Thursday, May 24, 2007

Ignorance is no excuse... Unless you're a manager?

http://minnesota.publicradio.org/collections/special/columns/wavlength/archive/2007/05/private_medical_records_of_col.shtml

Private medical records of Colorado residents exposed on Internet

Posted at 10:03 PM on May 22, 2007 by Jon Gordon

On Friday's Future Tense, you'll hear this story:

As medical records are created and transmitted electronically more and more, the chance of private information falling into the wrong hands is growing. Sometimes records are stolen by hackers; other times they are simply improperly secured. Compromised records can lead to a range of problems, from loss of employment to identity theft to plain old embarrassment.

Future Tense has discovered that detailed, personally identifiable medical records of thousands of Colorado residents were viewable on a publicly accessible Internet site for an uncertain period of time through at least last Friday, May 18. The data included patient records from at least 10 Colorado clinics and hospitals, and one hospital in Peoria, Illinois. It’s unclear how many people may have seen the records.

Experts say the case likely runs afoul of federal health information privacy laws, even though there is no evidence that the records were misused.

The unsecured computer, which was accessible through a Web browser, was operated by Beacon Medical Services of Aurora, Colorado, which provides billing, coding and other services to emergency physicians at 17 facilities.

Beacon CEO Dennis Beck says he was shocked to learn about the breach and that the company took immediate steps to correct it.

“We’ve implemented a culture of compliance and data security and it just did not seem consistent with our culture, our practice and our experience,” he said.

The medical records resided on an FTP server. FTP stands for File Transfer Protocol. It’s a means by which users send and receive computer files over the Internet or private networks. In Beacon’s case - and this is typical of the industry - health care providers sent encrypted data to the server for Beacon to access so it could bill patients and insurance companies. The data was unencrypted on Beacon’s end, and the FTP server was not supposed to be accessible to the public. But in this case it was. No username or password was required to view the records.

The data included details of patients’ visits to emergency rooms -- what ailments they complained of, diagnoses and treatments, and medical histories, along with the patients’ names, occupations, addresses, phone numbers, insurance providers, and in some cases, Social Security numbers. Some of the records detailed sensitive cases, from sexually transmitted diseases to severe depression. The site also contained financial information, such as a list of low-income patients who received state aid to help pay their medical bills.

Beacon has employed two firms to help investigate what led to the security hole.

“It appears to us now at this point as if there was some back door that was opened to this server,” said Beck. “We don’t know when, but we believe it may have been done when a consultant did some work for us several years ago.”

The company is trying to determine the exact number of patients affected, but Beck says the number looks to be fewer than 5,000.

Future Tense discovered the Beacon site after a tip from a source who stumbled upon it. We followed up on the tip, staying just long enough to confirm the existence of the records and get an idea what kind of data they contained. We notified several health care providers whose patient data was exposed. Those providers informed Beacon, which promptly shut the server down when it learned of the problem.

Bill Byron is spokesman for Banner Health Corporation, the parent company of McKee Medical Center of Loveland, Colorado, one of the providers whose data was included on the FTP site. Byron said McKee physicians won’t transmit any more records to Beacon until they're satisfied the security problem is fixed.

“We’re trying to understand what our obligations are going to be, in terms of disclosing to patients that this has occurred, so that’s still in process, to determine what we have to do,” he said.

The Colorado medical records incident appears to be a serious violation of federal law governing medical record privacy, according to Janlori Goldman, director of the Health Privacy Project at Georgetown University.

“Large-scale breaches like this are not uncommon,” she said. “They may not happen every day but they happen enough that you have to wonder, why aren’t people taking greater care with this information?”

About a year ago, for example, a data security breach exposed medical information and Social Security numbers of some 26 million veterans after data was stolen from the home of an employee of the Department of Veterans Affairs.

Tomorrow on Future Tense, we’ll explore the potential harm of compromised medical records, and look at the federal law designed to protect patients. One critic of current law says patients have very little recourse when their most sensitive medical records become public.

Here is a list of physician groups, clinics and hospitals which had data of various kinds on the exposed site:

-McKee Medical Center of Loveland, CO
-Big Thompson Emergency Physicians of Longmont, CO
-Presbyterian St. Luke’s Hospital of Denver
-North Suburban Medical Center of Thornton, CO
-Carepoint Emergency Physicians of the greater Denver area
-Long’s Peak Emergency Physicians
-Longmont United Hospital
-Boulder Community Hospital
-Emergency Medical Specialists PLC
-Memorial Hospital of Colorado Springs
-Proctor Hospital of Peoria, IL



HP is wrapping up their “Pretexting” issues

http://news.com.com/HP+settles+with+SEC+over+disclosure/2100-1014_3-6186115.html?part=rss&tag=2547-1_3-0-5&subj=news

HP settles with SEC over disclosure

By Greg Sandoval. Story last modified Wed May 23 16:23:21 PDT 2007

Hewlett-Packard and U.S. regulators have settled allegations concerning an investigation that HP launched last year to uncover a boardroom leak.

HP "failed to disclose the reasons" that a board member had resigned, according to a statement released by the Securities and Exchange Commission. The board member, Thomas Perkins, gave up his director's position due to his objections over the company's investigation into leaks to the press. Federal law requires public companies to fully disclose the reasons why a director leaves.

"HP acted in what it believed to be a proper manner," said Michael Holston, HP's executive vice president and general counsel. "However, we understand and accept the SEC's views and are pleased to put this investigation behind us."

As part of the settlement with regulators, HP agreed to a cease-and-desist order but neither admitted nor denied any wrongdoing as part of the administrative proceeding, the SEC said.



No need for courts! We have you on video.

http://www.manchestereveningnews.co.uk/news/s/1007/1007600_super_wardens_go_on_patrol.html

'Super wardens' go on patrol

Alan Salter, 23/5/2007

PRIVATELY-employed 'super wardens' are to go on patrol in Greater Manchester wearing head-mounted video cameras.

The 20 parking attendants, who work for NCP Services, will be the first in the country to be issued with the equipment.

Their main role is to issue parking tickets but under legislation brought in last year they will also have powers to give on-the-spot fines for anti-social behaviour.

Salford council has asked the wardens to issue penalties up to £80 for offences which include littering, flyposting and allowing dogs to foul the pavement. [Not everything should be videotaped... Bob] NCP will use the film as evidence to back up their wardens if any fine is challenged and also in the event of any attack or abuse.

In some cases the footage could be handed to police and used in court.

... "Our attendants do a very good job but they are not police officers and they have very specific powers. It makes the job more interesting."



Yes, it's English...

http://www.vnunet.com/vnunet/news/2190538/philfing-scourge-net

'Philfing' the new scourge of the net

Underhanded websites adding hidden charges on online sales

Ian Williams, vnunet.com 23 May 2007

A recent survey of more than 2,400 web users has found that Britain is becoming a nation of angry online shoppers.

The report, commissioned by MoreComputers.com, found that 93 per cent of UK users are annoyed by 'sneaky' website charges.

Hidden delivery charges provoke the most anger, with 64 per cent saying they would not buy from sites engaging in the practice.

The growing practice of so-called 'philfing' describes online stores holding back the real cost of 'extras' until the last minute.

... The research reveals that 'free delivery' tariffs that only apply with an extra purchase or spending over a certain amount frustrate consumers immensely, as do hidden surcharges for paying by credit card.

Online shopping comparison sites are now finding it increasingly difficult to maintain a level playing field when listing prices, according to the research.

... Other irritating online shopping practices listed on Philfing.info include:

* Poor stock information

* The lack of contact telephone numbers and the use of 0870 telephone numbers

* Sites that make no mention of a delivery fee until you get to the shopping basket

* Sites that say delivery is free then charge for 'packaging and handling'

* Sites that do not make any mention of a credit card surcharge then take an extra two per cent at the submit order stage

* Budget airlines that charge extra for checking in luggage

* Train ticket sites that charge extra for ticket insurance

* No indication whether prices include VAT

* Free delivery that turns out to be free only when you buy more than one item

* Credit card handling charges that state £2 then turn out to be £2 per person, per flight



Is this a taste of things to come?

http://www.twincities.com/business/ci_5962051

Plastic privacy

This week, Minnesota became the first state to hold merchants more accountable for sensitive customer information, allowing card-issuing financial institutions to recoup losses from retailers that break the rules.

By Nicole Garrison-Sprenger, Pioneer Press (TwinCities.com). Article last updated: 05/22/2007 09:14:17 PM CDT

When thieves hacked into the wireless network at a Marshall's store somewhere in the east metro and downloaded some 46 million credit and debit card numbers in 2005, thousands of Minnesotans were among those affected.

But it wasn't Marshall's parent company, TJX Cos. of Massachusetts, that notified individual customers of the breach. The banks and credit unions that issued the cards were forced to be the bearers of the bad news.

On Monday, Gov. Tim Pawlenty signed a law making Minnesota the first state to hold merchants more accountable for sensitive customer information and enable credit unions and banks to recoup losses from retailers that violate the accountability standards.

Beginning in August, the Plastic Card Security Act - touted by its backers as a consumer-protection measure - prohibits merchants from storing PIN, security code and magnetic stripe data from credit and debit cards for more than 48 hours after the transaction is authorized.

In August of 2008, penalties to merchants kick in. Retailers that violate the 48-hour rule and subsequently suffer a security breach must reimburse financial institutions for the costs of notifying customers and reissuing cards.

Several other states are considering legislation to make merchants liable for security breaches, and Rep. Barney Frank, D-Mass., has said he will introduce a bill in Congress to address the issue.



And the French strike again...

http://www.littler.com/presspublications/index.cfm?event=pubItem&pubItemID=16390&childViewID=401&type=all

French Data Protection Authority Fires Warning Shot to U.S. Multinationals: U.S.-Based Employer Fined for Improper Transfers of Employee Data to the U.S.

May 2007. By: Philip L. Gordon and Timothy A. Rybacki

In what may foreshadow a new era of more aggressive enforcement, France's data protection authority - La Commission Nationale de L'informatique et des Libertés (CNIL) - recently fined Tyco Healthcare France (THF), the local subsidiary of a U.S. multinational organization, €30,000 (approximately $41,000) for, among other things, improperly transferring employee information to Tyco's U.S. headquarters. The fine appears to be the first imposed on a U.S.-based company accused of unlawful cross-border transfers of human resources data. The French government's enforcement action coincides with recent public declarations by other European data protection authorities, calling for more aggressive enforcement of the European Union's strict data protection regime.



Planning is everything...

http://www.bespacific.com/mt/archives/014889.html

May 23, 2007

International Biodefense Handbook 2007

International Biodefense Handbook 2007, by Sergio Bonin, published by the Center for Security Studies, ETH Zurich, May 1, 2007.

  • "The handbook compares different political, strategic, and structural approaches to biosecurity in seven countries and five international and supra-national organizations. It provides an overview of national and multilateral biodefense efforts by examining important policies in this field and through an inventory of the institutions and actors involved. It is an important step towards a comprehensive overview of existing efforts in biodefense."



Another fun legal battle to watch!

http://www.pogowasright.org/article.php?story=20070523131538172

The Battle of Athens, Ohio, Begins; Ohio Law Firm Takes Up Cause of Students Against the RIAA

Wednesday, May 23 2007 @ 01:15 PM CDT - Contributed by: PrivacyNews - Minors & Students

There have been numerous press reports that Ohio University, in Athens, Ohio, has been targeted by the RIAA. Now the battle is joined. The RIAA has filed its usual ex parte John Doe lawsuits. But this time it has encountered an adversary.

Joseph A. Hazelbaker and Jonathan Sowash of Sowash, Carson & Ferrier, an Athens, Ohio, law firm, have taken up the cause of Ohio University students, and have served notice on the University that they expect the University to protect its students' rights, and will hold the University accountable if it does not.

Source - Recording Industry vs The People (blog)



Merry Olde England!

http://www.thisisthenortheast.co.uk/display.var.1390163.0.two_million_historic_court_papers_to_go_online.php

Two million historic court papers to go online

By Nicola Fenwick

PREVIOUSLY inaccessible court records dating back to the Middle Ages will be compiled into an online database after a university was granted nearly $750,000 US.

The records include marriage, slander and defamation cases that came before the church courts and contain a wealth of information valuable to social, economic and legal historians.

The documents constitute one of the most extensive collections of ecclesiastical papers in Europe and take up 540 metres of shelf space.

They include two million case papers containing information on more than 13,000 cases dating from 1300 to 1858.

... Work begins this month and will take more than three years to complete.



One will probably work for you!

http://zenhabits.net/2007/05/6-great-free-alternatives-to-quicken-ms-money/

6 Great Free Alternatives to Quicken & MS Money

Recently I got some amazing responses from all of you in Ask the Readers: What are your financial tools? and I wanted to share some of the best tools I’ve found from that thread. And the thing I like most about them: unlike Quicken and Microsoft Money, they’re free!



Perhaps we could duplicate the “Disney clips explain Copyright” in other areas? Darth Vader explains Ethics? R2D2 on Identity Theft?

http://online.wsj.com/article/SB117997273760812981.html

Make-It-Yourself 'Star Wars'

Lucasfilm Will Post Clips From Film Saga on the Web, Inviting Fans to Edit at Will

By SARAH MCBRIDE

George Lucas, creator of "Star Wars," has never hesitated to protect his intellectual property, which is why some call him "Lucas the Litigator." But this week, his Lucasfilm plans to make clips of "Star Wars" available to fans on the Internet to mash up -- meaning to remix however they want -- at will.

The clips -- about 250 of them, from all six Star Wars movies -- will land on the Starwars.com Web site tomorrow, part of this week's 30th-anniversary celebrations of the release of his hit movie. Working with an easy-to-use editing program from Eyespot Corp. of San Diego, fans can cut, add to and retool the clips. Then they can post their creations to blogs or social-networking sites like MySpace. More clips will come out from time to time over coming months.
