Jun 10, 2019

Alexander Quon reports:

The Nova Scotia Health Authority (NSHA) is in the process of notifying nearly 3,000 people about a potential privacy breach involving personal health information, the organization announced on Monday.

The health authority says the breach was detected by its IT team on May 13, 2019, after an employee’s email account was compromised due to a phishing attack on May 8, 2019.

Read more on Global News.

Jun 05, 2019

In January 2019, we learned about a breach at Centerstone Insurance and Financial Services, Inc. d/b/a BenefitMall, a business associate. The breach reportedly affected more than 111,000 insurance members/covered employees of the vendor’s clients. HIPAA Journal covered the incident.

Yesterday, Aetna issued a public notice related to the incident. Surprisingly, the notice discloses that by December 18, 2018, Aetna had already received from BenefitMall a list of which members were potentially impacted.

So why did it take Aetna from then until this week to notify a few hundred people in Virginia? That seems far too long a gap.

Public Notice

AETNA NOTIFIES MEMBERS OF VENDOR PRIVACY BREACH

This serves as a public notice that Aetna, a CVS Health business (NYSE: CVS), has notified approximately [238] [Virginia] residents that Centerstone Insurance and Financial Services, Inc. d/b/a BenefitMall, a general agent that also acts as a third-party vendor that Aetna utilizes to provide administrative services related to employee benefits (e.g., enrollment and billing services), had certain employee email accounts compromised. Aetna confirmed that this incident did not involve any Aetna system or application, and did not involve any personal information that Aetna maintained.

BenefitMall notified Aetna on December 11, 2018 that Aetna members may have been impacted by the breach. On December 18, 2018, BenefitMall provided Aetna with a list of potentially affected members. Upon receipt, Aetna began to gather the information necessary to mail letters to affected members to explain the situation and provide additional resources. Although Aetna is not aware of any evidence to indicate improper use of member information, Aetna is offering each affected member two years of credit monitoring coverage, at no cost.

BenefitMall notified Aetna that the breach was caused by phishing attacks, which occurred between approximately June 2018 and October 19, 2018, and have since been contained. BenefitMall informed Aetna that the affected correspondence may have included names, addresses, Social Security numbers, dates of birth, zip codes, bank account numbers, plan descriptions, premium payment amounts, and health plan beneficiary numbers.

If members have any questions, they can call Aetna toll-free at the number on the back of their member ID cards.

Jun 01, 2019

Today’s Poughkeepsie Journal has a news story about a phishing incident that appears to have been discovered in July 2018 and that affected an unspecified number of Health Quest patients. From the available information, it sounds like Health Quest first identified email attachments containing health information in January 2019, and then took until April 2, 2019 to determine that PHI was involved. They do not explain why, if they first learned of the phishing incident in July 2018, it took them until January 25, 2019 to identify those attachments, nor why it then took more than two more months to determine that PHI was affected. And once they determined that PHI was involved, it was still almost another two months until patients were notified. So we’re talking about roughly 10 months from discovery of the phishing incident to notification of patients. Although it has been quite rare, OCR has enforced the 60-day notification rule. So has New York State’s Attorney General. Will either of them enforce it again in this case?

Here is Health Quest’s statement:

Health Quest affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services (collectively, “Health Quest Affiliates”) are healthcare providers and maintain information related to those services. This notice relates to the Health Quest Affiliates’ ongoing investigation of an incident that may have involved some patients’ information. This notice explains the incident, measures the Health Quest Affiliates have taken and some steps that can be taken in response.

On April 2, 2019, through Health Quest Affiliates’ ongoing investigation of a phishing incident, Health Quest Affiliates determined an unauthorized party may have gained access to emails and attachments in several employee email accounts that may have contained patient information. Health Quest Affiliates first learned of a potential incident in July 2018, when several employees were deceived by a phishing scheme, which resulted in certain workforce members being tricked into inadvertently disclosing their email account credentials to an unauthorized party. Although these phishing emails appeared to be legitimate, they were sent by an unknown actor and were designed to have the recipients disclose their email account usernames and passwords. Upon learning of the incident, the employee email accounts in question were secured and a leading cybersecurity firm was engaged to assist us in our investigation. As part of the investigation, Health Quest Affiliates performed a comprehensive review of the contents of the email accounts in question to determine if they contained any sensitive information.

Through this ongoing review, on January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, which, on April 2, 2019, were determined to contain patient information. That information may have included names, provider names, dates of treatment, treatment and diagnosis information, and health insurance claims information, related to services some patients received at Health Quest Affiliates between January 2018 and June 2018.

Although, to date, Health Quest Affiliates have no evidence that any information has been misused or was in fact viewed or accessed, Health Quest Affiliates began notifying the potentially affected individuals on May 31, 2019, and we have established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by June 10, 2019, please call 1-800-277-0105, Monday through Friday, 9:00 a.m. to 6:30 p.m. EST.

Health Quest Affiliates regret any inconvenience or concern this may cause you. To help prevent a similar incident from occurring in the future, Health Quest Affiliates are implementing multi-factor authentication for email and additional procedures to further expand and strengthen its security processes. Health Quest Affiliates are also providing additional training to its employees regarding phishing emails and other cybersecurity issues.

May 24, 2019

Paul Kunert reports:

The third-party mailbox used by Computacenter employees and contractors to deposit data for security clearance applications has been hacked and used in phishing scams.

The company, one of Europe’s largest resellers, counts some of the biggest names in financial services among its corporate client base, and sells to a raft of local and central government customers.

Computacenter wrote to its staff yesterday to confirm the incident:

Read more on The Register.

May 23, 2019

Brian Krebs reports:

Some of the most convincing email phishing and malware attacks come disguised as nastygrams from a law firm. Such scams typically notify the recipient that he/she is being sued, and instruct them to review the attached file and respond within a few days — or else. Here’s a look at a recent spam campaign that peppered more than 100,000 business email addresses with fake legal threats harboring malware.

Read more on KrebsOnSecurity.com.

This is timely for those of us who tend to get legal threats on an all-too-frequent basis.