Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about the recent Ryuk ransomware attacks on U.S. hospitals, the insider threats causing the most concern right now, the delay to the ONC information blocking requirements deadline, Anthem’s $39.5M settlement, the former Mayo Clinic employee who wrongly viewed patients’ information, and more.
In response to the latest string of Ryuk ransomware attacks on U.S. hospitals, CISA, FBI, and DHS, have jointly issued a red alert to all hospitals and health care institutes across the U.S. Cybercriminals reportedly from the Eastern European region have already targeted multiple hospitals in Oregon, California, and New York, forcing them to go offline and revert to pen and paper to continue operations. The cyber actors are using Trickbot malware, leading to a Ryuk ransomware attack, data theft, and the disruption of health care services.
Note: FairWarning servers and data are secure and not susceptible to the ransomware cited in these alerts. The ransomware is currently targeting Windows systems and your FairWarning data is stored on locked down, secured Linux systems. Consequently, the risk of your connection to FairWarning being a source of infection is extremely low.
A recent survey from cybersecurity firm Netwrix revealed a majority of health care organizations are more concerned about insider threats now than before the pandemic. The 2020 Cyber Threats Report highlighted that they are most worried about phishing (87%), admin mistakes (71%), and data theft by employees (71%). It’s worth noting that 37% and 39% of respondents experienced incidents with phishing and IT staff errors, respectively, during the first few months of the pandemic.
Key findings include:
- 32% of health care organizations surveyed experienced a ransomware attack, which is the highest result among all verticals studied.
- 26% of health care organizations reported data theft by employees; 49% of them were unaware of the incident for weeks or months.
The U.S. Department of Health & Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) has released an interim final rule announcing it is officially delaying the compliance deadline of its information blocking requirements. Released earlier this year, ONC’s interoperability and information blocking final rule originally required all actors – providers, vendors, health information exchanges (HIEs) and health information networks (HINs) – to comply with the information blocking requirements beginning on November 2, 2020. The Nov. 2, 2020 deadline for overall information blocking compliance has now been delayed by five months until April 5, 2021.
Health insurer Anthem has agreed to pay $39.5 million to settle a class action lawsuit related to a 2015 cyberattack that exposed the personal data of nearly 79 million people. The settlement is related to an investigation brought by the U.S. states’ attorneys general, including New York, Indiana, Connecticut, Illinois, Kentucky, Massachusetts, and Missouri. One of the biggest cybersecurity attacks the nation had ever witnessed at the time, this incident compromised users’ names, addresses, social security numbers, and medical identification numbers.
A former Rochester, Minnesota-based Mayo Clinic employee inappropriately accessed patient health records, viewing over 1600 patients’ information.
The article offers four details:
- More than 1,600 patients were notified by the health system that the former employee wrongly viewed their names, demographic information, birth dates, medical record numbers, clinical notes and medical images.
- A spokesperson for Mayo said the healthcare worker’s time at Mayo “was ending when the breach was discovered”, but would not confirm that the termination was due to the breach.
- Mayo notified the FBI and Rochester Police Department about the incident, and law enforcement will further investigate and decide whether to pursue charges against the former employee.
- No payment information was breached, and Mayo reported no evidence that the former employee kept the inappropriately accessed patient information.