One of my least favorite topics: theft of unencrypted laptops. Why can't managers understand that it is the electronic equivalent of carrying one, ten or 500 four-drawer file cabinets full of sensitive records? Would they care more if laptop threats got them fired?
By Dissent, September 21, 2012
HHS added 10 incidents to its breach tool in its most recent update. Somewhat depressingly, five of the incidents involved the theft of unencrypted laptops.
In terms of newly revealed details on known incidents, the University of Miami reported that it had notified 64,846 patients of the insider breach involving theft and possible sale of patient “face sheets.”
The Howard University Hospital breach of January 25th involving theft of a laptop was updated to reflect 66,601 patients notified. Initially, Howard University had reported 34,503 patients affected.
Here are some of the newly disclosed incidents that had not been previously mentioned on this blog:
Central States Southeast and Southwest Areas Health and Welfare Fund in Illinois notified 754 about an incident on July 31st involving “Unauthorized Access/Disclosure,Other” of paper records. There is no notice on their web site at this time and I can find no substitute notice or media coverage. They have not yet responded to a request for a statement explaining the breach.
Liberty Resources, Inc. in Pennsylvania notified 3,183 of a laptop theft on August 4th. I cannot find any statement on their web site and I can find no media coverage or substitute notice. They have not yet responded to a request for a statement explaining the breach.
Tricounty Behavioral Health Clinic in Acworth, Georgia notified 4,000 patients after a laptop was stolen on August 26th. They do not seem to have a web site, but I was able to locate a brief media report in the Rome News-Tribune under one of their doctor’s names:
An Acworth doctor had a laptop stolen from her office, according to a Cherokee County Sheriff’s Office report.

According to the report:

Someone broke into the office of Dr. Swarnalatha Inderjith, of 4661 Jefferson Township Lane, and stole a laptop that contained patient information on Aug. 27.

A 32-inch television was also stolen.

The doctor has set up a toll free number for patients or former patients to learn additional information. The number is 888-261-6360.
And yes, there seems to be a small discrepancy as to the date of the theft.
Charlotte Clark-Neitzel, MD of Olympia, Washington notified 942 patients following the July 24th theft of a laptop. I was able to locate a cached copy of the Sept. 11 substitute notice:
The home office of Charlotte B. Clark-Neitzel, M.D. was broken into on July 24, 2012. In addition to other personal items, the thieves stole both her medical bags and a laptop. The laptop contained access to Dr. Clark-Neitzel's electronic medical record (EMR) system [Are they suggesting an automatic signon? Bob] which was used daily to manage patient information. The Olympia Police Department was notified and is conducting their investigations. All affected patient notification letters were mailed on September 7, 2012. A thorough investigation shows that patient name, address, Social Security number, date of birth and medical information was included on the laptop. Patient billing and banking information was not stored on the laptop and therefore not breached. At this time there has been no indication of malicious use of patient information. Dr. Clark-Neitzel has hired ID Experts to aid in notification and provide services to affected patients. Patients with questions regarding this incident or to determine if they were affected can contact ID Experts at 1-800-809-2956. This public notice is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Dr. Clark-Neitzel has sent notification letters to the affected patients and the Department of Health and Human Services (HHS).
Lana Medical Care in Florida notified 500 patients after a laptop was stolen on August 18. I can find no web site for the practice, nor any substitute notices under that name or under the names of two physicians associated with the practice.
As additional info becomes available, I’ll update this post.
(Related) After all, failure to encrypt can cost you big time...

By Dissent, September 21, 2012
Kathy Roberton reports:

A hearing is scheduled in Sacramento on Sept. 27 on a class action against Sutter Health over last year’s theft of a personal computer that held data on 4.24 million patients.

Twelve lawsuits filed over the incident have been coordinated in Sacramento County Superior Court.

Read more on Sacramento Business Journal.
The Sutter Health breach, reportedly affecting 4.2 million after an unencrypted computer was stolen from their offices, was disclosed in November 2011. Within two weeks, at least two lawsuits had been filed. Sutter subsequently reported that 943,434 were affected.
So much for their “We want you to be secure” lip flapping... (“It's not a failure, it's a feature!”) That means my password “Icanneverremembermypassworddammit!” has to be changed?
"Microsoft doesn't like long passwords. In fact, the software giant not only won't let you use a really long one in Hotmail, but the company recently started prompting users to only enter the first 16 characters of their password. Let me rephrase that: if you have a password that has more than 16 characters, it will no longer work. Microsoft is making your life easier! You no longer have to input your whole password! Just put in the first 16 characters!"
At least they warn you; I've run into some sites over the years that silently drop characters after an arbitrary limit.
(Related) “We left all those decisions to our entry-level programmers...”
"'If you are one of the six million Virgin subscribers, you are at the whim of anyone who doesn't like you.' The Hacker News describes how the username and password system used by Virgin Mobile to let users access their account information is inherently weak and open to abuse."
Computerworld also describes the problem: essentially, hard-coded, brute-force guessable passwords, coupled with an inadequate mechanism for reacting to failed attempts to log on.
“Well, you started it with the attack on our nuclear facilities.”

“Did not!”

“Did too!”

At what point do we reach the electronic equivalent of war?
"Evidence suggests the Iranian government is behind cyberattacks this week that have targeted the websites of JPMorgan Chase and Bank of America. The attacks are described by one source, a former U.S. official, as being 'significant and ongoing,' and looking to cause 'functional and significant damage.' Another source suggested the attacks were in response to U.S. sanctions on Iranian banks."
“Contrary to what I say in public, this is my real agenda, don't tell anyone...”

Recording Romney, Part One

September 21, 2012 by Dissent
Earlier this week, I pointed to some coverage questioning the legality of recording presidential candidate Mitt Romney’s comments at a private fund-raising event. Now there’s a more in-depth legal analysis of the issue by Jeffrey P. Hermes of Citizen Media Law Project that is well worth reading:
As will be discussed below, there are a patchwork of laws on this topic, but the ultimate determination will largely turn on two issues: (1) whether there was consent to the recording that would protect the individual who made the video against liability; and (2) whether there was a reasonable expectation of privacy in Romney’s remarks. Part One of this post will discuss the laws that might apply, and the question of consent. Part Two, which will be posted tomorrow, will discuss whether Romney (or anyone else) had a reasonable expectation of privacy in the remarks, and certain other relevant legal issues (such as protection that Mother Jones enjoys in such situations under the First Amendment).

Read Part One on CMLP.
(Related)

Recording Romney, Part Two

September 21, 2012 by Dissent

The second part of Jeffrey P. Hermes’ analysis of the legality of recording Mitt Romney at a private fundraiser is now up on Citizen Media Law Project (Part One here).
What a great example of information being freely available on the Internet. Kudos to Jeff Hermes and CMLP for informing those of us who want to understand the nuances of laws involving recording as they apply in this case.
Interesting. Who (if anyone) inherits the rights to her Facebook account?

Facebook fights for deceased beauty queen’s privacy

September 21, 2012 by Dissent
Sometimes even when you’re right, you’re perceived as wrong. For those of us who criticize Facebook’s lack of sufficient regard for users’ privacy, here’s a case where, by attempting to protect user privacy, they will undoubtedly leave many understandably upset with them. Declan McCullagh reports:
Facebook has successfully fought a subpoena trying to seek access to the account of a beauty queen who died after falling from the 12th floor of her ex-lover’s apartment, CNET has learned.

A federal judge in California yesterday rejected an attempt from representatives of the estate of Sahar Daftary to gain access to her Facebook account.

Her mother is hoping to show a Manchester, U.K., coroner’s inquest that Daftary, a onetime Face of Asia beauty contest winner, did not commit suicide when falling from the apartment of property developer Rashid Jamil in 2008.

But U.S. Magistrate Judge Paul Grewal said that a federal law called the Stored Communications Act does not require Facebook to comply with such a subpoena in a civil case.

Read more about the case on CNET.
(Related) “We had to do it over there, we don't have as many lobbyists in Europe... Yet.”
"Facebook has disabled face recognition features on its site for all new European users. The move follows privacy recommendations made by the Irish Data Protection Commissioner. Tag Suggest information has been turned off for new users, and Facebook plans to delete the information for existing EU users by October 15th. 'The DPC says today’s report (PDF) is the result of evaluations it made through the first half of 2012 and on-site at Facebook’s HQ in Dublin over the course of two days in May and four in July. The DPC says FB has made just about all of the improvements it requested in five key areas: better transparency for the user in how their data is handled; user control over settings; more clarity on the retention periods for the deletion of personal data, and users getting more control over deleting things; an improvement in how users can access their personal data; and the ability of Facebook to be able to better track how they are complying with data protection requirements.'"
(Related) “We may not be able to use facial recognition...”

"Freedom to go under a pseudonym is, miraculously, one freedom to survive the security lock-down of the previous decade. Now Facebook wants to change this. James Firth shows Facebook is clamping down on pseudonyms, with an interesting screenshot of being asked whether a friend is using their real name."
(Related) Are some of these changes just cost savings to boost the stock price?

Facebook’s About-Face on Sharing Gives News Sites Whiplash

Facebook giveth and Facebook taketh away. App startups have known this for a long time; now The Washington Post and other news publishers are learning the same lesson as Facebook makes it harder for articles to go viral.

Facebook’s manager of media partnerships was quoted at a journalism conference saying the social network is moving away from so-called “passive sharing,” in which reader apps from the likes of the Post and The Wall Street Journal are able to broadcast activity without any prompting.
My Ethical Hackers would never do this (probably)

"At the EUSecWest security conference in Amsterdam, researchers showed how their 'UltraReset' Android app can read the data from a subway fare card, store that information, and reset the card to its original fare balance. The researchers said that the application takes advantage of a flaw found in particular NFC-based fare cards that are used in New Jersey and San Francisco, although systems in other cities, including Boston, Seattle, Salt Lake City, Chicago and Philadelphia, could also be vulnerable."
This is interesting. A library of free tools (some assembly required)

"The Public Laboratory for Open Technology and Science is putting together an open hardware spectrometer kit on Kickstarter. The kits are built using an HD webcam, discarded DVD, and a couple other odd bits. They've also put together a kit for your smart phone and open-source software for desktop, Android, and iOS. Need to analyze the contents of your coffee, the output of your new grow lights, or a distant star on a budget? Just build your own spectrometer, or pick up the limited edition steampunk version."

Besides making cool hardware, they'd like to "build a Wikipedia-style library of open source spectra, and to refine and improve sample collection and analysis techniques. We imagine a kind of 'SHAZAM for materials' which can help to investigate chemical spills, diagnose crop diseases, identify contaminants in household products, and even analyze olive oil, coffee, and homebrew beer."
Global Warming! Global Warming! ...and would the capture of that much carbon cause global cooling?

Canada's far north could be forested by century's end

… "According to the data model, climate conditions on Bylot Island will be able to support the kinds of trees we find in the fossilized forest that currently exist there, such as willow, pine and spruce," says Alexandre Guertin-Pasquier of the University of Montreal.
(Related) Short answer: It sure doesn't look like it. Probably the reporter could find nothing informative to write about.

Does the expanding Antarctic sea ice disprove global warming?
Just another reason why I am FROM New Jersey...

Reader Presto Vivace blesses us with news that the state of New Jersey "has banned motorists from making big smiles [for their license pictures] because such expressions don't work with facial recognition software." Now that passports are by decree grim and glasses-free, I'm expecting the next phase to involve the banning of facial hair, lips, and any hair that blocks the ears.
Show your students (children, whatever) what cell phones looked like back in Ye Olde Days

Odd & Ends I find interesting...
… Degreed, a startup that seeks to “jailbreak the degree” — that is, to help people get “credit” for all their learning, whether it happens at a 4 year college or not — opened its doors this week. It’s still in beta, and there are definitely kinks to work out. But the site lets you translate your degrees, transcripts, and badges into a score that recognizes what you know, not just what your diploma says.
… The Saylor Foundation says that it plans to take advantage of the newly released Google Course Builder to create open enrollment online classes. The Saylor Foundation has created some 200 courses which it will now start offering via the new Google platform.