Top Stories

Privacy, security concerns prompt GAO to call for more telehealth oversight | SC Media
The Department of Health and Human Services Office for Civil Rights is missing a tracking mechanism to understand the extent to which providers are informing Medicaid patients of the privacy and security risks brought on by telehealth platforms, which led to 43 patient complaints to OCR during the COVID-19 pandemic.

Covid-tracking program lacked bare minimum cyber protections - The Washington Post
The Department of Health and Human Services (HHS) failed to implement basic protections against hackers when it developed a system to track covid-19 data in 2020, according to an internal watchdog report it never made publicly available.
Breaches

Ambry Genetics Reaches $12.25M Settlement Over Healthcare Data Breach
California-based Ambry Genetics reached a $12.25 million settlement to resolve a healthcare data breach lawsuit. The clinical genomic diagnostics vendor suffered a breach in January 2020 that impacted 232,772 patients.

Humana Discloses Third-Party Data Breach at Choice Health
Humana disclosed a third-party data breach to the Maine Attorney General’s Office that impacted 22,767 individuals. The breach originated at Choice Health, which sells Medicare products on Humana’s behalf.
Security

OIG Finds NIH Health Grant Program Needs Stricter Cybersecurity Controls
OIG audited NIH’s health grant program and found that it did not have adequate cybersecurity controls and risk assessment protocols in place to safeguard sensitive data.

FBI Warns Healthcare Sector of Surge in Payment Scams
In recent incidents, cybercriminals used employees' publicly available personally identifiable information and deployed social engineering techniques to impersonate care providers and gain access to healthcare portals, payment information and websites, the FBI says.

CISA: Hackers exploit critical Bitbucket Server flaw in attacks
The third security flaw CISA added to its KEV list today (tracked as CVE-2022-36804) is a critical-severity command injection vulnerability in Atlassian's Bitbucket Server and Data Center, for which proof-of-concept exploit code is publicly available.
Attackers can gain remote code execution by exploiting the flaw via malicious HTTP requests, but they must first have access to a public repository or read permissions on a private one.
This RCE vulnerability impacts all Bitbucket Server and Data Center versions released after 6.10.17, from 7.0.0 up to and including 8.3.0.
Privacy

Action taken against SEVEN organisations who failed in their duty to respond to information access requests | ICO
The Information Commissioner’s Office (ICO) has taken action against seven organisations that failed to respond to members of the public who asked for the personal information held about them, a request known as a Subject Access Request (SAR).
Europe

Health data warehouses: the CNIL publishes a compliance "check-list" for its reference framework | CNIL
France’s data protection authority, the Commission nationale de l'informatique et des libertés, created a compliance checklist for controllers operating health data warehouses.
Misc

Groups Urge HHS to Extend 'Information Blocking' Deadline
A slew of heavyweight lobbying groups from the healthcare industry is calling on the federal government to hold off from penalizing medical providers who don't facilitate the easy digital sharing of patient data.