It looks like today's theme is the true cost of Computer Security... including the cost of properly disposing of used computers.
By Dissent, March 13, 2012
From HHS:
Blue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, Leon Rodriguez, Director of the HHS Office for Civil Rights (OCR), announced today. BCBST has also agreed to a corrective action plan [Cost unknown. Bob] to address gaps in its HIPAA compliance program.
The enforcement action is the first resulting from a breach report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.
The investigation followed a notice submitted by BCBST to HHS reporting that 57 unencrypted computer hard drives were stolen from a leased facility in Tennessee. The drives contained the protected health information (PHI) of over 1 million individuals, including member names, social security numbers, diagnosis codes, dates of birth, and health plan identification numbers. OCR’s investigation indicated BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.
“This settlement sends an important message that OCR expects health plans and health care providers to have in place a carefully designed, delivered, and monitored HIPAA compliance program,” said OCR Director Leon Rodriguez. “The HITECH Breach Notification Rule is an important enforcement tool and OCR will continue to vigorously protect patients’ right to private and secure health information.”
In addition to the $1,500,000 settlement, the agreement requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures, to conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and to perform monitor reviews to ensure BCBST compliance with the corrective action plan.
...
The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf.
Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.
(Related) It could be worse.
By Dissent, March 13, 2012
It seems like a breach that I never mentioned on this blog was the downfall of a firm. In December, 2011, Impairment Resources, LLC was the victim of a burglary. They reported the incident and I had included it on DataLossDB.org, but didn’t think much of it as there was nothing wildly unusual in their reports to suggest it was particularly newsworthy. Just another business that was reporting a breach involving SSN and medical information, right?
Today, Katy Stech reports on WSJ:
The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.
Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.
Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.
“The cost of dealing with the breach was prohibitive” for the company, Impairment Resources said when explaining its decision to file for Chapter 7 bankruptcy protection. That type of bankruptcy is used most often by companies to shut down and sell off what’s left to pay off their debts.
The company said its assets are worth about $226,000, an amount that, even after money trickles in from liquidating sales, likely won’t be enough to pay lender Insurance Recovery Group and its $583,000 loan, Impairment Resources said in court papers.
The company also faced the threat of even more debt with customers and individuals threatening to sue it over the privacy breach.
Impairment Resources reviewed medical records taken on workers’ compensation and auto casualty claims for roughly 600 insurance companies and other customers, according to court papers. It also had offices in Framingham, Mass., and Kailua, Hawaii.
So… is this a case where a lack of strong encryption was ultimately responsible for a business’s failure? From their correspondence, it doesn’t sound like the data were encrypted, but then, the company also doesn’t report a lot of assets given the size of its clientele, so who knows?
Dude, there's an App for that!
An App for Watching for Personal Data Breaches
March 14, 2012 by admin
I don’t usually comment on commercial services, but this seems blog-worthy. Damon Darlin reports:
Want to know if your identity has been stolen? Or if your or your child’s Social Security number is being pawned off on the Internet?
There’s an app for that.
On Wednesday, AllClear ID, an identity protection service that scans the Internet for stolen information, will offer a free mobile app for the iPhone and iPad to alert users when their personal or financial records have been compromised. The free app alerts users if their credit card and Social Security numbers have been stolen or if thieves are using their child’s identity.
Read more on The New York Times.
I would hope that consumers don’t get a false sense of security by downloading this app as there are so many hacks of credentials. What percent of them are not reported to the National Cyber-Forensics and Training Alliance on which their fraud detection is based? It would be nice to get some sense of how comprehensive their database is and I’d be interested to find out more if they’d like to get in touch.
And of course, read the Privacy Policy of any business or app you use. AllClear ID’s privacy policy is written in pretty plain language as these things go. I’m not happy about their “indefinite retention” clause on data and would encourage them to re-think and revise that (as I did with PopVox in reviewing their privacy policy). At some point, consumers should have the right to know that their account data has been permanently deleted and that it’s not at the business’s discretion.
You can read more about their service on AllClear ID.
The US as Global Copyright Cop. Break US law anywhere in the world and we'll come for you, drag you to the US and slap you in one of our overcrowded prisons...
"British student Richard O'Dwyer, creator of the TVShack website, has had his extradition to the United States approved by Conservative Home Secretary Theresa May. Mr. O'Dwyer now has 14 days to appeal the decision. The extradition was requested by the U.S. Immigration and Customs Enforcement agency, which has accused O'Dwyer of aiding copyright infringement by publishing links to pirated content hosted on external sites."
Looks like it's not a good day for the Copyright Trolls either.
Judge Orders Failed Copyright Troll to Forfeit ‘All’ Copyrights
Righthaven, a copyright-troll law firm that failed in its attempt to make money for newspapers by suing readers for sharing stories online, was dealt a death blow Tuesday by a federal judge who ordered the Las Vegas company to forfeit “all of” its intellectual property and other “intangible property” to settle its debts.
Interesting that with floppy disk desktops, everyone (everyone important) got a handheld device...
"In the first 40 days of President Barack Obama's administration, the White House email system was down 23% of time, according to White House CIO Brook Colangelo, the person who also delivered the 'first presidential Blackberry.' The White House IT systems inherited by the new administration were in bad shape. Over 82% of the White House's technology had reached its end of life. Desktops, for instance, still had floppy disk drives, including the one Colangelo delivered to Rahm Emanuel, Obama's then chief of staff and now Mayor of Chicago. There were no redundant email servers."
Apple backs into the corporate world?
Corporate Types Are iPad-Crazy, Survey Finds
In the land of corporate tablets, Apple’s iPad is king.
That’s what a recent survey of just over 1,600 business technology buyers concluded. The study, conducted by ChangeWave Research, found that 22 percent of respondents were planning to buy tablet computers during the second quarter of 2012.
And of those tablet-hungry companies, 84 percent are going to go with Apple’s iPad.
We probably won't go to war to ensure supplies since we can buy finished goods containing the rare earths. It does tend to lock everyone in to Chinese manufacturers...
"China's rare earth monopoly has resulted in a shortage as China blocks their export and the rest of the world resumes their operations. Now, in a first-ever joint filing from three members of the World Trade Organization, Japan, the EU and the U.S. are not sitting idly by as China repeatedly ignores the WTO's orders to export rare earth metals and raw materials at a fair price to other countries. China claims the embargoes are in place to protect its environment, while Obama denounces China as being unfair and not playing by the rules of the WTO. In 2009, the WTO released a report (PDF) that explained how actions like China's hurt trade partners."
I'm sure this has nothing to do with the vast amount of money they get from “obscene ebooks”...
PayPal reverses its ban on 'obscene' e-books
The economics of IT in the age of the Cloud. Any work will be outsourced if it 1) is not a core function of the firm and 2) is cheaper.
"IT pros feeling the pressure to boost tech skills should expect little support from their current employers, according to a recent report on IT skills. '9 in 10 business managers see gaps in workers' skill sets, yet organizations are more likely to outsource a task or hire someone new than invest in training an existing staff. Perhaps worse, a significant amount of training received by IT doesn't translate to skills they actually use on the job.'"
Perspective: An Infographic to explain Pinterest – and you still have to request an Invite! (80% female and NOT in Colorado...)
Data You Can't Ignore: A Guide to Pinterest
… Pinterest began in 2009 with a limited use policy. In 2010 it began to expand beyond invitations to sign-ups. It took off, and boasts 12 million U.S. users. At a minimum, 4 million college-aged students are using Pinterest every day. In addition, Apple has released a Pinterest App, making it even more accessible. Further evidence of its universal acceptance is the fact that it can now be pinned to Twitter and Facebook.
… Pinterest pin boards have also given bloggers a traffic boost because their blog post of a review or rant gets shared and re-shared through the social network. [Hummm. Bob]
So is this a time to Cheer or grab a future collector's item?
"According to the New York Times, it's the end of the road for the printed Encyclopedia Brittanica, saying, '...in recent years, print reference books have been almost completely wiped out by the Internet and its vast spread of resources, particularly Wikipedia, which in 11 years has helped replace the authority of experts with the wisdom of the crowds.' The last print edition will be the 32-volume 2010 edition."
Minor rant: As I understand it, this means that now someone with a PhD in Math can teach high school Math, where before teachers with a BA in Education taught Math, Chemistry, Physics, etc. Why would the Teachers Union fight this? Oh yeah. They don't have many PhD's in Math, Chemistry, Physics, etc. Lots of Universities, particularly the “for profit” Universities, actively recruit teachers who have worked in the field they teach. Does that mean they occasionally get a lousy teacher? You bet! But that teacher doesn't last more than one semester.
Iowa House Passes Bill Allowing the Instruction of Math and Science without Teacher Training
As Iowa struggles to find and hire teachers in math and science, a controversial solution has surfaced again and is picking up steam in the Legislature.
In a largely party-line vote, the House voted, 61-36, Tuesday for House File 2385, which would allow people with at least three years of work experience in math, science or engineering — but no formal training in teaching — to teach in those shortage areas in high school.