Top Stories

The average company with data in the cloud has a $28 million breach risk | SC Media
The average company with data in the cloud has 157,000 sensitive records exposed to everyone on the internet by SaaS apps sharing features, representing $28 million in data-breach risk, according to a new report released Tuesday by Varonis.

Cybersecurity Is Patient Safety, Says US Senator
Decrying cybersecurity's status in healthcare as a second tier issue, a U.S. senator is suggesting that medical practices participating in Medicare come under a mandate to apply minimum security practices as standard operating procedure.

Breaches

SolarWinds May Face SEC Investigation Over Hack Disclosure
The Austin, Texas-based company divulged the possible SEC probe in a shareholder filing. Federal regulators have made a preliminary determination an investigation should proceed into whether the company violated securities law by failing to adequately disclose cybersecurity risks and incidents. They sent the company what's known as a "Wells Notice," a notification that stops short of a formal charge and allows the company to contest the preliminary staff determination, which SolarWinds says it will do.

OakBend Medical Center Provides Healthcare Data Breach Notice
“For example, we do not believe that the cybercriminals were able to remove the entire medical record of OakBend’s patients. It does appear, however, that the cybercriminals were able to access and/or remove certain employee data sets and certain reports that included the personal and medical information related to our current and former patients, employees, and related individuals.”

Massachusetts AG finds failed security measures led to Georgia provider’s breach | SC Media
Aveanna Healthcare in Georgia agreed to pay Massachusetts $425,000 after that state's attorney general investigation into the home health and hospice provider found that the company’s failure to implement proper security measures led to its phishing-related data breach in 2019.

Keystone Health Faces Lawsuit Over Healthcare Data Breach
Keystone Health suffered a healthcare data breach that impacted 235,237 individuals and potentially exposed protected health information.

Ransomware attack on Ascension St. Vincent’s legacy EMR spurs breach notice | SC Media
An investigation led with assistance from a third-party forensic team revealed that an attacker accessed systems within the legacy Coastal Cardiology network, used by Ascension to retain data, including patient information, in order to meet regulatory requirements. The data was not used for current business operations.

Vendor Hack Tied to 20 Anesthesiology Practice Breaches
A hacking incident at a New York-based administrative services firm has resulted in a growing list of anesthesiology practices reporting breaches that so far have affected the personal information of about 430,000 people.

St. Luke’s Health Suffers Third-Party Data Breach, Unrelated to CommonSpirit Attack
Texas-based St. Luke’s Health notified 16,906 individuals of a third-party data breach that impacted Adelanto Healthcare Ventures (AHCV), a consulting services vendor. The breach is unrelated to the October ransomware attack at St. Luke’s Health’s parent company, CommonSpirit Health, which impacted multiple facilities, including St. Luke’s.

Security

OCR Recognized Security Practices Video Presentation - YouTube
A new video from the Office for Civil Rights outlines the evidence and documentation entities impacted by a healthcare data breach must provide the agency in order to qualify for the relief outlined in the HITECH Act’s safe harbor amendment.

Healthcare Sector Urged to Address OpenSSL Flaws
Healthcare organizations should be ready to find and patch instances of OpenSSL 3.0, warn cybersecurity experts.

Ransomware Attack Disrupts Japanese Hospital for 2nd Day
A Japanese hospital in Osaka stopped offering anything but emergency care after hackers launched a Monday morning ransomware attack on the electronic medical records system. Hospital officials say the prospects of system recovery are not good.

AstraZeneca password lapse exposed patient data | TechCrunch
Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. The credentials allowed access to a test Salesforce cloud environment, often used by businesses to manage their customers, but the test environment contained some patient data, Hussein said.

Privacy

Patients sue WakeMed, Aurora Advocate over data collection by Meta's Pixel tool | SC Media
WakeMed Health and Hospitals, and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping by the use of Pixel on their hospital and patient-facing websites. The two separate lawsuits were filed on Oct. 31.

Europe

Europrivacy: the first certification mechanism to ensure compliance with GDPR | Shaping Europe’s digital future
It leverages two complementary models of ISO certification (ISO/IEC 17065 and ISO/IEC 17021-1) in order to make it applicable to a large set of data processing activities. It is aligned with ISO standards and can be easily combined with the certification of security of information management systems (ISO/IEC 27001).

Greek DPA imposes 20M euro fine on Clearview AI for unlawful processing of personal data
This number doubled from the previous largest fine issued by the HDPA, which was 9.25 million euros against the largest telecommunications conglomerate in Greece.

British govt is scanning all Internet devices hosted in UK
NCSC's scans are performed using tools hosted in a dedicated cloud-hosted environment from scanner.scanning.service.ncsc.gov.uk and two IP addresses (18.171.7.246 and 35.177.10.231).

Misc

Businesses Seek to Soften SEC Cyber Rules - WSJ
Companies including Chevron Corp., Quest Diagnostics Inc. and Ernst & Young LLP are pushing to narrow proposed cybersecurity rules from the Securities and Exchange Commission in the private sector’s latest attempt to shape a growing array of regulations by Washington.

CommonSpirit Appoints Daniel Barchi as Chief Information Officer
CommonSpirit Health has appointed Daniel J. Barchi, MEM as Senior Executive Vice President and Chief Information Officer, effective Nov. 7, 2022. Suja Chandrasekaran left as CommonSpirit's chief digital and information officer in June, according to her LinkedIn profile.