Showing posts with label Health Information.

Orrick, Herrington & Sutcliffe: Law Firm Suffers Data Breach, Sensitive Health Info Leaked


A renowned San Francisco-based international law firm, Orrick, Herrington & Sutcliffe, recently suffered a data breach.

The breach occurred on February 2, 2023, and was discovered on March 3, 2023. It compromised sensitive health information belonging to more than 637,000 individuals.

During the breach, the threat actors accessed a file share containing victims' personal data and sensitive health information. Of the 637,620 victims in total, 830 were Maine residents.

The stolen data included names, dates of birth, addresses, email addresses, and government-issued identification numbers such as Social Security, passport, driver's license, and tax identification numbers.

Moreover, medical details, insurance claims information, healthcare insurance numbers, provider details, online account credentials, and credit/debit card numbers were compromised.

According to an official filing, the company notified the affected individuals in writing and offered identity theft protection in the form of a two-year Kroll identity monitoring service.

The leak also affected data that Orrick held on behalf of other companies for which it provided legal counsel on data security matters. Affected individuals included customers of vision plans from EyeMed Vision Care, dental plans from Delta Dental, and data from the health insurance company MultiPlan, the behavioural health giant Beacon Health Options (now known as Carelon), and the U.S. Small Business Administration.

Ongoing Investigations and Legal Implications

While there is speculation that a ransomware group was involved in the incident, Orrick has published no official statement, leaving open the question of who is behind the attack.

The law firm is also moving to settle the class-action lawsuit stemming from the data breach.

Acknowledging the inconvenience it had caused, the firm reached a preliminary settlement in principle to resolve four consolidated lawsuits involving hundreds of thousands of victims.

While the specifics of the deal are still unknown, Orrick hopes to finalize the agreements within 15 days. The proposed resolution is intended to cover all claims connected to the breach, which exposed thousands of individuals' sensitive personal information, including names, addresses, dates of birth, and Social Security numbers. It is pending approval by U.S. District Judge Susan Illston.

Facebook Shares Private Information With NHS Trusts

A report published by The Observer has revealed that NHS trusts share private information with Facebook. The newspaper's investigation found that the websites of 20 NHS trusts were all using a covert tracking tool to collect browsing data that was shared with the tech giant, a major breach that violated patient privacy.

The trusts had assured people that they would not collect personal information about them, and the consent of the people involved was never obtained. The data collected showed the pages people visited, the buttons they clicked, and the keywords they searched for.

The user's IP address was attached to this data, and the data was often also associated with their Facebook account details.

Once this information is matched with their medical information, a person's medical condition, doctor's appointments, and the treatments they have received may become known.

Facebook might use the data for advertising campaigns that serve its business objectives.

The news of the Meta Pixel disclosure this weekend caused alarm across NHS trusts: 17 of the 20 trusts using the tracking tool have taken drastic measures, some even apologising for the incident.

How does a Meta Pixel tracker work? What is it all about? 

Meta's advertising tracking tool allows companies to track visitor activity on their web pages and gain a deeper understanding of their actions. 

The Meta Pixel has been identified as an element of 33 hospital websites where, whenever someone clicks a button to make an appointment, Facebook receives "a packet of data" from the pixel. That data is tied to the visitor's IP address, which in turn can be linked to an individual household.
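For a trust auditing its own site, the first practical check is whether the pixel is in the page source at all and which events it fires beyond a plain page view. The scanner below is an added example written for this post, not code from The Observer's report or from Meta. It looks for the pixel's well-known signatures in page HTML (the fbevents.js loader from connect.facebook.net, the fbq('init') call carrying the pixel ID, fbq('track') event calls, and the noscript image beacon at facebook.com/tr), ranks each hit by whether a click-driven event is present, and also checks whether a Content-Security-Policy header would let those hosts load at all. The sample pages and the all-zero pixel ID are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Signatures of the Meta Pixel as it appears in page source: the loader script,
# the fbq('init', <pixel id>) call, event calls, and the <noscript> image beacon.
LOADER_RE = re.compile(r"connect\.facebook\.net/[^'\"\s]*fbevents\.js")
INIT_RE = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
TRACK_RE = re.compile(r"fbq\(\s*['\"](?:track|trackCustom)['\"]\s*,\s*['\"]([^'\"]+)['\"]")
BEACON_RE = re.compile(r"facebook\.com/tr\?[^'\"]*\bid=(\d+)")

# Constructed sample pages (not from any real hospital site); the pixel ID is a placeholder.
SAMPLE_PAGES = {
    "appointments.html": """<html><head>
<script>
!function(f,b,e,v,n,t,s){...}(window, document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><button onclick="fbq('track','Schedule')">Book appointment</button></body></html>""",
    "about.html": "<html><head><title>About</title></head><body><p>No trackers here.</p></body></html>",
}


@dataclass
class PixelFinding:
    path: str
    loader_present: bool
    beacon_present: bool
    pixel_ids: list = field(default_factory=list)
    events: list = field(default_factory=list)


def find_pixel(path: str, html: str):
    """Return a PixelFinding if the page embeds the Meta Pixel, else None."""
    loader = LOADER_RE.search(html) is not None
    ids = INIT_RE.findall(html) + BEACON_RE.findall(html)
    if not (loader or ids):
        return None
    return PixelFinding(
        path=path,
        loader_present=loader,
        beacon_present=BEACON_RE.search(html) is not None,
        pixel_ids=list(dict.fromkeys(ids)),            # de-duplicated, order kept
        events=list(dict.fromkeys(TRACK_RE.findall(html))),
    )


def risk_level(finding: PixelFinding) -> str:
    """PageView alone reveals which URL was visited; any further event (a booking
    button, a form submit) sends an extra packet tied to that specific action."""
    extra = [e for e in finding.events if e != "PageView"]
    return "high" if extra else "medium"


def scan_pages(pages: dict) -> dict:
    """Scan {path: html} and return {path: PixelFinding} for pages carrying the pixel."""
    results = {}
    for path, html in pages.items():
        finding = find_pixel(path, html)
        if finding:
            results[path] = finding
    return results


def csp_allows_host(csp: str, directive: str, host: str) -> bool:
    """Return True if a Content-Security-Policy header would let `directive`
    (e.g. 'script-src') load from `host`. Falls back to default-src as browsers
    do. Simplified: handles exact hosts, '*.' wildcards, '*' and bare schemes."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no policy for this directive, so nothing is blocked
    host = host.lower()
    for src in sources:
        s = src.strip("'").lower()
        if s in ("*", "https:", "http:", host):
            return True
        if "://" in s:
            s = s.split("://", 1)[1]
        if s == host or (s.startswith("*.") and host.endswith(s[1:])):
            return True
    return False


if __name__ == "__main__":
    for path, f in scan_pages(SAMPLE_PAGES).items():
        print(f"{path}: risk={risk_level(f)} ids={f.pixel_ids} events={f.events}")
    policy = "default-src 'self'; script-src 'self'; img-src 'self'"
    print("CSP allows loader:", csp_allows_host(policy, "script-src", "connect.facebook.net"))
    print("CSP allows beacon:", csp_allows_host(policy, "img-src", "www.facebook.com"))
```

In a real audit the page HTML would come from crawling the trust's own site; a strict script-src and img-src policy stops the loader and the noscript beacon even if a pixel snippet is later pasted into a template by mistake.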

It has been reported that eight doctors have apologized to their patients. Furthermore, multiple trusts were unaware that they were sending patient data to Facebook: they had installed the tracking pixels to monitor recruitment and charity campaigns and believed that was all they monitored. The Information Commissioner's Office (ICO) is proceeding with an investigation, and privacy experts have jointly voiced their concerns.

As a result of the research findings, the Meta Pixel has been removed from the Friedrich Hospital website. 

Piedmont Healthcare used the Meta Pixel to collect data about patients' upcoming doctor appointments through its patient portal. This data included patients' names and the dates and times of their appointments.

Privacy experts say the findings indicate widespread potential breaches of patient confidentiality and data protection, which in their view are "completely unacceptable".

The company may be receiving special category health information, which enjoys specific legal protection. As defined by the law, health information consists of information relating to an individual's health status, such as medical conditions, tests, treatments, or any other health-related information.

It is impossible to determine exactly how the data is used once it reaches Facebook's servers. The company states that sending it sensitive medical data is prohibited, and that it has filters in place to weed out such information if it is received accidentally.

As several of the trusts involved explained, they originally implemented the tracking pixel to monitor recruitment or charity campaigns. They had no idea that patient information was being sent to Facebook as part of that process.

BHNHST, a healthcare trust in Buckinghamshire, has removed the tracking tool from its website. It has commented that the presence of the Meta Pixel on the site was an unintentional error on the organization's part.

When users accessed a patient handbook about HIV medication on the BHNHST website, the site appears to have shared information with Facebook as a result. According to the report, this data included the name of the drug, the trust's name, the user's IP address, and the details of their Instagram account.

In its privacy policy, the trust has made it explicitly clear that any consumer health information collected by it will not be used for marketing purposes without the consumer's explicit consent. 

Alder Hey Children's Trust in Liverpool also shared information with Facebook each time a user accessed a webpage related to a sexual development issue, a crisis mental health service, or an eating disorder.

Professor David Leslie, director of ethics at the Alan Turing Institute, warned that the transfer of patient information to third parties by the National Health Service would erode the "delicate relationship of trust" between the NHS and its patients. "When accessing an NHS website, we have a reasonable expectation that our personal information will not be extracted and shared with third-party advertising companies or companies that might use it to target ads or link our personal information to health conditions."

According to Wolfie Christl, a data privacy expert who has been researching the ad tech industry to find out what is happening, "This should have been stopped long ago by regulators, rather than what is happening now. This is unacceptable in any way, and it must stop immediately as it is irresponsible and negligent." 

The 20 NHS trusts in England found to be using the tracking tool together cover a population of 22 million, reaching from Devon to the Pennines. Several had used it for many years before it was discontinued.

Moreover, Meta is facing litigation over allegations that it intentionally received sensitive health information, including information taken from health portals, and did not take any steps to prevent it. Several plaintiffs have filed lawsuits against Meta, alleging it violated their medical privacy by intercepting and selling their individually identifiable health information from its partner websites.

Meta stated that the trusts had been contacted to remind them of the privacy policies in place, essentially to prohibit the sharing of health information between the organization and Meta. 

"Our corporate communication department educates advertisers on the proper use of business tools to avoid this kind of situation," the spokesperson added. The company added that it was the website owner's responsibility to make sure that the website complied with all applicable data protection laws and that consent was obtained before sending any personal information.

Questions have been raised about the effectiveness of Meta's filters for weeding out potentially sensitive data, and about which types of information from hospital websites the company would actually block. Meta also declined to explain why NHS trusts were able to send the data in the first place.

According to the company, advertisers can use its business software tools to grow their business, including through health-based advertising. Several guides on its website explain how it displays ads that "might be of interest" to users by leveraging data collected by its business tools: a user who browses travel websites, for instance, might then see ads for hotel deals.

Meta was accused of not complying with part of GDPR (General Data Protection Regulation), in the sense that it moved Facebook users' data from one country to another without permission, according to the DPC. 

Meta Ireland received a record fine from the European Commission, together with an order to suspend any future transfers of personal data to the US within five months. Meta described the fine as unjustified.

NHS 111 Cyberattack may Harm Patients' Privacy

On Thursday, the software firm Advanced, which supplies patient data systems to numerous trusts and the majority of NHS 111 providers in England, suffered a cyberattack. Several NHS systems, notably Carenotes, which is used to store patient records, experienced an outage that affected mental health and community services across the nation.

Carenotes has not yet been restored 22 days after the outage. On August 17, a hospital in Birmingham informed its staff that restoration might take an additional five weeks. Experts said that once Carenotes is back up, catching up will likely take two weeks for every day of outage under current predictions, meaning full recovery might take longer than a year.

After Carenotes went down, concerns were raised about patient safety because mental health and community trust workers could not access patient records. According to experts, there have already been instances where staff members were unable to access records, resulting in patients not receiving the proper dosage of their medications.

Staff are also at risk: when they go out on visits, they cannot tell who might be dangerous. It was also reported that reports for the courts under the Mental Health Act cannot be produced. Last Monday, staff at Birmingham Children's Hospital, which manages children's mental health services, were informed that the problem might not be solved for another five weeks.

Hackers are requesting money in exchange for not disclosing private information, leaving the NHS without access to essential services in the interim. The hackers stole GP notes and patient data.

As part of its winter preparations, the NHS recently stated it would increase the number of call handlers for NHS 111. "Politicians and NHS England need to recognize that mental health trusts are working with complicated and high-risk patients, who have a higher risk of mortality," one physician in the east of England said.

The Advanced Carenotes EPR program, which contains mental health records, was also hacked by criminals. Staff members are currently in a very desperate situation, according to the affected mental health trusts, since they are still unable to access crucial patient details.

40M+ People had Health Information Leaked in 2021


This year, data breaches compromised the personal health data of almost 40 million people in the United States, a substantial increase from 2020 and a continuation of the trend toward ever more health data hacks and leaks.

Any health data breach affecting 500 or more persons must be reported to the Office for Civil Rights at the Department of Health and Human Services, which makes the breaches public. According to the office's database, 578 breaches have been reported so far this year. Although this is fewer than the 599 breaches disclosed in 2020, last year's breaches only affected approximately 26 million people.

According to a survey from the security firm Bitglass, hacking or other IT incidents have been the primary cause of exposed health records since 2015. Before then, the majority of data breaches were caused by lost or stolen devices.

The transition coincided with federal rules in the United States requiring healthcare companies to adopt electronic medical records, as well as a broader shift toward digital tools in healthcare, such as internet-connected monitoring devices. On the black market, medical records are valuable because they contain information that is harder to change than a credit card number and can be used to file false medical claims or acquire medications.

Patients may be harmed in several ways as a result of these breaches: their personal information may be revealed, and they may be forced to cope with the financial consequences of having their medical identity stolen. 

Hacking and attacks on healthcare institutions that shut down hospital computer systems can make it more difficult for hospitals to provide high-quality care, which can be hazardous to patients. According to research, more people die in hospitals following data breaches, even when the incident does not result in a computer system shutdown.

Although the risk of cyberattacks is increasing, many healthcare companies have not prioritised cybersecurity investment. A cyberattack on the Florida Healthy Kids Corporation health plan, for instance, resulted in the exposure of 3.5 million people's personal data in 2021. 

According to Health News Florida, an investigation conducted following the hack revealed that the plan's website had "significant vulnerabilities." However, experts suggest that the increase in attacks in 2020 and 2021, notably in ransomware attacks, is driving companies to take the threat more seriously.