Saturday, December 05, 2009

Looks like BCBS is finally getting where they should have been weeks ago. Unfortunately, it looks like they got there by being dragged, kicking and screaming. (Repeating that this is “required” allows them to imply that it really isn't necessary.)

http://www.databreaches.net/?p=8740

BCBS of TN issues breach notification for stolen hard drive

December 4, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Of Note, Theft, U.S.

Remember the BlueCross breach in Chattanooga from October. First it was 57 hard drives, then 68, then 3, then 1, depending on which report you read. Now it’s 57 again, it seems. Today, Blue Cross issued a breach notification on its web site, as required by the new HITECH Act:

Required Substitute HITECH Act Notice Regarding BlueCross Hard Drive Theft

Editor’s Note: BlueCross BlueShield of Tennessee has issued this press release as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) and its implementing regulations.

CHATTANOOGA, Tenn. — On Monday, Oct. 5, 2009 at 10 a.m., BlueCross BlueShield of Tennessee, Inc. employees discovered a theft of computer equipment at a network closet located in its former Eastgate Town Center office location in Chattanooga, Tenn. The theft occurred Friday, Oct. 2, 2009 at approximately 6:13 p.m. BlueCross has established that the items taken include 57 hard drives containing data that was encoded but not encrypted.

The hard drives were part of a system that recorded and stored audio and video recordings of coordination of care and eligibility telephone calls from providers and members to BlueCross’ former Eastgate call center located in Chattanooga.

… The back-up data of the stolen hard drives were restored and an exhaustive inventory of all data included on the drives is being conducted [We've been working for two months and still don't know what was on those drives. Bob] by BlueCross and Kroll Inc., a global leader in data security.

[Bob's questions and comments:

I'm not sure what the video recordings are (perhaps them mean screen shots?)

I understand these are recordings from their customer service call center. They are apparently listening to the calls to find out if sensitive data has been disclosed. Bad idea,

It would be much faster to check the computer logs of the call. Each time a client calls, the operator should call up their information on their computer and (at minimum) log the call. Recording which screens had been accessed (change of address, billing data, etc.) would tell them what information was being discussed – and would take only minutes to find!



Open a can of worm, expect an attack by crazed zombie pigeons?

http://www.databreaches.net/?p=8719

NH: AG reviewing WDH patient records breach

December 4, 2009 by admin Filed under Breach Incidents, Healthcare Sector, U.S.

As a follow-up to the coverage of a patient privacy breach involving Wentworth-Douglass Hospital (WDH), Adam D. Krauss of Foster’s Daily Democrat reports that a number of agencies are now piling on.

Concern over Wentworth-Douglass Hospital’s handling of a broad privacy breach into patients’ records has widened with the Attorney General’s Office confirming it is reviewing what happened.

“It is something we’re looking into,” said James Boffetti, who leads the AG’s Consumer Protection & Antitrust Bureau.

Boffetti said he could not divulge specifics, but confirmed the bureau took over the case after a complaint was made to the agency’s Medicaid Fraud Unit.

He also said a relevant state law is RSA 359-C: 20, which requires notification of a security breach, something WDH representatives have acknowledged they did not do after learning of the breach, which lasted from May 2006 to June 2007. An audit wasn’t completed until May.

Read more on Fosters.com.

[From the article:

When WDH was first asked late last month why it did not inform patients or authorities of the breach, Biehl said the hospital didn't have to because patients' personal health information wasn't affected — something disputed by two pathologists at the center of what's been alleged to be a hospital "cover up."

… We were concerned maybe diagnoses had been changed."

Moore said without contacting doctors for every patient it's impossible to be certain that no one was harmed.

The breach took place at the hands of a former hospital, not lab, employee after she had been transferred out of the pathology lab. The audit says she improperly accessed reports 1,847 times, resulting in changes to about half of them. Moore said the breach involved 1,157 patients.



For $20 Billion, I can secure medical records so well, not even the patients can read them.

http://www.informationweek.com/shared/printableArticle.jhtml;jsessionid=X001QDNRX3UINQE1GHPCKHWATMY32JVN?articleID=221601440

Can Electronic Medical Records Be Secured?

While EMRs promise massive opportunities for patient health benefits and reductions in administrative costs, the privacy and security risks are daunting.

By Mitch Wagner, InformationWeek Dec. 5, 2009

… The Obama administration has set an ambitious goal--to get electronic medical records on file for every American by 2014. The administration is offering powerful incentives: $20 billion in stimulus funds as per the American Recovery and Reinvestment Act (ARRA) of 2009, and stiff Medicare penalties for healthcare providers that fail to implement EMRs after 2014.

… Healthcare providers and other health businesses aren't stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to a study released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Furthermore, some 70% of IT managers surveyed said senior management doesn't view privacy and data security as a priority, and 53% say their organizations don't take appropriate steps t protect patient privacy. Less than half judge their existing security measures as "effective or very effective."

Unauthorized use of medical records has created a new kind of crime: medical identity theft, where a criminal poses as another person to obtain medical treatments using another person's insurance. This is a crime with multiple victims: The actual person with insurance coverage, whose medical records are updated with incorrect information, and the insurance company, which is paying for the criminal's medical procedure. Medical identity theft cuts twice, causing both potential medical risk and financial harm to its victims.



Is there any way for them to get this information legally? (Surely we can trust the politicians to keep the data private.)

http://www.pogowasright.org/?p=6004

VA: Nonprofit sues state to avoid revealing source

December 5, 2009 by Dissent Filed under Breaches, Court

Bill Sizemore and Julian Walker report:

The kNOw Campaign, the source of an aborted mass mailing that would have disclosed many Virginians’ personal voting history days before the Nov. 3 election, is defying the State Board of Elections’ demand that it reveal where the data came from. In an escalating battle, the nonprofit group sued the state board Friday on constitutional grounds.

The group had planned a personalized mailing to 350,000 Virginia households in the week before the election detailing the recipients’ voting history in recent elections and that of their neighbors. The mailing would have disclosed only who voted in a given election, not how they voted.

The mailing was halted at the last minute amid indications that the voter information may have been acquired illegally.

Read more in The Virginian-Pilot.

[From the article:

Under state law, such information is restricted to candidates, elected officials and political party chairmen. Those who acquire such lists must sign a statement agreeing not to share the information with anyone else. Violation of the law is a felony.



Even the good ones can get better. Note that they did detect the breach as part of their “routine” security. However, they apparently didn't log activity, so they don' t know what was accessed. The applications from 2000 likely should have been archived when they were no longer “active” and deleted if no longer “required” but that is the Record Retention group's problem, not Security.

http://www.databreaches.net/?p=8733

EIU warns of student data security breach

December 4, 2009 by admin Filed under Breach Incidents, Education Sector, Malware, U.S.

From the Associated Press:

Eastern Illinois University says someone outside the school may have broken into files containing personal information from about 9,000 current and former students and applicants.

The university on Friday said it found a number of viruses on a server used by the university’s admissions office that could have provided outside access. Technology workers believe someone had such access between Nov. 11 and Nov. 16. But they aren’t sure if any of the files were accessed.

Read more on WAND-TV.

The Notice to Students on the university’s web site says:

On Nov. 16, 2009, routine security monitoring uncovered odd activity from a computer on campus. An investigation revealed that this computer had been compromised on Nov. 11, 2009, by malware that could have allowed an external individual to access and control the computer.

It’s good that they picked it up relatively quickly and followed up. What’s not so good is this part:

This incident affected some individuals who applied to Eastern Illinois University electronically between 2000 and 2009. Not everyone who applied electronically during this time was affected.

Why were applications from 2000 still on the computer instead of having been removed from the network after that length of time?



Interesting question. What does a breach victim need to know to protect themselves?

http://www.databreaches.net/?p=8596

Was Lockheed Martin breach notification intentionally vague?

December 4, 2009 by admin Filed under Breach Incidents, Business Sector

If Steve Regan of The Tech Herald thought Alpha Software’s breach notification was bland, I wonder what he thinks of Lockheed Martin’s recent breach notification.

On November 6, Lockheed Martin sent out a breach notification that began:

Dear

As part of Lockheed Martin’s continued vigilance of personal information privacy matters, I am writing to inform you about an incident that resulted in the potential compromise of your personal information.

After containing the incident, which occurred in April 2009, the Corporation took prudent measures to conduct a thorough analysis of the incident and implement solutions to deter future occurrences.

Really. There was no explanation of what the incident involved. Nor did the notification to the New Hampshire Attorney General’s Office contain even a clue as to the nature of the incident or why it took from April 2009 until November 6 to notify them or the individual(s).

Is Lockheed Martin being intentionally vague because of an ongoing investigation, did they accidentally omit a paragraph explaining the incident, or is something else going on? Can a recipient really assess the risk they face without some sense of what happened?



Like shrink wrap licenses?

http://www.pogowasright.org/?p=5988

Terms of (Ab)use: Are Terms of Service Enforceable?

December 5, 2009 by Dissent Filed under Internet

Ed Bayley of EFF writes:

In the first of a series of white papers on Terms of Service (TOS) issues, EFF today released The Clicks That Bind: Ways Users “Agree” to Online Terms of Service. The paper aims to answer a fundamental question: when do these ubiquitous TOS agreements actually become binding contracts? We discuss how courts have reacted to efforts by service providers to enforce TOS, and suggest best practices for service providers to follow in presenting terms to a user and for seeking his or her agreement to them.

The white paper examines both clickwrap agreements—whereby service providers require the user to click an “I Agree” button next to the terms—and browsewrap agreements—whereby service providers try to characterize one’s continued use of the website as constituting “agreement” to a posted set of terms. While neither method automatically creates enforceable contracts, some presentations may still be upheld even if the user never actually reads and understands the terms. The key is whether the service provider allows the user reasonable notice and opportunity to review the terms before using the website or service.

Of course, just because a TOS creates an enforceable agreement, does not mean that every provision of the TOS will be enforced by a court. In our next white paper, we’ll examine which particular provisions are most unfair to consumers, including provisions that have aroused the skepticism of courts and regulators.



I love it when someone shouts “The Emperor has no clothes!” (Or more properly, “Show me the data!”)

http://arstechnica.com/tech-policy/news/2009/12/bandwidth-hogs-dont-even-exist-says-analyst.ars

"Bandwidth hogs" join unicorns in realm of mythical creatures

One analyst has had it with Internet data caps. Bandwidth hogs are a myth, he says, and caps simply penalize heavy users who cause no problems for others. Now, he's throwing down the gauntlet and challenging ISPs to turn over some data for analysis.

By Nate Anderson Last updated December 3, 2009 7:25 PM

… Felten's basic critique concerns bandwidth caps—not because they exist, but because he sees them as disingenuous. Carriers can use them as a way to control bandwidth and wean people away from what the marketing department implicitly promises: all-you-can-surf Internet access for one monthly fee. The caps are sold as cutting off "bandwidth hogs" who use "more than their fair share," but Felten's take is that ISPs really have no idea if these people are causing any sort of actual congestion at all.

… Unfortunately, to the best of our knowledge, the way that telcos identify the Bandwidth Hogs is not by monitoring if they cause unfair traffic congestion for other users. No, they just measure the total data downloaded per user, list the top 5 percent and call them hogs."



A more rational explanation. Perhaps they are telling other countries that “the American people are behind us on this?”

http://www.wired.com/threatlevel/2009/12/feds-fear-acta-scrutiny/

Report: U.S. Fears Public Scrutiny Would Scuttle IP Treaty Talks — Update

By David Kravets December 4, 2009 4:16 pm

… But we now know that the real reason for secrecy, the one suspected all along, was that the United States does not think it could reach an accord with Europe and the nearly dozen other nations if the proposal came under public scrutiny.



Geeky stuff?

http://www.techcrunch.com/2009/12/04/meet-pivot-microsofts-newest-data-visualization-tool/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

An In-Depth Look At Pivot, Microsoft’s Newest Data Visualization Tool

by Leena Rao on December 4, 2009

At Microsoft’s PDC event a few weeks ago, Microsoft Live Labs introduced a new technology, called Pivot, to make sense of interconnectedness between objects on the web. The underlying premise of Pivot is to view relationships between “collections” of individual information on the the web.

… Windows XP is not supported at this time.



When bureaucracies attack! Automation gone bad?

http://www.techcrunch.com/2009/12/04/fda-imac/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Dear FDA, Gimme My iMac

by MG Siegler on December 4, 2009

… As of yesterday, my new Apple iMac was to be delivered at some point this afternoon. But alas, it was not to be. But the reason why is a truly great WTF moment. Apparently, the U.S. Food and Drug Administration has to approve its delivery to me.

… I don’t want to believe that either UPS or the U.S. Government are so stupid as to think that my Apple computer is actually an apple, but I can’t come up with any other explanation



The first 100 each month are free

http://www.killerstartups.com/Web-App-Tools/convert-io-a-new-tool-for-the-conversion-of-documents?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Convert.io - A New Tool For The Conversion Of Documents

http://www.convert.io/

It could be said that Convert.io is a simple document conversion service that was designed with the intention to optimize all the processes involving a large amount of files. This is a simple service that will help users to save time and energy by simplifying these processes with a secure open interface.

No comments: