Sunday, November 11, 2012

There are many breaches with victim counts in the four-, five- or six-digit range that I typically ignore, but occasionally I like to make the point that they continue to occur for exactly the same reasons. I think we need to change the laws so that failure to take even the most basic security measures results in an exponential increase in the fines.
By Dissent, November 10, 2012
More than 100,000 patients who take drugs to prevent blood clots are at risk of identity theft. An employee of Alere Home Monitoring, Inc. had the patient data on a laptop that was stolen. The computer file contained the names, Social Security numbers, addresses and diagnoses of patients who take anticoagulant drugs such as warfarin or Coumadin.
The company became aware [Often code for “Someone told them” Bob] of the data breach around Oct. 1, said Doug Guarino, director of corporate relations for Alere, Inc.
Read more on news-press.com.
So far, I haven’t found any statement on Alere’s web site nor any substitute notice in the media. With my usual “let’s keep digging” attitude, though, I did find where someone posted the contents of the notification they had received. I do not know if this is the complete letter, but here’s what I found:
Dear “Shezagirlie”,
We are writing to inform you of an incident that may have involved your personal information that occurred on September 23, 2012. A car belonging to an Alere Home Monitoring employee was burglarized. One of the items stolen from the car was the employee’s laptop. While the laptop was password protected, it did contain a file with your personal health information. Some of the information included in this file was your name, address, date of birth, Social Security number, and diagnosis.
[ … ]
We sincerely regret that this occurred and want to assure you that we have implemented steps to prevent it from happening again. [“We are thinking about planning to consider a policy that might go so far as to recommend closing the barn door” Bob] If you have further questions or concerns about this incident, you can contact us at 1-866-578-5412
Sincerely,
Sallie Kennedy
HIPAA Privacy Officer, Alere Home Monitoring
The recipient’s comment was spot on:
Yes, I definitely will be calling them tomorrow since I canceled my Alere INR Medicare scheme this past June. What was my information doing in a laptop? Why wasn’t it purged? Why was the employee carrying around a laptop with all that information on it? Geez…
To her questions, I would add:
1. Why weren’t the data encrypted?
2. Why was a laptop left in an unattended vehicle?
3. Was there a substitute media notice? If so, where was it published?
4. Why is there no prominently displayed notice on Alere’s home page?
5. Will HHS actually fine entities for leaving unencrypted data in cars?
Other people who received the letter were confused because they had never done business with Alere. A forum member responded:
This is how Alere got hold of the records. Anyone who dealt with QAS, Inverness Medical or Hemosense, your records are with Alere.
I cannot confirm the accuracy of that explanation, but Alere certainly should address it. We’ve seen this kind of problem before. All too often, people don’t know why or how an entity obtained their data. Entities would be well advised to include some statement in their notification letter if they had bought out another firm or entity, etc. If they don’t, people may suspect the letter is just a ruse to get their personal information and may ignore the advice to protect themselves.
I’ve sent an email inquiry to Alere’s corporate relations asking for a statement and some answers. I’ll update this entry when I get a response.

(Related) More “Worst Practices”
Bob Ward & Sons notifies online customers of security breach
November 10, 2012 by admin
Montana-based Bob Ward & Sons report that customers who ordered online between May 31 and August 3 had their names, addresses, and credit card information acquired by unauthorized individuals who used at least some of the data for fraudulent purposes.
In a letter dated October 23 to the New Hampshire Attorney General’s Office, Chad Ward writes that the firm was notified on April 30 by Discover [Don't they monitor access? Bob] that some customers had experienced fraudulent charges after making purchases on bobwards.com. A subsequent forensic investigation revealed that back on June 6, 2011, the site had been compromised, but it is not clear from their letter whether malware had been inserted by an employee falling for a phishing attempt or whether this was a hack, etc. June 2011 was a month notable for the flood of hacking reports involving members of Anonymous-related individuals and others.
Although the hackers were able to – and reportedly did – access data from June 6, 2011 through August 3, 2012, the credit card information was securely encrypted, it seems, until May 31, 2012. There’s no explanation as to how the credit card data lost their secure encryption on and after May 31.
The firm did not shut down its e-commerce site on April 30, and didn’t shut it down until August 3, when investigators were able to confirm the breach. [Why would it take anyone 3 months to look in the logs for an unauthorized user? Because they didn't keep logs until the breach was reported? Bob]
The breach affected all credit card transactions during the vulnerable time period, and included card security codes as well as card numbers. Customers were sent notification letters on October 24th. There does not seem to be any notice about the breach on bobwards.com at this time.


I'd like to see the arguments...
Ie: High Court orders Quinns to reveal passwords to receiver
November 10, 2012 by Dissent
TJ McIntyre writes:
In an interesting decision the High Court (Kelly J.) yesterday ordered that members of the Quinn family must provide passwords to personal email accounts and other information to the receiver appointed over their assets by the Irish Bank Resolution Corporation. While there’s no written judgment available, the order seems to have been made in support of the power of the receiver to recover personal assets following what the court described as a “mesmerisingly complex” asset-stripping scheme in breach of court orders.
This is significant and may well be the first time an Irish court has made an order requiring a party to civil litigation to reveal their passwords to the other side.
Read more on IT Law in Ireland.


Perspective: While they play with what we CAN do, I'm stuck in what we DO do...
U.S. city gets one of the world's fastest networks... for a week
Lucky Salt Lake. The annual Supercomputing conference is bringing 800Gbps of bandwidth with it to the mid-size Utah city.
… Using multiple 10 gigabit per second (Gbps) and 100Gbps circuits, SCinet links the convention center to other powerful networks around the world, including the Department of Energy's ESnet, Internet2, and National LambdaRail.
[I measured my connection at 1.1 Mbps on http://www.bandwidthplace.com/. Here's how that looks mathematically:
My connection: 1,100,000 bps
SCinet: 800,000,000,000 bps
That's 0.0001375% of Salt Lake's speed. Put the other way, they are more than 72,000 times faster than my connection. Bob]


For my students who won't read (not that I have high hopes they will adopt this Geek alternative either...)
If you are a busy person and don’t have the time to read all the online articles that are important to you, check out SoundGecko. It is a text-to-audio transcribing service that converts articles to MP3 audio format and lets you listen to them while you are driving in your car, riding the subway or walking home. Simply go to their website, enter the article’s link and your email address into the field and click “Get MP3”. Once the link is processed, you will get the MP3 version of the article in your email.
Furthermore, the app has an extension for Chrome. You simply press the SoundGecko button in your browser (while on the page) and it does the conversion. If you’d prefer to store the files in the cloud, the app integrates with Google Drive and Dropbox and automatically syncs the copy of your converted audio file to the cloud.


It's inevitable, but will it make me rich?
"Online education has had a fifty-year road to 'overnight' success. MIT Technology Review calls the emergence of free online education, particularly massive open online courses (MOOCs), The Most Important Education Technology in 200 Years. 'If you were asked to name the most important innovation in transportation over the last 200 years,' writes Antonio Regalado, 'you might say the combustion engine, air travel, Henry Ford's Model-T production line, or even the bicycle. The list goes on. Now answer this one: what's been the single biggest innovation in education? Don't worry if you come up blank. You're supposed to.' Writing about MOOC Mania in the Communications of the ACM, Moshe Y. Vardi worries that 'the enormous buzz about MOOCs is not due to the technology's intrinsic educational value, but due to the seductive possibilities of lower costs.' And in MOOCs Will Eat Academia, Vivek Haldar writes, 'MOOCs will almost certainly hollow out the teaching component of universities as it stands today... But all is not lost, because the other thing universities do is research, and that is arguably as important, if not more, than teaching.' So, are MOOCs the best thing since sliced bread, or merely the second coming of 1920s Postal Course Mania?"


Stuff for my students too
November 10, 2012
Speaker Presentations from Internet Librarian 2012
A range of presentations from the conference, Transformational Power of Internet Librarians: Promise & Prospect have been posted by InfoToday. A sample of the program links follow:
