Wednesday, December 09, 2009

I blogged about this yesterday and noted there were no facts in the article. Some are starting to trickle out.

http://www.databreaches.net/?p=8776

Attorney General Says Health Net Security Breach Concerns Worsen After Report Reveals Breach Was Likely Theft

December 8, 2009 by admin Filed under Healthcare Sector, Of Note, U.S.

The Connecticut Attorney General, Richard Blumenthal, has issued a statement about his intensified concerns about the Health Net breach:

… “An independent investigative report shreds Health Net’s sanitized story — revealing that this severe security breach was most likely a theft, and that two laptops were also stolen from Health Net’s facility at virtually the same time,” Blumenthal said.

… In a second letter to Health Net officials, Blumenthal said there are significant inconsistencies between Health Net’s response to his office and an independent report by Kroll, a security company Health Net hired to assess the loss of the missing disk drive. Blumenthal has asked Health Net for more details and requested a meeting.

… “The most glaring inconsistencies are Health Net’s explanations for its delay in reporting the data breach, its characterization of the likely cause of that data breach, and its assessment of the accessibility level of the data that was contained on the missing disk drive.

“Health Net has emphasized its inability to promptly access data on the disk to identify and notify those whose information was compromised, and offered assurances that the data could not be viewed without special software. These claims contradict Health Net’s own private security firm, which claims the data could be easily accessed through common commercially available software — and indicates another Health Net office in Rancho Cordova may have had a copy of the compromised information on hand to identify.

“Health Net has gone out of its way to dismiss and downplay this serious security breach when it should have been focusing on notifying and protecting people who may be at risk of financial fraud or having health information leaked.”

Blumenthal has requested a meeting with Health Net staff and is seeking additional details, including:

  • Why did Health Net fail to assess the information contained on the missing drive by communicating with its Rancho Cordova office and assessing the information it had successfully copied from the drive onto its EXP server?

  • Why was there an eight-day delay in notifying the Health Net Privacy Officer after the drive was discovered to be missing?

  • Were the IBM and other technical consultants retained under a “business associate” agreement as the term is defined under HIPAA?

  • Was any protected health or financial information contained on the stolen laptops?

  • How many separate Connecticut individuals’ protected health information was on the missing drive?


(Related) This explains why the AGs are taking an interest. The thumbscrews are being tightened.

http://www.phiprivacy.net/?p=1612

Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

By Dissent, December 8, 2009 3:19 pm

In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach.

[...]

Specifically, the HITECH Act states that when an AG “has reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates a [privacy and security provision], the attorney general of the state…may bring a civil action on behalf of such residents of the state in a district court of the United States of appropriate jurisdiction.”

Read the full article from Report on Patient Privacy on AISHealth.com.



More information is always useful

http://www.databreaches.net/?p=8785

Verizon Business Issues 2009 Supplemental Data Breach Report Profiling 15 Most Common Attacks

December 9, 2009 by admin

… To access the Verizon Business 2009 Supplemental Report, click below: www.verizonbusiness.com/go/09SuppDBIR

A complete copy of the 2009 Data Breach Investigations Report is available at: http://www.verizonbusiness.com/resources/security/reports/2009_databreac…



What we have here is a learning moment.

http://www.pogowasright.org/?p=6143

Tiger Woods has forfeited his right to privacy – no


OR

http://www.pogowasright.org/?p=6140

Tiger Woods has forfeited his right to privacy – yes



You can find transcripts and other interesting stuff at the FTC website. Just follow the links.

http://www.pogowasright.org/?p=6131

Ngo: Online targeted advertising discussed at FTC roundtable

December 8, 2009 by Dissent Filed under Businesses, Internet

Melissa Ngo of Privacy Lives blogged about her participation and the issues addressed in yesterday’s first of three FTC Roundtables:

The Federal Trade Commission had the first of three privacy roundtables yesterday, and I spoke on a panel about online targeted behavioral advertising.

… A New York Times article on the roundtable quoted me about a fundamental issue that divides industry and consumer advocates: opt-in or opt-out. Opt-in, the choice of consumer advocates, puts the burden on companies to have strong privacy protections and use limitations so consumers will choose to share their data. Opt-out, the choice of the majority of ad industry players, puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt-out of this data collection, use and sharing.

Read more on Privacy Lives



“We're number two! We're number two!” I wonder why?

http://news.slashdot.org/story/09/12/08/2042253/US-No-Longer-Leading-the-World-In-Spam?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

US No Longer Leading the World In Spam

Posted by kdawson on Tuesday December 08, @05:20PM from the we're-number-two dept.

darthcamaro writes

"America is no longer the spam king. According to Cisco, US-originated spam dropped by over two trillion messages — American-based IP addresses sent about 6.2 trillion spam messages. The new world leader is Brazil at 7.7 trillion messages. [NOTE: These are yearly figures. Bob] 'I'm not completely surprised to see US falling to number two in the spam stats, but I didn't expect it to happen yet,' said Cisco Fellow Patrick Peterson. 'I was really gratified to see the actual spam volume decrease, not just ranking, but we [also] decreased the amount of spam that is pouring out of the United States.'"

The drop in US spam might have had something to do with the temporary shutdown of the McColo spam ISP.


(Related) A very small percentage of a very large number is all it takes to turn a profit.

http://www.theregister.co.uk/2009/12/07/phishing_hit_rate/

One in 200 success rate keeps phishing economy ticking over

Nibbles add up to big haul

By John Leyden Posted in Security, 7th December 2009 18:26 GMT

… Stats culled from Trusteer's anti-phishing browser plug-in, which is offered by banks to their clients as a transaction security add-on, revealed that 0.47 per cent of a bank’s customers fall victim to phishing attacks each year.

… Trusteer's report (PDF) is worth considering because it looks at how many would-be marks respond to phishing emails (ie live attack data). Most surveys only look at how many phishing attacks are launched and what brands are targeted, without considering how successful these attacks actually might be.



This is either really dumb or really smart. (I'm leaning heavily toward dumb.) Some articles are calling this a bailout for Microsoft and others are suggesting that Microsoft will use it as a way to test their software, allowing Germany to identify problems for them.

http://www.h-online.com/security/news/item/Germany-to-set-up-centre-to-coordinate-fight-against-botnets-880077.html

8 December 2009, 16:32

Germany to set up centre to coordinate fight against botnets

… The idea, jointly developed by the Federal Office for Information Security (BSI) and the Association of the German Internet Industry (eco), is based on the premise that internet service providers (ISPs) have long had the technical capability to identify infected computers by analysing network traffic.

… According to the plan, ISPs will contact customers whose PCs are infected with a bot, possibly by post or by telephone. [Why not by email? Too technical? Bob] The plan also contemplates having infected computers automatically connect to a special web page each time they connect to the internet. Before the plans are implemented, however, a decision needs to be made on what sanctions customers who decline to cooperate with their ISP can be subjected to.



Good news for the Class Action lawyers if this works. (Why do we preach BACKUP! if no one listens?)

http://www.databreaches.net/?p=8780

Class Action Lawsuit Alleges Palm Pre/Pixi Users Suffered from Data Loss

December 8, 2009 by admin Filed under Business Sector, Of Note, Other

A Bay Area man filed a class action lawsuit against Palm and Sprint Nextel (NYSE:S) for losing most all the contacts, appointments and other data stored by many of the hundreds of thousands of Sprint users of the popular Palm webOS line of mobile phones, including the Palm Pre and Pixi.

The data loss is reminiscent of the recent data loss suffered by T-Mobile Sidekick users after Microsoft lost the personal data of Sidekick users.

The lawsuit alleges that Palm and Sprint actively marketed the Palm webOS mobile phones as automatically backing up all the data that users would store, such as contacts, appointments, and more and then failed to follow through on these promises.

The suit is brought by Jason Standiford of San Francisco. Standiford alleges he suffered a nearly complete loss of his personal data in November after exchanging his fourth malfunctioning Palm Pre for a fifth new Palm Pre. He further alleges that Palm has since recovered some, though not all of his data, leaving him missing crucial information Palm promised it would safeguard for him.

Read more on Wireless and Mobile News. A copy of the lawsuit can be found here (pdf).



An element of a future business model for games, music, movies, etc.? Didn't Gillette do something like this? NOTE: DLC is “DownLoadable Content”; in other words, new blades for your free razor.

http://games.slashdot.org/story/09/12/09/0631228/Pirates-as-a-Marketplace?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Pirates as a Marketplace

Posted by Soulskill on Wednesday December 09, @06:31AM from the marrrrrrrket-share dept.

John Riccitiello, the CEO of Electronic Arts, made some revealing comments in an interview with Kotaku about how the company's attitudes are shifting with regard to software piracy. Quoting:

"Some of the people buying this DLC are not people who bought the game in a new shrink-wrapped box. That could be seen as a dark cloud, a mass of gamers who play a game without contributing a penny to EA. But around that cloud Riccitiello identified a silver lining: 'There's a sizable pirate market and a sizable second sale market and we want to try to generate revenue in that marketplace,' he said, pointing to DLC as a way to do it. The EA boss would prefer people bought their games, of course. 'I don't think anybody should pirate anything,' he said. 'I believe in the artistry of the people who build [the games industry.] I profoundly believe that. And when you steal from us, you steal from them. Having said that, there's a lot of people who do.' So encourage those pirates to pay for something, he figures. Riccitiello explained that EA's download services aren't perfect at distinguishing between used copies of games and pirated copies. As a result, he suggested, EA sells DLC to both communities of gamers. And that's how a pirate can turn into a paying customer."



Toward a replacement for newspapers? Clearly we will need to wait for more papers to join this project – which has potential. There has to be a way for readers to select stories to cover (not everyone believes the Redskins are the only football team in America). Worth exploring!

http://www.bespacific.com/mt/archives/022977.html

December 07, 2009

Google Launches Joint News-by-Topic Service

New York Times: "Google on Tuesday introduced a new approach to presenting news online by topic, developed with The New York Times and The Washington Post, and said that if the experiment succeeded, it would be made available to all publishers. The announcement of the “living stories” project shows Google collaborating with newspapers at a time when some major publishers have characterized the company as a threat. Google has also taken steps recently to project an image of itself as a friend to the industry."

  • "The Living Stories project is an experiment in presenting news, one designed specifically for the online environment. The project was developed by Google in collaboration with two of the country's leading newspapers, The New York Times and The Washington Post." [Note: See Living Stories FAQ]

  • All in one place: "Complete coverage of an on-going story is gathered together and prioritized on one URL. You can now quickly navigate between news articles, opinion pieces and features without long waits for pages to load."

  • Easy to explore: "Each story has an evolving summary of current developments as well as an interactive timeline of critical events. Stories can be explored by themes, significant participants or multimedia."

  • Smarter reading: "Updates to the story are highlighted each time you come back, and older news is summarized."



Could this be extended to other areas?

http://www.killerstartups.com/Web20/legallynoted-com-for-law-students-everywhere?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

LegallyNoted.com - For Law Students Everywhere

http://www.legallynoted.com/

LegallyNoted is a new online resource that is primarily geared towards law students. We could convey its essence effectively by comparing it to a 24-hour virtual study group where active law students can come together and share information such as class notes, outlines and briefs. They can also interact among themselves and develop successful class strategies in that way.
