Civil Cyber Fraud

Failure to Report and Hiding an eMail Breach

“Government contractors and other recipients of government funding are accountable for violating cybersecurity requirements and placing government data and security systems at risk. Federal rules and obligations attach to federal funds, even where those funds are first passed through state governments.” **

  • knowingly provide deficient cybersecurity products or services;
  • knowingly misrepresent cybersecurity practices or protocols; or
  • knowingly violate obligations to monitor and report cybersecurity incidents and breaches.

Reference: Cyber Security Article

Imagine the UAC email provider, The Hierarchy, asserting a healthcare provider’s cyber security team is being “a tad extreme” in demanding answers as to whether a breach is being reported to authorities. “In their world, IT security is first then staff have email and they believe UAC should be the same way… they were still concerned because they send UAC info via email.”

In May 2023, the unpaid programmer notified UAC management there were concerns that the CAREWare AIDS database might be stored on a non-HIPAA-compliant server and passwords were being shared. Unauthorized users on the server portal saw the shortcut to the CAREWare database, causing alarm and confusion. Upgrades to CAREWare were being done during business hours. On May 9, 2023, UAC Senior Management knew the healthcare cyber security team was demanding answers. The Hierarchy refused to report the incident and the UAC executives and Latoison pretended they had “no idea” if UAC had reported the breach.

UAC refused to provide the unpaid victim with an industry-standard Business Associate Agreement to memorialize obligations concerning Protected Health Information under the requirements of HIPAA and relevant implementing regulations, including the Privacy Rule, the Security Rule, and the Breach Notification Rule. All parties acted as if they had no idea what a Business Associate Agreement was. Does UAC have a Business Associate Agreement with The Hierarchy?

Philadelphia Alerts Public to Recent Data Breach

The City of Philadelphia issued a notice on October 20, 2023, reporting a recent security breach that could affect the personal data of several individuals. The breach was first detected on May 24, 2023, when suspicious activities were identified within the City’s email system. To investigate the matter, the City engaged third-party cybersecurity experts, who determined that unauthorized access to certain email accounts occurred between May 26 and July 28, 2023. Significantly, on August 22, 2023, the City also discovered these breached email accounts contained protected health information (PHI).
https://www.infosecurity-magazine.com/news/philadelphia-alert-may-data-breach/

The unpaid programmer told UAC C-Suite managers in June 2023 that the breached email accounts possibly contained PHI data. It took a report to DHS on August 22, 2023, for the suspected PHI breach to be confirmed, as the programmer had suspected since May, and for immediate same-day action to follow.

New UAC users are sent their login IDs and passwords in emails to Gmail, Yahoo, Hotmail, and other insecure email accounts. The passwords do not comply with industry standards. Often the emails go to spam. Why are logins and passwords being sent to individuals’ personal email accounts, which may be shared with family members? Why is the industry-standard random password generator application, developed by the unpaid programmer and presented to the UAC auditors, not being used?

“Below is the information for your new company e-mail account, as well as what you will need to access your new account through the web. This information is specific to you, so you should not share this information with anyone.
Also, keep this paper on your person, so as to not leave it out for anyone to see.”

Staffing Company to Pay $2.7 Million for Failing to Provide Adequate Cybersecurity for COVID-19 Tracing Data

On May 1, 2024, the DOJ announced that Insight Global LLC (“Insight”), an international staffing and services company, agreed to pay $2.7 million to settle a whistleblower’s allegations that it failed to establish adequate cybersecurity measures to protect personal health information (PHI) and personally identifiable information (PII), in violation of the FCA.