Another turkey: potential 9M patients affected by medical transcription vendor data breach

Vendors are hot, hot, hot…with hackers. In another notable vendor data incident, Perry Johnson & Associates (PJ&A), a Henderson, Nevada-based provider of transcription services for hospitals and physician practices, reported a data security incident to the US Health & Human Services (HHS) Office for Civil Rights (OCR) on 3 November. The breach occurred in PJ&A’s network, and files were copied between 27 March and 2 May, when it was detected. A total of 8.95 million individuals were affected, including over 4 million in NYC and Syracuse at Northwell Health, the largest health provider in New York State, and Crouse Health. Northwell hasn’t had much luck with transcription providers, having been affected earlier this year when Nuance Communications was hacked via one of its vendors–the Progress Software MOVEit file transfer protocol (FTP) theft traced back to ransomwareistes CLOP [TTA 3 Aug].

Personal health information stolen for all included name, date of birth, address, medical record number, hospital account number, admission diagnosis, and date(s) and time(s) of service. While the records didn’t contain financial information, some patients may have had breaches of their Social Security numbers, insurance information and clinical information from medical transcription files, such as laboratory and diagnostic testing results, medications, the name of the treatment facility, and the name of healthcare providers.

PJ&A notified affected providers on 29 September and affected patients on 31 October. In addition to the 4 million+ in New York, 1.2 million individuals were served by Cook County Health in Illinois. The rest have not been identified. TechCrunch, News4NY, PJ&A notice 

This ‘n’ that: HHS settles *2017* ransomware breach, Carbon Health lays off 114 in restructuring, why oh why VC General Catalyst wants a $3B health system, when Larry Met Billy, a lexicon of workplace terms

It only took five years to levy a $100,000 fine. Doctors’ Management Services, a Massachusetts-based medical management company, had a ransomware attack back in 2017 that exposed 206,695 individuals to personal health information violations. The Health and Human Services (HHS) Office for Civil Rights (OCR), which is charged with actually enforcing penalties and remedies for data breaches, decided that Doctors’ Management hadn’t done quite enough to protect their patients. The cyberattack was identified in December 2018, but Doctors’ didn’t report the breach to OCR until April 2019. Their network had been infected with GandCrab ransomware. After determining various protection failures, HHS put them on a three-year corrective plan to protect their data and collected the $100,000 fine, their very first. But still, nearly four years later? And with breaches, ransomware, and hacking going on every day? Healthcare Dive

Another Covid unicorn comes down with a bang. Carbon Health, a 13-state network of primary care clinics along with virtual care in areas such as mental health, says ‘bye’ to 114 or 5% of its staff. It grew and got funded big during Covid as it set up testing and vaccine initiatives, achieving a valuation of $3 billion. In 2021, Covid accounted for 60% of their revenue, but as it waned in 2022, so did their revenue by 23%. To date, their funding has been over $622 million, with $100 million in January in a Series D funded by CVS Health Ventures. This isn’t their first big layoff–200 staffers said goodbye in January as well as 250 in mid-2022 which was about 8%. Becker’s

General Catalyst’s newest venture into Health Transformation Land, HATco, The Health Assurance Transformation Corporation, is in the market for a health system in the “$1 billion to $3 billion” range. Not too small to not have an impact in their communities, and large enough to have capabilities around value-based care plus a track record of excellence. This is to create their ‘blueprint’ for healthcare transformation. Interested parties should contact CEO Marc Harrison, MD. Their other plans to get there were announced at HLTH. As to why…General Catalyst has had a lot of experience with companies, and perhaps they feel they have a Better Way to Get There. Becker’s, TTA 10 Oct.

Of Note…The second wealthiest executive in healthcare, Oracle’s Larry Ellison, wasn’t too busy to hang out with the third wealthiest on Forbes’ list, former senator and HCA honcho Bill Frist, in Nashville at the inaugural Frist Cressey Ventures Forum. Ellison is also investing in a 70-acre, $1.35 billion campus on Nashville’s riverfront. It’s always nice to make nice with the neighbors, especially when they have major holdings in a large health corporation. Becker’s

To wrap up This ‘N’ That, Becker’s has a useful article that will keep you au courant on those workplace terms you see on places like LinkedIn. ‘Quiet quitting’, so popular in 2021-2, has had its day with layoffs leading to real ‘quitting’, leaving behind ‘grumpy stayers’ who try to get away with ‘Bare Minimum Mondays’. ‘Coffee badging’ was a new one on your Editor. The rest are catchy phrases for things as old as time in the workplace.

16 or 27 million 2016 breaches, 1 in 4 Americans? Data, IoT insecurity runs wild (US/UK)

What’s better than a chilly early spring dive into the North Sea of Health Data Insecurity?

Accenture’s report released in February calculated that 26 percent of Americans had experienced a health care-related data breach. 50 percent of those were victims of medical identity theft and had to pay out an average of $2,500 in additional cost. One-third (36 percent) believed the breach took place in hospitals, followed by urgent care and pharmacies (both 22 percent). How did they find out? Credit card and insurer statements were usual, with only one-third being notified by their provider. Interestingly, a scant 12 percent of data breach victims reported the breach to the organization holding their data. (You’d think they’d be screaming?) The samples were taken between November 2016 and January 2017. Accenture has similar surveys for UK, Australia, Singapore, Brazil, Norway, and Saudi Arabia. Release, PDF of the US Digital Trust Report

So what’s 16 million breaches between friends? Or 4 million? Or 27 million?

  • That is the number (well, 15.9 million and change) of healthcare/medical records breached in 2016 in 376 breaches reported by the Identity Theft Resource Center (ITRC), a Federally/privately supported non-profit. Healthcare, no surprise, is far in the lead with 34 percent and 44 percent respectively. The 272 pages of the 2016 End of Year Report will take more than a casual read, but much of its data is outside of healthcare.
  • For a cross-reference, we look to the non-profit Privacy Rights Clearinghouse which for many years has been a go-to resource for researchers. PRC’s 2016 numbers are lower, substantially so in the number of records: 301 breaches and 4 million records.
  • HIMSS and Healthcare IT News insist that ransomware is under-reported,