UNCG malware infection may have exposed more than 2,500 patients
|
Date Reported:
8/9/10
Organization:
The University of North Carolina at Greensboro ("UNCG")
Contractor/Consultant/Branch:
Speech and Hearing Center
Psychology Clinic
Location:
Victims:
Patients
Number Affected:
"more than 2,500 individuals"
Types of Data:
"names, addresses, social security numbers, dates of birth, telephone numbers, insurance companies, insurance ID numbers, group numbers, diagnosis codes, procedure codes and charges"
Breach Description:
"GREENSBORO, N.C. (AP) — Officials at the University of North Carolina at Greensboro say computer security breaches at two clinics allowed unauthorized access to information on about 2,500 people."
Reference URL:
University of North Carolina at Greensboro News
Associated Press via MyFOX8.com
Report Credit:
The University of North Carolina at Greensboro
Response:
From the online sources cited above:
GREENSBORO, N.C. — Computer security breaches at two UNCG clinics allowed unauthorized access to information about more than 2,500 individuals.
The university has mailed letters to the last known addresses of those whose personal information was exposed and posted notices on the clinics’ websites.
The two computers infected with malware via the Internet were in the university’s Speech and Hearing Center and Psychology Clinic, which provide services to the public.
Although the problems were discovered days apart in June, they are believed to be unrelated.
Employees of the clinics and Information Technology Services have been working since then to determine what records were vulnerable and who might be affected.
It is not known how long the breaches lasted before detection.
[Evan] A more detailed and thorough forensic analysis may have provided this information. It's probably too late now.
Although it was determined that the malware would have allowed access to data on the computers, it is unknown whether any information was actually taken from the computers.
[Evan] A more detailed forensic analysis may have provided this information too.
“It is our responsibility to secure the information of individuals who come to us for health services, and that is a responsibility we take very seriously” said David H. Perrin, provost and executive vice chancellor. “We apologize to everyone whose records were vulnerable and ask them to closely monitor their credit for unauthorized activity. We fixed the security breaches as soon as they were detected, and we have taken steps to minimize the potential for future breaches.”
If you believe that your personal health information may have been exposed by the breach at the Speech and Hearing Center and you have questions or concerns, please call the center’s toll-free number, , between 8 a.m. and 5 p.m. Monday-Thursday or between 8 a.m. and 4:30 p.m. Friday.
For more information about the breach at the Psychology Clinic, call the clinic’s toll-free number, , between 9 a.m. and 4 p.m. weekdays, beginning Wednesday, Aug. 11.
Both the Speech and Hearing Center and the Psychology Clinic have taken steps to better protect personal health information and to prevent future breaches. They have:
- investigated to determine the extent of the breaches,
- strengthened technology safeguards and administrative policies to prevent future intrusions, and
- isolated computers containing personal health information from likely sources of malware, such as untrusted Internet sites
The bulk of the impacted records are in the Speech and Hearing Center, where a breach was found June 10 and corrected the same day.
[Evan] This is a little concerning. A detailed forensic analysis would most probably take more than a day to complete. It appears as though they identified the breach (infection), corrected it (cleaned it), then began an analysis of what may have happened. I could be wrong, but this is a typical (incorrect) response. Most organizations do not have trained forensic analysts on staff, nor do they know where to find one quickly. We suggest that you plan for a breach through the development and testing of an incident management program. An important part of incident management includes how you treat evidence (evidence collection, evidence protection, and evidence analysis). Another important part of an incident management program is establishing the appropriate resources necessary to respond to an incident, including in-house and external professionals. It may have been possible, through a detailed forensic analysis, to determine that unauthorized access to sensitive information was not gained, and thus no reason to alert authorities and victims. I don't know the details surrounding how this breach was responded to, so I am not criticizing this response per se.
The compromised computer was used for billing and contained records for about 2,300 people who have received services from the Center since 1997. Vulnerable data included names, addresses, social security numbers, dates of birth, telephone numbers, insurance companies, insurance ID numbers, group numbers, diagnosis codes, procedure codes and charges.
The problem at the Psychology Clinic, involving malware on a computer used to document incoming phone calls, was detected and fixed June 7.
The vulnerable computer contained a spreadsheet with names, dates of birth, telephone numbers, cities of residence, whether or not callers had insurance and dates of contact from about 240 callers between Sept. 20, 2006, and Sept. 22, 2009.
In some cases, the spreadsheet also contained reference to the caller or caller’s family member as “client,” symptoms reported by the caller, reference to an inquiry about testing or evaluation, and reference to “therapist/treatment/provider and/or services.” No social security numbers appeared on the spreadsheet.
The Psychology Clinic computer also held 18 phone intake/client data forms from March 2009 through June 2010.
The forms included names, ages, dates of birth, telephone numbers, addresses, insurance providers (if any), social security numbers and dates of contact.
In some cases, one or more of the following types of information also appeared on the form: therapist, case number, status of previous treatment, service requested and description of the problem.
The university encourages individuals whose information was exposed to review account statements and monitor credit reports for suspicious activity.
Commentary:
Overall, I am very impressed with UNCG's response to this breach. They have had practice though (see section below). I certainly get the feeling that they take information security seriously and that they genuinely want to do the right thing. We have witnessed numerous organizations that never even think of sensitive information compromise through malware, and respond to an infection with a simple clean, wipe, and/or re-install. The fact that this organization went the extra steps, shows a lot about how this organization is managed. Malware (virus, trojan, spyware, etc.) infections can and often do lead to unauthorized access to sensitive information, so be prepared to respond appropriately.
Past Breaches:
December, 2008 - Virus hits personal information at The University of North Carolina Greensboro
Posted by Evan Francen at 8/20/2010 9:50 AM 
Categories: University of North Carolina Greensboro, Malware
Categories: University of North Carolina Greensboro, Malware
Posts Atom 1.0
Comments