Skip to main content

Privacy & Security

By Adam Ang | 05:05 am | August 26, 2021
The latest update to the incident mentions that the IT system at the Eye & Retina Surgeons Camden branch has been securely restored. 
By Sara Mageit | 08:28 am | August 25, 2021
Earlier this year, the NHS was issued a legal challenge over its contract with Palantir. 
By Sam Hanna | 01:22 pm | August 24, 2021
A new weekly series looks beyond the pandemic and explores strategies for driving lasting, IT-enabled operational and business improvements across healthcare.
By Bill Siwicki | 12:59 pm | August 24, 2021
Christopher Frenz takes on some tough questions about cyberattacks and patient safety in a one on one with Healthcare IT News.
By Kat Jercich | 06:02 pm | August 23, 2021
An Ohio-based law firm is investigating claims on behalf of the breach victims.
By Kat Jercich | 04:30 pm | August 23, 2021
The UpGuard research team says it notified 47 organizations – including governmental public health entities – about their publicly accessible data. 
By Adam Ang | 06:24 am | August 23, 2021
A majority of the cases were caused by criminal acts such as phishing and ransomware.
By Kat Jercich | 12:34 pm | August 20, 2021
In another incident, a former employee in New York is accused of electronic health record snooping – potentially affecting more than 10,000 patients.
By Kat Jercich | 03:52 pm | August 18, 2021
The Indiana Department of Health said this week that it was notifying almost 750,000 Hoosiers after a company "improperly accessed" the data from the state's COVID-19 online contact tracing survey.   But the company in question, the cybersecurity vendor UpGuard, told the Associated Press' Rick Callahan that it had actually discovered the data was publicly accessible on the internet and had notified the health department about it.   "This is known as a data leak," UpGuard spokesperson Kelly Rethmeyer said in a statement sent to Callahan. "It was not unauthorized because the data was configured to allow access to anonymous users and we accessed it as an anonymous user."   UpGuard has deleted all the data in its possession, said Rethmeyer.   UpGuard and IDH did not respond to Healthcare IT News' requests for comment by press time.   WHY IT MATTERS   IDH said it learned on July 2 that a company had accessed the data from the state's online COVID-19 contact tracing survey. The data included names, addresses, dates of birth, emails, gender, ethnicity and race.    But UpGuard representatives told Callahan that it had not "improperly accessed" the data.   Rather, said Rethmeyer, the company "aided in securing the information, in turn ensuring that it would no longer be available to anyone with malicious intent."   Indiana officials said that UpGuard had signed a so-called certificate of destruction to confirm it had destroyed the data and not shared it with any other entity.    The records were returned on Aug. 4.   "We take the security and integrity of our data very seriously," said Tracy Barnes, chief information officer for the state, in a statement provided to local news site WTHR. "The company that accessed the data is one that intentionally looks for software vulnerabilities, then reaches out to seek business." "We have corrected the software configuration and will aggressively follow up to ensure no records were transferred," Barnes added.   THE LARGER TREND   Although the exact situation with IDH remains unclear, it wouldn't be the first time COVID-19-related data accidentally went public.    In May of this year, a Wyoming Department of Health employee mistakenly uploaded COVID-19, influenza and blood alcohol test results for more than a quarter of the state's population to a public-facing website.   Two months prior, a state of California employee improperly accessed more than 2,000 employee and patient records from Atascadero State Hospital that had been necessary for tracking COVID-19.   ON THE RECORD   Regarding the Indiana incident, "in this case, the data that was accessed appears to have been done so in a way that did not put it at risk of cyber criminals obtaining it," said Erich Kron, security awareness advocate at the training vendor KnowBe4, in a statement.    "Unfortunately, 'software configuration' errors such as this often lead to the data being accessed by bad actors, putting the users of the systems at risk," Kron said. Kat Jercich is senior editor of Healthcare IT News. Twitter: @kjercich Email: kjercich@himss.org Healthcare IT News is a HIMSS Media publication.
By Kat Jercich | 12:43 pm | August 18, 2021
Meanwhile, Ohio-based Memorial Health System struggles to get back online after a ransomware attack.