HIPAA Journal – PHI leaking incident through GitHub

Highlights From The HIPAA Journal
From the August 17th Newsletter

Major PHI leaking incident through GitHub

• A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories.
• Nine HIPAA-covered entities and business associates have been leaking information via GitHub.
• It is said to be around 150,000 to 200,000 patient records

July 2020 Healthcare data breach report

• 14 healthcare data breaches of 10,000 or more were recorded in July.
• Email led the way for the location of the highest number of breaches occurred

Researches issue warning on COVID-19 home monitoring technologies

• These forms of technologies were created quickly to respond to the COVID-19 pandemic.
• Researchers are concerned with patient privacy and security through these tools.
• Many home monitoring technologies are not considered medical devices and are outside the FDA’s area of control.
• HIPAA includes privacy protections for patients which covers home monitoring technologies, but HIPAA only applies if a technology is provided by a HIPAA-covered entity. If a patient chooses to use home monitoring technologies and is not instructed to do so by a HIPAA-covered entity, HIPAA privacy protections will not apply.

A medical database exposes over 3.1 million patients’ records

• There were no password requirements to access PHI through the database as a security researcher had discovered this.
• There is currently no evidence of the data being stolen.
• It was found that the database was created by a medical software company called Adit which makes online booking and patient management software for medical and dental practices.

Recent cyber/ransomware attacks related to the Healthcare industry

• Northern Light Health Foundation announced that they incurred a ransomware attack. Their database contained information on donors, potential donors and individuals that attended fundraising events. Over 657,000 patient records were potentially accessed through their databases.
• Medical debt collection agency called R1 RCM incurred a breach as their systems were locked down. No clear statement was made on how the attacked occurred or how many patients were potentially affected.
• The attack was likely caused by Defray ransomware which usually spreads via malicious Word documents sent via email in small, targeted campaigns.
• Beaumont Health (MI) incurred a breach that had potentially affected over 6,000 patients. Email accounts were accessed by unauthorized individuals in January of 2020.

Over 3,700 patients had PHI exposed through The Connection, INC. (CT), a provider of community-based behavioral health and substance use services. Email accounts of their employees were hacked by unauthorized users in January of 2020 and PHI was potentially exposed.