“etc.” is a weasel word that makes
me (and the victims?) suspect much more was taken.
Yanez Dental Corporation in California
recently reported a data breach to HHS.
In a
notice
on their web site dated June 15, they write, in part:
Our dental office
was burglarized (5/22/2011). We have reported this incident to the
police for investigation. The vandals stole three of our computers
among other things. Personal information stored in these computers
included names, birthdate, address, Social Security Number, telephone
number, etc. It is important to mention that we are not aware that
any personal information has been accessed or used inappropriately.
For the purpose of security, each of the three computers has four
level of passwords protection. However, we feel it is important for
us to inform you of any potential situation, and explain steps you
can to prevent or reduce any potential risk of identity theft or
fraud loss.
[...]
According to HHS’s breach tool,
10,190 patients had information on the stolen computers.
I’m not quite sure I understand what
the practice means by the “etc.” in types of information. Does
“etc” include insurance account numbers, any financial
information, etc.? It would have been helpful for them to be more
inclusive in their description.
When will the default be “Encrypt
sensitive data?” Demanding that one of their “Business
Associates” improve their security isn't sufficient. All of their
associates should be required to follow reasonable security
practices.
On August 8, the Saint Barnabas
Health Care System in New Jersey publicly disclosed a breach
involving a Business Associate, MedAssets:
MedAssets, Inc.,
an independent revenue management and supply chain company that
provides certain administrative and business services to the Saint
Barnabas Health Care System, informed us on July 1, 2011 that an
unencrypted external computer hard drive was stolen on
June 24, 2011, from a MedAssets employee’s car, parked in a
restaurant parking lot. The hard drive contained personal
information used to determine eligibility for governmental benefits
for certain patients of our six acute care hospitals.
The data contained
patient names and for each such patient, information from one or more
of the following categories: Medical Center account number, medical
record number, date of birth, Medical Center charges incurred,
amounts paid to the Medical Center, information on health insurance,
eligibility for applicable governmental benefit programs and/or
Medical Center admission and discharge dates. Social security
numbers were included for about seven percent of the affected
patients. The hard drive did not include any patient addresses,
other financial information, or any clinical information regarding
the patient’s care.
… MedAssets
has provided written confirmation that it is implementing improved
privacy safeguards to avoid similar incidents in the future,
including eliminating the use of all unencrypted hard
drives used for data back-up by its employees and
strengthening the enforcement of its existing policy prohibiting
their use.
… This is not the first time that
Saint Barnabas has reported a breach involving a business associate.
In September 2010, they disclosed a breach involving
KPMG.
Also last year, Newark Beth Israel Medical Center disclosed a web
exposure breach involving
Professional
Transcription Company.
Saint Barnabas wasn’t
the only hospital system affected by the MedAssets breach, however.
Patients at the Cook County Health and Hospitals System
in Chicago, Illinois was also affected.
… An unencrypted drive left in a
car in a restaurant parking lost. Heads should have rolled for that
one. What did this breach cost in terms of investigation and
notifications? Those costs will ultimately drive up the cost of our
health care. I find this type of breach inexcusable in this day and
age and wish HHS/OCR would hand out a hefty fine or two to send the
word that entities had damned well make compliance with good security
practices more of a priority.
Think of it as an automated sideshow
barker...
Inspired
By ‘Minority Report,’ Immersive Labs Raises $810K For Digital
Display Recognition
Immersive Labs is working on futuristic
advertising displays like those in the well known book and film
Minority Report,
which tailor advertising to the individual viewer. Immersive Labs’
digital signs use cameras and facial recognition technology to
determine viewer characteristics like gender, age, distance and time
spent viewing the ad in order to then serve up the advertising that
would be most relevant (see the demo video below).
The targeting technology has shown an
over 60% increase in viewer attention time during pilot tests,
according to CEO Jason Sosa.
What is the cost of a security breach?
I'm sure it was a “separate” company to firewall the liabilities,
but there must have been some assets...
"DigiNotar,
the Dutch certificate authority which was recently at the centre of a
significant hacking case, has
been declared bankrupt. The CA
discovered it was compromised on 19 July, leading to 531 rogue
certificates being issued. It was only in August that the attacks
became public knowledge. Now the company has gone bankrupt, parent
firm VASCO said today. VASCO admitted the financial losses
associated with the demise of DigiNotar would be 'significant.' It
all goes to show how quickly a data breach can bring down a company."
Adds reader Orome1:
"This is
unsurprising, since a report issued by security audit firm Fox-IT,
who has been hired to investigate the now notorious DigiNotar breach,
revealed that things were far
worse than we were led to believe."
What is a violation of Privacy worth?
News
Corp. Paying Phone Hack Victim’s Family $4.7 Million
Damon Poeter reports:
News International
will reportedly pay the family of a British murder victim about £3
million ($4.7 million) in a settlement to close
a
phone-hacking case that led to the closure of
the
News of the World tabloid and rocked Rupert Murdoch’s
News Corporation media empire to its core.
The settlement
includes a £2 million payment to Milly Dowler’s family and the
donation of an additional £1 million to charity,
Reuters
reported
Monday, citing “sources close to the case.”
(Related) Hacking a phone is so easy,
even a caveman could do it...
Il:
Police Arrest 22 in Phone Tapping Case
Gavriel Queenann reports:
Israel’s
Hebrew-language Maariv reported Monday that Israel Police arrested 22
‘private investigators’ for installing spyware on mobile phones
allowing access to private conversations and text messages.
Documents filed in
a Rishon Letzion court revealed the Israel Police Lahav 433 unit and
Computer Crimes unit conducted a covert protracted investigation into
11 detective agencies allegedly using software
previously reserved for the security services.
[From the article:
The software allows mobile phones to be
remotely accessed without leaving a trace or revealing to the owner
they are being surveilled. All calls, text messages, and e-mail
messages are transmitted to and from the infected phone can be
received and recorded in real time.
A spokesman for the
Israel Police said investigators believe hundreds of people across
the country are using similar software to spy on competing
businesses, family, or romantic partners.
[Try it yourself!
Tap
A Cell Phone To Track Your Spouse Or Significant Other
How
To Tap A Cell Phone | Can You Really Tap A Cell Phone?
Is
Your Cell Phone Bugged?
I'm not sure I'd be bragging about this
just yet. However, it does look like “location tracking” is
getting some Privacy consideration.
Location based social network
Foursquare has quietly released a new feature
that allows places user categorize as their homes to be included in
the system but not expose their exact addresses. Venues categorized
as homes will now show up as a general area on a map, instead of a
pin and street number, as restaurants and stores are displayed. The
move was first reported by the independent blog
AboutFoursquare.
It's a great little change that will
enable users to check in at home without exposing too much
information.
This new feature will also allow people
whose homes were listed on Foursquare against their wishes to easily
obscure their addresses. [How does one learn if their home address
is listed on Foursquare? Bob] Respecting
home/away privacy is a key part of making people feel safe enough to
expose their location at all, anywhere.
Foursquare's approach is reminiscent of
the
new private location geofences Flickr launched
earlier this month.
[From the
AaboutFoursquare blog:
It appears foursquare has gone through
and properly categorized lots of venues that appear to be homes,
either by name or by checkin pattern (i.e., only one person has
checked in). The number of venues named “home” but without a
category has declined drastically over the past few days.
Venues that didn’t get caught by
foursquare won’t receive any of the privacy protections, so it’s
important for users to take the time to make sure their homes are
properly categorized. If you have friends who’ve abandoned
foursquare but left their miscategorized home venues in place, it
might be worth a nudge to get them to come back to foursquare to get
their home updated properly, too.
This is a great enhancement to user
privacy on foursquare. Thousands of users have added
their homes without realizing the privacy implications of posting
that information on the internet, so it’s nice that
foursquare has taken these proactive steps to help increase the
security of their homes.
[In the same article,
but completely(?) unrelated:
Below, a video about
Flusquare - an interesting mash-up between
Foursquare and CDC flu reports. Foursquare integration lets
the app determine where you went when you were contagious!
This little app hints at the potential of consumer geolocation
technologies for the future.
The data is public and as far as I know
legal to aggregate. So, aside from self-promotion, what;s the fuss
about? (Or do the Senators have something they want to hide?)
"Social Intelligence Corp's
online employment screening service, which preserves users' social
media profiles and other data for use by potential employers,
infringes
on consumers' privacy and could be a violation of the law
according to Senators Richard Blumenthal (D-CT) and Al Franken
(D-MN). The Senators wrote to Social Intelligence Corp on Monday
demanding answers to a host of questions about the service and how it
collects data."
[From the article:
The firm
says
it looks for publicly posted content that is racially insensitive,
sexually explicit, or demonstrates clearly illegal activity.
Flagrant displays of weaponry are also flagged. Content limited only
to users' friends is not included in the searches.
… The letter also suggests that
Social Intelligence's practice of taking screenshots of social media
profiles and pictures may violate the sites' terms of
service.
"More troubling than the apparent
disregard of these websites’ terms of service are what appear to be
significant violations of users’ intellectual property rights to
control the use of the content that your company collects and sells,"
the letter states, noting that pictures taken from sites like Flickr
and Picasa are often licensed by the owner for a narrow set of uses.
Politicians
without paper?
"The
British government is examining whether it could save money by
getting rid of its printers and giving civil servants free iPads
instead. The head of the UK government skunkworks told silicon.com
that if he got rid of all of a major government department's printers
and gave staff iPads, the savings on printing costs would
pay for the tablets in less than 18 months.
The UK parliament has already
let tablets into the debating chamber,
with politicians already starting to choose to use tablets rather
than bundles of papers in debates."
For my Ethical Hackers...
How
To Change The Apple ID On Your iPod Touch/iPhone
For my Math students
Desmos,
a free online graphing calculator that I
reviewed
in June, recently added a
handful
of new options that should be appealing to
mathematics instructors and students. The new features enable better
handling of strict inequalities, polar inequalities, internalization,
slider bars, and graph tracing. The video below provides an overview
of the Desmos graphing calculator.
“I know it's here somewhere...”
Figure
Out Folder Contents With Better Directory Analyzer
Better
Directory Analyzer, which I will from now on
call BDA, is a simple freeware program that scans through the
contents of any selected folder and spits out more information about
it than you thought was possible. All scanned files can be sorted in
a handful of different ways, which helps you quickly find certain
files that you may be looking for. So how is this helpful compared
to Windows Search?
Although
Windows
XP‘s version of Windows Search actually
packed more of a punch,
Windows
7‘s version only lets you search by filename,
file size, and date modified (without using
hidden
operators). Windows 7 users can find benefit
the most by using BDA as there are many different parameters to
search and select files.
Worth a look?
3
Light & Simple Ways To Take Screenshots In A Snap
A word to the wise...
Transfer
Your Delicious.com Bookmarks By September 23 Or Lose Them [News]