Big, but not a record. Another case of
backups being lost (or perhaps stolen?)
By Dissent,
September 29, 2011
TRICARE, the health care program
serving Uniformed Service members, retirees and their
families worldwide, issued the following public
statement on their web site:
STATEMENT
On September 14,
2011, Science Applications International Corporation (SAIC) reported
a data breach involving personally identifiable and protected health
information (PII/PHI) impacting an estimated 4.9 million military
clinic and hospital patients. The information was
contained on backup tapes from an electronic health care
record used in the military health system (MHS) to capture patient
data from 1992 through September 7, 2011, and may include Social
Security numbers, addresses and phone numbers, and some personal
health data such as clinical notes, laboratory tests and
prescriptions. There is no financial data, such as credit card or
bank account information, on the backup tapes.
Notice that they haven’t told us the
nature of the breach, but Sig Christenson of MySanAntonio.com
reports that a SAIC spokesperson indicated the breach “consisted
of the loss of storage media, not an electronic breach. There was a
loss of magnetic storage media.”
“Loss” as in, “we lost it” or
as in “loss due to theft?” It would be nice to have some
clarification on that. The fact that it was reported to the police
as soon as the loss was discovered leads me to think this may have
involved theft, but we’ll find out eventually.
SAIC has been involved in previous
breaches affecting large numbers of individuals. Some breach-related
news on SAIC prior to 2009 can be found on archive.pogowasright.org
while a 2010 incident involving stolen backup tapes was reported to the Maryland Attorney General’s Office.
Apparently neither backup nor portable
drives were addressed in their security policy. Perhaps they never
created a backup last November? Perhaps they used an employee's
drive and he took it home? Perhaps they are totally out of control?
By Dissent,
September 28, 2011
Sandra Davis reports:
A new policy regulating the storage of electronic personal health information will be in place within the next two weeks as a result of the disappearance of a USB memory stick last November at the Saint John Regional Hospital.
The memory stick contained personal patient information, including Medicare numbers, of about 1,500 patients of a hospital pediatric endocrinologist over the past six years, Nancy Lindsay, chief privacy officer for Horizon Health, confirmed Tuesday.
Lindsay said she was made aware that the memory stick – used as backup to the main system – was missing on Aug. 8, after extensive searching failed to locate it.
“We don’t have the sense that it was stolen,” Lindsay said.
“They think it has been accidentally misplaced.”
Affected patients were notified via letter earlier this month.
Read more on Telegraph-Journal.
So patients first got notified 10
months after the drive went missing? That’s definitely
unacceptable.
Is the fact that they didn't
“intentionally disclose” the information sufficient to protect
them? There is no requirement to “adequately” or even
“reasonably” protect the data? Wow, dumb law.
Sony did not breach Australian Privacy law, says Privacy Commissioner Timothy Pilgrim
September 29, 2011 by admin
Chris Griffith reports:
SONY Computer
Entertainment Australia did not breach the Privacy Act when it fell
victim to a cyber-attack, Privacy Commissioner Timothy Pilgrim has
found.
In a report
released this afternoon, Mr Pilgrim found “no
evidence that Sony intentionally disclosed any personal information
to a third party”.
“Rather, its
Network Platform was hacked into,” he said.
[...]
While the Privacy
Commissioner found no breach of the Privacy Act by SCE Australia, he
was concerned about the time that elapsed between Sony becoming aware
of the incident and notifying customers and the Office of the
Australian Information Commissioner.
Read more on The
Australian. You can find the Office of the Australian
Information Commissioner’s report on the OAIC
site.
This is one of those long, boring
self-congratulatory press releases that seem mandatory after any
trivial success, but it raises a few questions. Was this a security
breach? If so, why not report it? Why make a (very poor) attempt to
hide the name of the breached firm?
By Dissent,
September 28, 2011
Eric McNeal, 37, of Atlanta, Georgia,
pleaded guilty today in federal district court to intentionally
accessing a protected computer of a competing perinatal medical
practice without authorization.
United States Attorney Sally Quillian
Yates said, “The citizens of our community should expect that their
confidential patient information is just that—confidential—and
that it will not be hacked and used for direct-mail marketing
purposes. This criminal misuse of sensitive personal information
resulted in a federal felony conviction for this defendant, which
should serve as a warning for anyone else considering such hacking.”
… According to United States
Attorney Yates, the charges, and other information presented in
court: McNeal worked as an information technology specialist for
“A.P.A.,” a perinatal medical practice in Atlanta. He separated
from employment with A.P.A. in November 2009, and subsequently joined
a competing perinatal medical practice, which was located in the same
building as A.P.A. In April 2010, McNeal used his home computer to
hack into A.P.A.’s patient database without authorization.
He downloaded the names, telephone numbers, and addresses of
A.P.A.’s patients, and then “wiped” A.P.A.’s database,
deleting all the patient information from A.P.A.’s system.
McNeal subsequently used the patient
names and contact information to facilitate a direct-mail marketing
campaign for the benefit of his new employer. There is no evidence
that he downloaded or misused specific patient medical information.
McNeal was charged in a criminal
information on September 16, 2011, and pleaded guilty to its count of
intentionally accessing a protected computer without authorization.
He could receive a maximum sentence of five years in prison and a
fine of up to $250,000.
SOURCE: U.S. Attorney’s Office,
Northern District of Georgia
So how was McNeal able to access his former employer’s database after his
employment terminated? Did he still have a working password/login?
Although court documents refer to
McNeal’s previous employer as “A.P.A.,” a simple Google search
reveals that at one time, he had listed himself as Vice President of
Operations at Atlanta Perinatal Associates. His
subsequent employer, listed as “S.B.” in court documents, is
revealed by a Google search as SeeBaby, where
McNeal’s position was listed as Office Manager. Both APA and
SeeBaby are in the same building on Peachtree St. Northeast in
Atlanta.
There is no breach
listing in HHS’s breach tool for this incident, so it is not clear
to me whether less than 500 patients were involved or if APA did not
report the incident. Nor is it clear whether APA ever
notified its patients of the breach. I’ve sent APA an inquiry
about the incident and will update this entry if/when I hear back
from them.
Guilty (of focusing on just one facet
of the problem)
Privacy legal fights should focus on intrusion, not hurt feelings
September 28, 2011 by Dissent
Jessica Martin writes:
Privacy lawsuits
in the United States usually seek damages for revealing embarrassing
but true facts by the media— the so-called “disclosure tort” —
but this is a “poor vehicle for grappling with the problems of
privacy and reputation in the digital age,” says Neil M. Richards,
JD, privacy law expert and professor at Washington University in St.
Louis School of Law.
“The disclosure
tort has never really worked successfully,” he says.
“It’s largely
unconstitutional. The problem with suing the press for publishing
the truth is that it’s their job. And the government can’t be in
the business of telling the press what’s in the public interest and
what’s private.”
Read more on Washington
University in St. Louis.
As long as we're considering new angles
on Privacy, perhaps we should consider how anyone subject to FOIA or
SEC restrictions or any other record retention requirements can use
“personal” communications technologies.
Does Gove’s webmail policy breach Data Protection Act too?
September 29, 2011 by Dissent
Amberhawk Training writes:
Does the use of
Gmail or Hotmail by a Minister’s Private Office (in order to evade
Freedom of Information (FOI) obligations) also lead to breaches in
the Data Protection Act? Well, I can see how this could be the case.
The press has
raised this issue only in the context of FOI. Yesterday’s Sunday
Times, for example, noted that the allegations
facing Michael Gove and his special adviser, Dominic Cummings, were
that by using personal email accounts, they were
assuming that any requested information could not be held by a public
authority and therefore not subject to a FOI regime.
Read more on The Register for their analysis of the situation and of whether the
private email accounts, even if exempt under FOI, fall under the Data
Protection Act and would impose certain obligations on them.
Imagine that!
If you didn’t watch Mark Zuckerberg’s
Facebook announcements last week — and of course the vast majority
of Facebook users did not — you may be in for a surprise.
… Facebook is making sharing even
easier by automatically sharing what you’re doing on
Facebook-connected apps. Instead of having to “Like” something
to share it, you’ll just need to click “Add to Timeline” on any
website or app, and that app will have permission
to share your activity with your Facebook friends.
What activity, you ask? It could be
the news articles you read online, the videos you watch, the photos
you view, the music you listen to, or any other action within the
site or app. Facebook calls this auto-sharing “Gestures.”
Can you see the possible issue here?
(Related) Is Facebook about to
confront problems of their own making?
Reddit users overwhelm Facebook with data requests
September 28, 2011 by Dissent
The
floodgates have already opened, it seems. Emil Protalinski
reports:
Reddit users have
flooded Facebook with personal data requests via the service’s
official form. This appears to have overwhelmed Facebook’s Data
Access Request Team, forcing the group to send out e-mails telling
users there will be a significant delay.
It all started
with a Reddit submission titled “How to annoy Facebook” by Reddit
user realbigfatty.
Read more on ZDNet.
(h/t, @moniquealtheim)
I was interested to read the following
on Kashmir
Hill’s blog yesterday:
(What I was
surprised not to see here was a list of the things that L.B. had
looked at and/or clicked, such as other peoples’ profile pages,
photos, or status updates. As we have seen before, that is something
Facebook knows
about its users.)
If Facebook does retain that
information, shouldn’t it have been provided in response to the
access request? And if they have withheld data they
collected, then that sets up an interesting complaint/investigation
under Ireland’s data protection laws, doesn’t it? And
what will the DPC do if Facebook fails to comply with the 40-day
response requirement of law?
Perhaps a project for my Ethical
Hackers?
"American
court judges need to learn science. That's the message from the
National Academies and the National Research Council, which today
released the first new edition in 11 years of the Reference
Manual of Scientific Evidence. It has new chapters
about forensic science, mental health, and neuroscience, but
unfortunately nothing about computer science.
The manual
is available as a free download and it's
also online."
Sometimes jokes become law and often
laws are jokes... Didn't Will Rogers say something like that?
Obama proposes letting the jobless sue for discrimination
Advocates for the unemployed have
cheered a push by the Obama administration to ban discrimination
against the jobless. But business groups and their allies are
calling the effort unnecessary and counterproductive.
The job creation bill that President Obama sent to Congress earlier this
month includes a provision that would allow unsuccessful job applicants
to sue if they think a company of 15 or more employees denied
them a job because they were unemployed.
Geek out, dude!
Try Out Windows 8 In VirtualBox Right Now For Free
All you need to do is download the free
ISO file and set up VirtualBox properly.
… Just head to Microsoft’s
free Windows 8 download page to get started. There’s no need
to sign up, and the download links are direct. You’ll need to
choose between the 32 and 64 bit versions of Windows 8.
… You’ll need to install
VirtualBox next, which
you can download here. It works on Windows, OS X and Linux
computers. If you don’t know much about VirtualBox,
here’s what you need to know. It allows you to run an entire
operating system within the one you already have. Check out the
MakeUseOf VirtualBox manual for more information.
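Two things the article skips that a security-minded reader will want before booting an unfamiliar ISO: check the download against a published SHA-256, and give the preview build an isolated VM (NAT networking only, no shared host clipboard) rather than a bridged one. The script below is an added example, not code from the MakeUseOf article or from Microsoft; the VM name, disk and memory sizes and the "Windows8_64" OS type are assumptions for illustration, and the expected hash is whatever Microsoft publishes for the build you fetched, not a value from this page.

```shell
#!/bin/sh
# Added example, not code from the MakeUseOf article: check the ISO you
# downloaded against a known SHA-256 before booting it, then create an
# isolated VirtualBox VM for it with VBoxManage. The VM name, sizes and the
# "Windows8_64" OS type are assumptions for illustration; the expected hash
# is whatever Microsoft publishes for the build you fetched, not a value
# from this page.
set -eu

# sha256_of FILE: print the hex digest using whichever tool the host has
# (GNU coreutils sha256sum on Linux, shasum on OS X).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_iso FILE EXPECTED_SHA256: succeed only if the digests match.
# The comparison is on the full 64-character lowercase hex string, so a
# truncated expected value is rejected instead of silently accepted.
verify_iso() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ ${#expected} -eq 64 ] && [ "$actual" = "$expected" ]
}

# create_vm NAME ISO: register a VM with NAT networking only and the host
# clipboard disabled, so the preview build cannot reach the LAN directly
# or read the host clipboard. With DRY_RUN=1 the commands are printed
# instead of executed.
create_vm() {
    name=$1; iso=$2
    run() {
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
    }
    run VBoxManage createvm --name "$name" --ostype Windows8_64 --register
    run VBoxManage modifyvm "$name" --memory 2048 --cpus 2 --nic1 nat --clipboard disabled
    run VBoxManage createhd --filename "$name.vdi" --size 25000
    run VBoxManage storagectl "$name" --name SATA --add sata
    run VBoxManage storageattach "$name" --storagectl SATA --port 0 --device 0 --type hdd --medium "$name.vdi"
    run VBoxManage storageattach "$name" --storagectl SATA --port 1 --device 0 --type dvddrive --medium "$iso"
}

# Usage: sh win8vm.sh Windows8-preview.iso <expected-sha256>
# The VM is only built when both arguments are given, so the functions
# can also be sourced and used on their own.
if [ $# -eq 2 ]; then
    verify_iso "$1" "$2" || { echo "ISO hash mismatch, refusing to boot it" >&2; exit 1; }
    create_vm win8preview "$1"
    echo "VM created; start it with: VBoxManage startvm win8preview"
fi
```

Run it with the ISO path and the published checksum; a mismatch stops before any VM is created. Set DRY_RUN=1 to see the VBoxManage commands without a VirtualBox install.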
These should work almost as well for
non-teachers...
Wednesday, September 28, 2011