- adequately implement policies and procedures for authorizing access to the on-line application database
- perform an appropriate technical evaluation in response to a software upgrade to its information systems
- have technical safeguards in place to verify the person or entity seeking access to electronic protected health information maintained in its application database.
Friday, July 12, 2013
Another (relatively) trivial breach that illustrates some common perceptions. The fact that the files were found in Vietnam is of little concern. Sure the “owners” of the files had bad security if the FBI could locate the data, but with 4.25 million people in Harris County and 7 Billion elsewhere on the globe, the odds were it was taken by someone outside of the county.
Brian Collister reports that the personal information of approximately 16,000 former and current Harris County employees was found in two electronic files in Vietnam. The information included names, Social Security numbers, and dates of birth. One of the files was from 2005 and another was from 2007, both before the county changed its system to minimize use of SSN.
The county learned of the breach when the FBI notified them of the discovery.
Not surprisingly at this point, the county does not know how the breach occurred, but has sent a letter to those affected.
Oh the horror, the horror! A $60+ Billion company fined a mere $1.7 Million (0.028% of revenue) is like me being fined $20. Hardly rises to the level of “Irritating.” Perhaps if the law (or the Board of Directors) required the fine to be paid from executive bonuses we might get their attention?
The managed care company WellPoint Inc. has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
This case sends an important message to HIPAA-covered entities [“See what you can get away with!” Bob] to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.
… OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule.
The investigation indicated WellPoint did not:
As a result, beginning on Oct. 23, 2009, until Mar. 7, 2010, the investigation indicated that WellPoint impermissibly disclosed the ePHI of 612,402 individuals by allowing access to the ePHI of such individuals maintained in the application database.
Imagine what the penalty would have been if HHS had also taken WellPoint’s previous and long-running exposure breach into account? That situation, which was reported on PogoWasRight.org in 2008, was extremely similar, if not actually identical, to this one.
Now what? It's illegal in France, but apparently not important enough to have the police do this. Lawsuits? A sudden increase in fatal “accidents?”
The Local reports:
Twitter has handed over data to French authorities to help identify [The person owning the account is not necessarily the author of the Tweets. Bob] the authors of anti-Semitic tweets following a complaint from a Jewish students’ group, AFP reported on Friday.
Twitter said in a statement that it had given information to judicial authorities “enabling the identification of some authors” of anti-Semitic tweets.
A French court in January ordered the company to provide the data after the complaint from France’s Union of Jewish Students (UEJF).
Read more on The Local (FR)
What I've been saying, only smarter...
The NSA's Surveillance Is Unconstitutional
Due largely to unauthorized leaks, we now know that the National Security Agency has seized from private companies voluminous data on the phone and Internet usage of all U.S. citizens. We've also learned that the United States Foreign Intelligence Surveillance Court has approved the constitutionality of these seizures in secret proceedings in which only the government appears, and in opinions kept secret even from the private companies from whom the data are seized.
If this weren't disturbing enough, the Consumer Financial Protection Bureau, created by the 2010 Dodd-Frank financial reform, is compiling a massive database of citizens' personal information—including monthly credit-card, mortgage, car and other payments—ostensibly to protect consumers from abuses by financial institutions.
All of this dangerously violates the most fundamental principles of our republican form of government.
… As other legal scholars, most notably Yale law professor Akhil Reed Amar, have pointed out, when the Fourth Amendment was ratified in 1791 as part of the Bill of Rights, government agents were liable for damages in civil tort actions for trespass.
… With the NSA's surveillance program, the Foreign Intelligence Surveillance Court has apparently secretly approved the blanket seizure of data on every American so this "metadata" can later provide the probable cause for a particular search. Such indiscriminate data seizures are the epitome of "unreasonable," akin to the "general warrants" issued by the Crown to authorize searches of Colonial Americans.
… The secrecy of these programs makes it impossible to hold elected officials and appointed bureaucrats accountable.
Been there. Done that. Got the T-shirt.
Bruce Schneier’s blog points us to a recent article by Penica Cortez and David Hay. Here’s the Abstract:
This paper reports an exploratory study of privacy breaches in the U.S. from 2005-2011 to explore potential benefits of data privacy auditing. Privacy auditing is a mechanism to help organisations to be vigilant in protecting information privacy, and to avoid penalties or damage to reputation and losing customer trust. Recently, privacy audits have been imposed on several high-profile organizations, but little is known about the benefits of privacy audits. We examined whether companies with privacy disclosures in their audited financial statements (as a proxy for privacy audits) were more or less likely to incur subsequent privacy breaches, and whether companies incurring breaches were more or less likely to make privacy disclosures. The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a breach of privacy related to credit cards are more likely to disclose privacy risks afterwards. Disclosure after a breach is negatively related to privacy breaches related to hacking, and disclosure before a breach is positively related to breaches concerning insider trading. These results may be related to the risk of privacy breaches. Privacy disclosure in the regulatory risks section of a 10K report is associated with a larger number of records affected by a breach of privacy. We also examined the extent of damages arising from privacy breaches, but there are not enough observations to draw a conclusion.
You can download the full article from SSRN.
An article for my students and my lawyer friends (is the NSA reading your correspondence with your clients?)
… I’d like to offer a few easy ways that you can encrypt your webmail to at least try and maintain some semblance of email privacy in a world filled with snoops and spies.
Not sure if my students will like this, but I find things like “Fantasy SCOTUS” amusing and JD Supra “obvious in retrospect.” Let's hope they like the technology that enables the law firm Robot, Robot & Hwang LLP.
Fastcase 50 for 2013
“2013 was the Year of Reinvention, with innovators gathering at several national conferences pushing the boundaries of the business of law, using software, algorithms, and new pricing models for lawyers as a way to better provide legal services to the middle class. New companies challenged our assumptions about legal research, and established challengers hit their stride as much larger enterprises. Bar associations and law professors sought to change some of the most traditional legal organizations serving law students and lawyers. The Fastcase 50 classes of 2011 and 2012 were an inspiration. This year, you submitted a record number of nominations, and we are pleased to honor the Fastcase 50 Class of 2013.”
For my fellow teachers (and my students)
Share My Screen Pro is a handy cost-effective software solution that lets you share your screen with anyone online via browser. It is aimed at people who work remotely and are located in different geographical locations. Using it you can run meetings and presentations over the Internet from single user presentations up to 300 viewer webinars. It is easy to set up and run and doesn’t require the viewer to download any software. Your viewers can access your screen via Windows PCs and devices running Android and iOS platforms.
Another potentially useful tool (you can't have too many)
Quickly record a video of what you’re doing on your computer, or take a precise screenshot. Free app oCam makes this process easy for Windows users, and is completely free.
I post a lot of free (and I hope useful) tools, but this one really grabbed my attention. If you have an eReader, watch the demo video and be amazed...
Calibre is a free and open source e-book library management application developed by users of e-books for users of e-books.