Impermissible Disclosure Settlement Costs Covered Entity $2.5 Million for Insufficient Risk Analysis for Stolen Unsecured Device with ePHI

April 28, 2017. On April 24, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced in a news release a $2.5 million settlement in a Resolution Agreement and Corrective Action Plan with CardioNet, a “covered entity that provides patients with wireless ambulatory cardiac monitoring service,” for “impermissible disclosure of unsecured electronic protected health information (ePHI)” in reported breaches on January 10, 2012 (1,391 individuals affected) and February 27, 2012 (2,219 individuals affected). OCR initiated an investigation in May 2012 and determined that CardioNet:

$31,000 is a High Price to Pay for Failure to Implement a Business Associate Agreement

April 28, 2017. On April 14, 2017—the Effective Date—the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) settled with Center for Children’s Digestive Health (CCDH), “a small, for-profit health care provider that operates a pediatric subspecialty practice in seven clinic locations across Illinois,” for “impermissibly [disclosing] the [protected health information] of at least 10,728 individuals” to a “third-party vendor that stored inactive paper medical records” “without obtaining [the vendor’s] satisfactory assurances, in the form of a written business associate agreement, [that the vendor] would appropriately safeguard the PHI.”

Lack of a Security Management Process to Safeguard ePHI Costs an FQHC $400,000 and Requires It to Implement a Corrective Action Plan

April 17, 2017. On April 12, 2017, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced in a news release entitled: “Overlooking risks leads to breach, $400,000 settlement”, that it had executed a Resolution Agreement and embedded Corrective Action Plan with a nonprofit federally qualified health center (FQHC), Metro Community Provider Network (MCPN) of Denver, CO for failure to:

OCR Issues Cyber Awareness Newsletter Warning About MITM Cyberattacks that May Impact Integrity and Impermissible Access to PHI

April 5, 2017. The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has issued an April 2017 Cyber Awareness Newsletter entitled: “Man-in-the-Middle Attacks and ‘HTTPS Inspection Products’”. The Newsletter states: “Man-in-the-middle (MITM) attacks occur when a third-party intercepts and potentially alters communication between two different parties, unbeknownst to the two parties. MITM attacks can be used to inject malicious code, intercept sensitive information like protected health information (PHI), expose sensitive information, and modify trust information.”

WEDI Publishes Issue Brief on Growing Concern of Cybercrime in Healthcare

April 4, 2017. The Workgroup for Electronic Data Interchange (WEDI) has published an Issue Brief entitled: “The Rampant Growth of Cybercrime in Healthcare.” The timing of the WEDI release coincides with the Federal Bureau of Investigation (FBI) Cyber Division release of “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” which HIPAA Integrity® has discussed in several of its posts in the past week. Designed for “Education and Awareness Use Only,” the Issue Brief “explores some of the common vulnerabilities of healthcare organizations that are typically exploited by threat adversaries in today’s environment as well as best practices to mitigate these vulnerabilities.”

Take the Pew Research Center Cybersecurity Knowledge Quiz

April 4, 2017. In the past week, HIPAA Integrity® has posted several significant pieces on the importance of implementing and hardening cybersecurity perimeter defenses to deter and mitigate the consequences of the growing incidence of cyberattacks such as phishing and ransomware demands resulting in impermissible access, use, and disclosure of unsecured protected health information (PHI).

FBI Alerts Healthcare Industry to Harden FTP Server Defenses for Safeguarding PHI

April 3, 2017. In a rare but significant move, the Cyber Division of the Federal Bureau of Investigation (FBI) issued on March 22, 2017, a Private Industry Notification to the healthcare industry entitled: “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information,” which is accessible online at: This matter, which only began appearing on healthcare industry radar late last week, concerns File Transfer Protocol (FTP) servers containing protected health information (PHI) operating in anonymous mode without password protection, creating an opportunity for hackers to penetrate vulnerable healthcare networks to impermissibly access unsecured PHI. The FBI Notification cites a 2015 University of Michigan study that indicated “over 1 million FTP servers were configured to allow anonymous access, potentially exposing sensitive data stored on the servers.”

Essential Reading Follow-up: “Why the FBI alert is a wakeup call for healthcare organizations”

March 31, 2017. On March 22, 2017, the Cyber Division of the Federal Bureau of Investigation (FBI) issued a Private Industry Notification entitled: “Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information [PHI].” FTP servers mean File Transfer Protocol servers, with “(FTP) a protocol widely used to transfer data between network hosts.” “The anonymous extension of FTP allows a user to authenticate to the FTP server via common username such as ‘anonymous’ or ‘ftp’ without submitting a password or by submitting a generic password or e-mail address.” Access to such servers containing protected health information (PHI) potentially imperils such information for impermissible use or disclosure.

Experts at CLM Conference Warn Organizations to Prepare for Cost-Effective Breach Response by Planning Ahead

March 31, 2017. With breaches growing and types expanding, experts at the Claims and Litigation Management Alliance Conference in Nashville, TN yesterday recommended planning ahead for cost-effective breach response and management, according to Gavin Souter in his March 30, 2017, Business Insurance article entitled: “Early breach preparation can save costs as attacks grow.” Robert Parisi of Marsh L.L.C. in New York stated: “‘You don’t want to start figuring out who to hire—whether it be a lawyer or a forensics investigator—as you are sending the FBI guys out the door and thanking them for telling you about the breach…. Have a plan, work the plan. That seems to be the best way to keep losses to a minimum.’”

NIST Misses Projected March 28, 2017, Publication Deadline for NIST SP 800-53-5, But Status Document Informative About Changes

March 30, 2017. In its undated update of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53-Revision 5, with the expected title: “Security and Privacy Controls for Federal Information Systems and Organizations,” NIST indicated that it was projected to be published on March 28, 2017, which date also coincided with the Information Security and Privacy Advisory Board (ISPAB) meeting in Washington, DC, at which a presentation was scheduled on Draft SP 800-53-Revision 5.
