Pathology Group of the Mid-South break-in, 75000 victims
Date Reported:
10/30/07
Organization:
Pathology Group of the Mid-South (PGM)
Contractor/Consultant/Branch:
None
Victims:
PGM clients
Number Affected:
75,000
Types of Data:
Name, address, Social Security number and other billing information.
Breach Description:
The billing office of the Pathology Group of the Mid-South on Knight Arnold was broken into on September 23rd, 2007 and four computers were stolen. One of the stolen computers contained sensitive billing information for 75,000 clients.
Reference URL:
WMC-TV Channel 5 Story
Memphis News Channel 3 Story (1)
Memphis News Channel 3 Story (2)
Report Credit:
Omari Fleming, Memphis News Channel 3
Response:
From the online articles cited above:
"There's a consumer alert about a major security breach at a local laboratory. One break-in into a billing office leaves more than 75,000 names, addresses and Social Security numbers in the hands of thieves."
"Pathology Group sent a letter out, notifying clients that someone broke into the locked office building on September 23 or 24th"
"In a three page letter from Pathology group of the Mid-South, it explains in detail the break-in that occurred at their billing office on Knight Arnold on September 23rd."
"According to the notice, several computers with flat screen monitors were stolen. One of those computers had patient information on about 75,000 people."
"Dr. Thomas Chesney is president of the pathology group. "We were victims of the burglaries as well as many of our clients." The company does lab work for medical facilities in the Tri-state area. He says though personal information was stolen, medical information wasn't. "Any information that we lost does not tell about people's diagnosis or about their personal health.""
Chesney adds, "We've added more sophisticated locks. We now have security people on site in the hours when we would be concerned about this."
[Comfyllama] Although more sophisticated locks and "security people" are helpful, what about encryption?!? If the computers had been encrypted, this would be a non-story other than the cost to replace the equipment.
Victim Reactions:
"One of those receiving a letter was Richard Hudelson. "If it gets out in the wrong hands it could destroy me," says Hudelson."
"Hudelson is upset it happened and worried what could happen next. "The company waited too long to get the information out," he added."
"Hudelson says it's too late. "If it gets out in the wrong hands I will file a lawsuit.""
"It's no one's business where I live, where I stay," "Nothing about me is anyone's business. It doesn't need to be out in the street." - Meredith Fentress
"Someone should be telling the public other than these people who are not doing everything they could do in my estimation." - Billy Wheeler
[Comfyllama] Absolutely! This is one of my primary motivators for The Breach Blog. People need to know the truth about breaches and how organizations have failed to protect very sensitive information.
"My biggest concern is the timeliness," says Wheeler.
"They could compromise her bank account, take out cards in her name. Breach of identity theft is a serious thing," said Wheeler.
Commentary:
This breach shows that physical security is often just as important as logical security. People who understand information security know that the discipline is holistic.
A failure of security in one area can lead to an easy defeat of otherwise effective controls in another.
If you have been a Breach Blog reader for some time, you may recognize that time and time again I preach the use of encryption for sensitive data. For less than the cost of more sophisticated locks and on-site after-hours security people, the Pathology Group could encrypt the hard drives and provide more information assurance to their clients.
Past Breaches:
Unknown
