There are many breaches with victim
counts in the 4, 5 or six digit range that I typically ignore, but
occasionally I like to make the point that they continue to occur for
exactly the same reasons. I think we need to change the laws so that
failure to take even the most basic security measures results in an
exponential increase in the fines.
By Dissent,
November 10, 2012
More than 100,000
patients who take drugs to prevent blood clots are at risk of
identity theft. An employee of Alere Home Monitoring, Inc.
had the patient data on a laptop that was stolen. The computer file
contained the names, Social Security numbers, addresses and diagnoses
of patients who take anticoagulant drugs such as warfarin or
Coumadin.
The company became
aware [Often code for “Someone told them” Bob] of the
data breach around Oct. 1, said Doug
Guarino, director of corporate relations for Alere, Inc.
Read more on news-press.com.
So far, I haven’t found any statement
on Alere’s web site nor any substitute notice in the media. With
my usual “let’s keep digging” attitude, though, I did find
where someone posted the contents
of the notification they had received. I do not know if this is
the complete letter, but here’s what I found:
Dear “Shezagirlie”,
We are writing to inform you of an incident that may have involved your personal information that occurred on September 23, 2012. A car belonging to an Alere Home Monitoring employee was burglarized. One of the items stolen from the car was the employee’s laptop. While the laptop was password protected, it did contain a file with your personal health information. Some of the information included in this file was your name, address, date of birth, Social Security number, and diagnosis.
[ … ]
We sincerely
regret that this occurred and want to assure you that we
have implemented steps to prevent it from happening again. [“We are
thinking about planning to consider a policy that might go so far as
to recommend closing the barn door” Bob] If you have
further questions or concerns about this incident, you can contact us
at 1-866-578-5412
Sincerely,
Sallie Kennedy
HIPAA Privacy Officer, Alere Home Monitoring
The recipient’s comment was spot on:
Yes, I definitely
will be calling them tomorrow since I canceled my Alere INR Medicare
scheme this past June. What was my information doing in a laptop?
Why wasn’t it purged? Why was the employee carrying around a
laptop with all that information on it? Geez…
To her questions, I would add:
1. Why weren’t the data encrypted?
2. Why was a laptop left in an unattended vehicle?
3. Was there a substitute media notice? If so, where was it published?
4. Why is there no prominently displayed notice on Alere’s home page?
5. Will HHS actually fine entities for leaving unencrypted data in cars?
Other people who
received the letter were confused because they had never done
business with Alere. A forum member responded:
This is how Alere
got hold of the records. Anyone who dealt with QAS,
Inverness Medical or Hemosense, your
records are with Alere.
I cannot confirm the accuracy of that
explanation, but Alere certainly should address it. We’ve seen
this kind of problem before. All too often, people
don’t know why or how an entity obtained their data.
Entities would be well advised to include some statement in their
notification letter if they had bought out another firm or entity,
etc. If they don’t, people may suspect the letter is just a ruse
to get their personal information and may ignore the advice to
protect themselves.
I’ve sent an email inquiry to Alere’s
corporate relations asking for a statement and some answers. I’ll
update this entry when I get a response.
(Related) More “Worst Practices”
Bob Ward & Sons notifies online customers of security breach
November 10, 2012 by admin
Montana-based Bob Ward & Sons
report that customers who ordered online between May 31 and August 3
had their names, addresses, and credit card information acquired by
unauthorized individuals who used at least some of the data for
fraudulent purposes.
In a letter
dated October 23 to the New Hampshire Attorney General’s Office,
Chad Ward writes that the firm was notified on April
30 by Discover [Don't they monitor access? Bob] that some
customers had experienced fraudulent charges after making purchases
on bobwards.com. A subsequent forensic investigation revealed that
back on June 6, 2011, the site had been
compromised, but it is not clear from their letter whether malware
had been inserted by an employee falling for a phishing attempt or
whether this was a hack, etc. June 2011 was a month notable for the
flood of hacking reports involving members of Anonymous-related
individuals and others.
Although the hackers were able to –
and reportedly did – access data from June 6, 2011 through August
3, 2012, the credit card information was securely
encrypted, it seems, until May 31, 2012. There’s no
explanation as to how the credit card data lost their secure
encryption on and after May 31.
The firm did not shut
down its e-commerce site on April 30, and didn’t shut it
down until August 3, when investigators were able to
confirm the breach. [Why would it take anyone 3 months to look in the
logs for an unauthorized user? Because they didn't keep logs until
the breach was reported? Bob]
The breach affected all credit card
transactions during the vulnerable time period, and included card
security codes as well as card numbers. Customers
were sent notification letters on October 24th. There
does not seem to be any notice about the breach on bobwards.com at
this time.
I'd like to see the arguments... I.e.:
High Court orders Quinns to reveal passwords to receiver
November 10, 2012 by Dissent
TJ McIntyre writes:
In an interesting
decision the High Court (Kelly J.) yesterday ordered
that members of the Quinn family must provide passwords to
personal email accounts and other information to the receiver
appointed over their assets by the Irish Bank Resolution Corporation.
While there’s no written judgment available, the order seems to
have been made in support of the power of the receiver to recover
personal assets following what the court described as a
“mesmerisingly complex” asset-stripping scheme in breach of court
orders.
This is
significant and may well be the first time an Irish
court has made an order requiring a party to civil litigation to
reveal their passwords to the other side
Read more on IT
Law in Ireland.
Perspective: While they play with what
we CAN do, I'm stuck in what we DO do...
U.S. city gets one of the world's fastest networks... for a week
Lucky Salt Lake. The annual conference
of Super Computing is bringing 800Gbps
of bandwidth with it to the mid-size Utah city.
… Using multiple 10 gigabit per
second (Gbps) and 100Gbps circuits, SCinet links the convention
center to other powerful networks around the world, including the
Department of Energy's ESnet, Internet2, and National LambdaRail.
Here's how that looks mathematically:
My connection: 1,100,000 bps
SCinet: 800,000,000,000 bps
That's 0.0001375% of Salt Lake's speed,
OR they are more than 72,000 times faster than my connection.
For my students who won't read (not
that I have high hopes they will adopt this Geek alternative
either...)
If you are a busy person and don’t
have the time to read all the online articles that are important for
you, check out SoundGecko. It is a text-to-audio transcribing
service that converts articles to MP3 audio format and lets you
listen to them while you are driving in your car, in subway or
walking home. Simply go to their website, enter the article’s link
and your email address into the field and click “Get MP3”. Once
the link is processed, you will get the MP3 version of the article in
your email.
Furthermore, the app has an extension
for Chrome. You simply press the SoundGecko button in your browser
(while on the page) and it does the conversion. If you’d prefer to
store the files in the cloud, the app integrates with Google Drive
and Dropbox and automatically syncs the copy of your converted audio
file to the cloud.
Similar tools: Announcify,
Zazu,
TweJay,
RoboVoice,
Text
To Voice, BlindSpeak,
DragonDictate,
Vozme, SpokenText,
Odiogo,
Text-to-Speech,
PedioPhon and
Spesoft
Text to Speech Software.
It's inevitable, but will it make me
rich?
"Online education has had a
fifty-year
road to 'overnight' success. MIT Technology Review calls the
emergence of free online education, particularly massive open online
courses (MOOCs), The
Most Important Education Technology in 200 Years. 'If you were
asked to name the most important innovation in transportation over
the last 200 years,' writes Antonio Regalado, 'you might say the
combustion engine, air travel, Henry Ford's Model-T production line,
or even the bicycle. The list goes on. Now answer this one: what's
been the single biggest innovation in education? Don't worry if you
come up blank. You're supposed to.' Writing about MOOC
Mania in the Communications of the ACM, Moshe Y. Vardi worries
that 'the enormous buzz about MOOCs is not due to the technology's
intrinsic educational value, but due to the
seductive possibilities of lower costs.' And in
MOOCs
Will Eat Academia, Vivek Haldar writes, 'MOOCs will almost
certainly hollow out the teaching component of universities as it
stands today... But all is not lost, because the other thing
universities do is research, and that is arguably as important, if
not more, than teaching.' So, are MOOCs the best thing since sliced
bread, or merely the
second coming of 1920s Postal Course Mania?"
Stuff for my students too
November 10, 2012
Speaker Presentations from Internet Librarian 2012
A range of presentations from the
conference, Transformational
Power of Internet Librarians: Promise & Prospect have been
posted by InfoToday. A sample of the program links follow:
- Über Analytics - Customizing Google Analytics to track multiple library platforms, M Ryan Hess, Web Services Coordinator, DePaul University
- Super Searcher Secrets, Mary Ellen Bates
- Competitive & Business Info in Social Tools, Scott Brown
- Free & Easy to Use Web 2.0 Resources, Cheryl Ann Peltier-Davis
- Starting a New Library in the Google Age, Ronald Snijder