Many questions still remain in St. Mary's breach
Technorati Tag: Security Breach
Date Reported:
7/24/08

Updated on 9/9/08:
"Hospital officials say the credit reporting bureau Equifax sent initial notification letters to incorrect post office boxes." See the Update URLs in the Reference URL section below.
Organization:
Catholic Healthcare West
Contractor/Consultant/Branch:
Saint Mary's
Victims:
"patients and clients"
Number Affected:
~128,000
Types of Data:
"personal information such as names and addresses, limited health information and some Social Security numbers"
Breach Description:
"Saint Mary’s Regional Medical Center recently discovered that an intruder may have gained access to a proprietary database through the on-line registration area of Saint Mary’s public facing website. The database is used for health education classes and wellness programs and contains personal information including name, address, limited health information and some Social Security numbers."
Reference URL:
Saint Mary's News Release
Reno Gazette-Journal
Union-Tribune
Reno Gazette-Journal (2)
Update URLs:
Associated Press via KRNV Channel 4 News
Report Credit:
Saint Mary's Marketing Department
Response:
From the online sources cited above:
Saint Mary’s Regional Medical Center recently discovered that an intruder may have gained access to a proprietary database through the on-line registration area of Saint Mary’s public facing website.
[Evan] A database containing sensitive information that is accessible through a publicly available website can be a very risky proposition and is generally not recommended where it can be avoided. There are no technical details available publicly. My first guess would be SQL injection.
The potential breach was discovered on April 28.
[Evan] This doesn't support the "recently discovered" claim in the official news release, does it?
Saint Mary's officials said they immediately shut down the database and launched an investigation.
"What happened was that an unauthorized person may have accessed the database," Aldax said. (Gary Aldax, marketing manager for Saint Mary's)
[Evan] Either the unauthorized person did, or did not access the database. The lack of detective controls such as effective logging (basic information security) leaves an organization with no option but to claim "may have accessed".
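Evan's guess above is SQL injection, and his next point is that without logging the hospital cannot say whether the data was actually read. The following is an added example, not code from Saint Mary's or from any source cited on this page, and it is written with no knowledge of the real registration application. It shows a toy online-registration lookup written the injectable way beside a version that binds the parameter, keeps the Social Security number column out of the public-facing query, and records every lookup in an access log. The table layout, the sample rows, the payload and all names are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: a toy "wellness program
# registration" table of the kind the news release describes.
SAMPLE_ROWS = [
    ("reg-1001", "Alice Example", "123 Main St, Reno NV", "flu shot 2007", "111-11-1111"),
    ("reg-1002", "Bob Example", "456 Oak Ave, Sparks NV", "health fair 2006", None),
    ("reg-1003", "Carol Example", "789 Pine Rd, Reno NV", "CPR class 2008", "333-33-3333"),
]

# A textbook injection payload: closes the quoted id and appends a tautology.
PAYLOAD = "' OR '1'='1"


def build_db():
    """In-memory SQLite database with the registration table and an access log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrations (reg_id TEXT PRIMARY KEY, name TEXT, "
        "address TEXT, program TEXT, ssn TEXT)"
    )
    conn.execute(
        "CREATE TABLE access_log (ts TEXT DEFAULT CURRENT_TIMESTAMP, "
        "reg_id TEXT, rows_returned INTEGER)"
    )
    conn.executemany("INSERT INTO registrations VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, reg_id):
    """Lookup as it is too often written: the user-supplied registration id is
    pasted into the SQL text, so a crafted id rewrites the WHERE clause and
    the query hands back every row, SSN column included."""
    sql = (
        "SELECT reg_id, name, address, program, ssn FROM registrations "
        "WHERE reg_id = '%s'"
    ) % reg_id
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, reg_id):
    """Same lookup with three changes: the id is a bound parameter (data, never
    SQL text); the SSN column is not selected by the public-facing query at
    all; and every call writes an access_log row, so an investigation can count
    what was actually read instead of saying an intruder "may have accessed" it."""
    rows = conn.execute(
        "SELECT reg_id, name, address, program FROM registrations WHERE reg_id = ?",
        (reg_id,),
    ).fetchall()
    conn.execute(
        "INSERT INTO access_log (reg_id, rows_returned) VALUES (?, ?)",
        (reg_id, len(rows)),
    )
    conn.commit()
    return rows


def access_log_entries(conn):
    """What an investigator pulls afterwards: each lookup value and how many
    rows it returned, in the order the lookups happened. A payload string
    sitting in this column is itself evidence of an attempted attack."""
    return conn.execute(
        "SELECT reg_id, rows_returned FROM access_log ORDER BY rowid"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, payload:", lookup_vulnerable(db, PAYLOAD))   # every row, SSNs included
    print("hardened, payload:  ", lookup_hardened(db, PAYLOAD))     # no rows
    print("hardened, real id:  ", lookup_hardened(db, "reg-1001"))  # one row, no SSN
    print("access log:         ", access_log_entries(db))
```

The access log is the part that matters for the "may have accessed" problem: with it, the hospital could have reported how many records the intruder's requests returned and which ones, instead of notifying all 128,000 people and offering no answer.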
"We're currently working with Equifax, which is one of the three major credit agencies, to help handle this for us."
[Evan] What exactly does "handle this for us" mean? Does Equifax offer incident response services?! I don't think they do.
The delay in notifications occurred because the database had to be reconstructed, Aldax said.
[Evan] This is a helluva long time to reconstruct a database! April 28 - July 23 is almost 3 months. This would not be an acceptable incident response for any of the organizations that we support. Is this a result of having Equifax "handle this for us"?
The database is used for health education classes and wellness programs and contains personal information including name, address, limited health information and some Social Security numbers.
The database did not contain any hospital medical records or credit card numbers.
“We sincerely regret that this incident occurred and have put new security measures in place to minimize the likelihood of this occurring again,” said Mike Uboldi, Saint Mary’s president and CEO.
[Evan] I appreciate that the President and CEO made a statement regarding this breach, but I am not impressed with "new security measures" without any detail. After reading this same type of statement in hundreds of breach responses, I am not convinced that they are anything more than words.
“Our first concern is for the continued privacy and well-being of our patients and customers.”
[Evan] Wait a second, "continued privacy"?
Saint Mary’s has no evidence that any identity theft or fraud has occurred as a result of this incident, but is notifying in writing all persons whose information was included in the database.
Saint Mary's Regional Medical Center sent warning letters this month to about 128,000 patients and clients.
Free credit monitoring is being offered to those customers whose Social Security numbers were in the database.
[Evan] There is no information available that mentions how many people this may be.
More information is available on Saint Mary’s website at www.saintmarysreno.org, or by calling Saint Mary’s infoline at .
Eighty-year-old Wilma Sheldon of Reno thought the letter she received -- dated July 15 -- was a scam when she first read it. Sheldon said she became especially suspicious after she found out her daughter got a letter, too.
[Evan] I think there are a number of people who throw these letters away and/or question their authenticity.
The last time her daughter had anything to do with Saint Mary's occurred when she got her tonsils removed about 40 years ago, Sheldon said. The letter has Sheldon seething.
[Evan] Whoa! Does this mean that the information contained in the database could be 40 years old, or did St. Mary's obtain this information in some other manner?
"I threw (the letter) in the waste basket, but then I started to think about it," Sheldon said. "Now I'm just really mad. We're supposed to have this privacy act and all, and that sure sounds like a bunch of baloney now. I think it's awful."
The fallout continued Thursday from the announcement by Saint Mary's Regional Medical Center
Several recipients of the letters expressed concern about the nature of the database, including its size, about 128,000 records, and how their information was collected.
[Evan] These recipients have valid concerns in my opinion. Should they have the right to their answers? After all, they are the information owners.
Saint Mary's officials said they were trying to determine if everyone affected was informed and the records were compiled properly.
Bonnie Palka, 68, of Sparks, said she was baffled she was on the list. She said her only dealing with Saint Mary's involved treatment for a blood poisoning incident more than 30 years ago.
"I went to the emergency room," Palka said. "It certainly wasn't for a wellness program."
Bob Pyne, a 49-year-old Reno resident who also received a letter, said he has never been involved with any facet of Saint Mary's.
"How can they have my information when I've never dealt with them?" Pyne said. "The thing that concerns me is why they have my information, for what purpose and how did they get it?"
[Evan] These victim statements seem to indicate that St. Mary's collected this information from sources other than their hospital. The fact that the St. Mary's marketing department was responsible for the official news release and that Gary Aldax, a St. Mary's marketing manager, is a quoted spokesman leads me to speculate that this database could have been meant for marketing/sales/donation purposes under the guise of "education classes and wellness programs".
Others wondered how Saint Mary's managed to find them and whether the center keeps personal information for decades after treatment. Palka, who has moved at least five times, including once out-of-state, likened how she felt to being "stalked."
Saint Mary's officials said the database is "absolutely separate" from hospital medical records and that Palka was not added to the database as a result of an emergency room visit.
Information for people, such as Palka and Pyne, likely was added through community screenings or workplace flu shots, said Gary Aldax, marketing manager for Saint Mary's.
"They may have never even set foot in any of our facilities," Aldax said. "Many companies contract with us to do health fairs and flu shots. Say, you were at Scolari's during flu season to get a shot, you usually fill out a form and that gets added to the database."
Saint Mary's did not purchase marketing data to include in the database, Aldax said. The database is so big because it's more than a decade old and contains more than 10 years worth of records, he said.
[Evan] I wonder if Saint Mary's has a data retention policy. Mr. Aldax claims that Saint Mary's did not purchase marketing data to include in the database, but he did not deny (or confirm) that the purpose of the database was for marketing purposes.
Aldax said Saint Mary's does not track clients and patients for years.
[Evan] What? The database is self-admittedly 10 years old!
He said the medical center hired the Equifax company to investigate the breach, reconstruct the database, set up a dedicated hot line and compile addresses for the notification of customers.
[Evan] Equifax as incident responders and forensic experts? Huh.
That's why it took so long to notify clients after discovering the breach April 28, Aldax said.
Pyne said he was put on hold for 25 minutes when he called the Equifax hot line.
"I think the time it took them to notify people was not that untimely given they had to do their research and find out how many people were affected," Pyne said. "Overall, I think they have handled the incident OK so far.
"Of course, if it turns out they actually had my Social Security number in there, then we're now talking about a whole different thing."
Commentary:
There are many serious questions surrounding this breach. The only way for victims to get answers is to demand them and not let up. Most of my questions are presented above.
Past Breaches:
Unknown