Florida's Agency for Health Care Administration reports a breach
Technorati Tag: Security Breach
Date Reported:
7/7/08
Organization:
State of Florida
Contractor/Consultant/Branch:
Agency for Health Care Administration
Victims:
registered organ donors
Number Affected:
"about 55,000"
Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"
Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."
Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel
Report Credit:
Sarasota Herald-Tribune
Response:
From the online sources cited above:
TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.
The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.
"We stopped all access to the database, identified the flaws and corrected them."
[Evan] This breach makes me wonder a couple of things. Is information security testing part of the development lifecycle and change control? I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.
The database includes donors' names, addresses, birth dates and driver license numbers.
The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose? A Code flaw, an administrative/process flaw, a configuration flaw?
AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging? Logging of the systems, processes, and people accessing confidential information is a must. Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).
The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean? It could mean that a flaw was detected on June 20, but could have been in existence for longer. It could mean that a vulnerability was actually exploited on June 20. I guess it really depends on your definition. I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.
"If you have not received a letter our logs note that your information was not affected by this security flaw."
A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call . This number is open Monday through Friday from 8AM to 7PM Eastern.
Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".
Commentary:
Ugh! I am left with too many questions about this breach. On the surface, this breach doesn't look all that significant unless of course, you are a victim. When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA. With less detail, it is easier to imagine.
Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops
Date Reported:7/7/08
Organization:
State of Florida
Contractor/Consultant/Branch:
Agency for Health Care Administration
Victims:
registered organ donors
Number Affected:
"about 55,000"
Types of Data:
"names, addresses, birth dates, driver license numbers and Social Security numbers"
Breach Description:
"TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers."
Reference URL:
AHCA FAQs
Sarasota Herald-Tribune
WCTV CBS News
Orlando Sentinel
Report Credit:
Sarasota Herald-Tribune
Response:
From the online sources cited above:
TALLAHASSEE, Fla. - State health officials say a security breach in the Organ and Tissue Donor Registry may have exposed thousands of donors' personal information, including their social security numbers.
The Agency for Health Care Administrations said Monday it has corrected the flaw, which may have allowed unauthorized users to view the personal information of roughly 55,000 donors.
"We stopped all access to the database, identified the flaws and corrected them."
[Evan] This breach makes me wonder a couple of things. Is information security testing part of the development lifecycle and change control? I also wonder if AHCA uses a formal change control process with segregated development, test, and production environments.
The database includes donors' names, addresses, birth dates and driver license numbers.
The agency is sending letters to inform individuals of the flaw.
[Evan] What kind of flaw, do you suppose? A Code flaw, an administrative/process flaw, a configuration flaw?
AHCA Secretary Holly Benson said they have not received any indication that the information was accessed inappropriately.
[Evan] No logging? Logging of the systems, processes, and people accessing confidential information is a must. Extensive logging would be able to determine if the information "was accessed inappropriately" (assuming the logs weren't subject to unauthorized modification).
The breach happened on June 20 and was fixed a day later, but officials say they thought it best to make the public aware.
[Evan] What does the "breach happened on June 20" mean? It could mean that a flaw was detected on June 20, but could have been in existence for longer. It could mean that a vulnerability was actually exploited on June 20. I guess it really depends on your definition. I assume that the author means that something changed (code push, updated information, configuration, etc.) on June 20.
"If you have not received a letter our logs note that your information was not affected by this security flaw."
A couple of FAQs:
Q: If I have additional questions regarding this issue, what should I do?
A: You can call . This number is open Monday through Friday from 8AM to 7PM Eastern.
Q: If I am a registered donor and I receive a letter, does this mean that I am a victim of identity theft?
A: No. It is unlikely that someone has accessed your information or used it inappropriately. It does not mean that you are a victim of identity theft or that the information may be used to commit fraud. The Agency for Health Care Administration wanted to let you know about the incident so you are aware and may take steps as you see fit.
[Evan] Again, poor logging and other detective controls lead to statements such as "It is unlikely that someone accessed...".
Commentary:
Ugh! I am left with too many questions about this breach. On the surface, this breach doesn't look all that significant unless of course, you are a victim. When I read into it more, I realize that I have some serious concerns surrounding process, control, and detection mechanisms used at AHCA. With less detail, it is easier to imagine.
Past Breaches:
State of Florida:
January, 2008 - Five stolen Florida Department of Children and Families laptops
Posts Atom 1.0
Comments