Saturday, September 22, 2012

One of my least favorite topics: theft of unencrypted laptops. Why can't managers understand that it is the electronic equivalent of carrying one, ten or 500 four-drawer file cabinets full of sensitive records? Would they care more if laptop thefts got them fired?
By Dissent, September 21, 2012
HHS added 10 incidents to its breach tool in its most recent update. Somewhat depressingly, five of the incidents involved the theft of unencrypted laptops.
In terms of newly revealed details on known incidents, the University of Miami reported that it had notified 64,846 patients of the insider breach involving theft and possible sale of patient “face sheets.”
The Howard University Hospital breach of January 25th involving theft of a laptop was updated to reflect 66,601 patients notified. Initially, Howard University had reported 34,503 patients affected.
Here are some of the newly disclosed incidents that had not been previously mentioned on this blog:
Central States Southeast and Southwest Areas Health and Welfare Fund in Illinois notified 754 about an incident on July 31st involving “Unauthorized Access/Disclosure,Other” of paper records. There is no notice on their web site at this time and I can find no substitute notice or media coverage. They have not yet responded to a request for a statement explaining the breach.
Liberty Resources, Inc. in Pennsylvania notified 3,183 of a laptop theft on August 4th. I cannot find any statement on their web site and I can find no media coverage or substitute notice. They have not yet responded to a request for a statement explaining the breach.
Tricounty Behavioral Health Clinic in Acworth, Georgia notified 4,000 patients after a laptop was stolen on August 26th. They do not seem to have a web site, but I was able to locate a brief media report in the Rome News-Tribune under one of their doctor’s names:
An Acworth doctor had a laptop stolen from her office, according to a Cherokee County Sheriff’s Office report.
According to the report:
Someone broke into the office on Dr. Swarnalatha Inderjith, of 4661 Jefferson Township Lane, and stole a laptop that contained patient information on Aug. 27.
A 32-inch television was also stolen.
The doctor has set up a toll free number for patients or former patients to learn additional information. The number is 888-261-6360.
And yes, there seems to be a small discrepancy as to the date of the theft.
Charlotte Clark-Neitzel, MD of Olympia, Washington notified 942 patients following the July 24th theft of a laptop. I was able to locate a cached copy of Sept. 11 substitute notice:
The home office of Charlotte B. Clark-Neitzel, M. D. was broken into on July 24, 2012. In addition to other personal items, the thieves stole both her medical bags and a laptop. The laptop contained access to Dr. Clark-Neitzel's electronic medical record (EMR) system [Are they suggesting an automatic signon? Bob] which was used daily to manage patient information. The Olympia Police Department was notified and is conducting its investigation. All affected patient notification letters were mailed on September 7, 2012. A thorough investigation shows that patient name, address, Social Security number, date of birth and medical information was included on the laptop. Patient billing and banking information was not stored on the laptop and therefore not breached. At this time there has been no indication of malicious use of patient information. Dr. Clark-Neitzel has hired ID Experts to aid in notification and provide services to affected patients. Patients with questions regarding this incident or to determine if they were affected can contact ID Experts at 1-800-809-2956. This public notice is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Dr. Clark-Neitzel has sent notification letters to the affected patients and the Department of Health and Human Services (HHS).
Lana Medical Care in Florida notified 500 patients after a laptop was stolen on August 18. I can find no web site for the practice, nor any substitute notices under that name or under the names of two physicians associated with the practice.
As additional info becomes available, I’ll update this post.

(Related) After all, failure to encrypt can cost you big time...
By Dissent, September 21, 2012
Kathy Roberton reports:
A hearing is scheduled in Sacramento on Sept. 27 on a class action against Sutter Health over last year’s theft of a personal computer that held data on 4.24 million patients.
Twelve lawsuits filed over the incident have been coordinated in Sacramento County Superior Court.
The Sutter Health breach reportedly affecting 4.2 million after an unencrypted computer was stolen from their offices was disclosed in November 2011. Within two weeks, at least two lawsuits had been filed. Sutter subsequently reported that 943,434 were affected.


So much for their “We want you to be secure” lip flapping... (“It's not a failure, it's a feature!”) That means my password “Icanneverremembermypassworddammit!” has to be changed?
"Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!"
At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
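An added illustration of the point above, written for this post and not code from Microsoft or any site mentioned: a password store that hashes only the first 16 characters next to one that hashes the whole string, plus a black-box probe that reveals whether a verifier is silently capping. The 16-character cap, the PBKDF2 parameters and the probe's alphabet are assumptions chosen for the demo.

```python
"""Added example (not from the post): detecting a silent password cap.

Models a password store that hashes only the first TRUNCATE_AT characters,
as the post describes, next to one that hashes the whole string, and a
black-box probe that tells the two apart from the outside.
"""
import hashlib
import hmac
import os
from functools import partial
from typing import Callable, Optional, Tuple

ITERATIONS = 20_000   # lowered so the probe runs quickly; use far more in production
TRUNCATE_AT = 16      # the cap described in the post

Record = Tuple[bytes, bytes]   # (salt, derived key)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, cap: Optional[int] = None) -> Record:
    """Create a record. A non-None cap simulates a back end that keeps only
    the first `cap` characters (the defect); cap=None is the sound version."""
    if cap is not None:
        password = password[:cap]
    salt = os.urandom(16)
    return salt, _derive(password, salt)


def verify(password: str, record: Record, cap: Optional[int] = None) -> bool:
    """Constant-time comparison of the derived key; the cap is applied the
    same way it was at enrollment, which is exactly what makes it invisible."""
    if cap is not None:
        password = password[:cap]
    salt, key = record
    return hmac.compare_digest(_derive(password, salt), key)


def probe_truncation(enroll_fn: Callable[[str], Record],
                     verify_fn: Callable[[str, Record], bool],
                     max_len: int = 40) -> Optional[int]:
    """Enroll a long password, then present candidates that agree with it only
    in their first n characters. The smallest accepted n is the silent cap;
    None means the verifier really checks the whole string."""
    base = "".join(chr(ord("a") + i % 26) for i in range(max_len))
    record = enroll_fn(base)
    for n in range(1, max_len):
        candidate = base[:n] + "#" * (max_len - n)
        if verify_fn(candidate, record):
            return n
    return None


def demo() -> dict:
    capped_enroll = partial(enroll, cap=TRUNCATE_AT)
    capped_verify = partial(verify, cap=TRUNCATE_AT)
    return {
        "cap_found_in_truncating_store": probe_truncation(capped_enroll, capped_verify),
        "cap_found_in_full_store": probe_truncation(enroll, verify),
    }


if __name__ == "__main__":
    print(demo())   # {'cap_found_in_truncating_store': 16, 'cap_found_in_full_store': None}
```

The probe is the part worth keeping: run it against any enrollment-plus-login pair you own and it reports the cap, if there is one, without needing to read the back end. Note that some hashing schemes carry a documented length limit of their own (bcrypt stops at 72 bytes), so the check is worth running even where the application code itself never slices the string.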

(Related) “We left all those decisions to our entry-level programmers...”
"'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse."
Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.
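As an added example of the missing piece the Computerworld summary points at, here is a per-account failed-login guard replayed over a constructed sequence of attempts. It is written for this post and is not Virgin Mobile's code; the thresholds, the doubling lockout and the sample events are assumptions.

```python
"""Added example (not from the articles): throttling failed logins per account.

A guard that counts recent failures per account, locks the account for a
growing interval once a threshold is hit, and resets on success, replayed
over a constructed sequence of login events.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

MAX_FAILURES = 5      # failures inside WINDOW before a lockout
WINDOW = 300          # seconds over which failures are counted
BASE_LOCKOUT = 60     # first lockout; doubles with each further lockout


class LoginGuard:
    def __init__(self) -> None:
        self.failures: Dict[str, List[float]] = defaultdict(list)
        self.locked_until: Dict[str, float] = {}
        self.lockouts: Dict[str, int] = defaultdict(int)

    def is_locked(self, account: str, now: float) -> bool:
        return now < self.locked_until.get(account, 0.0)

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'rejected' (locked, password not evaluated), 'ok', 'fail',
        or 'locked' (this failure triggered a lockout)."""
        if self.is_locked(account, now):
            return "rejected"
        if password_ok:
            # A genuine login clears the account's history.
            self.failures.pop(account, None)
            self.lockouts.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok"
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.lockouts[account] += 1
            self.locked_until[account] = now + BASE_LOCKOUT * 2 ** (self.lockouts[account] - 1)
            self.failures[account] = []
            return "locked"
        return "fail"


# Constructed sample: (seconds since start, account, whether the password was correct)
EVENTS: List[Tuple[float, str, bool]] = [
    (0, "alice", False), (5, "alice", False), (10, "alice", False),
    (15, "alice", False), (20, "alice", False),   # fifth failure -> 60 s lockout
    (30, "alice", True),                          # right password, still locked
    (90, "alice", True),                          # lock expired, counters reset
    (100, "bob", False), (101, "bob", True),      # bob is unaffected by alice's lockout
]


def replay(events=EVENTS) -> Tuple[List[str], List[str]]:
    """Feed events through one guard; return the per-event outcomes and the
    alert lines a monitoring pipeline would raise when a lockout fires."""
    guard = LoginGuard()
    outcomes, alerts = [], []
    for now, account, password_ok in events:
        outcome = guard.attempt(account, password_ok, now)
        outcomes.append(outcome)
        if outcome == "locked":
            alerts.append(f"t={now}s account={account} lockout#{guard.lockouts[account]} "
                          f"until t={guard.locked_until[account]:.0f}s")
    return outcomes, alerts


if __name__ == "__main__":
    for line in replay()[1]:
        print(line)
```

Two design points: the guard refuses even a correct password while the account is locked, so the lock cannot be probed by success, and the lockout length grows with each repeat, so a sustained stream of guesses gets slower rather than merely interrupted. A per-account lock on its own lets anyone who knows a username lock its owner out, so in practice it is paired with per-source throttling and with the alert line above going to whoever watches the logs; and when the passwords themselves come from a tiny, predictable space, as the Virgin Mobile reports describe, no amount of throttling substitutes for fixing that.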


“Well, you started it with the attack on our nuclear facilities.”
“Did not!”
“Did too!”
At what point do we reach the electronic equivalent of war?
"Evidence suggests the Iranian government is behind cyberattacks this week that have targeted the websites of JPMorgan Chase and Bank of America. The attacks are described by one source, a former U.S. official, as being 'significant and ongoing,' and looking to cause 'functional and significant damage.' Another source suggested the attacks were in response to U.S. sanctions on Iranian banks."


“Contrary to what I say in public, this is my real agenda, don't tell anyone...”
Recording Romney, Part One
September 21, 2012 by Dissent
Earlier this week, I pointed to some coverage questioning the legality of recording presidential candidate Mitt Romney’s comments at a private fund-raising event. Now there’s a more in-depth legal analysis of the issue by Jeffrey P. Hermes of Citizen Media Law Project that is well worth reading:
As will be discussed below, there are a patchwork of laws on this topic, but the ultimate determination will largely turn on two issues: (1) whether there was consent to the recording that would protect the individual who made the video against liability; and (2) whether there was a reasonable expectation of privacy in Romney’s remarks. Part One of this post will discuss the laws that might apply, and the question of consent. Part Two, which will be posted tomorrow, will discuss whether Romney (or anyone else) had a reasonable expectation of privacy in the remarks, and certain other relevant legal issues (such as protection that Mother Jones enjoys in such situations under the First Amendment).
Read Part One on CMLP.

(Related)
Recording Romney, Part Two
September 21, 2012 by Dissent
The second part of Jeffrey P. Hermes’ analysis of the legality of recording Mitt Romney at a private fundraiser is now up on Citizen Media Law Project (Part One here).
What a great example of information being freely available on the Internet. Kudos to Jeff Hermes and CMLP for informing those of us who want to understand the nuances of laws involving recording as they apply in this case.


Interesting. Who (if anyone) inherits the rights to her Facebook account?
Facebook fights for deceased beauty queen’s privacy
September 21, 2012 by Dissent
Sometimes even when you’re right, you’re perceived as wrong. For those of us who criticize Facebook’s lack of sufficient regard for users’ privacy, here’s a case where by attempting to protect user privacy, they will undoubtedly leave many understandably upset with them. Declan McCullagh reports:
Facebook has successfully fought a subpoena trying to seek access to the account of a beauty queen who died after falling from the 12th floor of her ex-lover’s apartment, CNET has learned.
A federal judge in California yesterday rejected an attempt from representatives of the estate of Sahar Daftary to gain access to her Facebook account.
Her mother is hoping to show a Manchester, U.K., coroner’s inquest that Daftary, a onetime Face of Asia beauty contest winner, did not commit suicide when falling from the apartment of property developer Rashid Jamil in 2008.
But U.S. Magistrate Judge Paul Grewal said that a federal law called the Stored Communications Act does not require Facebook to comply with such a subpoena in a civil case.
Read more about the case on CNET.

(Related) “We had to do it over there, we don't have as many lobbyists in Europe... Yet.”
"Facebook has disabled face recognition features on its site for all new European users. The move follows privacy recommendations made by the Irish Data Protection Commissioner. Tag Suggest information has been turned off for new users, and Facebook plans to delete the information for existing EU users by October 15th. 'The DPC says today’s report (PDF) is the result of evaluations it made through the first half of 2012 and on-site at Facebook’s HQ in Dublin over the course of two days in May and four in July. The DPC says FB has made just about all of the improvements it requested in five key areas: better transparency for the user in how their data is handled; user control over settings; more clarity on the retention periods for the deletion of personal data, and users getting more control over deleting things; an improvement in how users can access their personal data; and the ability of Facebook to be able to better track how they are complying with data protection requirements.'"

(Related) “We may not be able to use facial recognition...”
"Freedom to go under a pseudonym is, miraculously, one freedom to survive the security lock-down of the previous decade. Now Facebook wants to change this. James Firth shows Facebook is clamping down on pseudonyms, with an interesting screenshot of being asked whether a friend is using their real name."

(Related) Are some of these changes just cost savings to boost the stock price?
Facebook’s About-Face on Sharing Gives News Sites Whiplash
Facebook giveth and Facebook taketh away. App startups have known this for a long time; now The Washington Post and other news publishers are learning the same lesson as Facebook makes it harder for articles to go viral.
Facebook’s manager of media partnerships was quoted at a journalism conference saying the social network is moving away from so-called “passive sharing,” in which reader apps from the likes of the Post and The Wall Street Journal are able to broadcast activity without any prompting.


My Ethical Hackers would never do this (probably)
"At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."


This is interesting. A library of free tools (some assembly required)
"The Public Laboratory for Open Technology and Science is putting together an open hardware spectrometer kit on Kickstarter. The kits are built using an HD webcam, discarded DVD, and a couple other odd bits. They've also put together a kit for your smart phone and open-source software for desktop, Android, and iOS. Need to analyze the contents of your coffee, the output of your new grow lights, or a distant star on a budget? Just build your own spectrometer, or pick up the limited edition steampunk version."
Besides making cool hardware, they'd like to "build a Wikipedia-style library of open source spectra, and to refine and improve sample collection and analysis techniques. We imagine a kind of 'SHAZAM for materials' which can help to investigate chemical spills, diagnose crop diseases, identify contaminants in household products, and even analyze olive oil, coffee, and homebrew beer."


Global Warming! Global Warming! ...and would the capture of that much carbon cause global cooling?
Canada's far north could be forested by century's end
… "According to the data model, climate conditions on Bylot Island will be able to support the kinds of trees we find in the fossilized forest that currently exist there, such as willow, pine and spruce," says Alexandre Guertin-Pasquier of the University of Montreal.

(Related) Short answer: It sure doesn't look like it. Probably the reporter could find nothing informative to write about.
Does the expanding Antarctic sea ice disprove global warming?


Just another reason why I am FROM New Jersey...
Reader Presto Vivace blesses us with news that the state of New Jersey "has banned motorists from making big smiles [for their license pictures] because such expressions don't work with facial recognition software." Now that passports are by decree grim and glasses-free, I'm expecting the next phase to involve the banning of facial hair, lips, and any hair that blocks the ears.


Show your students (children, whatever) what cell phones looked like back in Ye Olde Days


Odd & Ends I find interesting...
Degreed, a startup that seeks to “jailbreak the degree” — that is, to help people get “credit” for all their learning, whether it happens at a 4 year college or not — opened its doors this week. It’s still in beta, and there are definitely kinks to work out. But the site lets you translate your degrees, transcripts, and badges into a score that recognizes what you know, not just what your diploma says.
The Saylor Foundation says that it plans to take advantage of the newly released Google Course Builder to create open enrollment online classes. The Saylor Foundation has created some 200 courses which it will now start offering via the new Google platform.
