Relatively small breaches, but it makes me wonder
if there is someone who does not like Ascension Health or if this is
part of a broader targeting of health providers because of the type
of information they store about their “customers”? (Perhaps
details of their medical insurance coverage?)
Is Ascension Health being targeted by
attackers successfully acquiring employee e-mail account logins via
phishing?
Zach Lozano reports that Seton
Family of Hospitals will provide free identity
monitoring and protection services for patients who had their
personal information leaked in a phishing attack targeting employee
emails:
Approximately 39,000 patients received letters about the breach in which hackers accessed protected patient information, including demographic information, medical record numbers, insurance information and Social Security numbers. Seton was notified of the breach on Feb. 26.
Well, that last statement is not quite accurate,
as I’ll explain below, but you can read the rest of his report on
KXAN.
In looking into this incident, I became suspicious
when I noted that Seton is part of Ascension
Health.
This past week, another Ascension member, St.
Vincent Medical Group in Indiana, also
reported a phishing attack but they learned of theirs on December
3, not in February. So I started digging more, wondering if
Ascension hospitals are being targeted just as we saw both Baylor
facilities and Franciscan
Health/Catholic Health Initiatives facilities being targeted by
phishing attacks. And sure enough, I found a notice on Seton’s
site that reports that they actually became aware of the phishing
attack on December 4 – the day after St. Vincent’s learned of
their breach. Seton’s notification is basically the same as St.
Vincent’s notification after adjusting for date of discovery
and number affected. Here’s the main part of Seton’s
notice:
The privacy and security of patient information is of utmost importance to Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”), and Seton has implemented significant security measures to protect such information. Regrettably, despite the efforts to safeguard patient information, an email phishing attack has affected Seton’s patients.
Seton experienced an email phishing attack on December 4, 2014, which targeted the user names and passwords of Seton employees. Upon the determination that an email account had been compromised, the user name and password was immediately shut down. Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected e-mails to determine the scope of the incident. Seton engaged computer forensics experts to assist with the investigation. Through the ongoing investigation of this matter, we determined on February 26, 2015, that the employee e-mail accounts subject to the phishing attempt contained some personal health information for approximately 39,000 patients.
The personal health information in the e-mail accounts included demographic information (i.e., name, address, gender, date of birth, etc.), medical record numbers, insurance information, limited clinical information and, in some cases, Social Security numbers. The hackers did not gain access to individual medical records or billing records.
[…]
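The notice above describes the scoping step that turned a single compromised mailbox into a count of 39,000 patients: reviewing every message in the affected accounts for protected health information and then tallying the distinct patients involved. The following script is an added illustration of that step and is not Seton's, Ascension's or their forensics vendor's tooling. It assumes the mailbox has already been exported into simple subject/body records (the `SAMPLE_MAILBOX` list is constructed for this example; every name, MRN and SSN in it is invented), and it deduplicates on medical record number so the result is a patient count rather than a message count. The never-issued SSN ranges are filtered out so phone-like digit strings do not inflate the tally.

```python
import re
from typing import Dict, List

# Constructed sample messages standing in for a compromised employee mailbox.
# All names, MRNs, SSNs and plan numbers below are made up for this example.
SAMPLE_MAILBOX: List[Dict[str, object]] = [
    {"id": 1, "subject": "Referral for J. Doe",
     "body": "Patient Jane Doe, DOB 04/12/1970, MRN 00123456. Insurance: Acme Health plan 5521."},
    {"id": 2, "subject": "Re: lunch",
     "body": "Are we still on for noon?"},
    {"id": 3, "subject": "Billing question",
     "body": "MRN 00123456 SSN 123-45-6789 needs a corrected claim."},
    {"id": 4, "subject": "New admit",
     "body": "John Roe MRN 00778899, DOB 1988-09-30."},
    {"id": 5, "subject": "Phone list",
     "body": "Ext 555-1234, fax 555-4321."},   # digits, but no patient identifiers
]

# Identifier patterns. MRN format varies by provider; a 6-10 digit number
# following the literal "MRN" is an assumption made for this example.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN\s*:?\s*(\d{6,10})\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*:?\s*(\d{1,4}[/-]\d{1,2}[/-]\d{1,4})",
                    re.IGNORECASE)
INSURANCE_RE = re.compile(r"\b(?:insurance|policy|member id|group number)\b", re.IGNORECASE)


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings from ranges the SSA has never issued
    (area 000, 666, 900-999; group 00; serial 0000)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def classify_message(msg: Dict[str, object]) -> Dict[str, object]:
    """Return the categories of PHI found in one message, keyed by category."""
    text = f"{msg['subject']}\n{msg['body']}"
    found: Dict[str, object] = {}
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]
    if ssns:
        found["ssn"] = ssns
    mrns = MRN_RE.findall(text)
    if mrns:
        found["mrn"] = mrns
    dobs = DOB_RE.findall(text)
    if dobs:
        found["dob"] = dobs
    if INSURANCE_RE.search(text):
        found["insurance"] = True
    return found


def scan_mailbox(messages: List[Dict[str, object]]) -> Dict[str, object]:
    """Scope a compromised mailbox: which messages held PHI, which held SSNs,
    and how many distinct patients (by MRN) were exposed."""
    report: Dict[str, object] = {
        "affected_messages": [],
        "messages_with_ssn": [],
        "unique_mrns": set(),
        "categories": {},
    }
    for msg in messages:
        found = classify_message(msg)
        if not found:
            continue                      # no PHI: not part of the breach scope
        report["affected_messages"].append(msg["id"])
        report["unique_mrns"].update(found.get("mrn", []))
        if "ssn" in found:
            report["messages_with_ssn"].append(msg["id"])
        report["categories"][msg["id"]] = sorted(found)
    return report


if __name__ == "__main__":
    result = scan_mailbox(SAMPLE_MAILBOX)
    print("messages containing PHI:", result["affected_messages"])
    print("messages containing SSNs:", result["messages_with_ssn"])
    print("distinct patients (by MRN):", len(result["unique_mrns"]))
```

Regex matching is only the first pass; the notice itself says Seton's review was "electronic and manual", and a real scoping effort has to handle attachments, scanned documents and free-text clinical notes that no pattern will catch. What the script does show is why the patient count differs from the message count, and why a mailbox that holds one SSN-bearing message can still put an individual into the "Social Security numbers, in some cases" category of the notification.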
I wonder whether we’ll learn that other
Ascension Health members have been similarly targeted. Ascension
Health describes itself as the largest non-profit health system in
the U.S., with 131 hospitals. As their site also indicates,
Ascension Information Services (“AIS”) was formed as a nonprofit
corporation in 2005, and AIS provides information technology
infrastructure and software application support services to all
member entities of Ascension. But
who trains those employees not to fall for phishing
attempts?
Wow! Five whole months!
Josh Dickey reports:
No one has been the victim of identity theft in the five months since the cyber attack on Sony Pictures Entertainment exposed reams of sensitive data, so a class-action lawsuit should be dismissed, the studio argues in court documents acquired Friday by Mashable.
Read more on Mashable.
No one has noticed for 25 years? I wonder if the
“new” password procedure came before or after the article on
their password? I'm guessing very soon after.
Earlier today, DataBreaches.net asked Verifone
for a comment or response to the report about an unnamed
firm using the same default password for 25 years, as it was
pretty easy to figure out from a Google search that the unnamed vendor
was them.
Gene Cyranski, Vice President of Zeno Group kindly
sent this statement in response:
The Verifone default password is Z66831 and is loaded on all Verifone devices in the field. The purpose of this default password is to simply initiate terminal installation, and it is not intended to serve as a strong security control. The default password made its way over the years into the public domain and can be found on the Internet, along with instructions on programming terminals. The important fact to point out is that even knowing this password, sensitive payment information or PII cannot be captured. To date, Verifone has not witnessed any attacks on the security of its terminals based on default passwords. What the password allows someone to do is to configure some settings on the terminal; all executables have to be file signed, and it is not possible to enter malware just by knowing passwords. While Verifone has not changed the passwords, clients/partners/merchants are always strongly advised to change the “default” password upon terminal installation and set-up. New Verifone products come with a “pre-expired” password, which will require merchants to change the password during installation and set-up.
Still very little on offensive thinking? I can
recommend plenty of offensive students.
Department of Defense Unveils New Cyber Strategy
The U.S. Department of Defense (DoD) on Thursday unveiled its latest
cyber strategy, described as a way to guide the development of DoD's
cyber forces and strengthen its cyber defense and cyber deterrence
posture.
… “There
may be times when the President or the Secretary of Defense may
determine that it would be appropriate for the U.S. military to
conduct cyber operations to disrupt an adversary’s military related
networks or infrastructure so that the U.S. military can protect U.S.
interests in an area of operations," the strategy says. "For
example, the United States military might use cyber operations to
terminate an ongoing conflict on U.S. terms, or to disrupt an
adversary’s military systems to prevent the use of force against
U.S. interests. United States Cyber Command (USCYBERCOM) may also be
directed to conduct cyber operations, in coordination with other U.S.
government agencies as appropriate, to deter or defeat strategic
threats in other domains."
"In
contrast, the 2011 DOD Strategy for Operating in Cyberspace made
little reference to the Pentagon’s operational or offensive cyber
capabilities, although U.S. officials have spoken about the issue,
and there are leaked classified documents that outlined U.S. policy
and planning for offensive cyber operations," noted
Denise E. Zheng, Deputy Director and Senior Fellow at the Center for
Strategic and International Studies.
… The full transcript of Carter's speech is available online.
As any good accountant would say, “What do you
want the cost to be?”
Robert Hackett reports:
A single stolen customer record costs probably somewhere between $0.58 and $201. What’s the best model?
A few weeks ago Fortune visited a law firm where one partner lamented the quality of cost estimates for big companies suffering data breaches—a vital consideration for businesses seeking to manage their risk and score reasonably priced insurance policies. (Who and where are unimportant for the purposes of the story.) Prompted by a recent analysis of 10-k filings which concluded that the impact of breaches to corporate bottom lines is trivial, the conversation stirred the lawyer’s excitement—and vexation. There are no good estimates, the lawyer rued.
Read more on Fortune.
How do you start your search? Do you Google
“gang” or do you Google “black kids”? Has anyone published
guidelines?
Rose Hackman reports:
Critics say the NYPD’s trawling of social media for gang activity – affecting children as young as 10 – is disproportionate and may amount to racial profiling.
Read more on Raw
Story.
When you have no control, everything becomes more
complicated.
Court reminds State to produce Clinton emails in ‘shortest’ time
possible
An appeals court gently warned the State
Department on Friday to release relevant public documents quickly
from among the large batch of emails Hillary Clinton turned over to
the agency from her private server.
The U.S. Appeals Court for the District of
Columbia ruled
the best way to handle a Freedom of Information Act case involving
the emails would be to send it back to the district court, which will
determine the “most efficient way to proceed under FOIA.”
… The agency is sorting through the emails for
potential redactions in a process it says could take months. [State
can't rely on the claim that there was “nothing classified”
discussed on any of the emails. Bob]
In the meantime, outside groups have argued their
previous Freedom of Information Act requests to the State Department
were incomplete because they lacked Clinton’s emails.
Something for my students?
5 GIF Search Engines & Tools You Haven’t Heard Of Yet
GIFs are the
language of the web, but some people are better at speaking it
than others. If you’ve got a friend who always amazes you with her
ability to find the perfect reaction
GIFs, you need to find better tools.
Today, Cool Websites and Apps points out five
websites for finding, and creating, GIFs – all of which we’ve yet
to mention as a site. We’ve shown you obvious things, like the
GIF search engine Giphy, but as GIFs (continue!) to grow in
popularity more sites pop up.
Even major media corporations are getting in on
it.
Eventually, I'd like my Data Management students
to understand this kind of analysis as well as purely internal number
crunching. (Also for my statistics students)
You may have doubts, as
some readers did, about whether Google searches are a reliable
way to predict that an NHL
expansion team would struggle in Las Vegas. But it’s actually
a pretty good way to forecast this kind of thing, and there’s
another way to prove it:
It turns out that there’s a strong relationship
between Google searches and an NHL team’s bottom line. How often
fans are Googling the term “NHL” in a metro area reliably
predicts how much they’re spending on hockey tickets.
In the chart
below, I’ve estimated how much fans spent on tickets at each NHL
arena during the past regular season. The process is simple: I just
took total
home attendance and multiplied it by the average ticket price.
Then I compared ticket spending against the estimated
number of NHL fans in each market based on Google search
traffic.
For my student twits?
How to Cite a Tweet in MLA, APA, and Chicago Style
As social media has evolved it has crept into
academic work. I've even given research assignments in which I've
asked my students to seek out and cite quotes from people on Twitter.
More and more I'm asked, "how do I cite a Tweet?" In fact,
I was asked this in an email last night. If you're citing for a blog
post, you can just embed
the Tweet. If you're citing for a more formal work you will want
to follow guidelines of MLA, APA, or Chicago Style.
Guidelines and examples for citing a Tweet in MLA
style can be found here.
Guidelines and examples for citing
Tweets in APA are available here.
If you need guidelines and examples of citing
a Tweet in Chicago Style, click here.
Those who use tools like EasyBib or RefMe should
note that the Tweet citations generated by those tools don't exactly
match the guidelines set by APA, MLA, or Chicago Style. I tried both
tools for citing Tweets and found that I had to slightly modify the
formatting produced by those tools.