A Breakdown of the Second Largest HIPAA Fine to Date – $5.5m

ICYMI, I wrote an article for Tripwire: State of Security


Please go over and take a look! Big shout out to @tripwireinc for the spot!

A Breakdown of Second Largest HIPAA Fine to Date – $5.5m

/s/ HH @LegalLevity

Interview – HIPAA and Population Health Management

I recently had the opportunity to talk about the challenges and successes of working to create a HIPAA compliant information sharing exchange platform with the goal of promoting population health management.

Hope everyone is having a happy holidays! Coming up soon I will discuss things you should consider as goals in privacy and security management for 2016.

/s/ HH @LegalLevity

Blue Cross Hacked, again.

This morning news broke that another member of the Blue Cross family, this time Excellus, was hacked, exposing approximately 10.5 million records. The hack originally began December 23, 2013, but was not discovered until August 5, 2015. In other words, Blue Cross had a persistent, ongoing vulnerability that was actively exploited for almost two (2) years.

The attack on Excellus compromised the following information: Name, DOB, SSN, mailing address, telephone number, member ID, financial account information and claims information. Amazingly, the attack also exposed records of individuals who were not Excellus members, but belonged to other Blue Cross plans, including but not limited to: any BCBS client who received services in New York; BCBS Central New York; BCBS Rochester; and BCBS Utica-Watertown.

According to BCBS, the hacking event occurred, but they are not sure whether any data was taken. Honestly, how is that even possible, unless you are not monitoring network traffic or logging access and downloads? Further, while the information was encrypted (according to BCBS), there is a rather obtuse statement from them saying that the hackers had administrative access, so they had access to the data regardless.
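The point above is that without per-request access logging you cannot answer "was data taken?" after the fact. The following is an added illustration (my own constructed example, not code from Excellus, BCBS, or any vendor) of the kind of check such logs make possible: it parses constructed access-log lines of the form `timestamp account action record_count` and flags any account whose cumulative record count in a day exceeds an assumed threshold, which is exactly the signal that a multi-month administrative compromise would leave behind. The log format, account names, and the 10,000-record daily budget are all assumptions for this example.

```python
"""Added example: flag bulk record access from per-request access logs.

The log format, account names and threshold below are constructed
for this illustration and do not represent any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp account action record_count
SAMPLE_LOG = """\
2015-08-04T09:12:01 svc_claims query 12
2015-08-04T09:13:44 svc_claims query 8
2015-08-04T23:41:09 admin_ops export 250000
2015-08-04T23:52:30 admin_ops export 310000
2015-08-05T02:10:05 jdoe query 3
not a valid log line
"""

# Assumption: how many member records one account may legitimately touch per day.
DAILY_THRESHOLD = 10000


def parse_log(text):
    """Parse 'ts account action count' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, action, count = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "account": account,
                "action": action,
                "count": int(count),
            })
        except ValueError:
            # Unparseable timestamp or count: skip rather than crash the audit.
            continue
    return events


def records_per_account_day(events):
    """Sum record counts per (account, ISO date)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["account"], e["ts"].date().isoformat())] += e["count"]
    return dict(totals)


def flag_bulk_access(events, threshold=DAILY_THRESHOLD):
    """Return a sorted list of (account, day, total) tuples over the threshold."""
    totals = records_per_account_day(events)
    return sorted(
        (account, day, n)
        for (account, day), n in totals.items()
        if n > threshold
    )


if __name__ == "__main__":
    for account, day, n in flag_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"ALERT {day}: {account} touched {n} records (> {DAILY_THRESHOLD})")
```

Run as-is, the script reports the `admin_ops` account exporting 560,000 records on 2015-08-04 while the routine service and user accounts stay far below the budget. The same aggregation run over real logs, rather than constructed ones, is what lets an organization state whether data left the building instead of guessing.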

On top of the above exposures of personal data, the hack also exposed the information of business partners and vendors, specifically those who had provided Excellus with financial account information and SSNs.

Let’s recap the banner year for BCBS and its affiliates.

Total number of records breached in incidents attributable to BCBS in 2015: 103,303,208

BCBS also has the dubious honor of now holding the top three spots for largest PHI breaches. Here is a breakdown of the breaches spread across Anthem, Premera, and several smaller BCBS entities. This will be updated to include the most recent Excellus hack once the data is available. At a certain point, it raises the question of what is going on at BCBS that has led to the three largest PHI breaches in US history all occurring in a single year. That is not to mention how a company's risk analysis approved of cross-company data on shared servers, non-segregated networks, often no encryption, and apparently no network monitoring for suspicious activity.

If you are impacted and need more information, here is the link to the Excellus Breach Response page.

If you have not read my post on the FTC’s guidelines on data security, go read it now. It’s a great place to start on determining whether your data security plan has a good foundation.

Prepare now, or pay later.

/s/ HH @LegalLevity

10 Technology Tips to Avoid HIPAA Violations – Guest Author at Newegg Business

This week I wrote a guest article for Newegg’s Business blog, Hardboiled. I walked through my 10 Technology Tips on How to Avoid HIPAA Violations.

Take a read!

/s/ HH @LegalLevity