Dec 11 2018

Bisi Onile-Ere reports:

A cyber attack on the Ramsey County Social Services may have compromised hundreds of clients’ private health information.

In August, hackers gained access to the accounts of 28 employees in an attempt to divert their paychecks.

“At Ramsey County this is the first time that we experienced something like this,” said John Siqveland, Ramsey County public communications director.

An assessment by a data security firm revealed in October that, during the August security breach, the personal information of roughly 500 Ramsey County Social Services clients may have been exposed.

“Most of the clients that were compromised used our chemical or mental health services,” said Siqveland.

The hackers may have accessed their social security numbers, dates of birth, addresses and a limited amount of medical information.

Read more on Fox9. At the time of this posting, I am not finding any notice on the county’s site.

Dec 11 2018

Lukas Barfield reports:

Last week, a Florida medical cannabis dispensary took their website offline after it was found that patient information was obtainable through the site’s basic search function. Sarasota-based AltMed is a licensed Medical Marijuana Treatment Center (MMTC) that also goes by the name MÜV.

AltMed responded quickly by taking their website offline after a customer noticed the search function was revealing sensitive customer information.

Read more on Ganjapreneur.

A December 1 statement on MÜV’s Facebook page reads:

To our valued Florida customers; 

This morning we were notified by a customer that some customer information could be accessed through a search utility on our website. Within 10 minutes, our Information Technology staff removed the search engine function.

We then retained Kroll, Inc., an industry leader in data risk and security.

Upon review of the site, our experts recommended that we take the site down, which we did. Taking it one step further, we “unpublished” any sections of the site that contained customer data.

Based on the forensic review thus far it appears that there was limited access to the site with limited information accessed. The review will continue until we fully understand what happened and who is responsible.

Please know that we take security and patient confidentiality seriously—not just because it’s the law, but because it’s the right thing to do.

If your information was accessed in any way, we will contact you directly. Otherwise, we’ll provide more information as our experts work through their process.

We appreciate your patience.

Typo corrected post-publication. Apologies to Ganjapreneur for misspelling their name.

Dec 10 2018

David Thacker of G Suite writes that Google is abandoning Google+ even sooner than it had originally planned. A recent bug affecting more than 50 million users seemed to be the death knell for the product.

In October, we announced that we’d be sunsetting the consumer version of Google+ and its APIs because of the significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.

We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.

With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. 

Read more on Google’s blog.

Dec 10 2018

Heather Landi reports:

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.

A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.

The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. 

Read more on Healthcare Informatics.

Dec 10 2018

Baylor Scott & White Medical Center – Frisco, a joint venture managed by United Surgical Partners International (USPI), announced today it has sent letters to approximately 47,000 patients or guarantors whose payment information, including partial credit card information, may have been subject to an inappropriate computer intrusion. Baylor Scott & White Medical Center – Frisco is a joint venture affiliated with Baylor Scott & White Health and USPI.

On September 29, 2018, the hospital discovered an issue with a third-party vendor’s credit card processing system. The hospital immediately notified the vendor and terminated credit card processing through them. An investigation determined the inappropriate computer intrusion occurred between September 22-29, 2018. There is no indication the information has been further disclosed or misused by any other unauthorized individuals or entities.

Baylor Scott & White and USPI take safeguarding information seriously. As a precaution, the hospital has arranged for TransUnion Interactive, a subsidiary of TransUnion, one of the three nationwide credit reporting companies, to provide patients or guarantors with one year of credit monitoring services, free of charge.

It is important to note that the hospital’s information and clinical systems were not affected, and medical information was not compromised. Social Security numbers and medical record information were not accessed. No other Baylor Scott & White facility was impacted.

Data that may have been accessed included name, mailing address, telephone number, date of birth, medical record number, date of service, insurance provider information, account number, last four digits of the credit card used for payment, the credit card CCV number, type of credit card, date of recurring payment, account balance, invoice number, and status of transaction.

Patients or guarantors in need of more information related to this incident may contact 1-833-836-9900 between the hours of 7:00 am and 6:00 pm CST Monday – Friday, excluding holidays.

Source: Baylor Scott & White

The incident was reported to HHS on November 26 as affecting 47,984 patients.  As of December 10, the online payment system is still down.  USPI has not responded to an inquiry from asking whether they were in the process of finding another vendor.