HIPAA Journal – Exposure of PHI During Online Presentations

Highlights From The HIPAA Journal
From the August 24th Newsletter

Radiology Groups may have allowed exposure of PHI during online presentations

  • The American College of Radiology, the Society for Imaging Informatics in Medicine, and the Radiological Society of North America have issued a warning about the risk of accidental exposure of protected health information (PHI) in online medical presentations.
  • The radiology organizations warn against the use of formatting tools in the presentation software – PowerPoint, Keynote, Google Slides etc – for cropping the images so as not to display any patient identifiers, as this practice will not permanently remote PHI from the images.

OCR identifies the importance of maintaining a comprehensive IT asset inventory

  • Many cases of noncompliance are due to the failure to perform a comprehensive risk analysis across the entire organization.
  • One of the common reasons for a risk analysis compliance failure, is not knowing where all ePHI is located in the organization.
  • The inventory should include all physical IT related devices plus the applications associated with the organization’s hardware.

Vishing, the new way hackers are trying to hack in to a Healthcare Organization’s database, is announced as a threat by the FBI and CISA

  • The threat actors impersonate a trusted entity and use social engineering techniques get targets to disclose their corporate Virtual Private Network (VPN) credentials.
  • Due to many workers working from home and working on a VPN, cybercriminals are targeting Organizations with the potential to receive those credentials.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Dynasplit Systems, a manufacturer of stretching devices to improve joint motion, experienced an attack that PHI may have been stolen. Over 102,000 individuals were likely affected by this attack.
  • Pinnacle Clinic Research of Texas announced it had a phishing attack. One email account was compromised and was immediately secured when the breach was discovered. It is unclear how many individuals were potentially affected by this attack.
  • The Institute for Integrative Nutrition (NY) had a phishing attack in March of 2020 where it wasn’t discovered until June 22 that the breach occurred. Significant measures have been taken.
  • Mental Health Center of Boulder County (CO) incurred a phishing attack in March of this year and complimentary credit monitoring services were given to clients that were potentially affected by this attack.


Find out how we can help

Portrait of young female doctor at office