HIPAA – Page 13 – DataBreaches.Net

An inexcusable gap from breach to notification, or an excusable one?

Posted on September 9, 2023 by Dissent

Some state and federal laws provide specific timeframes by which breached entities must provide notice to regulators and to those affected by a data breach. Unfortunately, loopholes abound, as we seen in statutory language such as Minnesota’s breach notification law, where for timing of notification, it says: “The disclosure must be made in the most…

The Government Isn’t Sure How to Get Small Hospitals to Take Cybersecurity Seriously

Posted on September 7, 2023 by Dissent

Eric Geller reports: The U.S. government is struggling to convince hospitals that they need to spend time and money fighting hackers and provide useful advice to them, a problem that could have lethal consequences as the country’s ransomware crisis rages on. “I don’t think we’ve figured out how to talk to the small and medium-sized…

HHS Security Risk Assessment Tool Version 3.4 and Webinars

Posted on August 31, 2023 by Dissent

From HHS OCR: The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) at the U.S. Department of Health and Human Services (HHS) are hosting two webinars for the release of version 3.4 of the Security Risk Assessment (SRA) Tool. This tool is designed to aid small…

Health Data and Investigations: Between a Rock and a Hard Place

Posted on August 19, 2023 by Dissent

Matt Fisher writes: Demands for medical records can stem from a variety of investigations, which can involve a myriad of sources. The most recent example driving headlines is an investigation involving Vanderbilt University Medical Center (“VUMC”). VUMC disclosed records concerning treatment of transgender patients to the Tennessee Attorney General. According to the Attorney General, an investigation of…

One year later, Tift Regional Medical Center notifies patients of Hive attack

Posted on August 13, 2023 by Dissent

In September 2022, DataBreaches broke the story of how Hive had attacked Tift Regional Medical Center in Georgia between July and August. The attack did not involve encryption of systems but Hive claimed to have exfiltrated about 1 TB of data, including files with protected health information. On October 14, Tift notified HHS of an…

Another hospital hit by ransomware: Columbus Regional Healthcare System in North Carolina hit by Daixin

Posted on June 9, 2023October 3, 2024 by Dissent

Columbus Regional Healthcare System (CRHS) is a non-profit organization in North Carolina licensed for 154 beds. The Daixin ransomware group claims that on May 18, they encrypted the hospital’s servers after exfiltrating data and deleting backups. A Ransom Demand and Failed Negotiations A spokesperson for Daixin tells DataBreaches that three days after they encrypted the…