Isn't keeping quiet about the breach offset by all the reporting on the lawsuit?
By Dissent, July 1, 2011
Okay, here’s a breach I never saw reported anywhere in my usual sources, until I read about it in a lawsuit. Via Courthouse News’ Joe Harris:
A hospital and cancer center allowed a laptop computer stuffed with unencrypted, confidential information on its patients to be stolen, and did not notify patients of the data theft for 8 weeks, patients say in a class action.
Named plaintiff Rita Barricks claims the laptop was stolen during the weekend of Dec. 4, 2010 from Barnes-Jewish Hospital dba The Siteman Cancer Center, a joint venture between Washington University and Barnes-Jewish Hospital.
Barricks says the computer contained patients’ names, addresses, phone numbers, birth dates, Social Security numbers, medical records, diagnoses, lab results, email addresses, insurance information and employment information.
“WashU and BJC have a policy of encrypting the sensitive information of plaintiffs,” according to the complaint City Court. “However, the stolen laptop was unencrypted and contained unencrypted sensitive information.”
Barricks claims the defendants immediately knew about the theft, but waited 8 weeks – until Jan. 28 – to inform patients.
During that time, Barricks says, her identity was stolen.
Read more on Courthouse News.
Interesting legal approach as she reportedly experienced harm because the defendants not only did not encrypt sensitive data but seemingly did not take timely steps to mitigate the risk of harm to her by notifying her promptly. Will HITECH giving entities up to 60 days to report a breach be used to defend the hospital’s delay in notifying patients?
The complaint makes for interesting reading and I wonder what the court will do with this one.
When I see the words “potential breach” in a press release I have to wonder if that means the organization is “unable to determine what happened.” In this case, we also have an outsider telling them they had been compromised and “no evidence” (translation: no clue) what data was stolen, and you have to ask, “Do they have ANY security?”
JetBlue informed of malware on their system; Crewmembers notified months later?
July 1, 2011 by admin
A correspondent indicates that JetBlue has reportedly notified employees of a “potential” breach of their confidential information. In a written notification sent via mail, dated June 24, 2011, JetBlue states:
“A federal law enforcement agency recently informed JetBlue that malicious software may have been installed on our computer systems. Upon notification, we immediately launched an investigation and, upon finding the malicious software, removed it.”
“Our investigation has revealed that the malicious software was designed to allow an attacker to remotely search and collect information stored on our computer systems. On April 1, 2011, we learned that the affected systems included computer files containing confidential business information as well as personal information including the names, social security numbers and retirement fund account balances of Crewmembers employed by JetBlue since 2005.
“We would like to emphasize that, to date, we have no evidence that your personal information was actually obtained or has been misused.”
JetBlue is reportedly offering affected employees 12 months of services through Debix.
If anyone has a copy of the notification that they can scan in and email to me at admin[at]databreaches.net, that would be great.
As more devices become “Smart” we have more tools for surveilling/incriminating ourselves.
StolenCameraFinder: Get Help In Finding Your Lost & Stolen Digital Cameras
Modern digital cameras store their serial number in the metadata of pictures they take. If somebody who has stolen your digital camera shoots photos with it and uploads them to the web, you can use the serial number to track down the camera. An easy way you can do this is through Stolen Camera Finder.
Stolen Camera Finder is a free web service that searches for photos that have your stolen digital camera’s serial number stored in their metadata. If you know the camera’s serial number you can manually enter it into the site; otherwise you can drag a photo shot from the camera earlier into the site’s interface – the site then reads the serial number from the picture’s metadata. With the serial number obtained, the site crawls the web to look for any photos with your camera’s serial number in its metadata and then displays the links to you.
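To see what a photo would disclose before you publish it, the following added example (not code from Stolen Camera Finder or the quoted article) reads the serial number from a JPEG's Exif block. It assumes the serial is in the standard Exif 2.3 BodySerialNumber tag (0xA431); many cameras instead store it in vendor-specific MakerNote fields, which this sketch does not parse. `SAMPLE` is a constructed test file.

```python
import struct

EXIF_IFD_POINTER = 0x8769  # IFD0 tag: offset of the Exif sub-IFD
BODY_SERIAL = 0xA431       # Exif 2.3 BodySerialNumber (ASCII)

def find_exif_tiff(jpeg):
    """Return the TIFF block from the APP1 'Exif' segment, or b'' if absent."""
    if jpeg[:2] != b"\xff\xd8":
        return b""
    pos = 2
    # Walk marker segments until image data (SOS, 0xDA) or the end of input.
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (seglen,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seglen
    return b""

def read_ifd(tiff, offset, bo):
    """Map tag -> (type, count, raw 4-byte value field) for one IFD."""
    (n,) = struct.unpack(bo + "H", tiff[offset:offset + 2])
    entries = {}
    for start in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(bo + "HHI", tiff[start:start + 8])
        entries[tag] = (typ, count, tiff[start + 8:start + 12])
    return entries

def body_serial(jpeg):
    """Return the BodySerialNumber a JPEG exposes, or None if there is none."""
    try:
        tiff = find_exif_tiff(jpeg)
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # TIFF byte order
        u32 = lambda b: struct.unpack(bo + "I", b)[0]
        ptr = read_ifd(tiff, u32(tiff[4:8]), bo)[EXIF_IFD_POINTER]
        typ, count, raw = read_ifd(tiff, u32(ptr[2]), bo)[BODY_SERIAL]
        # Values longer than 4 bytes live at an offset, not in the entry.
        data = raw[:count] if count <= 4 else tiff[u32(raw):][:count]
        return data.rstrip(b"\x00").decode("ascii", "replace") if typ == 2 else None
    except (KeyError, struct.error):  # tag missing, or truncated/malformed data
        return None

# Constructed sample: a JPEG holding only an APP1/Exif segment (no image data).
_S = b"SN-TEST-0001\x00"
_TIFF = (b"II" + struct.pack("<HI", 42, 8)
         + struct.pack("<HHHIII", 1, EXIF_IFD_POINTER, 4, 1, 26, 0)
         + struct.pack("<HHHIII", 1, BODY_SERIAL, 2, len(_S), 44, 0) + _S)
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_TIFF) + 8)
          + b"Exif\x00\x00" + _TIFF + b"\xff\xd9")
```

A `None` result only means the standard tag is absent; a MakerNote serial may still be present, so stripping metadata before upload is the safer default.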
(Related) In case you prefer to be the spyer rather than the spyee. For the Home Network...
Employee Monitor – Spyware Software You Can Actually Make Use Of [Windows]
… For your home network, you may only want to “spy” on a few computers to make sure that your kids aren’t getting themselves into trouble. One of the few, full-featured, free applications available that can do this is called ExtraSpy Employee Monitor.
Perhaps Cloud computing (at least the file storage part) is more valuable than I thought!
Elsewhere in the same Terms of Service, which are a few notches above the norm in both brevity and readability, Dropbox says both "Dropbox respects others’ intellectual property and asks that you do too," and "You retain ownership to your stuff."
...and how do you know the filter is for “Child Porn” and not to block “We don't like the government?”
"After four long years of debate about whether Australia will receive a mandatory Internet filter, finally some action has been taken. Yesterday the country's largest ISP, Telstra, started filtering all customers' connections for child pornography. The filter is DNS-based, meaning it's easy to circumvent, but you can't opt out of it — if you sign up to a plan with Telstra, your connection will be filtered for certain web addresses whether you like it or not."
A cautionary tale for my Lawyer friends... And this was to determine if the lawyer should be sanctioned!
"Wired Magazine reports that Righthaven attorney Shawn Mangano's excuse for being a day late with his explanation as to why the litigation factory made 'dishonest statements to the court' was that his web browser upgraded and he could no longer attach PDF files to his submissions. Yeah, right ..."
For my Risk Management students
July 01, 2011
BIS - Operational Risk - Supervisory Guidelines for the Advanced Measurement Approaches - final document
"The Basel Committee on Banking Supervision issued two papers on operational risk: Principles for the Sound Management of Operational Risk and Operational Risk - Supervisory Guidelines for the Advanced Measurement Approaches. The regulatory capital adequacy framework envisages that, over time, the operational risk discipline will continue to mature and converge towards a narrower band of effective risk management and measurement practices. The guidance on advanced measurement approaches promotes improvement in this area by setting out supervisory guidelines relating to governance, data and modelling. A consultative version of this report was issued for public consultation in December 2010."
For my Statistics students
July 01, 2011
Census Bureau Releases Data on Alaska, Colorado, Connecticut, Nebraska and North Carolina
News release: "The U.S. Census Bureau today released new, detailed demographic information from the 2010 Census for Alaska, Colorado, Connecticut, Nebraska and North Carolina. These Summary File 1 tables provide the most detailed counts available so far from the 2010 Census, including cross-tabulations of age, sex, households, families, relationship to householder, housing units, detailed race and Hispanic or Latino origin groups, and group quarters. The statistics are available for a variety of geographic areas, with most tables available down to the block or census tract level."
"Researchers at Northwestern University and the University of Michigan have developed a technique which aims to extend the reach of mobile phone location tracking. Their free iPhone app, Batphone, extracts a location 'fingerprint' from a short recording of ambient sound. This software-only approach allows the device to determine its location with high accuracy using its built-in microphone. Unlike prior indoor tracking techniques, Batphone does not rely on the presence of Wi-Fi access points to serve as landmarks, although these can be used to assist the system when available. They also posted a web game which allows you to test your own ability to recognize rooms by listening. Technical details are in a paper which was presented at the MobiSys conference on Thursday. This is from the same people who brought you laptop sonar."
Because you can never have enough free stuff.