Saturday, April 12, 2008

An insider commits an (almost) undetectable theft of data. I wonder if this was one of the rare HIPAA audits?

http://www.phiprivacy.net/?p=239

Apr-11-2008

Thousands of ID thefts at NYC hospital

From ABC Eyewitness News:

The personal information of thousands of patients at New York-Presbyterian/Weill Cornell Medical Center may have been compromised.

A Federal investigation and a NewYork-Presbyterian Hospital internal audit have uncovered the possible theft of personal identity information, including names, phone numbers, and in some cases social security numbers, of approximately 40,000 hospital patients.

Authorities do not believe [Translation: Hope & pray Bob] that any health-related information was included.

Full story - ABC


More

http://www.phiprivacy.net/?p=241

Apr-11-2008

Patients’ Data Stolen, Hospital Says

The New York Times provides some additional details on the breach involving NewYork-Presbyterian Hospital/Weill Cornell Medical Center:

The theft — which occurred over the past several years and included patients’ names, phone numbers and Social Security numbers — was discovered during a federal investigation, and the hospital was notified in January, the spokeswoman, Myrna Manners, said. An internal audit by the hospital confirmed the theft, she said.

The hospital does not believe that any medical information was stolen, Ms. Manners said, adding that there is no evidence that the stolen information has been used.

She declined to identify the employee who the hospital believes stole the data.

“We obviously deeply regret that this has happened,” she said, adding that the hospital, at East 68th Street and York Avenue, was trying to contact all patients involved.

Investigators were looking into the possibility that the theft could be part of a larger criminal scheme, Ms. Manners said.

The United States attorney’s office for the Southern District of New York was investigating the theft, a spokeswoman said, along with the United States Postal Inspection Service and the United States Secret Service. She declined to give details of the investigation.

Comment: if the hospital was notified in January, why are patients first being notified now? Did the federal investigators ask them to delay notification, or did it just take the hospital that long to figure out whom to notify? And how would they know that the stolen information hasn’t been used? Have they run checks on all 40,000 patients to determine if they’ve been the victims of ID theft?



Taking the quiet route.

http://www.pogowasright.org/article.php?story=20080412082626598

Stolen laptop contains Siemens employee data

Saturday, April 12 2008 @ 08:26 AM EDT Contributed by: PrivacyNews News Section: Breaches

Yet another company laptop stolen from an employee's home is causing worry for employees. This time, the laptop stolen from an employee's home on March 26th belonged to Siemens [pdf], and it contained names, birthdates, and SSN of approximately 3,542 employees.

Neither the notification to the NH DOJ nor the notification to employees specifically mentioned whether the data or laptop were encrypted.

The company does not seem to have offered their employees free credit monitoring.



If the company doesn't ask the right questions, don't expect the bloggers to hold back...

http://www.phiprivacy.net/?p=245

Apr-12-2008

UniCare discovers more members affected by web exposure breach than previously identified

On April 2, Sean Doolan of Hinman Straub, lawyers for UniCare, notified the New Hampshire Department of Justice that:

Approximately one year ago, it was discovered that a computer server that contained protected health information (PHI) was not properly secured by a third party vendor for a period of time, which caused the PHI of certain UniCare members to be temporarily accessible via the internet.

The PHI contained member ID numbers (which in some cases included a social security number) and certain pharmacy/medical data that pertained to the member or the member’s dependents enrolled under the member’s health plan. We quickly initiated an assessment and secured the PHI. We implemented additional security measures to ensure that similar incidents do not recur.

We also notified the members who we determined might have been impacted. On December 27, 2007, we discovered that the PHI of additional members might have been accessible via the internet at the time of this incident. [Either their idea of “Quickly” differs from mine or it took them almost a year to find this out? Bob] UniCare is addressing this issue with the vendor. Upon notification of the loss, UniCare immediately initiated an investigation into the matter. UniCare has no indication at this time that any instances of identity theft related to this situation have occurred.

A copy of the notification letter being sent out to those newly identified as having been affected was attached to the letter to the DOJ.

Comment:

Was this incident related to the WellPoint breach described by PogoWasRight.org that had been reported to WellPoint by a customer in February 2007? It may well have been, since some files that said UniCare were exposed via Google indexing and caching back then. But WellPoint spokespeople claimed this week that the exposure (only) affected 1350 people — a statistic that PogoWasRight.org questions.

It seems like there will still be much more to be revealed and explained. And now added to the list is why did it take almost a year before UniCare realized that there were more people affected by the web exposure? Did UniCare bring in an outside security firm to investigate and assess the problem when they first became aware of the exposure, or did they just conduct an internal investigation whereby the same people that may have failed to adequately secure the server and files in the first place would be asked to find all of their own mistakes?



Ah! Something to discuss at the Privacy Foundation's next seminar... I think it makes sense as part of the strategy to achieve a quick and favorable resolution. Also, I think it likely this will become a standard tool in the civil litigation world. Perhaps hosting these blogs is a business opportunity?

http://www.law.com/jsp/article.jsp?id=1207904890877

Battle Erupts Over Duke University Lacrosse Players' Web Site

Vesna Jaksic The National Law Journal April 11, 2008

The latest twist in the Duke University lacrosse case concerns the players' media strategy, with Duke officials trying to shut down a Web site about the case.

Lawyers for Duke University, the city of Durham and the Duke University Health System have objected in federal court to the Web site run by the players' legal and communications team, http://www.dukelawsuit.com/. The Web site is regularly updated with information about the case and includes briefs from both sides.

The lawyers have said the Web site, as well as a press conference and media alerts sent by the players' legal team, violate rules of the North Carolina Professional Conduct and have a likelihood of prejudicing proceedings. In court papers, the lawyers said the Web site "is aimed at attacking the character, credibility, and reputation of the Duke Defendants."

Lawyers for the 38 Duke lacrosse players from the 2006 season have filed an opposing brief, saying the rule does not apply to civil cases and that most of the information on the Web site and revealed at the press conference is available through public records. They said the city officials' attempt to silence the players "gives a new meaning to the concept of gall," and said city officials fueled negative publicity about the players when the case surfaced in 2006.



Business Opportunity! Sell Police Detectors to British Crooks!

http://www.pogowasright.org/article.php?story=20080411102949480

UK: Metropolitan Police to be fitted with tracking devices

Friday, April 11 2008 @ 10:29 AM EDT Contributed by: PrivacyNews News Section: Workplace Privacy

London's 31,000 police officers are set to be fitted with a tracking device to monitor their movements while on duty under a scheme by the Metropolitan Police.

Technology services firm Telent will provide the police service's officers with an Automated Personal Location System (APLS), which would use police radios to accurately pin-point the location of officers on duty.

Source - PersonnelToday.com



The blog is a bit of a rant (this is the only post) but you get the idea... It would seem smarter to make the public announcement yourself, rather than let the victims control the information.

http://www.pogowasright.org/article.php?story=20080411111239878

Helio security breach results in access to customers' personal information

Friday, April 11 2008 @ 11:12 AM EDT Contributed by: PrivacyNews News Section: Breaches

Helio has sent a notification letter to some customers that a security breach may have resulted in the acquisition of their personal information such as names, addresses, telephone numbers, dates of birth and last four digits of their Social Security numbers. A copy of the notification letter was uploaded to the Specific Randomness blog by one of their customers.

A spokesperson for the Los Angeles-based provider of mobile devices and services, Rick Heineman, tells PogoWasRight.org that the company became aware of the problem a very short time ago, and immediately started working with local and national law enforcement. On April 4, they notified a portion of the customers in their database of the problem that some of their personal information -- but no financial information -- may have been accessed.

Due to the ongoing investigation, the company would not disclose the nature of the breach in terms of whether it was due to hacking or some other type of event. Nor would they indicate how many customers they notified, other than to reiterate that it was not all of their customers [Translation: They missed one... Bob] whose data were at risk.

Helio wants to remind its customers that they will not receive any phone calls from Helio [but you can expect many phishing e-mails. They should specify how they will communicate and how to authenticate that communication! Bob] about the incident, and if anyone calls claiming to be from Helio, customers should not give out any personal information and should report the call to law enforcement.



God help us if this catches on here... (Perhaps a Name-that-blog contest? Hillary's Hilarity?)

http://techdirt.com/articles/20080411/115829825.shtml

Malaysian Politicians Go From Hating Blogs To Requiring Them In Record Time

from the well-how-about-that dept

It would appear that some politicians in Malaysia have gone through quite a transformation when it comes to blogging. Almost exactly one year ago, some Malaysian politicians got into a bit of an argument with some bloggers and started trashing the entire concept of blogging -- leading to some politicians there declaring that all bloggers needed to register themselves with the government if they wanted to keep blogging. That resulted in an uproar, and the politicians backed down on the registration requirement. In fact, they started to check out blogs a little more carefully, and even liked what they saw. By the end of that same month, the government agreed to set up a special government agency to follow blogs and interact with bloggers to respond to any concerns they might have. Fast forward a year and not only do some of the original leading critics of blogging have their own blogs, but the ruling political party is now requiring many of its political candidates to blog. Anyone who wants a "youth post" needs to have a blog. The guy in charge of the party's youth wing explained: "All candidates must have blogs. If not, they are not qualified to be leaders."

So they've gone from hating blogs to requiring them in about a year. To be fair, a lot of this is politically motivated. Apparently the opposition has been getting plenty of attention because its leader has a popular blog. So this is likely a politically motivated response. Also, it seems almost equally as extreme as the original plan to require bloggers to register. Not everyone should blog. Not everyone wants to blog. Requiring a politician to have a blog, even if it's helpful, seems a bit extreme. It certainly won't lead to good content if people are forced to blog, rather than blogging for a good reason.


Related? Perhaps a Dems vs. Repubs breakdancing contest? An 'Idle American' lack-of-talent show?

http://techdirt.com/articles/20080411/024555821.shtml

Congress Makes YouTube Promise To Host Representatives' Videos Sans Ads

from the following-the-rules dept

Apparently Congressman Kevin McCarthy happened to be one of a very small number of folks in Congress who actually bothered to read some of the rules that Congress is supposed to abide by. In doing so, he realized that all those Congressional Representatives putting videos on YouTube are probably breaking the rules, which say that Representatives can't be doing stuff on commercial sites. When he first brought this to the attention of other Reps, they basically told him to ignore it, since everyone else did [Translation: Rules is for Fools Bob] -- but eventually Congress decided to fix [Translation: A benefit recognized only by the politicians involved. Bob] the problem. Of course, they didn't fix it by changing the rules... but by putting out a request for a webhosting site to host their videos in a non-commercial manner. YouTube was the only site to agree to do so, so now your Congresscritters can continue posting to YouTube, and (apparently) you won't see ads on their YouTube pages. I can't decide if I'm happy that Congress decided to actually follow its own rules, or worried about them spending time on something as silly as this.



This might be an interesting research tool.

http://www.pogowasright.org/article.php?story=20080411114811841

Public comments to FTC re Online Behavioral Advertising

Friday, April 11 2008 @ 11:48 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

A linked index of public comments in response to the FTC request for comments concerning online behavioral advertising and self-regulatory principles can be found on the FTC's web site. The submissions include Google's comments [pdf]. Today, Microsoft issued a press release summarizing its submission to the FTC.


Related. “Let's be real careful with legislators and people who are likely to sue – the rest can fend for themselves...”

http://www.pogowasright.org/article.php?story=20080411165845773

Microsoft Proposes Tiered Privacy in Online Advertising

Friday, April 11 2008 @ 04:58 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Microsoft has proposed a tiered approach to protecting the privacy of people targeted by online advertising, saying advertisers should get permission before using sensitive, personally identifiable information to deliver ads.

Source - NY Times



Wasn't there a congressional ruling (law?) to hold off on taxing the Internet? Has that expired? Will China and other countries comply?

http://news.slashdot.org/article.pl?sid=08/04/12/0415223&from=rss

New York to Implement an 'Amazon Tax'

Posted by ScuttleMonkey on Saturday April 12, @01:34AM from the death-and-taxes dept. Government The Almighty Buck The Internet

theodp writes

"NY Governor David Paterson is expected to sign a bill requiring online retailers to collect sales taxes on purchases shipped to the state, even if they have no operations or employees working there. The so-called 'Amazon tax', which applies to Internet retailers who derive sales through affiliate programs, would end what for many New Yorkers had been tax-free shopping and generate an estimated $50M in revenue this fiscal year. Experts predict that other states could follow suit with similar provisions."



For my geek friends (and my hacking students?)

http://digg.com/design/Incredible_Firefox_Keyboard_Shortcuts_You_May_Not_Know_About

Incredible Firefox Keyboard Shortcuts You May Not Know About

[The link is down, so use: http://duggmirror.com/design/Incredible_Firefox_Keyboard_Shortcuts_You_May_Not_Know_About/ ]
