI) is secure against hacking attempts.  At the center of the latest fine, Heritage Valley Health System (HVHS), which operates in Pennsylvania, Ohio, and West Virginia, fell victim to ransomware attacks. These attacks infected HVHS systems, affecting sensitive patient information.  As the Office for Civil Rights (OCR) reviewed the major data breach, several pieces of required documentation, such as a Security Risk Analysis (SRA) and an emergency plan, were absent.  This missing documentation has led to a $950,000 fine and three years of corrective monitoring.  Let’s explore what you can do to prevent this nearly million-dollar mistake. Importance of an SRA  The purpose of the SRA is to review your risks and vulnerabilities regarding the management of ePHI (electronic Protected Health Information). This comprehensive analysis notes the physical, technical, and administrative controls to protect your patient’s PHI.  Your SRA is documented proof that your organization understands its weaknesses and is making strides to address them and better protect patient data.  While the SRA is a very important document, it is frequently missed. From the last round of random HIPAA audits, which have resumed recently, only 83% of practices and Business Associates could produce a sufficient SRA.  SRAs are vital for practice compliance, showcasing growth, and best practices in safeguarding patient data. Check out our recent blog post here to learn more about the SRA. Why do I need plans in place?  When running a medical practice, it’s important to be prepared for any situation that could arise. That’s why policies and procedures are so important. If your practice faces a scenario that may compromise PHI, your team needs easy access to a plan for handling the situation calmly. By addressing potential challenges well in advance, your team will feel empowered and confident in their ability to respond. Moreover, as part of your preventive measures, it’s beneficial to designate specific roles and responsibilities for your staff. This ensures that everyone is aware of their duties in any given situation.  Cybersecurity Measures  Unfortunately, healthcare practices have become very common victims of ransomware attacks. To prepare your organization for this, follow best cybersecurity practices, such as encryption, reviewing access controls, and creating unique sign-ons for all employees.  Healthcare organizations should prioritize technical safeguards like encryption, access controls, and multi-factor authentication. However, security goes beyond technology.  Implement security awareness training for staff, establish a data breach response plan, and maintain regular backups. Regularly conduct risk assessments and evaluate the security practices of third-party vendors. It’s important to consider partnering with an IT company offering valuable expertise. They can recommend the right tools, update you on evolving threats, and monitor your systems for suspicious activity. This layered approach will strengthen your systems and prepare you for potential attacks. How Smart Software Can Help Fines for HIPAA non-compliance can be staggering, but there are alternatives to the manual tracking and paper binders you may be used to. Intelligent software systems are designed to save you time and headaches and ultimately protect your practice to avoid audits and fines. Software empowers your team to manage your program easily and enables a culture of compliance in the office. It streamlines commonly overlooked requirements such as the SRA with dynamically created documentation and develops comprehensive plans, policies, and procedures so you stay current with the latest requirements. Better yet, when using cloud-based software solutions, you get 24/7 secure access and real-time updates when compliance regulations change. Schedule an educational consultation today to learn more about how software solutions can protect your practice.     

Change Healthcare Breach: Next Steps
Cybersecurity, HIPAA

Change Healthcare Breach: What You Need to Do

May 31, 2024 Comments Off on Change Healthcare Breach: What You Need to Do

May 31, 2024 Since February, the Change Healthcare ransomware attack has dominated headlines in the medical industry, cited as likely the most significant breach ever in the U.S. health system.  To quickly recap, a group of malicious hackers infiltrated Change Healthcare’s systems in February. The hackers had access to the system for nine days before infecting systems with ransomware on the 21st. When it was realized Change Healthcare’s systems were compromised, its systems were immediately disconnected to mitigate risks.  This attack not only jeopardized patients’ Protected Health Information (PHI) but also caused detrimental impact on the healthcare industry at large. Change Healthcare processes 15 billion healthcare transactions annually. With these systems down, healthcare providers continue to struggle with basic processes, like filling prescriptions and getting paid through insurance claims.  The latest update on the Change Healthcare breach has reached Capitol Hill. Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare, testified at two congressional hearings on May 1st. At these hearings, the cause of the breach was acknowledged: a lack of multi-factor authentication prompts when logging into internal systems.  Additionally, while Witty confirmed that the exact scope of impacted patients is unknown, it is expected to be very severe. One-third of Americans could be affected by this cyberattack.  Although Change Healthcare’s lack of security protocols caused the catastrophic breach, it is still your practice’s responsibility to notify impacted patients. What You Need to Do The Office for Civil Rights (OCR) is still investigating the magnitude of this cyberattack, but guidance has been released.  First, Change Healthcare is notifying stakeholders impacted by the breach. This includes Covered Entities and Business Associates. Business Associates must notify Covered Entities if their business is affected, and the responsibility to inform patients ultimately falls on Covered Entities.  The Breach Notification Rule under HIPAA details what information needs to be shared with patients, including suspected dates the data was breached, what PHI was involved, and the next steps.  Once it’s known that this breach impacted your patients, it’s vital to notify affected individuals without unreasonable delay and to inform the HHS. The media must also be notified if five hundred or more patients were affected.  After this significant cyber attack, reviewing your risks and vulnerabilities is crucial. If a vast organization processing up to $2 trillion in medical claims annually can be hacked, so can your practice.  Ensure standard security protocols, like multi-factor authentication, are in place to mitigate the risk of breaches. When it comes to your HIPAA compliance programs, securing your data is critical. For example, Abyde’s cloud-based software features an intuitive Security Risk Analysis (SRA) and ongoing compliance review to quickly identify and address risks to keep your practice’s sensitive data safe.  As this breach is still under investigation, Abyde will keep Covered Entities and Business Associates up-to-date on the latest developments.  Visit the HHS FAQ page on the Change Healthcare breach here. To learn more about software solutions to ensure protected compliance for your practice, schedule an educational consultation here with a compliance expert.

UnitedHealth Group in the Hot Seat
Cybersecurity, HIPAA

UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Comments Off on UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach

May 1, 2024 Over the last several months, your friends at Abyde have kept you updated on the latest in the Change Healthcare Breach.  Since February 21st, this breach has held the healthcare industry captive, likely the most significant healthcare data breach in the United States ever.  Change Healthcare, nestled under the UnitedHealth Group umbrella, processes about 50% of U.S. medical claims, is still picking up the pieces. If you work in healthcare, you feel the sting of the attack. Almost all hospitals reported financial damages because of the attack.  So, how did we get here?  You’re getting answers, as CEO of UnitedHealth Group, Andrew Witty, is set to testify in front of two congressional panels today.  Don’t worry, we’re not going in blind! While Witty might be on center stage today, a written testimony has already been released. Stay tuned because we’re decoding this testimony and answering your burning questions.  Pack your bags! We’re taking a quick trip to the Capitol! Party Crashers This compliance catastrophe began on February 21st, with the BlackCat hacking group infecting Change Healthcare’s systems with ransomware.  However, the team of malicious hackers had been plotting for over a week, being in Change Healthcare’s systems for nine days before the attack.  How did they get in?  It wasn’t a Mission Impossible stunt, avoiding lasers and jumping between buildings, but a simple case of compromised credentials.  Using a stolen login, the black-hat hackers could log into a Change Healthcare application portal and remotely access desktops. This portal didn’t have a standard security protocol: multi-factor authentication. Multi-factor authentication (MFA), like a code sent to your phone before logging in, is a typical security standard for protecting sensitive data. Implementing technical safeguards, like MFA, falls under the HIPAA Security Rule.  Mopping up the Mess While Change Healthcare is no stranger to hacking attempts – thwarting 450,000 intrusions a year – once the ransomware was identified, Change Healthcare sprung into action. According to Witty, the Change Healthcare team immediately severed connectivity with the data centers to avoid the spread of ransom.  Change Healthcare started from the bottom up, rebuilding the foundation of its technology infrastructure, replacing thousands of laptops, implementing new credentials, and new servers with the help of Tech powerhouses like Amazon and Google.  As of today, the ransomware only impacted Change Healthcare and none of UnitedHealth Group’s other organizations.  Witty also admitted to meeting ransom demands, saying it was one of the toughest decisions he’s ever had to make.  What’s Next?  These uninvited party crashers have put the UnitedHealth Group in hot water. These congressional hearings are just the tip of the iceberg for the medical titan.  Here at Abyde, we’re keeping a close eye on things, and you can bet we’ll keep you in the loop through our blogs and social media on the latest in these hearings.  Want to stay on top of all things compliance? Follow us and watch for our This Week in Compliance series – it’s your one-stop shop for compliance info!

Is your dental practice OSHA-ready? Cut through the complexities with our latest eBook.

DOWNLOAD NOW
X