Thursday, January 14, 2010

Today's theme seems to be examples of the Blanche DuBois theory of Computer Security, “I have always depended on the kindness of strangers.” Did no one on the Board of Directors ever ask about Security? About compliance to the law? About anything?



I suspect that politically ambitious AGs (that's all of them, right?) will find that these cases are like shooting fish in a barrel. Big numbers (of both victims and dollars), protect the citizens of my state, clear evidence of failure on the part of the health care provider, etc.

http://www.databreaches.net/?p=9426

CT Sues Health Net For Massive Security Breach (updated)

January 13, 2010 by admin Filed under Breach Incidents, Healthcare Sector, Of Note, U.S.


Attorney General Richard Blumenthal today sued Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers endangered by the security breach.

Blumenthal is also seeking a court order blocking Health Net from continued violations of HIPAA [That is both repetitious and redundant. Bob] (Health Insurance Portability and Accountability Act) by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH) authorized state attorneys general to enforce HIPAA.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers.

… On or about May 14, 2009, Health Net learned that a portable computer disk drive disappeared from the company’s Shelton office. The disk contained protected health information, social security numbers, and bank account numbers for approximately 446,000 past and present Connecticut enrollees.

Blumenthal alleges that Health Net failed to promptly notify his office or other Connecticut authorities of this missing protected health and other personal and private information.

The missing information included 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records.

Update: see Health Net’s statement here.


(Related) Could you ask for a closer parallel to the case of the “T. J. Hooper?” (I only know the facts in about 6 cases, so you should be impressed when I find a match.)

http://it.slashdot.org/story/10/01/14/0350216/Only-27-of-Organizations-Use-Encryption?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Only 27% of Organizations Use Encryption

Posted by samzenpus on Thursday January 14, @03:31AM from the here's-all-my-data dept.

An anonymous reader writes

st year have more remote users connecting to the corporate network from home or when traveling, compared to 2008. The clear majority (77%) of businesses have up to a quarter of their total workforce consisting of regular remote users. Yet, regardless of the growth in remote users, just 27% of respondents say their companies currently use hard disk encryption to protect sensitive data on corporate endpoints. In addition, only 9% of businesses surveyed use encryption for removable storage devices, such as USB flash drives. A more mobile workforce carrying large amounts of data on portable devices leaves confidential corporate data vulnerable to loss, theft and interception."


Q: What happens when you don't follow “Best Practices?” A: This.

http://www.databreaches.net/?p=9431

FINRA notifies Lincoln National of security vulnerability

January 13, 2010 by admin Filed under Financial Sector, Of Note, Other

A vulnerability in the portfolio information system for broker-dealer subsidiaries of Lincoln National Corporation potentially exposed the records of 1,200,000 people, 18,900 of whom are New Hampshire residents.

By letter dated January 4, attorneys for Lincoln Financial Securities Corporation and Lincoln Financial Advisors notified the New Hampshire Attorney General’s Office that although an outside forensic review found no reason to believe that client data were actually accessed or misused, information such as names, addresses, Social Security numbers, account numbers, account registration, transaction details, account balances, and in some cases, dates of birth and email addresses had been potentially exposed. The affected system is not used to transfer funds or effect trades.

Lincoln first became aware of the problem on August 17, when it was notified by FINRA, the Financial Industry Regulatory Agency, that someone had contacted them with a username/password combination that gave access to the portfolio information system. The user/pass had reportedly been shared among various employees of LFS and employees of affiliated companies, in violation of LNC’s policies. FINRA declined to inform LNC as to whether the provider of the user/pass was a current employee, but when FINRA investigated, they discovered that LFA was also using a shared user/pass.

LNC’s investigation subsequently determined that there were six shared user/password combinations, going back as early as 2002.



Is there a class in the PR curriculum that teaches these people to “low ball” their estimates in the first press releases with the assumption that doubling and tripling the numbers later won't be noticed?

http://www.phiprivacy.net/?p=1829

(follow-up) Stolen Tenn. BlueCross hard drives affect at least 220,000

By Dissent, January 13, 2010 8:00 pm

The Associated Press reports that BCBS in Chattanooga now says that 220,000 members had personal information on the hard drives reported stolen in October, but that the number could go up to 500,000.

In other words, they still don’t know who had what on the stolen hard drives. By today’s standards, it’s taking them too long to sort this out, even if, as they claim, there’s no evidence that the data have been misused (yet). The statement on their site says:

In October 2009, 57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a BlueCross BlueShield of Tennessee call center. The video files were images from computer screens of BlueCross customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.

The files contained BlueCross members’ personal data and protected health information that was encoded but not encrypted, including:

* Members’ names and BlueCross ID numbers

* In some recordings – but not all – diagnostic information, date of birth and/or a Social Security number

BlueCross immediately investigated the theft and continues to work closely with local and federal authorities in their investigation of this crime. In addition, BlueCross hired Kroll, a global leader in security services, to conduct an independent assessment of its system-wide security and has taken several actions to strengthen these protocols.



Reads like a list of proposed topics for the Privacy Foundation. (Hint, hint)

http://www.eff.org/deeplinks/2010/01/trends-2010

12 Trends to Watch in 2010

Deeplink by Tim Jones January 13th, 2010


(Related) Potential speakers

http://www.pogowasright.org/?p=6950

The Year in Privacy Books 2009

January 14, 2010 by Dissent Filed under Other

Daniel Solove has posted a list of six notable books published in 2009 that you might want to know about, here.



What were they worried about? Would their force seem excessive in preventing “suicide by overdose?” Were they ever charged? Was there even a complaint?

http://www.pogowasright.org/?p=6936

Police fight cellphone recordings

January 13, 2010 by Dissent Filed under Court, Featured Headlines, Surveillance, U.S.

Daniel Rowinski reports:

Simon Glik, a lawyer, was walking down Tremont Street in Boston when he saw three police officers struggling to extract a plastic bag from a teenager’s mouth. Thinking their force seemed excessive for a drug arrest, Glik pulled out his cellphone and began recording.

Within minutes, Glik said, he was in handcuffs.

“One of the officers asked me whether my phone had audio recording capabilities,’’ Glik, 33, said recently of the incident, which took place in October 2007. Glik acknowledged that it did, and then, he said, “my phone was seized, and I was arrested.’’

The charge? Illegal electronic surveillance.

[...]

In 1968, Massachusetts became a “two-party’’ consent state, one of 12 currently in the country. Two-party consent means that all parties to a conversation must agree to be recorded on a telephone or other audio device; [video only would be Okay? Bob] otherwise, the recording of conversation is illegal. The law, intended to protect the privacy rights of individuals, appears to have been triggered by a series of high-profile cases involving private detectives who were recording people without their consent.

In arresting people such as Glik and Surmacz, police are saying that they have not consented to being recorded, that their privacy rights have therefore been violated, and that the citizen action was criminal.

“The statute has been misconstrued by Boston police,’’ said June Jensen, the lawyer who represented Glik and succeeded in getting his charges dismissed. The law, she said, does not prohibit public recording of anyone. “You could go to the Boston Common and snap pictures and record if you want; you can do that.’’

Read more in The Boston Globe.



Update on the Sino-Google war. (This may be a much bigger story than I thought.)

http://yro.slashdot.org/story/10/01/14/1321218/China-Emphasizes-Laws-As-Google-Defies-Censorship?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

China Emphasizes Laws As Google Defies Censorship

Posted by CmdrTaco on Thursday January 14, @08:40AM from the going-to-war dept.

Lomegor writes

"Chinese Foreign Ministry spokeswoman Jiang Yu said on Thursday that all companies are welcome to operate in China but that they must do so under local laws. Although not explicitly, this is in some way a response to Google's threat to leave the country. China also stated that they have strict cyber laws and that they forbid any kind of 'hacking attack'; when asked if those laws apply to the government as well it was quickly avoided. 'It is still hard to say whether Google will quit China or not. Nobody knows,' the official in the State Council Information Office was quoted as saying."

I sure would love to be a fly on the wall of these discussions. We certainly live in interesting times.


(Related)

http://it.slashdot.org/story/10/01/13/2150245/Gmail-Moves-To-HTTPS-By-Default?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Gmail Moves To HTTPS By Default

Posted by timothy on Wednesday January 13, @05:34PM from the you-mean-I-gotta-log-in-again? dept.

clone53421 writes

"Although Gmail has long supported HTTPS as an option, Gmail announced their decision yesterday to switch everyone to HTTPS by default: ' We initially left the choice of using it up to you because there's a downside: https can make your mail slower since encrypted data doesn't travel across the web as quickly as unencrypted data. [The protocol is slightly slower as it is encrypting on the fly. You can send an encrypted message via insecure (HTTP) protocols. That is slower only if encryption adds volume. Bob] Over the last few months, we've been researching the security/latency tradeoff and decided that turning https on for everyone was the right thing to do.' I wonder if this has anything to do with the reports of Chinese users having their accounts hacked? 'Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves,' said David Drummond in that blog update. That does sound like it perhaps could be a result of insecure HTTP traffic being intercepted in transit between the users and Gmail's servers."
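The BlueCross statement earlier on this page draws the distinction that matters once a drive goes missing: data that is "encoded but not encrypted" can be read by whoever holds it, while encrypted data is useless without the key. Bob's note on the Gmail item asks whether encryption adds volume. The Go program below is an added example, not code from any organization mentioned here; it base64-encodes a constructed sample record and recovers it with no secret at all, seals the same record with AES-256-GCM from the standard library, shows that a wrong key is rejected rather than producing garbage, and reports the byte overhead of each transformation. It measures bytes only and does not model TLS handshake round trips, so it speaks to the volume question, not to HTTPS latency as a whole. The names `sampleRecord`, `Encode`, `DecodeWithoutKey`, `Encrypt`, `Decrypt` and `Overhead` are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed sample record standing in for one line of a call-center
// transcript. Every value is made up; none of it is real member data.
const sampleRecord = "member=J. Doe id=ABC123456 dob=1970-01-01 ssn=000-00-0000 dx=sample"

// Encode applies base64. This is "encoding": a public, keyless transformation
// that anyone can reverse.
func Encode(plain []byte) string {
	return base64.StdEncoding.EncodeToString(plain)
}

// DecodeWithoutKey recovers base64-encoded data using nothing but the public
// alphabet, which is exactly why encoding provides no confidentiality.
func DecodeWithoutKey(encoded string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(encoded)
}

// Encrypt seals plain with AES-256-GCM. The output layout is
// nonce || ciphertext || 16-byte authentication tag.
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce we pass as dst.
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt. With the wrong key GCM's tag check fails and
// Open returns an error instead of silently returning garbage.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Overhead reports how many bytes each transformation adds to a plaintext
// of n bytes: base64 grows with n (about one third), AES-GCM adds a fixed
// nonce plus tag regardless of n.
func Overhead(n int) (encodedExtra, encryptedExtra int) {
	encodedExtra = base64.StdEncoding.EncodedLen(n) - n
	// A zero key is fine here; we only need the cipher's size parameters.
	block, _ := aes.NewCipher(make([]byte, 32))
	gcm, _ := cipher.NewGCM(block)
	encryptedExtra = gcm.NonceSize() + gcm.Overhead()
	return encodedExtra, encryptedExtra
}

func main() {
	plain := []byte(sampleRecord)

	encoded := Encode(plain)
	recovered, _ := DecodeWithoutKey(encoded)
	fmt.Printf("encoded, recovered with no key: %q\n", recovered)

	key := make([]byte, 32) // constructed demo key; a real key comes from a KMS or KDF
	key[0] = 1
	wrongKey := make([]byte, 32)

	sealed, err := Encrypt(key, plain)
	if err != nil {
		panic(err)
	}
	if _, err := Decrypt(wrongKey, sealed); err != nil {
		fmt.Println("encrypted, wrong key rejected:", err)
	}
	back, _ := Decrypt(key, sealed)
	fmt.Printf("encrypted, right key recovers: %q\n", back)

	e, c := Overhead(len(plain))
	fmt.Printf("overhead on %d bytes: base64 +%d, AES-GCM +%d\n", len(plain), e, c)
}
```

The point for a defender reviewing a breach statement: "encoded" describes how the bytes are represented, not who can read them. Only the second path, where a missing key turns the record into an authentication failure, changes what a thief can do with a stolen drive.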


(Related) but unlikely.

http://blogs.computerworld.com/15401/microsoft_should_follow_google_and_drop_censorship_in_china

January 13, 2010 - 11:08 A.M.

Microsoft should follow Google and drop censorship in China


(Related) It is unlikely to rise to the level of standing in front of tanks, but something is happening.

http://www.latimes.com/business/la-fi-china-google-2010jan14,0,3880471.story

Chinese Internet users praise Google's threat to exit

By David Pierson and Barbara Demick, January 13, 2010 | 8:39 a.m.

Reporting from Beijing - Bouquets of flowers were laid in front of Google Inc.'s headquarters in China today, a show of support for a company whose threat to exit China rather than tolerate more censorship is a dramatic shot across the bow of the Chinese Communist Party.



Here's one I really want to follow...

http://www.pogowasright.org/?p=6943

Have You Been Subjected to Suspicionless Laptop Search or Seizure at the Border?

January 14, 2010 by Dissent Filed under Court, Surveillance

Jennifer Granick of EFF writes:

… the National Association of Criminal Defense Lawyers is seeking potential plaintiffs for a lawsuit challenging suspicionless laptop searches. As a first step in this effort, NACDL is seeking to identify defense lawyers who have had their laptops searched at the border and are willing to serve as individual plaintiffs. In order to demonstrate the effect of this policy on members of the criminal defense bar and to support the constitutional challenge, NACDL plans to assemble a group of individual plaintiffs who will develop affidavits describing the harm they suffer by having their electronic information exposed to government officials.

Read more on EFF.



Don't all the 'phone companies do this?

http://arstechnica.com/tech-policy/news/2010/01/lawsuits-claim-att-collects-illegal-taxes-on-internet-access.ars

Lawsuits: AT&T collects illegal taxes on Internet access

Over the last month, a series of federal lawsuits around the country have charged AT&T with illegally collecting "taxes" on wireless data plans. The suits, which all seek class action status, say that there are no such taxes.

By Nate Anderson Last updated January 12, 2010 7:52 PM



Another fun case to watch. (and another industry very low on my list of favorites.)

http://arstechnica.com/tech-policy/news/2010/01/digital-music-prices-are-they-illegally-fixed.ars

Digital music prices: are they illegally fixed?

A federal lawsuit against the major music labels calls them a cartel which has banded together illegally to fix the prices of digital music. A New York appeals court has ruled the case can proceed.

By Nate Anderson Last updated January 13, 2010 9:29 PM



Technology alert. The porn industry is an early adopter of technologies. They may be a bit reluctant here, since someone could get hurt if certain anatomical bits start popping out of the screen.

http://hardware.slashdot.org/story/10/01/13/2130205/Porn-Industry-Tiptoes-Into-3D-Video?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Porn Industry Tiptoes Into 3D Video

Posted by timothy on Wednesday January 13, @04:43PM from the been-there-seen-that dept.

itwbennett writes

"The 3D porn experience is coming (eventually) to a home theater near you. Most adult filmmakers are moving slowly toward 3D video because of higher production cost, the small number of 3D TVs in the home, and, of course, the glasses. Rob Smith, director of operations at Hustler Video Group says he hopes that market penetration of 3D TVs in the home is high enough that 'by the fourth quarter of this year it will be at the point where we can justify doing a 3D product.' The average adult movie costs around $25,000 to $40,000 to make, and 3D movies cost about 30% more, [First estimate I've seen. Bob] says Ali Joone, founder of Digital Playground. But Joone thinks the biggest hurdle for 3D isn't so much the cost as the glasses: people don't want to be encumbered by eyewear when viewing a film, says Joone."



Free is good. (Yes, I'm cheap. What's your point?)

http://www.makeuseof.com/tag/the-freebie-hunters-toolkit/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

The Freebie Hunter’s Toolkit

By Ann Smarty on Jan. 13th, 2010



This is full of all that politically correct, green is good stuff. I still think it has some value for my students.

http://www.commutesolutions.org/calc.htm

True Cost of Driving

When considering the cost of driving, most people think only about how much they pay for gas. Drivers also pay to buy and maintain a car, including tune-ups, oil and tires, as well as for insurance, registration, and parking.
