Stolen Laptops Lead to Nearly $2M in HIPAA Settlements


Stolen laptops are a concern for every business: the loss of proprietary data, compromised employee or client information, and concerns about access to the business's network if the theft isn't reported to IT staff right away are just a few of the ways a lost or stolen laptop can damage a business.

However, if your business is in the medical industry the damage can be exponentially worse, as it was in two 2014 cases where the U.S. Department of Health and Human Services settled with two entities for a total of nearly $2,000,000 USD as a result of potential HIPAA violations after laptops were stolen.

The first of the two incidents involved Concentra Health Services, who had an unencrypted laptop stolen from its Springfield, Missouri Physical Therapy Center. During the investigation of this incident it was determined that Concentra had previously acknowledged, via its own risk analyses, that the lack of encryption on devices containing Electronic Protected Health Information (ePHI) was a serious risk. Concentra had begun the process of encrypting ePHI, but the efforts had been "inconsistent," resulting in insufficient security in place to safeguard patient information. To settle these potential violations Concentra agreed to pay $1,725,220 and put in place an action plan to remediate these issues.

The second incident involved QCA Health Plan, Inc. of Arkansas, who reported in February 2012 that a laptop containing ePHI records of 148 individuals had been stolen from an employee's car. Upon investigation it was determined that QCA had failed to comply with multiple HIPAA rules, with the period of non-compliance beginning at the compliance date of April 2005 and ending June 2012. QCA Health Plan, Inc. agreed to pay a $250,000 USD settlement and was required to provide Health and Human Services with an updated risk analysis and risk management plan.

During 2014 we covered some of the cyber attacks in the US and around the world; several of these attacks involved the medical industry and include both hardware theft and cyber attacks:

  • February 2014 - Lost thumb drive compromises 3598 Texas Cancer Center patients
  • February 2014 - Laptop stolen at St. Vincent's Indianapolis hospital, 1100 patients' information compromised
  • February 2014 - St. Joseph Health System hacked, over 400,000 patients' and employees' personal information compromised
  • February 2014 - Assisted Living Concepts had an incident of unauthorized access
  • March 2014 - Franciscan Medical Group employees responded to a phishing scam
  • April 2014 - Lubbock Cardiology Clinic had unauthorized access to their Electronic Health Record System
  • April 2014 - Centura Health employees responded to a phishing scam
  • April 2014 - Midwest Orthopaedics at Rush notified patients that a doctor's email had been accessed by an outside individual
  • May 2014 - DeKalb Health patient information exposed by "overseas hacking"
  • July 2014 - Doctor's PharmaNet account accessed by an unauthorized individual
  • August 2014 - Community Health Systems reported the theft of 4.5 million patients' information by cybercriminals
  • August 2014 - StayWell Health Management experienced a breach affecting personal information
  • September 2014 - Central Utah Clinic in Provo may have had personal health information viewed by an intruder who broke into one of their servers
  • October 2014 - UC Davis Health System physician's work email was accessed by an unknown source
  • October 2014 - Penn Highlands doctor's server was accessed by a "third party" intruder
  • November 2014 - Jessie Trice Community Health Center patients' information was stolen as part of "an identity theft criminal operation"
  • November 2014 - Onsite Health Diagnostics information was accessed and stored by an "unknown source"
  • November 2014 - Central Dermatology Center notified patients that one of its servers had been compromised by malware for roughly 2 years
  • February 2015 - Anthem hacked, details still coming out

If the Concentra Health Services and QCA Health Plan settlements are any indication, many of these recent breaches may appear on the Health and Human Services list of settlements in the next couple of years. Add to that the information coming out from Anthem on their recent data breach of possibly 80 million subscribers' information, and the settlements could get even larger.

A few years ago a local doctor's office had an external hard drive that was assigned to an employee every night to be taken home. This seemed like common sense to protect the backed-up company and patient data on the server in case of fire or theft. Unfortunately, one night this employee left the external hard drive in their car, which was subsequently broken into (very similar to the Concentra incident). This doctor's office had to notify all their patients and employees of the loss and potential breach of their personal information. But all things considered, this case could have been worse: had Health & Human Services been involved at the time, it could have resulted in a business-ending settlement or fine.

The important takeaway is that if you're in the medical industry and bound by the HIPAA laws, now is the time to make sure you've done everything necessary to protect your business's and patients' data and avoid the chance of having to pay a large fine or settlement.


Malicious Email Disguised as Microsoft Volume Licensing

This email appears perfectly legitimate, although its consequences could be devastating to a business!

Most businesses use some version of Microsoft software and are aware of licensing requirements, even when they don't know the specifics of their licenses. So when an email arrives appearing to be from Microsoft's Volume Licensing Service Center, and it is properly addressed to the business owner or another correct recipient within the company, most are likely to view it as legitimately from Microsoft.

Take a look at the example of this scam below. All the company and owner specifics are correct (yes, we redacted the actual business information), and as this company uses Microsoft products the owner immediately thought: I had better figure out what this is all about.

Helping to add legitimacy to this email, in the case of this business owner, is that they are in the process of an expansion and are actively acquiring hardware and software, including some Microsoft products.

So what happens when the unsuspecting victim clicks on the link? That's where this ruse gets even more convincing. Upon clicking the link, two things happen.

First, a web browser does indeed open the main page of the Microsoft Volume Licensing Service Center. Well, that definitely looks right.


Second, a prompt to download and save a file also opens. The prompt is right next to the Microsoft page, so this is clearly a download from Microsoft. Except it's not. The download is a zip file. As we've said over and over and over: if you aren't expecting a zip file, don't save it, and absolutely don't open it.

"But I thought it was from Microsoft..."

Once the zip is extracted and the program file is run, it pretends to be a screen saver, which is an interesting choice. With monitors just going to sleep these days, fewer and fewer people use screen savers, so it's planting the infection in an unused portion of most people's computers.

We didn't take the testing further, and the link in this email has since been taken down, preventing further testing. What we do know is that the download came from a Polish domain, and it is likely either a variant of the Dyre malware, which has previously been noted to hide as a screen saver, or another delivery method for one of the numerous versions of ransomware currently causing trouble all across the Internet.

The lesson here is the importance of vigilance. Hovering over the link before clicking shows that it goes to a .pl (Polish) domain, and right there, no matter how good the email looks, it's obviously fake. And the moment you're prompted to do anything with a zip file you weren't expecting, either just delete it or, if you believe the sender is legitimate, call or email them to verify the zip before extracting it.
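The "hover over the link" check above can be automated for a mail gateway or a help desk triage script. The following is an added example, not code from the original post: it parses the anchors in an HTML email, compares the domain the visible text shows with the domain the href actually goes to, and flags links that leave the claimed sender's domain or deliver an archive. The sample message, the `example-placeholder.pl` hostname and the `microsoft.com` allow-list are constructed for illustration.

```python
# Added example (not the post's code); the sample email and the .pl hostname are made up.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the visible text looks like a Microsoft URL, the real href is a
# .pl placeholder serving a zip; the second link is what a genuine one looks like.
SAMPLE_EMAIL = """
<a href="http://download.example-placeholder.pl/vlsc/agreement.zip">
  https://www.microsoft.com/licensing/servicecenter</a>
<a href="https://www.microsoft.com/licensing">Microsoft Volume Licensing</a>
"""
EXPECTED_SENDER_DOMAINS = {"microsoft.com"}  # who the email claims to be from

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for .com/.pl illustrations."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def suspicious_links(html, expected=EXPECTED_SENDER_DOMAINS):
    """Return [(href, [reasons])] for links a recipient should not click."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        actual = registered_domain(url.hostname or "")
        if text.startswith(("http://", "https://", "www.")):  # visible text is a URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and registered_domain(shown) != actual:
                reasons.append("shows %s but goes to %s" % (registered_domain(shown), actual))
        if actual not in expected:
            reasons.append("destination %s is not the claimed sender" % actual)
        if url.path.lower().endswith((".zip", ".exe")):
            reasons.append("link delivers an archive or executable")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against the constructed sample, the first link is reported with all three reasons and the genuine Microsoft link is not reported at all.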


A New Year Brings With It New Ransomware

It's a new year, so naturally a new ransomware infection has been found attacking computers and networks. PClock has been discovered masquerading as CryptoLocker. See image below. PClock attempts to name itself CryptoLocker, more as a scare tactic than anything; it has been named PClock after the project name found in its executable file.


It is not currently known how PClock is distributed. Once installed, it attempts to encrypt only certain file types, specifically photos, videos, word processing and spreadsheet files. After encryption is complete PClock changes your desktop background to the ransom screen and provides a 72-hour countdown clock for the victim to pay the 1 Bitcoin ransom. Bitcoin is down a bit today, currently trading at 1 Bitcoin to $267.23 USD.

PClock regularly queries blockchain.info to determine whether your payment has been received. If a payment is received, it then automatically transforms itself into the decryptor and prompts you to decrypt your files.
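That regular payment check is a behaviour a network administrator can look for. The following is an added example, not code from the post or from Emsisoft: it reads a proxy log, groups requests to blockchain.info by workstation, and flags any workstation whose requests arrive at near-identical intervals, which is how a malware timer looks compared to a person glancing at a chart. The log lines, workstation names, hit threshold and jitter limit are constructed for illustration.

```python
# Added example, not code from the post or from Emsisoft; the proxy log lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: ISO timestamp, source workstation, destination host.
PROXY_LOG = """\
2015-01-12T09:00:02 ws-17 blockchain.info
2015-01-12T09:00:15 ws-04 www.bing.com
2015-01-12T09:05:01 ws-17 blockchain.info
2015-01-12T09:06:40 ws-04 blockchain.info
2015-01-12T09:10:03 ws-17 blockchain.info
2015-01-12T09:15:00 ws-17 blockchain.info
2015-01-12T09:20:02 ws-17 blockchain.info
"""
WATCHED_HOSTS = {"blockchain.info"}  # the host the post says PClock polls for payment
MIN_HITS = 4        # fewer than this could be a person checking a chart
MAX_JITTER = 0.10   # max coefficient of variation of the gaps between requests

def parse_log(text):
    """Group request timestamps by (source, destination) for watched hosts."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()[:3]
        if dst in WATCHED_HOSTS:
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return events

def find_beacons(text):
    """Return {(src, dst): period_seconds} for pairs that poll on a timer."""
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < MIN_HITS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Malware timers are regular; human browsing is not.
        if period > 0 and pstdev(gaps) / period <= MAX_JITTER:
            beacons[key] = round(period)
    return beacons
```

On the constructed log, ws-17 is reported with a 300-second period while ws-04, which touched blockchain.info once, is not.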

Interestingly, if you do not pay within the 72 hours you receive a file, last_chance.txt, that tells you to download the malware again and claims to give you an additional 3 days to pay. I have not seen any security firms who have actually tested that particular "feature".


Aside from calling itself CryptoLocker and using a shield as its image, PClock and CryptoLocker don't have much in common. In fact PClock has a very important difference from CryptoLocker: thanks to the hard work of some in the technology security industry at Emsisoft, you won't need to pay to decrypt your files, nor have an enterprise backup running. This is generally not the case with most ransomware infections; in this case, however, Emsisoft has called PClock "quite primitive by nature" and its creators "amateurs at best." Emsisoft has been able to provide a decryptor, saving anyone unlucky enough to get this infection.

Read more about PClock on Emsisoft.com. Or if you need help using the decryptor, call your local IT support.


10-Year Old Girl Targeted Online By Pedophiles

First, no one should be surprised by this headline; it's the day and age we live in. Fueling some of the fires is the certain amount of pseudo-anonymity online that makes some believe they are safe to act however they please.

For instance you find all sorts of things online that only the lowest of the low would spew in real life to a total stranger:


What a charming person he / she must be.  And that was the cleanest example I could find in the 5 minutes I went looking; it actually took me 5 minutes to find something clean enough to post.

On the Internet (with pseudo-anonymity), someone finds a FB page, a G+ page, or a website that they disagree with, and at that point some people feel free to get on their profanity-laced soapbox and hurl the nastiest thing that comes to mind. In the real world, on the other hand, most people just think that nasty thing, let it go and walk away.

The Internet is a beast all its own, and parents need to learn it's not a safe place to set their kids loose by themselves; but sadly for kids, many parents are even more naive than their children are about what is lurking on the Net.

Back to the story of the 10 year old girl, which comes from Opposing Views. This girl was contacted by pedophiles on her iPad which her parents had provided her to help with school work.  "According to the Daily Mail, the incident began when a man contacted the girl on Snapchat."

Let's just pause here for a moment. From Opposing Views, the parents said that while "they knew their daughter was using apps, they had taken 'all sensible child safety measures that all sensible parents do.'" I will have to disagree with them on that one.

First of all, Snapchat's own Terms of Service, had they taken all sensible child safety measures and read them, would have made it clear that their daughter should not have been on Snapchat's site or had an account: "Snapchat is intended for people who are at least 13 years old. Persons under the age of 13 are prohibited from creating Snapchat accounts." Given the pseudo-anonymity previously mentioned, I'm sure this young lady told Snapchat that she was at least 13 in order to create said account.

Second, the intention of Snapchat is to be temporary: "Friends can view Snaps for up to 10 seconds, and then it disappears from the screen - unless they decide to keep it, such as with a screenshot or separate camera." Their service is intentionally deceptive, in more than one way. It gives a false sense of security that the half-naked picture the kid took and sent is being deleted in 10 seconds, and on the other side the pedophile believes they are hard to trace after they send their messages / pictures.

Nothing good can come from this service, but these parents took "all sensible child safety measures..."

So back to what happened to this girl after her first contact. The man who first made contact started the conversation off "normally" (not sure there is a "normal" between an adult and a 10 year old girl on the Internet, but I digress). Soon enough he began sending her sexually explicit messages. Whether at this point the girl brought this to her parents' attention or not is not mentioned in the article, but as they were using "all sensible child safety measures" they were checking with her on her online activity, right???

The girl's father said that more men began to contact her and the girl informed them she was underage, according to her father that "only encouraged them."  Anyone surprised by this development?!?  If you answered yes, get off the Internet now and never return.

Her father went on to say that, "In one case they begged her to undress. When she refused he said 'Your parents won't come into your room in the time it will take to get out of your pajamas.'"  Another man is reported to have offered the child money for her to travel to meet him.

The authorities believe the original pedophile went on to send her contact information on to 15 other pedophiles.

This girl's parents were naive, and the outcome could have been disastrous for the child. Taking real steps towards protecting your kids online includes regularly checking up on their online activity, removing / blocking any inappropriate apps, and reading the terms of service for any app (especially social apps) they want to install.

For instance, how many are aware that Twitter is crawling with pornography, and that unlike Facebook, when you see pornography there is no button to report explicit content? Would you like to know why there is no way to report explicit content? Well, the answer is right there under "Twitter Rules" in their Terms of Service: "Pornography: You may not use obscene or pornographic images in either your profile photo, header photo, or user background." As long as you don't post it in any of those 3 locations, feel free to put as much pornography on Twitter as you like. Below is the cleanest screenshot I could find to take. Note the hashtags; that's all it takes to search for #porn #sex or #xxx on Twitter.


These two examples should have parents everywhere checking on their kids' online activity and having conversations about safely using the Internet before something bad happens, as in the recent case of Jason Murphy in Connecticut, who used the social networking site Meetme.com to lure a 13 year old girl to his home to perform sex acts on him. In case you're wondering, Meetme.com requires the user to be of legal age to form a binding contract; 13 doesn't fit that requirement, but I bet her online alter ego is at least 18.
