On November 28, 2016, the Office of Civil Rights of the Department of Health and Human Services, the entity responsible for HIPAA administration, issued an alert about a potential “phishing” email scam. The email purports to come from OCR’s Director, Jocelyn Samuels, and targets employees of covered entities and business associates. The email appears legitimate and includes a link concerning the audit program. By clicking on the link, the user is redirected to a cybersecurity firm marketing website.
For those who may not be familiar with the term, “phishing” refers to an email that looks official or legitimate, but then redirects the person to an unaffiliated website. Common “phishing” emails mimic requests from credit card companies for personal information, auction sites for login information, and banks for updated privacy information. As always, if you have received an email that you did not expect and have questions about it, contact the alleged source directly to verify before opening.
The Federal Bureau of Investigation is warning all businesses about the risks of “ransomware.” Ransomware is malware – a malicious program embedded inside of a message or web page. The message may come in the form of an innocuous message directed towards a specific person in the organization, such as a controller, accountant, or risk manager. The message typically includes an attachment, like document (.pdf), text file (.txt), or spreadsheet (.xls) that appears legitimate, such as a bill or a letter. Alternatively, the message may direct the user to a website that appears valid. When the user opens the attachment or goes to the website, the malicious program encrypts – that is, hides – files and folders containing the user’s information and data. The person or organization who sent the message then contacts the user and demands a ransom – money for the return of the information and data.
There has been an increase in the number of ransomware attacks. The FBI does not advocate paying a ransom for the return of data. The FBI has set up a Cyber Task Force to assist in the event of a ransomware attack (www.fbi.gov/contact-us/field). The FBI recommends employee training, keeping all operating systems, software, and antivirus/malware protection systems up to date, and maintaining robust file access privileges across an organization.
If a health care provider, covered entity, or business associate is hit with a ransomware attack, there may be additional reporting requirements under HIPAA, depending on the circumstances. Remember, many insurance policies provide data breach services that include assistance with reporting and remediation.
You can’t make this stuff up.
On December 19, 2015, Radiology Regional Center, an outpatient diagnostic facility, sent paper records of 480,000 to the incinerator for disposal. Apparently, the driver of the truck failed to lock the storage department door adequately before leaving. Along the way, the door opened and the patient records fell out of the truck. According to news sources, employees and physicians of Radiology Regional attempted to gather up all of the records. The employees returned to the scene two more times to look for any remaining records. Although it was believed the staff recovered all of the records, Radiology Regional notified 480,000 patients of the breach. In remediation, Radiology Regional moved its records disposal business to a different contractor.
Although the focus of most news reports is on electronic data privacy, this story is a good reminder of the importance of maintaining the privacy of tangible items as well. Visit our web page for more information about how we can help you.
For more information on Carlock Copeland & Stair’s Health Law & Regulation Update Blog, please click here.