Lack of HIPAA Cybersecurity Training Contributes Towards $350,000 Violation Settlement
Compliance Junction » Healthcare Cybersecurity News
by Ryan Coyne
1w ago
The lack of HIPAA cybersecurity training at a NY-based home health company has contributed to the company being fined $350,000 by the NY State Attorney General as part of a wide-ranging settlement agreement that includes a thorough overhaul of the company’s security and cybersecurity training measures. In January 2021, an employee of Personal Touch Holding Corporation (PTHC) – a Long Island, NY-based home health company – opened a malware-infested Excel file attached to a phishing email. The malware allowed a remote actor to take control of the employee’s unsecured laptop and unprotected emai ..read more
NCipher Security survey: Consumers Wary on Medical Device Security
Compliance Junction » Healthcare Cybersecurity News
by Patrick Kennedy
1w ago
The significance consumers place on the privacy and security of their health information has been reviewed in a recent nCipher Security survey. The survey in question was aimed at 1,300 U.S. consumers and looked into attitudes toward online privacy, the sharing of sensitive information, and data violations. The survey showed consumers are much more worried about their financial data being hacked than their health information. 42% of those questioned said their biggest cybersecurity concern was their financial information being illegally obtained, as opposed to 14% whose main worry was the thef ..read more
22% Of Healthcare Organizations Say Ransomware Attacks Increased Patient Mortality
Compliance Junction » Healthcare Cybersecurity News
by Ryan Coyne
8M ago
Ransomware and other destructive cyberattacks on healthcare delivery organizations (HDOs) can cripple IT systems, prevent access to protected health information, and often see appointments cancelled and patients redirected to other healthcare facilities. The disruption caused and lack of access to patient data can impact patient safety, and while there have been no reported cases in the United States of patients dying as a direct result of a ransomware attack, it is only a matter of time before attacks directly cause fatalities. Recently, a study was conducted to explore the impact ransomware ..read more
HC3: Elevated Risk of BlackMatter Ransomware Attacks on Healthcare Organizations
Compliance Junction » Healthcare Cybersecurity News
by Ryan Coyne
8M ago
The Department of Health and Human Services’ cybersecurity department, the Health Sector Cybersecurity Coordination Center (HC3), has issued a warning to organizations in the health and public health sector alerting them to an elevated risk of BlackMatter ransomware attacks. BlackMatter is a new ransomware-as-a-service (RaaS) operation that appeared in July 2021, shortly after the DarkSide ransomware gang closed down its operation following the high-profile ransomware attack on Colonial Pipeline. BlackMatter is regarded by many cybersecurity experts as the successor to DarkSide. The threat ac ..read more
NCSC Recommends Three Random Words for Passwords
Compliance Junction » Healthcare Cybersecurity News
by Ryan Coyne
8M ago
In most organizations, the recommended practices for password creation involve setting a unique password for all accounts, making sure the password is as random as possible – combining upper- and lower-case letters, numbers and special characters – is at least 8 characters long, and does not contain dictionary words. The theory is that, by incorporating a range of character formats and avoiding dictionary words, passwords will be strong enough to resist brute force attacks by cybercriminals attempting to hack login credentials. Cybercriminals use lists of dictionary words and passwords compro ..read more
Average Cost of a Healthcare Data Breach Increases to $9.23 Million
Compliance Junction » Healthcare Cybersecurity News
by Ryan Coyne
8M ago
The average cost of a data breach has increased 10% year-over-year, according to the IBM Security 2021 Cost of a Data Breach Report. Data breach costs have reached record levels and are higher than at any other point in the past 17 years that IBM Security has been analyzing data breach costs. The average cost of a data breach has increased from $3.86 million last year to $4.24 million in 2021, with healthcare data breaches the most expensive, costing an average of $9.23 million to resolve. The average healthcare data breach cost has increased by more than $2 million year-over-year. The data f ..read more
Microsoft Exchange Server Patching Necessary to Address 4 New Critical Flaws
Compliance Junction » Healthcare Cybersecurity News
by Patrick Kennedy
8M ago
Four new zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 have been discovered by the U.S. National Security Agency (NSA). These versions of Microsoft Exchange Server must be patched as soon as possible to avoid the possibility of the vulnerabilities being targeted by cybercriminals. A directive has already been released by the Cybersecurity and Infrastructure Security Agency (CISA) for all federal bodies to patch all vulnerable on-premises Exchange Servers no later than 12.01 AM on Friday April 16, 2021 due to the high risk of the weaknesses being targeted ..read more
What does the California Privacy Rights Act (CPRA) Mean?
Compliance Junction » Healthcare Cybersecurity News
by Patrick Kennedy
8M ago
With the passing, in November 2020, of the California Privacy Rights Act, came a range of new obligations for businesses operating in the State. They must now move swiftly to make sure that every member of staff is conscious of their obligations in order to avoid large scale financial penalties being sanctioned against their company. In order to assist you in coming to terms with the new rules we have put together a short article detailing the main things that you need to be aware of moving forward. To read more about the introduction of the new data privacy legislation you can read the news st ..read more
45% in Healthcare Sector Cyberattacks During 2020
Compliance Junction » Healthcare Cybersecurity News
by Patrick Kennedy
8M ago
In the third quarter of 2020, an alert was released for the healthcare and public health sector in the aftermath of a spike in ransomware activity being identified. The joint CISA, FBI, and HHS cybersecurity advisory group informed the healthcare sector that it was being focused on by hackers hoping to infiltrate their databases with ransomware. A number of ransomware collectives had increased attacks on the healthcare and public health sector, with the Ryuk and Conti operations the busiest of these. A new study from Check Point suggests that attacks continued to rise during November and Dece ..read more
Data Breach Leads to Massive Carrefour Fine
Compliance Junction » Healthcare Cybersecurity News
by Patrick Kennedy
8M ago
In France the data protection regulator, Commission nationale de l’informatique et des libertés (CNIL), has penalised French retail giant Carrefour more than €3m ($3.7m) in relation to a number of breaches of the European Union’s General Data Protection Regulation. The total fine was split between the retail giant (€2.25m) and the banking subdivision, Carrefour Banque, that it operates (€800,000). The fine was made public on the web portal of CNIL. The punishment could have been even worse; however, while calculating the amount, CNIL considered the actions Carrefour took to address the G ..read more