HIPAA Horror Stories

‘BlueLeaks’ Contained Individual COVID Data

one-minute read

Hackers are starting to target law enforcement agencies who maintain mountains of personal data on individuals in their communities. In June it was announced that sensitive data from more than 200 police departments and the FBI was leaked by a group known as Distributed Denial of Secrets, or DDoSecrets. Some believe that law enforcement agencies are becoming a prime target for hackers, given recent civil unrest and protests against policing activity.

DDoSecrets describes itself as a whistleblower group, intent on bringing private information into the open for the public to see, similar to WikiLeaks. Whether one agrees with the core mission or not, is the collateral damage to individuals whose private data is published worth the cause? Privacy laws in the U.S., at the state and federal level are designed to protect individuals’ right to privacy, but cyberthieves can sweep away the protection with a few keystrokes.

The hackers succeeded by attacking a web development company, Netsential, a third party vendor to many law enforcement customers. Netsential failed to protect the data it held, and its customers failed to require better security measures. A similar scenario happens in healthcare all too often.

Medical Information Revealed

In a continuation of the BlueLeaks saga, last week a South Dakota law enforcement agency announced that sensitive data containing individuals’ COVID-19 status was leaked. The data also contained names, addresses, and birth dates. Although the agency is not covered by HIPAA – it’s not a covered entity – the parallels to healthcare are clear.

Third-Party Vendors are a Weak Link

Healthcare covered entities commonly use third-party vendors (business associates) to support their organizations. Both are required to comply with HIPAA.

When a covered entity performs its HIPAA Risk Analysis, it needs to do “due diligence” concerning its business associates. This means taking an inventory of all its business associates, and asking questions like “do you comply with HIPAA?” and “when did you last perform a HIPAA Risk Analysis”. The questions and answers must be documented, and there should be a HIPAA compliant business associate agreement in place.

Cybertheft on the Rise During COVID-19

The BlueLeaks event described here, while not covered by HIPAA, is a stark warning for covered entities and business associates in healthcare. Dealing with urgent COVID-19 problems can seem more important than maintaining cybersecurity hygiene. Criminals know this. They identify organizations stressed by COVID-19 and target them with automated probes and socially engineered phishing attacks. If you’ve let your guard down you’re in trouble, and patient data is at risk. Don’t let it happen to you, and if you need help, we have answers at The HIPAA E-Tool®.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free