Oct 132018

Lindsay Dodgson reports:

If you sign up to Ashley Madison, you don’t have to think about what you’re doing as cheating, but “outsourcing your sex life.”

“In 2018 we expect our life partners are going to be everything to us — they’ve got to be my best friend, they’ve got to be sexually compatible, they have to be great at coparenting,” Ruben Buell, Ashley Madison’s president and chief technology officer, told Business Insider.

“We have to have the same vision of finances, we have to have the same hobbies, the same interests… There’s so much pressure on that one relationship, everything has to be right.

“And sometimes, the vast majority of it is right, but maybe there’s something that’s not.”

This is one of the reasons Ashley Madison currently sees 20,000 new sign ups a day, and over 40,000 affairs happen on the site every day.

Even after the data leak back in 2015, people came back to Ashley Madison.

Read more on Business Insider.

Oct 112018

HIPAA lawyer Matt Fisher has a thoughtful commentary inspired by an OCR investigation first reported on this site. Unlike the FTC who have tended to demand 20-year monitoring plans as part of their settlements with entities that have data security breaches, OCR tends to use a more educative approach without monetary penalties or long-term monitoring in responding to breaches. But is that enough to satisfy those whose PHI may have been compromised or who may have suffered because of a breach?  Should there be more monetary penalties or public disclosure? Matt writes, in part:

While behind the scenes resolutions work very well for the entities involved, a different perspective should also be considered. Specifically, the perspective of the complainant if there is an alleged violation of a HIPAA requirement or the individuals whose protected health information is impacted in the event of a breach. In those instances, the aggrieved individuals may ask why more was not done to penalize the entity or impose some punishment given the harm to the individual that likely cannot be “remedied” in the individual’s eye. While retribution will not necessarily result in satisfaction, a very real human desire can arise to see it imposed regardless.

Given what should be a real consideration of not discounting the harm to individuals, should OCR pursue more enforcement actions that result in penalties or another form of public reprimand? The answer is not clear and not one subject to easy advocacy.

Read all of Matt’s commentary on Mirick O’Connell’s The Pulse.

Oct 092018

Tim Johnson reports:

The digital operations team at the Democratic National Committee hit some dark days after Russian hackers mauled their networks in 2016, hijacking dozens of computers and pilfering tens of thousands of emails to hand over to WikiLeaks and onto the internet.

Remnants of that digital bruising linger.

“I feel like everyone’s still feeling, like, the PTSD from ’16,” said Raffi Krikorian, who now is the chief technology officer for a newly beefed-up unit of the Democratic National Committee, referring to post-traumatic stress disorder.

Read more on McClatchyDC.

Oct 082018

A few weeks ago, DataBreaches.net reported on a leaky Amazon S3 bucket owned by MedCall Advisors in North Carolina. The leak, which exposed approximately 3,000 patients’ protected health information, was discovered by UpGuard, who published a number of redacted screenshots to document the leak.  Their detailed report also noted how Randy Baker, the CEO of MedCall Advisors, did not acknowledge or respond to their notification of the leak, although the leak was secured within hours of them sending the CEO an email.  MedCall also failed to respond to questions put to it by DataBreaches.net.

MedCall Advisors not only failed to respond to UpGuard and DataBreaches.net, but, more importantly, perhaps, they never even asked whether we would securely delete any ePHI we may have acquired. 

In light of their response – or lack of response – you shouldn’t be totally surprised to learn that a few weeks later, DataBreaches.net was  contacted by another researcher, Britton White, who informed this site that MedCall Advisor’s S3 bucket was leaking again.

This time, it appeared that 10,000 files might be available for download…. and/or deletion or editing.  The leak was noted on grayhatwarefare.com’s site, where any curious soul or criminal could find pages and pages of exposed MedCall files listed for the taking.

For the second time in less than one month, MedCall Advisors leaked thousands of patients’ protected health information from their Amazon S3 bucket. This screenshot shows part of how the leak was exposed on grayhatwarefare.com. Some exposed files appeared to include patients’ names in the filenames.

White attached a .csv file that included patients’ name, email address, postal address, phone numbers (fixed and cell), gender, date of birth, and  Social Security Number.

Other files contained recordings of patient evaluations/conversations with doctors, and records completed by doctors following patient or injured employee contacts. These detailed records contained information such as what medications the patient was already on, any allergies, the nature and detail of their complaint, onset, etc.

Even files that appeared to be deleted from the bucket were actually still available for download. And as before, there were was no login required, no encryption of the data, and the files were writable.  DataBreaches.net promptly emailed MedCall Advisors to alert them to this newest leak. Once again, the email notification resulted in security of the data but without any acknowledgement from the firm.

Were any patients, doctors, or client companies notified by MedCall Advisors after the first incident?  Are any going to be notified after this second incident?

How many people may have found the exposed files and downloaded them?

All we can say for sure  is that there is no report/entry from MedCall Advisors up on HHS’s breach tool at this time, and there is no notice on their web site at this time.

After verifying that the patient names belonged to real individuals, DataBreaches.net sent email inquiries to some doctors whose names appeared in some of the injury contact files to ask if MedCall has notified them of any leak. A few patients and employee supervisors whose names appeared in files were also sent emails asking them whether MedCall Advisors has advised them of any data leak incidents.  This post will be updated if any responses are received.

When DataBreaches.net notified Randy Baker of this second leak, this site also asked him how MedCall was going to prevent a third leak.  Baker not only failed to acknowledge the courtesy notification that they were leaking patient data, but he did not answer the question as to what steps they would take to prevent a third recurrence.

Maybe they will answer those questions for OCR. Unless, of course, they decide that this is not a reportable breach under HIPAA.  But even if they are not covered by HIPAA, they likely have some notifications to make to state attorneys general and patients.


Oct 082018

One of the common themes in discussing security is that many organizations are not “mature” yet. And of course, as HIPAA recognizes in its security rule, smaller practices should not be expected to do everything you might expect a larger hospital system to do. But even small or  medium-sized entities need to comply with the core standards.

At the Privacy and Security Forum in D.C. this past week, I had the opportunity to speak briefly with Roger Severino,  the new Director of the Office for Civil Rights at the U.S. Department of Health and Human Services.

Severino comes to the position, he explained, with an enforcement background and orientation. So I took the opportunity to mention that I have yet to see OCR really take enforcement action against entities who never even disclose a breach to OCR or to affected patients. It’s certainly been the case that over the past few years, Justin Shafer has notified OCR of a number of FTP server leaks, and I’ve notified OCR of a number of leaks or hacks (some involving TheDarkOverlord) that were seemingly never reported to OCR and may never have been disclosed to affected patients.

Severino asked me to send him a batch of information on breaches that were never investigated or have not shown up on their breach tool — or where patients may never have been notified. I will be collaborating with Justin Shafer to compile a sample list for OCR. Not all of the entities may be covered entities under HIPAA, of course, but I bet you the majority are.

Anyway, I left D.C. encouraged by Severino’s enforcement attitude, and got home to a second pleasant surprise relevant to this topic.  OCR had sent Justin Shafer a letter about the outcome of an investigation they had conducted based on a complaint he sent them in December, 2016. The complaint involved an FTP server that was open to the public because it permitted anonymous login.

As with the Patterson Dental situation that I have reported on in the past,when contacted by OCR, Patients Choice in Texas reportedly told OCR that Shafer had hacked them. He hadn’t, of course, but it’s not clear whether Patients Choice really understood their leak or if they were just trying to deflect responsibility. In any event, when OCR investigated, they found numerous deficiencies on Patients Choice’s part. By the time OCR closed its investigation more than 18 months later, they had provided substantial information and assistance to help Patients Choice come into compliance with HIPAA and HITECH.

The Complaint

On December 27, 2016, Shafer reported to OCR that in November, 2016 he had found Patients Choice patient data in the form of 1,069 scanned pdf files with protected health information exposed on an FTP server that permitted anonymous login. He also reported to OCR that he had notified Patients Choice by phone and had recorded the notification calls.

OCR reached out to Patients Choice in March, 2017 and thereafter. Patients Choice’s report on HHS’s breach tool is dated in September, 2017.

The Investigation and Findings

As OCR explains it, the Patients Choice report in response to their inquiry indicated possible noncompliance with certain aspects of the privacy and security rules:

The report indicated potential violations of 45 C.F.R. §§ 164.502(a) (Uses and Disclosures of PHI), 164.308(a)(l)(ii)(A) (Risk Analysis), 164.308(a)(l)(ii)(B) (Risk Management Plan), 164.308(a)(7)(ii)(A) (Data Backup Plan), 164.312(a)(2)(iv) (Encryption and Decryption), 164.312(d) (Person or Entity Authentication), 164.312(e)(l) (Transmission Security), 164.404 (Notification to Individuals), 164.406 (Notification to Media), and 164.408 (Notification to Secretary)

That’s a lot of potential violations for OCR to investigate. As their closing letter explains:

By letters dated March 2, 2017, and January 26, 2018, OCR notified Covered Entity of its investigation into this matter.  In its responses to OCR from March 31, 2017 to September 21, 2018, and during a site visit by OCR, Covered Entity provided evidence of its internal investigation concerning the breach incident as well as extensive corrective action it has taken in response to the incident.

The evidence revealed that at the time of the breach incident, Covered Entity’s satellite offices utilized the involved FTP server to send billing documents to Covered Entity’s Billing Department. Covered Entity discovered that a contractor handling multiple hardware issues allowed the FTP server to accept anonymous logins while trouble shooting network errors. The contractor inadvertently failed to disable the anonymous login on the FTP server. Covered Entity ceased using the IT vendor that employed the involved contractor and hired a new IT vendor.

The closing letter (see below) reviews all of the corrective actions Patients Choice subsequently took.  But would they have taken any of these actions if OCR had not contacted them and opened an investigation based on Shafer’s report? I think that the entity would likely have continued to claim that they were hacked, and might have taken significantly different corrective actions. And it’s not clear to me whether OCR or patients would ever have been notified. Why was their notification to OCR dated September, 2017 instead of no later than January, 2017 after Shafer contacted them in November, 2016?  As OCR found, notification was not timely.

In its investigation, OCR also looked at notification to patients, to the media, and to OCR. They found that although Patients Choice had made notifications, the notifications were all untimely, and there were other deficiencies:

Upon review, OCR also noted that Covered Entity’s substitute notice did not include a brief description of the breach, the types of PHI involved in the breach, steps affected individuals should take to protect themselves from potential harm, and a brief description of what Covered Entity is doing to investigate the breach, mitigate the harm, and prevent further breaches. Further, the substitute notice did not include a toll-free number for individuals to contact Covered Entity regarding the breach. OCR, therefore, provided technical assistance to Covered Entity regarding Breach Notification requirements, including timeliness of notifications and requirements for substitute notice. Covered Entity re-educated appropriate workforce members on Breach Notification requirements specified at 45 C.F .R. § § 164.404- 164.408. Covered Entity provided OCR sufficient documentation of the aforementioned re­education.

A lightly redacted copy of OCR’s closing letter is reproduced below this post. I think it reflects OCR’s approach to educating and assisting via enforcement, and that it is a good document to share with medical practices/small groups to show them how OCR applies the standards to small or medium-sized practices. If we want to help more entities mature in their security, we could use more enforcement actions like this one that are then made public so that other small and medium-sized entities can learn from them.

When asked for his reaction to OCR’s actions, Justin Shafer responded,

I am glad OCR investigated this matter and that the covered entity became more educated on HIPAA\HITECH.

I know HHS/OCR has been limited in terms of resources, and that the present environment leans more to deregulation, but these enforcement actions can be a wonderful tool to help more entities understand and comply with regulatory requirements.  I hope to see more of them.