SecurityWeek
CISA, HHS Release Cybersecurity Healthcare Toolkit
CISA and the HHS have released resources for healthcare and public health organizations to improve their security.
DataBreaches
HHS HC3: Multi-Factor Authentication & Smishing
HHS Health Center Cybersecurity Center (HC3) has published a new informational handout and guidance on multi-factor authentication (MFA) and smishing. It...
CyberSecurity Dive
HHS reaches second-ever ransomware settlement
A mental healthcare provider didn’t have sufficient protections in place before a ransomware attack exposed the protected health information of more than 14,000 people, according to the HHS’ Office for Civil Rights.
DataBreaches
HHS announces its first settlement in a ransomware case: Doctors’ Management Services
From HHS, this interesting press announcement: Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a...
DataBreaches
HHS: Lessons learned from the HSE cyberattack
HHS Cybersecurity Program has released a new threat brief on lessons learned from the HSE cyberattack. DataBreaches.net covered the incident and aftermath in...
DataBreaches
GA: Peachtree Orthopaedic Clinic reports breach to HHS
It appears that Peachtree Orthopaedic Clinic in Georgia reported a breach to HHS on January 3 that impacted 53,686 patients. They reported the breach as...
The Cyber Express
HHS Scrambles to Patch Security Hole After $7.5 Million Cyberattack
Following a cybersecurity incident dubbed as an indirect ‘HHS data breach’, and theft of funds, the U.S. Department of Health
DataBreaches
HHS Brief: Log4J Vulnerabilities and the Health Sector
The HHS Cybersecurity Program has issued a new brief this week: Log4J Vulnerabilities and the Health Sector You can access it at https://www.hhs...
DataBreaches
HHS Cybersecurity Program: Electronic Medical Records in Healthcare
HHS has published a new cybersecurity threat brief, available for download on their site. The topics include: • What Is an EMR, and How Is It Used in...
Security Affairs
US HHS warns healthcare orgs of Royal Ransomware attacks
The US Department of Health and Human Services (HHS) warns healthcare organizations of Royal ransomware attacks. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars. The Health and Human Services (HHS) is aware of attacks against the Healthcare and Public Healthcare (HPH) […]
DataBreaches
HHS Security Risk Assessment Tool Version 3.4 and Webinars
From HHS OCR: The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of...
CyberSecurity Dive
Hospital groups question HHS about data breach reporting after Change Healthcare attack
In a Thursday letter, the American Hospital Association urged the HHS’ Office of Civil Rights to reduce “duplicative” breach notifications from the cyberattack.
SecurityWeek
In Other News: Secure Use of AI, HHS Hacking, CISA Director Swatting
Guidance on secure use of AI, HHS grant money stolen by hackers, CISA director Jen Easterly target of swatting.
DataBreaches
HHS warns entities; patients file potential class action lawsuit over PACS breach
HHS recently issued an alert about a known vulnerability allowing access to some picture archiving communications systems (PACS). The vulnerability had been...
DataBreaches
HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation for $4.75 Million
Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with Montefiore Medical Center, a...
Security Affairs
FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector
The FBI, CISA, and the Department of HHS warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.
The Record
HHS agrees to $480,000 settlement with Louisiana medical group over data breach
The U.S. Department of Health and Human Services (HHS) agreed to a settlement of $480,000 with Louisiana-based medical group Lafourche Medical Group following a 2021 cyberattack that exposed the sensitive information of nearly 35,000 people.
Bleeping Computer
HHS: Conti ransomware encrypted 80% of Ireland's HSE IT systems
A threat brief published by the US Department of Health and Human Services (HHS) on Thursday paints a grim picture of how Ireland's health service, the HSE, was overwhelmed and had 80% of its systems encrypted during last year's Conti ransomware attack.
The Record
HHS proposes new cybersecurity requirements for hospitals through HIPAA, Medicaid and Medicare
The United States Department of Health and Human Services (HHS) said it is planning to take a range of actions in an effort to better address cyberattacks on hospitals, which have caused dozens of outages across the country in recent months.
The Record
Medical firm reaches $100,000 settlement with HHS over 2017 ransomware attack
Doctors’ Management Services — which provides medical billing and payer credentialing services — was attacked by the now-defunct GandCrab ransomware gang in April 2017. The settlement with HHS is the first for the agency over a ransomware attack.
DataBreaches
HHS OCR Settles HIPAA Investigation with Banner Health Following 2016 Hacking Incident
The following is a press release from HHS. It is an update to a 2016 hacking incident previously covered on this site. The incident also resulted in a class...
DataBreaches
HHS Releases New Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector and Gateway for Cybersecurity Resources
January 24 Today, the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), is...
DataBreaches
HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information
From HHS, resolution of a complaint they received in 2017: The Office for Civil Rights (OCR) has settled with B. Brandon Au, DDS, Inc., d/b/a New Vision Dental...
DataBreaches
HHS issues two warnings: one about Royal & BlackCat Ransomware, and one about AI’s potential use in malware
HHS issued two reports or advisories this past week. The first was a 67-page report on Royal & BlackCat Ransomware and the threat that they pose to the...
DataBreaches
HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector
On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address...
DataBreaches
HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack for $40,000 and a Corrective Action Plan with OCR Monitoring
HHS OCR has announced a second enforcement settlement in a ransomware case. The 2019 breach involving Green Ridge Behavioral Health managed to fly mostly under...
Infosecurity News
HHS Information Security Program 'Not Effective'
Office of Inspector General slams department’s security program four years running
DataBreaches
HHS Office for Civil Rights Settles HIPAA Investigation with iHealth Solutions Regarding Disclosure of Protected Health Information on an Unsecured Server for $75,000
HHS has announced another Security Rule enforcement action. This one involves iHealth Solutions (dba Advantum Health), a business associate. The incident...
DataBreaches
ANNOUNCE: HHS’ Office for Civil Rights Seeks Public Comment on Recognized Security Practices and Sharing Civil Money Penalties and Monetary Settlements Under the HITECH Act
The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) today released a Request for Information (RFI) seeking input from the...
CyberSecurity Dive
HHS opens investigation into Change Healthcare cyberattack
The Office for Civil Rights will focus on whether protected health information was breached and if UnitedHealth complied with privacy and security requirements.
SC Magazine
HHS investigating ‘unprecedented’ Change Healthcare ransomware attack
The probe will establish whether HIPAA privacy, security and beach notification met compliance rules.
DataBreaches
GAO: HHS Needs Improved Data Breach Reporting
Frank Konkel reports: The Government Accountability Office is recommending the Department of Health and Human Services establish a feedback mechanism to...
DataBreaches
The BreachForums case: The HHS-OIG did WHAT?!? Why?
Revelations contained in an affidavit by an FBI agent and a press release by the Department of Justice about the arrest of the owner of a popular hacking forum...
CyberSecurity Dive
HHS settles cybersecurity investigation with Montefiore Medical Center
The nonprofit will pay $4.75 million to settle allegations that data security failures allowed an employee to steal and sell the protected health information of thousands of patients.
CyberSecurity Dive
HHS warns providers of 'exceptionally aggressive' ransomware group
The Hive group practices double extortion — demanding payment to free data it has encrypted while also threatening to release the unencrypted data publicly.
Infosecurity News
Hospital IT Helpdesks Targeted By Voice Fraudsters, Warns HHS
Threat actors are socially engineering healthcare IT helpdesk staff to steal money, the government has warned
DataBreaches
HHS warns health systems of PACS security vulnerabilities — again
Mike Miliard reports: The U.S. Department of Health and Human Services is warning hospitals and health systems that a security vulnerability in picture archive...
CyberSecurity Dive
HHS agency launches program to automate cybersecurity at hospitals
The program will invest more than $50 million to create a software suite that can automatically find potential vulnerabilities that hackers could exploit and deploy fixes.
The Record
HHS offering $50 million for proposals to improve hospital cybersecurity
The program run by the Advanced Research Projects Agency for Health seeks to create a vulnerability mitigation software platform and a system for auto-detecting vulnerabilities.
The Record
HHS to investigate UnitedHealth and ransomware attack on Change Healthcare
The Department of Health and Human Services' Office for Civil Rights (OCR) said it would look into the incident “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.”
DarkReading
HHS Plans for Cyber 'One-Stop Shop' After United Healthcare Attack
The initiative is meant to provide more resources and better strategies for healthcare entities that face an increasing amount of cybersecurity challenges.
The Record
HHS strengthens privacy protections for reproductive health patients and providers
The rules will bar doctors, insurers and other health-care groups from making health information available to state officials investigating, prosecuting, or filing a lawsuit against a patient or provider.
CyberSecurity Dive
Providers urge HHS to clarify Change data breach reporting requirements
More than 50 provider groups are asking the federal government to publicly state that UnitedHealth should handle data breach reporting stemming from the cyberattack on its subsidiary.
CyberSecurity Dive
Provider groups urge HHS, Congress to mitigate damage from Change cyberattack
The American Hospital Association and the American Medical Association pushed the federal government to offer more financial support as the Change outage limits providers’ ability to receive payment.
DataBreaches
HHS Cybersecurity Update: Conti Ransomware Update
TLP: White Report: 202203101700 March 10, 2022 Conti Ransomware (Update) Executive Summary Conti is a ransomware group that has aggressively targeted...
The Record
Senator demands answers from HHS about $7.5 million cyber theft in 2023
Republican Sen. Bill Cassidy wants details from the department in response to a report from earlier this year about a scam involving a grant program.
The Record
HHS reverses course, allows Change Healthcare to file breach notifications for others
The department had received pushback against a previously released FAQ page that said every organization affected by the hack of Change Healthcare would have to file their own breach notices with federal and state regulators.
DataBreaches
HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation
Louisiana Medical Group settles after investigation reveals large cybersecurity breach affecting nearly 35,000 patients Today, the U.S. Department of Health...
The Record
Legislators: HHS is failing to adequately protect health records from law enforcement
Legislators wrote to the Department of Health and Human Services to demand that regulations for protect health information (PHI) treat it the same way the law covers a person's location data, texts and phone calls.
The Cyber Express
CISA, FBI, and HHS Update Joint Advisory on ALPHV Blackcat Ransomware
In a coordinated effort to address the escalating threat landscape of ransomware, the Cybersecurity and Infrastructure Security Agency (CISA), in
The Cyber Express
CISA, FBI, and HHS Update Joint Advisory on ALPHV Blackcat Ransomware
In a coordinated effort to address the escalating threat landscape of ransomware, the Cybersecurity and Infrastructure Security Agency (CISA), in
The Cyber Express
BlackCat Hackers Hit Healthcare Provider BrightStarCare, Threaten Data Leak to HHS
The hacking group ALPHV/BlackCat has resurfaced, once again targeting healthcare companies and threatening to report them to the U.S. Department
The Record
FTC, HHS warn health providers not to use tracking tech in websites, apps
Third-party tracking technologies like the Meta/Facebook Pixel and Google Analytics could cause healthcare institutions to be in violation of privacy laws, the agencies said in a letter to 130 organizations.
DataBreaches
Tennessee Orthopaedic Clinics notifies HHS of breach; has yet to notify patients
An undated message on the Tennessee Orthopaedic Clinics website states that TOC recently responded to a security incident. They don’t say when they...
DataBreaches
HHS OCR Issues Annual HIPAA Reports to Congress
Chris Bennington of Epstein Becker Green writes, in part: The HITECH Act requires OCR to issue annual reports to Congress of HIPAA breaches and complaints...
Infosecurity News
HHS Issues Threat Warning to US Healthcare Sector
Healthcare organizations told they could be targeted by cyber-attacks linked to Russian invasion of Ukraine
DataBreaches
The Untold Story of a Massive Hack at HHS in Covid’s Early Days
Jordan Robertson and Riley Griffin report: On March 15, 2020, just days after the US declared a national emergency because of the Covid-19 pandemic, the...
DataBreaches
NC: Monarch notifies HHS of breach, but where are the details and notice?
On September 1, a listing on a dark web site by a group calling themselves Don#t_Leaks named MonarchNC as a victim. The listing did not appear for long. The...
The Record
HHS warns of ‘Citrix Bleed’ attacks after hospital outages
The U.S. Department of Health and Human Services is warning hospitals and healthcare facilities across the country to patch a vulnerability known as “Citrix Bleed” that is being used in attacks by ransomware gangs.
DataBreaches
Lutheran Social Services of Illinois notifies 184,183 of ransomware attack one year ago
On March 25, 2022, Lutheran Social Services of Illinois (LSSI) notified HHS of a breach affecting 1,000 people. The incident, still under investigation by HHS,...
DataBreaches
HIPAA requires employers to sanction employees who violate HIPAA. Did you know that?
From HHS’s October cybersecurity newsletter: Last year, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination...
DataBreaches
Bits ‘n Pieces
Updating some HHS reports: First Choice Community Health Care reported its ransomware attack to HHS on August 1 as impacting 101,541 patients. BHG Holdings...
DataBreaches
Two covered entities who discovered breaches last summer first notifying patients
Two breaches that were first reported to HHS in November have now been more fully disclosed. Both of the following breaches were first reported to HHS in...
DataBreaches
HHS OCR settles charges against Manasa Health Center for disclosing PHI in response to a negative online review
New Jersey psychiatry practice pays $30,000 to settle complaint about impermissible disclosure of protected health information by disclosing this information...
DataBreaches
Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Year 2021- HHS OCR
From their report: Summary OCR received 609 notifications of breaches affecting 500 or more individuals, representing a decrease of 7% from the number of...
SC Magazine
Health sector help desks duped by social engineering scams, HHS warns
Hackers are using a sophisticated social engineering ruse targeting IT help desk staff to gain initial access to healthcare organizations.
DataBreaches
HHS Office for Civil Rights Settles with L.A. Care Health Plan Over Potential HIPAA Security Rule Violations
LA Care, the largest publicly operated health plan in the country paid $1,300,000 to settle Today, the U.S. Department of Health and Human Services’ Office...
DataBreaches
It took an HHS complaint, but three years later, some Ventura Orthopedic patients are finally being notified of a ransomware attack
In August 2020, DataBreaches reported that the Maze ransomware gang had added Ventura Orthopedics to their name-and-shame leak site. At the time, Ventura did...
DataBreaches
FTC and HHS Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies
The Federal Trade Commission and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) are cautioning hospitals and telehealth...
DataBreaches
HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion
Notifications of Enforcement Discretion expire at 11:59 pm on May 11, 2023 Today, the U.S. Department of Health and Human Services’ Office for Civil Rights...
SecurityWeek
Government Launches Probe Into Change Healthcare Data Breach
The HHS is investigating whether protected health information was compromised in the Change Healthcare data breach.
DataBreaches
HHS OCR creates new HIPAA enforcement arm and enhances focus on cybersecurity and privacy oversight
Marcy Wilder, Scott Loughlin, Melissa Bianchi, Paul Otto, and Alyssa Golay of Hogan Lovells write: This week the U.S. Department of Health and Human Services,...
The Cyber Express
OCR Resolves First HIPAA Phishing Case: Lafourche Medical Group Settles for US$480000
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has settled with Lafourche Medical Group,
DataBreaches
WA: Columbia River Mental Health Services issues preliminary media notice of a breach
On August 8, Columbia River Mental Health Services (“CRMHS”) in Washington State notified HHS about a data security breach involving some employee email...
The Cyber Express
Maryland Psychiatric Practice Settles HIPAA Violation: 14,000 Affected by Ransomware
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has announced a settlement with Green
The Hacker News
Royal Ransomware Threat Takes Aim at U.S. Healthcare System
The U.S. Department of Health and Human Services (HHS) has issued a warning about ongoing ransomware attacks targeting healthcare entities.
Bleeping Computer
US Health Dept warns of Venus ransomware targeting healthcare orgs
The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the country's healthcare organizations.
DataBreaches
Independent Living Systems updates its breach disclosure; notifying more than 4.2 million patients
In September 2022, Independent Living Systems LLC (ILS), a business associate in Florida, notified HHS and regulators of a network incident that affected 501...
Bleeping Computer
FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks
Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.
DataBreaches
HIPAA Security Rule Security Incident Procedures
HHS OCR’s October newsletter begins: Every October, in recognition of National Cybersecurity Awareness Month, the federal government and its partners...
DataBreaches
Data Exfiltration Trends in Healthcare
From the Office of Information Security / HHS and the Health Sector Cybersecurity Coordination Center: Data Exfiltration Trends in Healthcare March 9, 2023
DataBreaches
HHS Office for Civil Rights Settles HIPAA Investigation with Arkansas Business Associate MedEvolve Following Unlawful Disclosure of Protected Health Information on an Unsecured Server for $350,000
As background: this case began with someone finding an unsecured FTP server owned by MedEvolve. He reported it to DataBreaches. This site first reported on the...
DataBreaches
CISA Insights: Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure
HHS Cybersecurity Program has issued an Alert (TLP: WHITE). Executive Summary Malicious actors use influence operations, including tactics like misinformation,...
DataBreaches
Ransomware Resources for HIPAA Regulated Entities
The HHS Office for Civil Rights (OCR) is sharing the following information to ensure that HIPAA regulated entities are aware of the resources available to...
DataBreaches
Major Cyber Organizations of the Russian Intelligence Services
The Office of Information Security Securing One HHS and Health Sector Security Coordination Center (HC3) have released slides from: Major Cyber Organizations...
DataBreaches
Lapsus$, Okta and the Health Sector
A whitepaper from the HHS Cybersecurity Program. April 7, 2022 Available online at https://www.hhs.gov/sites/default/files/lapsus-okta-health-sector-tlpwhite...
CyberSecurity Dive
Kaiser exposed up to 13.4M plan member records to third parties
The largest data breach reported to the HHS’ Office for Civil Rights so far this year comes as regulators reconsider healthcare’s use of tracking technologies.
DataBreaches
Sacramento County: Hundreds of personal records exposed in data breach
Jose Fabian provides details on a Sacramento County phishing incident reported to HHS last month: Hundreds of records containing personal information of...
DataBreaches
And as the work week draws to a close… (updated)
And as this work week drew to a close, we also learned about these breaches involving patient data that were reported to HHS earlier this month: Dialyze...
DataBreaches
HC3: Destructive Malware Targeting Organizations in Ukraine
HHS Cybersecurity Program has issued another alert and whitepaper report (202202280900): Executive Summary Leading up to Russia’s unprovoked attack against...
DataBreaches
NH: Northeast Rehabilitation Hospital Network updates their 2021 breach notification
In November 2021, the Northeast Rehabilitation Hospital Network in New Hampshire notified HHS of a breach. At the time, they indicated 501 patients had been...
DataBreaches
Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach
There’s an update to a breach previously reported on this site in 2018. From HHS: Oklahoma State University – Center for Health Sciences (OSU-CHS) has...
DataBreaches
Three recent breach disclosures remind of us how seldom timely breach notification is enforced under HITECH
Three recent data breach disclosures involving patient data all exceeded HIPAA’s 60-day deadline to notify HHS and individuals. Yakima Valley Radiology A...
Cyber Security News
FBI, CISA warns Of ALPHV Blackcat Ransomware Attacking Hospitals
FBI, CISA, and the Department of Health and Human Services (HHS) have issued a joint advisory warning about the ALPHV Blackcat ransomware.
DataBreaches
OH: Memorial Health System notifies 216,478 patients of malware incident last July
In November, Marietta Area Health Care Inc. dba Memorial Health System notified HHS of a breach. The number affected was submitted as 501 — a number that...
CyberNews
US gov opens probe into UnitedHealth hack as systems come back online
The US Department of Health and Human Services (HHS) is opening an investigation into the cyberattack on UnitedHealth Group’s health tech subsidiary Change Healthcare.
DataBreaches
Medsurant Health discloses ransomware incident, but not yet notifying patients
Medsurant Health in Pennsylvania recently notified HHS that 45,000 patients were impacted by a breach. The patients are not yet being notified, however,...
DataBreaches
Oak Valley Hospital District notifies more than 280,000 patients of data breach
On September 15, Oak Valley Hospital District in California notified the state and HHS of a data security incident that began on April 21 and was first...
DataBreaches
OCR Presents: How the Security Rule Can Help Defend Against Cyber-Attacks
The HHS Office for Civil Rights (OCR) will be producing a pre-recorded webinar for HIPAA covered entities and business associates (collectively, “regulated...
DataBreaches
Bloom Health Centers discloses data breach involving mental health data of 1,545 patients
Updated September 13: This incident was reported to HHS as affecting 1,654 patients. On September 11, Psych Associates of Maryland LLC d/b/a Bloom Health...
Loading more articles....