Mar 202019
 

ZOLL Medical Corporation, an Asahi Kasei Group Company, develops and markets medical devices and software solutions. A press release on March 18 described an incident that impacted what they describe as “some patients’ personal and medical information.”

On January 24, 2019,  ZOLL discovered that some email archived by an unnamed third-party service provider had been exposed during a server migration. The vendor believes that the exposure occurred between November 8, 2018 and December 28, 2018.

At this point, ZOLL is not aware of any fraud or identity theft to any individual as a result of this exposure. The vendor has since confirmed that all information has now been secured.

Information that may have been exposed includes patient names, addresses, dates of birth, and limited medical information. A small percentage of patients also had Social Security numbers exposed.

ZOLL takes the privacy and security of patient information very seriously. Upon learning of the incident, ZOLL immediately initiated an internal review and retained a leading independent forensics firm to conduct a thorough investigation of the incident. Law enforcement and federal and state agencies have been notified to give them the opportunity to further investigate.

Further, ZOLL is taking steps to review its process for managing third party vendors and confirmed that the impacted vendor has also taken actions to help prevent against similar incidents in the future.

ZOLL is offering free credit and identity monitoring services for one year to impacted patients where available. As an added precaution, ZOLL is providing impacted patients with information on additional steps that may help to guard against fraud or identity theft.

ZOLL sincerely regrets any inconvenience or concern this incident may cause. If you have any questions or need any additional information, please do not hesitate to contact 1-833-231-3358.

Pennsylvania-headquartered ZOLL, LLC reported this incident to HHS as impacting 277,319 patients.

Mar 192019
 

Zack Whittaker reports:

A health tech company was leaking thousands of doctor’s notes, medical records, and prescriptions daily after a security lapse left a server without a password.

The little-known software company, California-based Meditab, bills itself as one of the leading electronic medical records software makers for hospitals, doctor’s offices, and pharmacies. The company, among other things, processes electronic faxes for healthcare providers, still a primary method for sharing patient files to other providers and pharmacies.

But that fax server wasn’t properly secured, according to the security company that discovered the data.

Read more on TechCrunch.

Mar 152019
 

In November, 2018, this site noted a breach disclosed by Huntsville Hospital involving JobScience, Inc., a vendor providing online job application services.  On November 10, we reported that other entities were also affected, such as Tallahassee Memorial Hospital,  who had been notified in September by JobScience, and NorthBay Healthcare Corp., who were notified in October.  Although not posted on this site, DataBreaches.net subsequently noted that El Centro Regional Medical Center had also been notified by JobScience.

DataBreaches.net reached out to JobScience and Bullhorn everal times but never received any replay at all.  Similarly, Huntsville Hospital Health did not reply to two requests for information on this breach.

And there things remained for a while. Until today, when I see that Advocate Sherman Hospital submitted notification to the California Attorney General’s Office about the same May, 2018 incident.

In their letter, Matt Pattelli, their VP – Human Resources, refers to JobScience as a “former service provdier,” and says that they “recently discovered an incident…..”

Recently?  Define “recently.”

What took so long for discovery and notification? Pattelli’s letter provides some clues, but not a really clear explanation:

After provision of additional information by Jobscience in December 2018 and further investigation, we were able to identify in February 2019 that your data was involved. Jobscience stated that law enforcement is aware of the incident, but this notification was not delayed as a result of a law enforcement investigation.

Given that personal information may have included  names, contact information, dates of birth, resumes and Social Security Numbers, you would hope that notification and protective services would be offered quickly.  If other hospitals notified applicants in November, 2018, why did it take so long in this one hospital’s case?  What information wasn’t provided to the hospital that it seemed to need?

Yes, JobScience arranged for services for those affected — even though there is no longer any relationship with the hospital, but what happened here?  And are there any other hospitals that are still first notifying job applicants because of this incident?

DataBreaches.net sent an inquiry earlier today to Advocate Sherman Hospital asking when they were first notifed by Jobscience and why the notification wasn’t sufficient to enable them to do notifications more promptly.  The inquiry also asked whether the hospital terminated their relationship with Jobscience as a result of the incident or if that was unrelated. DataBreaches.net has received no resply as yet, but will update this post if a response is received.

Mar 152019
 

Felicia Choo reports:

The personal information of more than 800,000 people who have donated or tried to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.

Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cyber security expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission to it a day later.

Read more on Straits Times.

The vendor was identified in HSA’s press release as Secur Solutions Group Pte Ltd (SSG). According to the press release:

HSA had provided the data to SSG for updating and testing. SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access. It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA.

Related:  Notice to those affected.

Kudos to the researcher who engaged in responsible disclosure. At the time of this posting, I’m not sure who that was.

Mar 112019
 

So here’s yet another breach with what seems like a long delay to notification.

In this case, Re-Solutions, a division of RSC Insurance Brokerage in Massachusetts, is a business associate to healthcare providers.

On August 23, 2018,  an employee’s laptop was stolen. In its disclosure letter, the laptop was described as “password-protected,” but there was no mention of any encryption or ability to remotely wipe the drive upon discovery of the theft.

On January 22, 2019, RSC provided written notification to its clients that it had completed its investigation and analysis of the incident. There was no explanation in the notification to patients as to why the investigation and analysis took 5 months.

On March 1, RSC notified HHS of the breach as impacting 2,088 patients.  They also began sending notifications to those affected.  A template of the letter appears on the California Attorney General’s site.

Obviously, this incident did not impact as many clients or patients as the Wolverine Solutions Group I’ve reported on previously.  But once again, we have a business associate breach and notification to patients within 60 days of notification to the covered entities — but long gaps (more than 60 days) from initial discovery that there has been an incident to notification to the covered entities.

I really wish HHS would dive into this issue more, as a thief obtained PHI on August 23, 2018 and had from them until March of 2019 to possibly be misusing data before patients were ever alerted. And that may be fine under HIPAA or HITECH,  but perhaps it shouldn’t be (if it is fine).