The Breach Blog

Expectant and new mothers at risk after University of Kentucky laptop theft

2010-08-30T13:19:00Z

Date Reported:
8/19/10

Organization:
University of Kentucky

Contractor/Consultant/Branch:
UK HealthCare

Location:
Lexington, Kentucky

Victims:
"mothers in the Newborn Screening Program"

Number Affected:
2,027

Types of Data:
"patient names, medical record numbers as well as the date of birth, diagnosis, mother’s name, and in some instances, the social security numbers"

Breach Description:
"The University of Kentucky is notifying 2,027 people of a breach of protected health information. Between June 18 and June 21, 2010, a laptop computer containing information from the Newborn Screening Program was stolen from the Department of Pediatrics Newborn Screening Program."

Reference URL:
UK HealthCare
FOX41.com
HealthData Management
Lexington Herald-Leader

Report Credit:
University of Kentucky

Response:
From the online sources cited above:

The University of Kentucky is notifying 2,027 people of a breach of protected health information.

Between June 18 and June 21, 2010, a laptop computer containing information from the Newborn Screening Program was stolen from the Department of Pediatrics Newborn Screening Program.
[Evan] Does this mean that new mothers and newborns are affected by this breach?

The theft was reported to the UK Police Department which is handling the investigation.

We do not believe the laptop, which had been stored in a locked private office, was stolen for the information it contained or that any information has been released or used.
[Evan] I have a couple of issues with this statement. What good is a "locked" private office if it doesn't prevent or deter a theft? What other preventative physical measures were in place? My other issue deals with the motive for the theft. How does UK HealthCare come to believe that the laptop was stolen for the hardware and not the information it contained? What would be more valuable to a thief? I think that this is a dangerous assumption.

Access to the laptop was password-protected but the hard drive was not encrypted.
[Evan] How many times have I written this? A Windows XP Pro password is bypassed in less than 60 seconds, so what kind of protection is password-protection? Shame on UK HealthCare for not encrypting laptop hard drives.

Information on the laptop consists of patient names, medical record numbers as well as the date of birth, diagnosis, mother’s name, and in some instances, the social security numbers of some of the mothers in the Newborn Screening Program.

The University of Kentucky deeply regrets this incident and continues its commitment to safeguard the privacy of its patients.
[Evan] Why didn't this "commitment" take into account the very well known risks surrounding this breach? If you can't adequately account for the risks associated with collecting information, don't collect it! If you are in the health care field you really only have one option.

UK HealthCare has policies and procedures in place to protect patient information, and is currently undertaking additional steps to reinforce those measures.
[Evan] Policies and procedures are a good start, but they are worthless without supporting action.

No credit card, debit card or bank account numbers were in this information.
[Evan] I would rather lose credit card, debit card, and bank account numbers than I would the information contained on this laptop.

The parents or guardians of affected patients, who were notified by mail, are encouraged to take the following steps recommended by the Federal Trade Commission to prevent any possible misuse of personal information.

The University of Kentucky is following all of the requirements of the American Recovery and Reinvestment Act of 2009 and the Health Information Technology for Economic and Clinical Health Act by notifying patients of the breach, publicly disclosing the breach to the local media, and posting information about the breach on our website.

For additional information, call toll-free at 1-877-528-3970.

We can be reached via email at: privacy@uky.edu. Local residents may call 859-323-6044.

Commentary:
I think I have completely lost patience with organizations that permit sensitive data to be accessed from or stored on unprotected laptops and/or other mobile devices.

Past Breaches:
Unknown

Yale School of Medicine breach is under investigation by AG

2010-08-27T02:15:00Z

Share|

Date Reported:
8/18/10

Organization:
Yale University

Contractor/Consultant/Branch:
Yale School of Medicine

Location:
New Haven, Connecticut

Victims:
Patients

Number Affected:
"about 1,000"

Types of Data:
"health information"

Breach Description:
"The security of personal health information of up to 1,000 people could have been compromised when a laptop was stolen from Yale Medical School."

Reference URL:
NBC News
WJTV.com
Wall Street Journal

Report Credit:
NBC News

Response:
From the online sources cited above:

NEW HAVEN, Conn. (AP) The Yale School of Medicine says it has begun notifying about 1,000 people whose health information was contained on a stolen laptop computer.
[Evan] How many times have we read about breaches concerning lost/stolen laptops containing sensitive information? It's a broken record that just keeps going around and around.

Yale officials said there was no indication any information on the computer has been misused.

Yale and New Haven police are investigating.

The computer was stolen July 28 from the office of a data analyst at the School of Medicine.
[Evan] It is important to note that this laptop was stolen from the facility. What physical controls are used by the School of Medicine to prevent theft from the facility?

Yale officials said no Social Security, financial or insurance numbers were contained in the computer's files.
[Evan] I am more concerned with compromised health information than I am about other personally identifiable and/or financial information.

While access to the laptop was protected by a password, files were not encrypted.
[Evan] Password protection is not adequate protection. Windows XP Pro passwords are easily bypassed in less than 60 seconds. There is no excuse for not encrypting laptop hard drives that may access and/or store sensitive information.

Dr. Robert Alpern, dean of the School of Medicine, said Yale deeply regrets the incident and is moving quickly to introduce security upgrades.

Attorney General Richard Blumenthal said his office is investigating to determine what caused the security breach and whether state or federal laws have been violated.
[Evan] Blumenthal is in the midst of a hotly contested U.S. Senate race. He is running as a Democrat against Republican Linda McMahon. I don't know how it's relevant to this breach, but I just though you should know if you didn't.

“Yale Medical School is cooperating with my office -- recognizing that it has a profound responsibility to safeguard sensitive health information, and must be accountable to approximately 1,000 individuals whose information may be at risk,” Blumenthal said. “My office has begun an investigation to identify the cause of the breach and assure ongoing protections for patients.”

“This breach -- similar to recent breaches by others -- must be a reminder to guardians of sensitive health information about their significant legal and moral obligation to protect privacy.”
[Evan] This breach is absolutely similar to other breaches, so you think that you should know better by now.

Commentary:
What is there to say? This is another breach that should have been prevented. I don't have a good answer for why people/organizations allow people to use unencrypted laptops.

Past Breaches:
Yale University:
August, 2007 - Yale University Exposes 10,200 in Stolen Computers

Four Massachusetts hospital patients at risk after illegal dumping is discovered

2010-08-26T01:59:00Z

Share|

Date Reported:
8/13/10

Organization:
Milton Hospital
Caritas Christi Health Care
Milford Hospital
Holyoke Medical Center

Contractor/Consultant/Branch:
Goldthwait Associates

Location:
Georgetown, Massachusetts

Victims:
Patients

Number Affected:
"thousands", there are an estimated 8,000 - 12,000 patients from Milton Hospital; Holyoke puts the number between 16,000 and 24,000 patients.

Types of Data:
"individuals' full names, addresses, dates of birth, Social Security numbers, insurance information including policy numbers, patient identification numbers, as well as protected health information including diagnoses relating to pathology tests"

Breach Description:
A Boston Globe photographer discovered thousands of billing records from four area hospitals at an transfer station (dump) in Georgetown, Massachusetts. The confidential records were allegedly discarded (unsecurely) by the hospitals' common billing services provider, Goldthwaite Associates.

Reference URL:
The Patriot Ledger
The Boston Globe
Milton Hospital
Caritas Christi Health Care

Report Credit:
Liz Kowalczyk, The Boston Globe

Response:
From the online sources cited above:

Four Massachusetts community hospitals are investigating how thousands of patient health records, some containing Social Security numbers and sensitive medical diagnoses, ended up in a pile at a public dump.

The unshredded records included pathology reports with patients’ names, addresses, and results of breast, bone, and skin cancer tests, as well as the results of lab work following miscarriages.
[Evan] Holy cow. This is some very sensitive and potentially damaging personal information. Social Security numbers, insurance policy numbers, and patient identification numbers were also involved.

By law, medical records and documents containing personal identifying information must be disposed of in a way that protects privacy, and leaving them at a dump is probably illegal, privacy lawyers and hospital officials said.
[Evan] This most definitely is illegal. The acts that led to this breach are not compliant with Massachusetts 201 CMR 17.00 and HIPAA/HITECH. There is really no question about it.

Violators face steep fines.

A Globe photographer discovered the records July 26 when he was dumping his trash at the Georgetown Transfer Station.

When he got out of his car, he said, he saw a huge pile of paper about 20 feet wide by 20 feet long. Upset that the paper wasn’t being recycled, he looked more closely.

The photographer said he saw health and insurance records from at least four hospitals and their pathology groups — Milford, Holyoke, Carney, and Milton — mostly dated 2009.
[Evan] In actuality, breaches like this are very common. The practices surrounding confidential hard copy (paper) destruction are not closely scrutinized. Detailed auditing for compliance can be very challenging, especially when it comes to third-party vendors. Most auditors simply ask about the data destruction practices, and leave it at that. We have started to see companies securely shred all documents, not just those containing sensitive information. They are moving this way in an effort to account for all sensitive documents.

The Globe notified the hospitals.

It is unclear how many other hospitals’ records might have been discarded in the dump.

Hospital executives and pathologists said they are distraught about the violation of patient privacy and, as required by law, are developing plans to notify the thousands of patients whose records may have been left at the dump.
[Evan] This is not going to be cheap.

The hospitals said they also plan to formally notify the Massachusetts attorney general’s office; preliminary information has already been passed along.

Based on that, the attorney general’s office said in a statement it is reviewing “whether there has been a data breach.’’
[Evan] Uh, I think we are pretty safe to assume that this was/is a data breach.

Executives at two hospitals said the former owner of a medical billing company used by pathologists told them he had the records dumped in Georgetown.

“I was absolutely shocked,’’ said Dr. Kevin Dole, a pathologist at Caritas Carney Hospital. “We are trying to figure out the extent of the problem. We’re very concerned here about protecting patient data.’’

In this case, the hospitals transferred patient information to the pathologists they contract with, who in turn provided some of it to a Massachusetts company, Goldthwait Associates, that does their billing.

“This is a perfect example of how complicated the security of confidential information is,’’ said Clark Fenn, vice president for quality improvement, risk management, and corporate compliance at Holyoke Medical Center. “There are many hands that touch things. All it takes is one slip in that process for information to be released.’
[Evan] Information security is not "complicated". Unfortunately, there are too many poor information security practitioners who have given our profession a bad reputation. Too many poor practitioners have made information security appear to be complicated. Good information security programs are thorough, but uncomplicated. Don't confuse thorough with complicated. People will not follow complicated security requirements, and thus, you will have no compliance.

Goldthwait was purchased around June 1.

The new owner’s lawyer, Anthony Turco, said the new owner took records only from 2010, and any older records would have been disposed of by the former owner, Joseph Gagnon.
[Evan] Ouch! Called out by name.

Contacted at his home in Marblehead, Gagnon said, “I really can’t comment on that because it might become a legal matter.’’

David Szabo, a partner at the Boston law firm Edwards Angell Palmer & Dodge who specializes in health care and privacy law, said state law requires records containing personal identifying information, such as names and Social Security numbers, to be disposed of so it is unreadable.

Federal law governing health records has similar requirements. Shredding and incineration are considered the standard methods that meet the law, he said.

Goldthwait employees come to hospital pathology labs and print out the information they need to bill insurers — or the pathologists mail the information to the company.

Dole, the Carney pathologist, said he required Gagnon to sign an amendment to their contract in 2003 stating that he would dispose of the paper in a way that complied with newly passed federal legislation designed to protect patients’ health information — though the amendment did not specify exactly how Gagnon would do that.
[Evan] Including this language in contracts is a great practice, but compliance should be measured on a regular basis. We suggest that most contracts contain right to audit language which allows the customer company to inquire about information security compliance. Don't expect a contract by itself to ensure information security compliance.

At Holyoke Medical Center, pathologist Dr. John Blanchette said he does not know what the group’s contract with Goldthwait said about disposal, but “we had an understanding that they know how to dispose of medical records.
[Evan] Compliance requires more active engagement than a simple "understanding".

We’ve done business with this company for 22 years and we’re pretty upset about this. Everything as far as we knew was fine.’’
[Evan] Operating under blind assumptions that a vendor is doing what they said they would do can be dangerous. It really doesn't work. Organizations who employ third-parties must actively assess the risks involved in doing business with their third-party providers.

Hospital officials said they are struggling with the legal issues surrounding the dumping.

They believe the records dumped went back two or three years.

They have to search for every patient who had pathology testing during that period and determine which patients need to be notified.

Jason Bouffard, Milton Hospital spokesman, estimates that number between 8,000 and 12,000 patients; Holyoke puts the number between 16,000 and 24,000 patients.

Then officials have to determine who is legally responsible for notifying patients — the hospitals, the doctors, or Goldthwait.
[Evan] This is pretty easy. Unless the contract specifically states otherwise, the hospitals are responsible for notification. We need to understand roles and responsibilities. The owners of the information are the victims. The custodians of the information are the hospitals. A case could be made that the Goldthwaite Associates assumed custodianship, but in my mind this is discounted because it was not clear to the data owner.

Milton and Holyoke said they will take responsibility for notifying patients, while Carney said it will do so if need be. Milford has just started its investigation.

Commentary:
Poor data destruction practices on the part of a third-party provider leads to a breach. From the hospital's perspective, what could have been done to prevent this? Active audits of the information security practices used by the provider? Active enforcement of hospital information security requirements? A combination of the two? I have my ideas as I always do. ;) What are yours?

Past Breaches:
Unknown

Laptop stolen from the University of Connecticut affects 10,174 applicants

2010-08-25T00:07:00Z

Share|

Date Reported:
8/19/10

Organization:
University of Connecticut

Contractor/Consultant/Branch:
None

Location:
West Hartford, Connecticut

Victims:
School applicants

Number Affected:
10.174

Types of Data:
"undergraduate admissions data, including applicants' contact information, Social Security numbers and other data"

Breach Description:
"WEST HARTFORD, Conn., Aug. 19 (UPI) -- A laptop computer stolen from a Connecticut university contained names and sensitive information on 10,174 school applicants, school officials said."

Reference URL:
United Press International
Associated Press via the Hartford Business Journal Online
Associated Press via Norwich Bulletin

Report Credit:
Associated Press

Response:
From the online sources cited above:

WEST HARTFORD, Conn., Aug. 19 (UPI) -- A laptop computer stolen from a Connecticut university contained names and sensitive information on 10,174 school applicants, school officials said.
[Evan] There is no mention of encryption in the news reports that I read, so I am going to assume that this laptop was not protected by encryption. It makes no security sense to store this sensitive information on a mobile device without encryption. It makes little security sense to store this information on a mobile device with encryption!

The computer stolen from the University of Connecticut's West Hartford campus contained undergraduate admissions data, including applicants' contact information, Social Security numbers and other data from 2004 through July 30, 2010
[Evan] In case you're paying attention, that six years worth of data; on a laptop.

The computer, stored in a cabinet in the information technology department, was noticed missing Aug. 3.
[Evan] There is no information about what physical security controls were in place to prevent and/or detect this breach, but there are obviously some significant vulnerabilities.

Officials said no one has tried to to break into university resources through the computer, and they don't think it was meant as identity theft.
[Evan] Nobody has used the laptop to access other university resources. This statement does not address the "university resources" on the laptop.

"The university is contacting, in writing, everyone whose name was on the computer, and is offering those individuals credit monitoring coverage for a period of two years at the university's expense," the school said.

Jason Pufahl, the school's interim chief information security officer, said campus officials "deeply regret" what happened.

"The university takes security of personal data seriously and is continuing its investigation to determine whether any university policies were not followed," Pufahl said. "The university will take corrective steps and, if warranted, disciplinary action."

University police were investigating the theft, the newspaper said.

University police were investigating the theft, the newspaper said.

"My office is investigating to determine the cause of this security breach - putting more than 10,000 applicants at risk for identity theft," Richard Blumenthal said.

Commentary:
This is a story of another poorly secured lost/stolen laptop containing sensitive information. How are these breaches still allowed to happen?

Past Breaches:
Unknown

Laptop stolen from Oregon doctor's car affects 4,000 patients

2010-08-24T01:49:00Z

Share|

Date Reported:
8/11/10

Organization:
Dr. David Gostnell*

*This page is Dr. Gostnell's staff page at OHSU. OHSU is not involved in this breach.

Contractor/Consultant/Branch:
None

Location:
Portland, Oregon

Victims:
Patients

Number Affected:
4,000

Types of Data:
"full names, diagnoses and Social Security numbers"

Breach Description:
"PORTLAND, Ore. -- A Portland psychologist is alerting 4,000 patients after his laptop, which contained personal health information, was stolen from his car last month."

Reference URL:
FOX 12 Oregon
Examiner.com
The Oregonian

Report Credit:
FOX 12 Oregon, KPTV

Response:
From the online sources cited above:

PORTLAND, Ore. -- A Portland psychologist is alerting 4,000 patients after his laptop, which contained personal health information, was stolen from his car last month.
[Evan] We've never heard of a laptop being stolen from a car before, have we? Of course we have! It is dangerous to leave your laptop in your car.

Dr. David Gostnell said his computer and briefcase were taken July 7.

The laptop contained evaluations which listed patients' full names, Social Security numbers and diagnoses, he said.
[Evan] This type of information should never be stored on a laptop computer, or any other mobile device.

The briefcase, which contained individual evaluation records, was found in a nearby garbage bin.

The theft was reported to Portland police the next day.

Although the laptop was password protected, there was a disc in the CD drive that contained a partial backup of the hard drive, Gostnell said.
[Evan] Puhleez! Operating system password protection is NOT adequate protection. The password can be bypassed in less than 60 seconds. To even mention it seems misleading. The fact that a backup CD was left in the drive is only icing on the cake. Not much of a backup if you keep the disc in the drive and the laptop is stolen. Now we have two copies of the confidential data to be concerned about.

The breach doesn't involve any individuals evaluated by Gostnell at Oregon Health and Science University Hospital, he said.

Gostnell said he has no reason to believe the laptop or briefcase was stolen for reason of identity theft or that any personal information has been released or used.
[Evan] It may not have been. When the thief realizes what he/she has, the original motivation doesn't mean so much. The fact of the matter is that multiple poor information security practices have led to a significantly increased likelihood of unauthorized disclosure and misuse. Off the top of my head, I can't think of a better way to expose the information.

Patients at Gostnell’s OHSU practice were not affected. Patients at his Northeast Portland practice, however, should call 1-877-461-7657.

Oregon's Board of Psychologist Examiners lists David R. Gostnell, Ph.D., License #600, as active and not under discipline or supervision.
[Evan] This and the next snippet were published on Examiner.com

His address is 1923 NE Broadway, Portland, Oregon, and his phone number is 503-281-6615.

Commentary:
Breaches like this really get under my skin. It's negligence.

Past Breaches:
Unknown

126,000 people affiliated with six Florida schools involved in CCLA breach

2010-08-22T13:25:00Z

Share|

Date Reported:
8/10/10

Organization:
Broward College
Florida State College at Jacksonville
Northwest Florida State College
Pensacola State College
South Florida Community College
Tallahassee Community College

Contractor/Consultant/Branch:
College Center for Library Automation ("CCLA")*

*Established in 1989, CCLA operates Florida's Library Information Network for Cooperative Content (LINCC) and associated web-based information portal, LINCCWeb. CCLA is a cooperative effort between the Florida Department of Education's Division of Florida Colleges and the College Council of Presidents.

Location:
Online

Victims:
"students, faculty, and staff of six Florida public colleges"

Number Affected:
"As many as 126,000"

Types of Data:
"personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes"*

*CCLA has not defined what personal information was exposed. Section 817.5681(5)(a)-(c), Florida Statutes, states:
For purposes of this section, the term "personal information" means an individual's first name, first initial and last name, or any middle name and last name, in combination with any one or more of the following data elements when the data elements are not encrypted: (a) Social security number; (b) Driver's license number or Florida Identification Card number; (c) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Breach Description:
"On August 10, 2010, CCLA notified students, faculty, and staff of six Florida public colleges that some of their personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, was temporarily open to online access for a five-day period between May 29 and June 2, 2010." The information was inadvertently made available during the installation of a software upgrade

Reference URL:
CCLA "Information About Security Incident"
CCLA Media Release
CCLA Notification e-mail to affected individuals
The Miami Herald
eSecurity Planet

Report Credit:
CCLA

Response:
From the online sources cited above:

August 10, 2010 - Tallahassee, FL
The College Center for Library Automation (CCLA), which provides automated library services and electronic resources to Florida's public colleges, today began informing students, faculty, and staff of six colleges that some of their personal information was inadvertently open to online access between May 29 and June 2, 2010.
[Evan] The breach announcement from CCLA is not specific about what information was exposed, but there have been reports that mention Social Security numbers. If this is true, why does an organization that provides "automated library services and electronic resources" need this type of information?

Importantly, while there is evidence of either viewing by unauthorized persons or search engine posting of some of the personal information, CCLA has found no indication that the data has actually been obtained or misused.
[Evan] Due to the nature of the Internet and HTTP/FTP traffic, if the information was viewed by unauthorized persons, it was actually obtained by unauthorized persons.

The temporarily exposed personal information, as defined by Section 817.5681(5)(a)-(c), Florida Statutes, belongs to perhaps as many as 126,000 individuals at six colleges.

CCLA is notifying the potentially affected individuals in writing, recommending that they place a fraud alert on their credit files to minimize the risk of identity theft, and providing instructions on placing the alert.

CCLA's instructions also include information on reporting any suspected fraudulent activity.

The institutions affected are Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.

The records of these institutions were contained in temporary work files that were being processed by CCLA at the time of the exposure.

"We pride ourselves on protecting private information and deeply regret this inadvertent exposure. I apologize to those involved for any worry or inconvenience this may cause them," said CCLA's Chief Executive Office Richard Madaus.
[Evan] I found the use of the word "pride" interesting. How many times do we see pride lead to a false sense of security?

"As evidenced by our quick response to this incident, CCLA takes the security of personal data very seriously. We will continue to enhance our technology to safeguard all of the information entrusted to us."

CCLA has determined that the installation of a software upgrade left the personal data unintentionally accessible for five days.
[Evan] I can't speak specifically to CCLA's change management procedures, but I do know that good change management procedures should prevent (or at least reduce the likelihood) things like this from happening. Formal change management procedures should account for all resources necessary to complete the change, review by information security personnel, change plans, test plans, etc.

CCLA first learned of the error on June 23, 2010, notified leaders of the colleges affected, initiated a security investigation, and began working with the Leon County Sheriff's Office Financial Crimes Unit.

Investigators discovered that some personal information has been accessed by unauthorized persons and that some was available through Google until the search engine was notified.

All online access to the sensitive information was removed within 18 hours or less of discovery, and no further access is possible.

For more information about this issue, please visit CCLA's Security page at www.cclaflorida.org/security or call (877) 506-2210.

Selected FAQs:
Who has been potentially affected by this incident?
Students, faculty, and staff members at the following Florida colleges: Broward College, Florida State College at Jacksonville, Northwest Florida State College, Pensacola State College, South Florida Community College, and Tallahassee Community College.

Why were these colleges affected?
All libraries maintain records for each user (borrower records), which include personal information. Because CCLA provides library management services to Florida's public colleges, the borrower records for college students, faculty, and staff reside in CCLA's system. These colleges were affected because their borrower records were contained in temporary work files that were being processed by CCLA at the time of exposure.
[Evan] I can understand the need for libraries to maintain certain personal information about patrons, but I question what types of personal information may be required. I am also very concerned with how this information finds itself exposed to the internet. Ideally, confidential information will be stored in a centralized location with very restrictive access controls.

How and when was this issue discovered?
CCLA staff was alerted to this issue on June 23, 2010, when a Florida College System institution advised CCLA that a student reported finding their own personal information embedded in a set of Google search results.
[Evan] Embarrassing.

What actions has CCLA taken to ensure that this kind of incident will not reoccur in the future?
After determining the cause of this issue, CCLA staff immediately took additional steps to ensure the security of all personal data. CCLA staff worked with representatives from Google to ensure that all borrower information was completely removed and that Google no longer had access to any of CCLA's secure servers. All sensitive information was purged from Google by June 24, 2010. CCLA has made every effort to ensure that internally used sites are not accessible by anyone outside of its internal network.
[Evan] This doesn't answer the question! What will CCLA change or improve in order to ensure that this type of incident will not (or be much less likely to) occur again?

Does CCLA have any specific information about who may have accessed the information?
Unfortunately, CCLA is unable to identify the individuals who may have accessed the data or to determine what they may have done with any data that they accessed. There was insufficient evidence to make any determination.

How can I contact CCLA regarding this issue?
Contact CCLA by e-mail at ciso@cclaflorida.org or by telephone at (877) 506-2210.

Commentary:
This breach didn't result from any criminal action or intent, it was a simple mistake that occurred while conducting routine tasks. Perhaps a thorough change management process would reduce the likelihood of this happening again.

Past Breaches:
Unknown for the seven (7) entities involved

Discarded insurance documents return to haunt three years later

2010-08-20T17:31:00Z

Share|

Date Reported:
8/16/10

Organization:
American Fidelity Assurance Company

Contractor/Consultant/Branch:
None

Location:
Oklahoma City, Oklahoma

Victims:
Customers

Number Affected:
"hundreds"

Types of Data:
Personal information typically found on "insurance and related employee forms". Names, addresses, Social Security numbers, etc.

Breach Description:
An Edmond, Oklahoma couple found hundreds of confidential documents inside storage containers located on a curb during trash day. The couple stored the documents for three years, and only recently reported their finding. The documents include hundreds of insurance-related forms, allegedly from American Fidelity Assurance Company.

Reference URL:
KWTV News9.com
Official statement from American Fidelity Assurance Company

Report Credit:
Ed Murray, News 9

Response:
From the online source cited above:

OKLAHOMA CITY -- When you work for a company that provides health insurance and you fill out all that personal paperwork, you think that information will stay private.
[Evan] Yes, you would like to think this.

But that's not always the case.
[Evan] Not even close.

An Edmond couple said they found hundreds of personal employee documents that were supposed to be in the care of American Fidelity Assurance.

NEWS 9 is one of the many Oklahoma companies whose employee records are involved.

The people who found these documents asked their identity be protected in this story.

"I had two to three drawers full of this information," an Edmond woman said.

The woman said she and her husband found the documents inside storage containers on a curb they salvaged on a trash day in an Edmond neighborhood.
[Evan] Identities treated like trash, or at least the information tied to identities.

"Really, frankly, made us kind of mad because people, their lives are in this," she said.

The couple said they found more than 50 folders full of insurance and related employee forms for companies across Oklahoma.

"I have a lot of your staff members Social Security numbers, their dependents, all their information, when they get paid...all of that is in here," the woman said.

The folders came from American Fidelity Assurance, which is headquartered in Oklahoma City and is one of the largest private, family owned life and health insurance companies in the United States.

"We took the folders and put them away in the filing cabinets in our storage room because we didn't know what to do with them because we didn't want to throw them out either," she said.
[Evan] Not a good idea. If you take possession of sensitive information, you become involved as a custodian of the information. There could be some liability on the part of this couple if they had lost the information.

Three years later the couple discovered the documents again while emptying that storage room for a garage sale.
[Evan] So these people had the information for three years!? And they didn't tell anyone about it until now? What were these people thinking?

"And it just made me mad all over again," she said.

The woman called NEWS 9 and we called American Fidelity.

Two days later, NEWS 9 gave all of the documents to an AFA representative.

Company officials don't want to go on camera at this point, but did give a statement:
"Though it appears these documents have been safely secured since they were obtained a few years ago, they should have never left our possession. There is no evidence at this time that the information has been misused, and we believe the likelihood of misuse is low...We are in the process of notifying those customers involved. We regret this happened and apologize."
[Evan] How does the company explain a breach like this that happened three years ago?

NEWS 9 contacted the State Insurance Commissioner's office. A spokesman said there is no state law that spells out exactly how records must be stored or destroyed, but there are penalties for handling them with negligence.

The commissioner's office will be contacting parties involved in this situation which could lead to a full investigation.
[Evan] Nobody wants a full investigation from the commissioner's office, do they?

Commentary:
A breach like this drives home one of our guiding principles; "Information security is not an IT issue".

Past Breaches:
Unknown

UNCG malware infection may have exposed more than 2,500 patients

2010-08-20T14:50:00Z

Share|

Date Reported:
8/9/10

Organization:
The University of North Carolina at Greensboro ("UNCG")

Contractor/Consultant/Branch:
Speech and Hearing Center
Psychology Clinic

Location:
Greensboro, North Carolina

Victims:
Patients

Number Affected:
"more than 2,500 individuals"

Types of Data:
"names, addresses, social security numbers, dates of birth, telephone numbers, insurance companies, insurance ID numbers, group numbers, diagnosis codes, procedure codes and charges"

Breach Description:
"GREENSBORO, N.C. (AP) — Officials at the University of North Carolina at Greensboro say computer security breaches at two clinics allowed unauthorized access to information on about 2,500 people."

Reference URL:
University of North Carolina at Greensboro News
Associated Press via MyFOX8.com

Report Credit:
The University of North Carolina at Greensboro

Response:
From the online sources cited above:

GREENSBORO, N.C. — Computer security breaches at two UNCG clinics allowed unauthorized access to information about more than 2,500 individuals.

The university has mailed letters to the last known addresses of those whose personal information was exposed and posted notices on the clinics’ websites.

The two computers infected with malware via the Internet were in the university’s Speech and Hearing Center and Psychology Clinic, which provide services to the public.

Although the problems were discovered days apart in June, they are believed to be unrelated.

Employees of the clinics and Information Technology Services have been working since then to determine what records were vulnerable and who might be affected.

It is not known how long the breaches lasted before detection.
[Evan] A more detailed and thorough forensic analysis may have provided this information. It's probably too late now.

Although it was determined that the malware would have allowed access to data on the computers, it is unknown whether any information was actually taken from the computers.
[Evan] A more detailed forensic analysis may have provided this information too.

“It is our responsibility to secure the information of individuals who come to us for health services, and that is a responsibility we take very seriously” said David H. Perrin, provost and executive vice chancellor. “We apologize to everyone whose records were vulnerable and ask them to closely monitor their credit for unauthorized activity. We fixed the security breaches as soon as they were detected, and we have taken steps to minimize the potential for future breaches.”

If you believe that your personal health information may have been exposed by the breach at the Speech and Hearing Center and you have questions or concerns, please call the center’s toll-free number, (877) 550-6012, between 8 a.m. and 5 p.m. Monday-Thursday or between 8 a.m. and 4:30 p.m. Friday.

For more information about the breach at the Psychology Clinic, call the clinic’s toll-free number, (877) 550-6008, between 9 a.m. and 4 p.m. weekdays, beginning Wednesday, Aug. 11.

Both the Speech and Hearing Center and the Psychology Clinic have taken steps to better protect personal health information and to prevent future breaches. They have:

investigated to determine the extent of the breaches,
strengthened technology safeguards and administrative policies to prevent future intrusions, and
isolated computers containing personal health information from likely sources of malware, such as untrusted Internet sites

[Evan] Good.

The bulk of the impacted records are in the Speech and Hearing Center, where a breach was found June 10 and corrected the same day.
[Evan] This is a little concerning. A detailed forensic analysis would most probably take more than a day to complete. It appears as though they identified the breach (infection), corrected it (cleaned it), then began an analysis of what may have happened. I could be wrong, but this is a typical (incorrect) response. Most organizations do not have trained forensic analysts on staff, nor do they know where to find one quickly. We suggest that you plan for a breach through the development and testing of an incident management program. An important part of incident management includes how you treat evidence (evidence collection, evidence protection, and evidence analysis). Another important part of an incident management program is establishing the appropriate resources necessary to respond to an incident, including in-house and external professionals. It may have been possible, through a detailed forensic analysis, to determine that unauthorized access to sensitive information was not gained, and thus no reason to alert authorities and victims. I don't know the details surrounding how this breach was responded to, so I am not criticizing this response per se.

The compromised computer was used for billing and contained records for about 2,300 people who have received services from the Center since 1997. Vulnerable data included names, addresses, social security numbers, dates of birth, telephone numbers, insurance companies, insurance ID numbers, group numbers, diagnosis codes, procedure codes and charges.

The problem at the Psychology Clinic, involving malware on a computer used to document incoming phone calls, was detected and fixed June 7.

The vulnerable computer contained a spreadsheet with names, dates of birth, telephone numbers, cities of residence, whether or not callers had insurance and dates of contact from about 240 callers between Sept. 20, 2006, and Sept. 22, 2009.

In some cases, the spreadsheet also contained reference to the caller or caller’s family member as “client,” symptoms reported by the caller, reference to an inquiry about testing or evaluation, and reference to “therapist/treatment/provider and/or services.” No social security numbers appeared on the spreadsheet.

The Psychology Clinic computer also held 18 phone intake/client data forms from March 2009 through June 2010.

The forms included names, ages, dates of birth, telephone numbers, addresses, insurance providers (if any), social security numbers and dates of contact.

In some cases, one or more of the following types of information also appeared on the form: therapist, case number, status of previous treatment, service requested and description of the problem.

The university encourages individuals whose information was exposed to review account statements and monitor credit reports for suspicious activity.

Commentary:
Overall, I am very impressed with UNCG's response to this breach. They have had practice though (see section below). I certainly get the feeling that they take information security seriously and that they genuinely want to do the right thing. We have witnessed numerous organizations that never even think of sensitive information compromise through malware, and respond to an infection with a simple clean, wipe, and/or re-install. The fact that this organization went the extra steps, shows a lot about how this organization is managed. Malware (virus, trojan, spyware, etc.) infections can and often do lead to unauthorized access to sensitive information, so be prepared to respond appropriately.

Past Breaches:
December, 2008 - Virus hits personal information at The University of North Carolina Greensboro

Lost DVD affects over 11,000 pharmacy patients

2010-08-19T21:11:00Z

Share|

Date Reported:
8/4/10

Organization:
Walsh Pharmacy of Fall River, MA

Contractor/Consultant/Branch:
McKesson Pharmacy Systems

Location:
Undisclosed, lost/stolen in transit

Victims:
Patients

Number Affected:
"approximately 11,440"

Types of Data:
Personal information, including "names and in some instances social security, health care and driver’s license numbers, as well as prescription information"

Breach Description:
Walsh Pharmacy has notified the New Hampshire Attorney General as well as local news outlets about a breach involving a lost/stolen DVD that contained sensitive personal information belonging to the pharmacy's patients.

Reference URL:
New Hampshire Attorney General breach notification
The Herald News

Report Credit:
New Hampshire Attorney General

Response:
From the online sources cited above:

FALL RIVER — Customers of a neighborhood pharmacy are being warned to take measures against identity theft after a DVD containing personal information went missing.
[Evan] There is no mention of whether or not the information was encrypted. Usually if there is no mention of encryption, it wasn't used. Shipping information on any type of removable media (flash drives, CDs, DVDs, USB hard drives, etc.) without encryption is often a very bad idea. I can understand how a small organization like Walsh Pharmacy may not know these things, but what excuse would McKesson make? Read on.

The warning affects pharmacy patients of Walsh Pharmacy, 202 Rock St.

Regular customer information was not compromised.
[Evan] Just the irregular customer's information was compromised? ;)

According to a legal notice in The Herald News on Thursday, the breach comes after a DVD containing prescription and other information mailed on June 3 by McKesson Pharmacy Systems — a business associate systems vendor for Walsh Pharmacy — containing prescription and other information was not received at the pharmacy.

A sealed envelop (sp) that was supposed to contain the DVD was received at Walsh Pharmacy on June 5, but was empty and there was no evidence of tampering.
[Evan] So are we safe to assume that the DVD never made it to the envelope? Many companies are implementing CCTV camera coverage in shipping/delivery areas to aid in the investigation of events occurring in these areas. CCTV may have provided evidence as to whether or not the DVD actually made it into the envelope. Of course it is possible (and even likely) that non-shipping/delivery personnel packed (or didn't pack) the envelope.

The DVD contained personal information of pharmacy patients, including names and in some instances social security, health care and driver’s license numbers, as well as prescription information.

No credit or debit card, or bank account numbers were on the DVD.
[Evan] I would rather lose credit/debit card and/or bank account information. It's easier to get this information changed.

Attorney Paul Garbarini said approximately 11,440 people in six or seven states were notified of the breach in letters sent Wednesday.

“The best belief of the company, and they tore their place apart and found nothing, is that the disk was probably compacted and shredded, as they do with any information that contains personal information,” Garbarini said.
[Evan] We can only hope, eh? People want assurance though.

Owner Tom Pasternak said the notification, which also offers patients two free years of credit monitoring service, was done out of an abundance of caution.
[Evan] Abundance of caution? An abundance of caution would have been to send confidential in a more secure manner. How will credit monitoring help against someone who will use the medical information against a victim?

Anyone who has questions about the breach is asked to call 1-877-631-0440 and refer to No. 2359080410 when prompted anytime between 8 a.m. and 5 p.m., Monday through Friday.

“I did this because I want to their interests more than anyone else’s,” Pasternak said. “Personally, I don’t think anyone has anything to worry about, but I just wanted to take this precaution. I’m extremely confident no data got breached.”
[Evan] This reminds me about a post that I am planning to make soon. What is a breach, anyway? Stay tuned.

Pasternak and Garbarini said the information is also protected through the use of multiple passwords and can only be opened on a specific operating system.
[Evan] This is interesting, and this could be adequate to prevent unauthorized access to the data. I don't have enough detail.

“You’d have to be a computer whiz to get at that language,” Garbarini said.
[Evan] I wouldn't rely too much on this. What may be a "computer whiz" to Mr. Garbarini may be a novice to others.

Garbarini said precautions have also been taken to ensure a similar scenario fails to play out in the future. He said the information will no longer be sent via mail, and instead sent through a secure e-mail system.
[Evan] Hey, there you go! More secure and more efficient. Too bad it took a breach to move in this direction.

“I don’t know what else to say besides ‘I’m sorry,’” Pasternak said.
[Evan] Wouldn't it be nice if more people were honest like this? I respect this.

Commentary:
We run into behavior like this too often. There are free tools available to encrypt sensitive data stored on removable media and you don't have to be a "computer whiz" to use them. I can't think of any good excuse. Even though Mr. Pasternak doesn't believe that the data was or will be compromised, he has still incurred real costs as a result of the lost DVD.

Past Breaches:
Walsh Pharmacy - Unknown
McKesson - 68,767 Patients Affected by McKesson Stolen Computers

Portland Community College notifies victims of lost flash drive

2010-08-19T00:07:00Z

Share|

Date Reported:
8/12/10

Organization:
State of Oregon

Contractor/Consultant/Branch:
Oregon Department of Human Services
Portland Community College
Oregon Food Stamp Employment Transition Program, also known as OFSET

Location:
One or more campuses

Victims:
"Multnomah County participants in the Oregon Food Stamp Employment Transition Program"

Number Affected:
"an estimated 2,900"

Types of Data:
Personal information including "names and Social Security numbers"

Breach Description:
"A car owned by an employee of Portland Community College was broken into on Thursday, Aug 5. Among the stolen items was a data-storage device containing the names and Social Security numbers of an estimated 2,900 Multnomah County participants in the Oregon Food Stamp Employment Transition Program, also known as OFSET."

Reference URL:
Portland Community College Announcement
The Oregonian
Portland Community College Incident Response

Report Credit:
Portland Community College

Response:
From the online sources cited above:

On Aug. 5, a PCC employee reported that a car had been broken into and items were stolen.

The employee had been transferring information from one PCC work location to the other.
[Evan] Not by any means a good excuse for this breach.

One of items taken was a data storage device that held the names and Social Security numbers of participants in the Oregon Food Stamp Employment and Transition Program.
[Evan] Breaches resulting from the theft of media and/or computing devices from vehicles is way too common. You would think that people would get it by now. The "data storage device" referred to is a flash drive. If only there was a way to encrypt data on a flash drive. Wait! There is.

PCC recently became aware of this matter and has moved quickly to notify those concerned, even though there is no indication at this point that any of the personal information in question has been accessed by anyone outside the college.
[Evan] What do you suppose most people do when they find a flash drive? They connect it to their computer because they are curious about its contents. There have been multiple studies to support this. We can almost be certain that these files will be accessed. The question then becomes; what will the person do with the data?

We have notified participants in the Oregon Food Stamp Employment and Transition Program who we identify as potentially impacted by this incident and offered them free online credit monitoring services in an effort to prevent them from becoming a victim of identity theft.

Copy of letter that was delivered to each impacted participant [pdf]

To assist in protecting the identities of those affected, PCC has offered, at no cost, for one year, Debix Credit Protection.

Frequently Asked Questions:

Why is my personal information at risk?
The employee whose car was broken into was working at two PCC locations and was transferring information from one site to the other when the theft occurred. Among the stolen items was a data-storage device containing the names and Social Security numbers of an estimated 2,900 participants in the Oregon Food Stamp Employment Transition Program.

There is no indication at this point that any of the personal information in question has been accessed by anyone outside the college. To err on the side of caution, we’re encouraging affected individuals to consider taking appropriate precautions.

Were addresses and phone numbers in the student data files?
No.
[Evan] Addresses and phone numbers for most of the people will be pretty easy to find in phone books and/or other directories.

Does PCC have policies in place to try and prevent this sort of data loss?
PCC’s Information Security Policies can be found here: www.pcc.edu/resources/tss/info-security/
[Evan] I took a look at their policies. If this is all that they have, then they are missing quite a bit. Let's hope that there's more somewhere. According to the policies posted online, the behavior that led to this breach was not in violation of policy. Of course, FRSecure would be glad to help PCC design and implement a thorough information security program ;).

Commentary:
The use of flash drives can be dangerous without taking the proper precautions. Only those people who have a business justified business need to use removable media should be allowed to do so. Policy should state what acceptable use is for removable media including when removable media may be used, what data may be stored on removable media, and under what conditions. Once policy is defined, technical controls should be deployed and personnel should be trained. Of the 50 or so information security assessments we have done in the past 12 months, I would say around 50% of the organizations did not have adequate controls around removable media use. If you are in the same boat, it's time to do something about it!

Past Breaches:
Unknown

Benefits consultant loses backup tape containing employee personal information

2010-08-18T14:07:00Z

Share|

Date Reported:
8/4/10

Organization:
Marsh & McLennan Companies

Contractor/Consultant/Branch:
Seabury & Smith, Inc.
Mercer
Marsh
Undisclosed third-party courier

Location:
Undisclosed

Victims:
Employees and employee dependents of client companies

Number Affected:
Undisclosed

Types of Data:
"personal information, such as name and Social Security Number"

Breach Description:
Mercer Health & Benefits LLC and its affiliates (Mercer) has updated the New Hampshire Attorney General about a breach that occurred in April, 2010. The breach was the result of a lost (or stolen) backup tape.

Reference URL:
New Hampshire Attorney General breach notification (updated)
New Hampshire Attorney General breach notification (original)

Report Credit:
New Hampshire Attorney General

Response:
From the online sources cited above:

Letter to Attorney General:

Marsh and Mercer wrote to you in June to advise of a potential information security incident involving data maintained by Marsh's Association business, which operates through Seabury & Smith, Inc., and Mercer Health & Benefits LLC.
[Evan] The June letter is referenced above. I'm not a big fan of the word "potential" when referencing a security breach. This was a real information security incident, not a potential information security incident.

This letter is intended to serve as an update to that notice and to provide you with information on the total number of potentially affected individuals in New Hampshire.

Based on additional investigation to date, this incident may involve certain personal information of a total of 131 individuals in New Hampshire in their capacity as recipients of employee benefits.
[Evan] We have no clue as to how many people may be affected by this nationwide.

As noted in our previous letter, a server back-up tape being sent from on Marsh and Mercer office to another by a third-party courier was lost during shipment.
[Evan] We are probably safe to assume that the data on the backup tape was not encrypted. Sending unencrypted backup tapes off-site is not a good information security practice. As I was doing more reading about breach notification laws (again), I noticed something that I missed previously. I am no lawyer, so I don't want to imply that I am giving any kind of legal advice. I encourage you to read the New Hampshire statute "Notice of Security Breach", Section 359-C:19 Definitions, look at IV. (a) ""Personal information":

IV. (a) ""Personal information'' means an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
          (1) Social security number.
          (2) Driver's license number or other government identification number.
          (3) Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

I have read other legal resources which state there is no exemption for encryption in the New Hampshire breach notification statute, but as I read it, it appears that there could be. I'd love to hear your take.

This tape may have contained personal information, such as name and Social Security Number.
[Evan] Either the tape did or it did not contain personal information. The company retained by Mercer to assist in this breach is Kroll (at the time of the breach, Kroll was also owned by Marsh & McLennan). Kroll employs some very good (top notch) forensic investigators, and I am pretty sure that they would be able to determine what data was on the tape with some certainty.

Because of the complex nature of the security of and information on the tape, and the technical measures which are necessary to determine and analyze the data elements contained on the tape, we believe that the risk of identity theft resulting from this incident is extremely low.
[Evan] Wouldn't it be interesting to know what the "complex nature of the security" is? Or maybe how technical the "technical measures which are necessary" to access the data are? Without strong encryption and sound key management, I remain unconvinced. For all we know, the technical measures are nothing more than a computer, tape drive, backup software, and some cables. Not exactly what I would call "complex nature of the security".

Regardless, we are committed to the security of personal information and have taken immediate steps to fortify the protective measures surrounding those already in place in order to prevent a similar incident from occurring in the future.
[Evan] Have you decided to encrypt the data going forward?!

Marsh and Mercer take privacy and information security seriously.

In order to ensure that potentially affected individuals are able to protect themselves from possible identity theft or other damage, Marsh and Mercer, on behalf of themselves and any potentially affected clients, alerted individuals about the situation by sending out individual notices.

As related to you before, Marsh and Mercer have retained Kroll Inc. to provide toll-free access to Kroll's Consumer Solutions Center, along with credit monitoring, identity restoration and related services at no cost to the potentially affected individuals.

Letter to victims:

Mercer Health & Benefits LLC and its affiliates (Mercer) provide consulting, insurance broking and related administration services regarding employee benefits plans maintained by Mercer's employer clients.

In this capacity, it was necessary for Mercer to collect certain personal information regarding its clients' employees and their dependents.
[Evan] I am guessing that most of the victims had no idea that Mercer had collected and retained their personal information. The victims are the owners of the information and should have been informed of who their employer shares their information with.

In April, 2010, we confirmed that an information security incident occurred involving data held by Mercer.

The incident involved a server back-up tape that was lost in transit during shipment from a Mercer office to another site.

Working with the third-party courier, a thorough search for this lost tape has been conducted.
[Evan] Who was/is the third-party courier?

Unfortunately, the location of the tape remains unknown at this time.

While we have no reason to believe that the tape or the information it contained has been inappropriately accessed or misused in any way, we do believe the back-up tape may have included your personal information such as your name, address and Social Security number.
[Evan] Again, "may have". Either it did, or it did not. If the organization is unable to determine for sure, then they have more serious issues to deal with.

Even though the risk of identity theft resulting from this incident is extremely low, the security of your personal information is paramount.
[Evan] In order to assign a risk level, we need to understand what risk is. I am going to grossly oversimplify things here, more for readers who may not know. In this case, risk is essentially the likelihood of something bad (event) happening combined with the impact to the affected party(ies). Here we know that the likelihood of something bad happening has been increased to some extent, and the impact is/was already moderate to high. Let's use numbers, like a scale of 1 -5. 1 is good (or low) and 5 is bad (or high). Before the incident, let's say that the likelihood was 1-2 and the impact was 4-5. The risk assigned before the incident was maybe a 2. Post incident the likelihood may be raised to 2-3 and the impact remains essentially the same; 4-5. The risk assigned after the incident could then be 2-3. The risk was not "extremely low" before the incident and certainly is not afterward either. Hopefully you get what I'm trying to say here ;)

For that reason, Mercer has engaged Kroll Inc… at no cost for one year.

We reiterate our deep commitment to protecting the privacy and security of your personal data and have taken immediate steps to fortify the protective measures that were already in place in order to prevent a similar incident occurring in the future.

Commentary:
I made more than my share of comments above. If you have some, we would love to hear them.

Past Breaches:
Unknown

Local break-in at allergy clinic results in 25,000 stolen patient records

2010-08-16T20:47:00Z

Share|

Date Reported:
8/6/10

Organization:
Fort Worth Allergy and Asthma Associates

Contractor/Consultant/Branch:
None

Location:
Fort Worth, Texas

Victims:
Patients

Number Affected:
25,000

Types of Data:
Personal information including Social Security numbers, birth dates, addresses, and diagnoses

Breach Description:
FORT WORTH -- In June, employees at a Fort Worth allergy clinic discovered that the office door had been kicked in and four computers containing patients' personal information including Social Security numbers and birth dates had been stolen.

Reference URL:
Star-Telegram

Report Credit:
Jan Jarvis, Star-Telegram

Response:
From the online source cited above:

FORT WORTH -- In June, employees at a Fort Worth allergy clinic discovered that the office door had been kicked in and four computers containing patients' personal information including Social Security numbers and birth dates had been stolen.
[Evan] Too many people consider information security to be an IT issue, and this is a good example of where a physical security compromise can also lead to a breach. Do you suppose there was an alarm system in place, or any camera surveillance?

This week Fort Worth Allergy and Asthma Associates spent $15,000 mailing letters notifying the clinic's 25,000 patients of the burglary.
[Evan] Fifteen grand is a bargain. Of course you could lose patients, and there could be some legal costs including regulatory fines and/or civil penalties. What about the victims? Will they suffer costs as a result of this easily preventable breach?

The stolen computer database also contained patient's addresses and diagnoses, Dr. Robert Rogers said.

"In terms of sensitive clinical information that could be taken, we're an allergy clinic so I don't think there was anything embarrassing taken," he said. "It's bad enough that they did get identity information like Social Security numbers."
[Evan] What?! Does this like a statement from someone who doesn't get it? The clinic should be embarrassed about the lack of protection given to sensitive patient information. The patients are the owners of this information, not the clinic. An attitude like this would tick me off if I were personally involved.

"The cost of doing the mailing is more than cost of replacing the equipment," Rogers said.
[Evan] What about the potential costs to your patients?!

After the burglary, Rogers said he had no idea what kind of challenge his office would face notifying every patient.

"We had a backup of the database, so once we got the new computers in we had to re-establish the database, then create this enormous mailing list," he said.

After some researching they discovered they could outsource the task of addressing all the letters. And the clinic's business insurance covered it.
[Evan] Insurance covered it, so this will eventually raise premiums for others (even if slightly). So, it only cost the clinic $15,000 (so far). We don't know how much it may cost victims or other business insurance customers, do we?

The clinic has not converted to an electronic medical record system and none of the patients' charts were taken in the June 29 burglary. But because the database was password-protected, there was a possibility that someone could circumvent the security, Rogers said.
[Evan] Did anyone think to encrypt sensitive fields in the database?

As a precaution, patients were advised to notify one of the credit bureaus to place a fraud alert on their accounts.

None of the stolen property has been recovered. But to prevent a similar loss, all personal information is now stored in an off-site server with access allowed only through a secured, encrypted virtual private network, Rogers said.
[Evan] Good, I suppose. What are the physical security protections employed at the off-site location, and is there any option to encrypt the sensitive data at rest?

Commentary:
Judging from what I read, the clinic is much more concerned about themselves than they are about their patient's sensitive information. I could be wrong, and I hope I am.

Past Breaches:
Unknown

More than 150 people affected by Doherty Hotel breach

2010-08-16T02:51:00Z

Share|

Date Reported:
8/13/10

Organization:
Doherty Hotel & Convention Center

Contractor/Consultant/Branch:
None

Location:
Clare, Michigan

Victims:
Customers

Number Affected:
"more than 150"

Types of Data:
Credit and/or debit card information

Breach Description:
"CLARE – More than 150 credit card holders who frequented a local business that had its database accessed have seen fraudulent charges appear on their cards in a case that is being investigated by the U.S. Secret Service, according to authorities."

Reference URL:
The Clare Sentinel

Report Credit:
Cindy Cranmer, The Clare Sentinel

Response:
From the online source cited above:

CLARE – More than 150 credit card holders who frequented a local business that had its database accessed have seen fraudulent charges appear on their cards in a case that is being investigated by the U.S. Secret Service, according to authorities.
[Evan] The investigation appears to be far from completion. Investigators are not sure if this breach resulted from an insider (employee) or someone gaining unauthorized access through networked means (wireless, internet, etc.).

It was determined in the ongoing investigation that the “location that was compromised” was the Doherty Hotel & Convention Center in Clare, according to Douglas Zloto, resident agent in charge for the United States Secret Service.

“The Doherty Hotel has been very cooperative,” Zloto said.

He said it was determined cards that were used at the restaurant of the Doherty Hotel were targeted by the person who is fraudulently charging them.

“We’re in the process of determining the exact point of compromise,” he said.

This means that the investigation will show whether an employee accessed the data or someone was able to get around firewalls from outside the company to retrieve the card numbers.
[Evan] Do you really think that this hotel has more than one firewall? Actually, I would not be entirely surprised if the hotel had no firewall.

Zloto said the hotel has put additional protections in place so an outside hacker would not be able to retrieve information again.
[Evan] Seems like a bold statement when the investigators aren't sure how the breach happened.

“There is no other way for the system to be compromised if it was an outside hacker.”
[Evan] Uh, wrong. No offense, but statements like this usually come from someone who has limited knowledge of information security.

“If it was an inside person, it would be incredibly brazen to continue knowing the intensity of the investigation,” Zloto said. “The compromises taking place were not necessarily an employee though.

The first fraudulent charges appeared on an individual’s credit card in May 2010

Since then more than 150 other individuals have had charges appear on their credit cards.

Clare City Manager Ken Hibl said credit card fraud is a reality of today’s society. “Unfortunately, we’re all faced with that today,” he said.
[Evan] There is some truth to this, but it certainly should not lead to complacency.

A large number of the credit cards did have international purchases charged to the cards.

The average of total charges put on the credit cards are between $2,000 and $3,000.

Zloto said the purchases are being charged in multiple sales throughout the day until they reach the larger amount.

“Credit card companies are not going to hold an individual responsible for the charges,” Zloto said. “Debit cards may take longer to get the money replaced. That money is physically missing from your account.”

Zloto said area residents can contact their local police agency or the Saginaw office of the Secret Service at (989) 497-0580 if their credit card has been used fraudulently or they have information on the case.

Commentary:
What I find most interesting in this case is the number of quotes from a Secret Service agent. We don't see many Secret Service agents speaking to the media in the middle of an investigation.

Past Breaches:
Unknown

Destination Hotels in 12 states affected in massive card breach

2010-08-16T02:03:00Z

Share|

Date Reported:
8/6/10

Organization:
Destination Hotels & Resorts ("DHR") *

*This is an update and continuation of a previous Breach Blog post; see: More than 700 upscale hotel guests affected by credit card breach

Contractor/Consultant/Branch:
None

Location:
Various

Victims:
Patrons of 22 DHR properties

Number Affected:
Undisclosed*

*There is no disclosure of the total number, but according to the New Hampshire Attorney General letter there are approximately 470 New Hampshire residents affected.

Types of Data:
"credit or debit card information, including card numbers and expiration dates"

Breach Description:
"Between April 2009 and June 2010, the computer systems of some DHR hotels were accessed without authorization. As a result, credit or debit card information, including card numbers and expiration dates, may have been subjected to unauthorized access by third parties."

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
New Hampshire Attorney General

Response:
From the online source cited above:

Letter to Attorney General:

I write on behalf of my client, Destination Hotels & Resorts, Inc. ("DHR"), to inform you of a recent incident involving the personal information about some of your state's residents.

Between April 2009 and June 2010, the computer systems of some DHR hotels were access without authorization.
[Evan] Are they unable to determine when the breach occurred exactly, or did this breach begin in April, 2009 and not get noticed until June, 2010. I am guessing the latter. 14 months without detection. Ugh.

As a result, credit or debit card information, including card numbers and expiration dates, may have been subjected to unauthorized access by third parties.
[Evan] This information WAS subjected to unauthorized access, not "may have been". There is a difference.

At this time DHR has no reason to believe that any other personal information, such as Social Security numbers, was stolen.
[Evan] Well, no surprise here. What hotel asks for a Social Security number when you book a room or dine in their restaurant?!

This incident affected 22 DHR properties in Arizona, California, Colorado, New Jersey, New Mexico, New York, North Carolina, Oregon, South Carolina, Texas, Vermont, and Washington.

There were no affected properties in the State of New Hampshire.
[Evan] Could this be because Destination Hotels & Resorts doesn't have any properties in New Hampshire?

Approximately 470 citizens of the State of New Hampshire were affected by this security breach.

DHR took action by immediately notifying the payment card processing companies that this payment card information may have been subjected to compromise as a result of the breach.

DHR also engaged a specialized computer forensics company to conduct a comprehensive investigation of the computer security breach.

DHR is notifying all affected individuals via first class mail, e-mail and/or substitute notice, and is providing then with precautionary information and measures they can take to safeguard their information.

These notifications began mailing on or about July 20, 2010.

Letter to victims:

Destination Hotels & Resorts values your business and respects the privacy of your information, which is why we wish to inform you that between _________ of this year the computer systems of some Destinations hotels were accessed without authorizations.
[Evan] This breach occurred through unauthorized access of the management company's computer systems.

This unauthorized access was in violation of both civil and criminal laws.
[Evan] Yeah, criminals are really concerned about laws!

Destination has been coordinating with law enforcement, including the FBI, to assist in the investigation of this incident.

The hotels that we believe were affected include those listed on the other side of this letter.

As a result of this unfortunate incident, your credit or debit card information, including your card number and expiration date, may have been subjected to unauthorized access by third parties.
[Evan] Not "may have", it was.

Destination Hotels & Resorts took action immediately by engaging a specialized computer forensics company to conduct a comprehensive investigation of the computer security breach.

We are also taking several steps to enhance existing security controls.

As a result of the quick response, we have no reason to believe that you payment card data is currently at risk within any Destination hotels.
[Evan] Quick response?! Didn't we read earlier that the timeframe was 14 months? Doesn't seem so quick.

Other than in the form of this written letter, Destination Hotels & Resorts will not initiate further contact with you about this incident, either by phone or in writing, and will not ask you to confirm any sensitive personal information, such as your Social Security number.

Destination Hotels & Resorts regards the privacy of consumer information with the utmost of importance.

To that end, Destination Hotels & Resorts has numerous security measures in place to safeguard our customers' payment card information.
[Evan] We can only imagine.

Further, Destination Hotels & Resorts continues to implement additional security measures in order to meet the demands of today's computer based society.

If there is anything we can do to assist you further, please feel free to call us at 1-800-XXX-XXXX

We truly regret any inconvenience for this situation.

List of Destination Properties

The Carolina Inn
The Driskill Hotel
Estancia La Jolla Hotel & Spa
Hamilton Park Hotel & Conference Center
Hotel ICON
Inn and Spa at Loretto
The Inverness Hotel and Conference Center
L'Auberge Del Mar Resort and Spa
Manor Vail Lodge
Miramonte Resport & Spa
Resort at Squaw Creek
Paul J. Rizzo Conference Center
Skamania Lodge
Stowe Mountain Lodge
Suncadia Resort
Tarrytown House Estate & Conference Center
Tempe Mission Palms Hotel and Conference Center
Vail Cascade Resort & Spa
Wild Dunes Resort
Destination Resorts Snowmass
Destination Resorts Vail
The Gant

Destination Hotels & Resorts does not appear to be offering any identity theft protection services to victims.

Commentary:
According to news reports, there is confirmed fraud tied to this breach. We have very little information surrounding the details of this breach, so speculation is the best we can offer in terms of how this breach happened and what controls may have been missing. The investigation is likely ongoing, and this may be a reason for limited disclosure.

For more information see: More than 700 upscale hotel guests affected by credit card breach

Past Breaches:
Unknown

Littleton Regional Hospital employee fired for inappropriate information access

2010-08-11T03:02:00Z

Share|

Date Reported:
6/29/10

Organization:
Littleton Regional Hospital

Contractor/Consultant/Branch:
None

Location:
Littleton, New Hampshire

Victims:
Patients

Number Affected:
"several"

Types of Data:
Personal demographic and diagnostic information, including:

Name, Address, and Phone Number,
Date of Birth and Age,
Insurance Information,
Primary Care Provider and Referring Physician names,
Medical History and Allergies,
Date, Time, Type, Provider name and Reason for visit, and;
Provider notes regarding the visit in question

Breach Description:
Littleton Regional Hospital has notified the New Hampshire Attorney General of a breach concerning unauthorized employee access to personal health information belonging to patients who visited the hospital during "the spring months of 2010".

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
New Hampshire Attorney General

Response:
From the online source cited above:

In response to information received from an employee on May 21, 2010, we initiated an investigatory audit of our computer system.
[Evan] It appears as though one employee turned in another employee for what he/she perceived to be inappropriate behavior. This is a good sign. The employee was educated enough to identify the behavior and classify it as inappropriate, knew how to report the inappropriate behavior, and felt safe enough to report the behavior. Organizations must clearly communicate these things to employees.

Through this investigation, we determined that an employee accessed a limited amount of personal information for several patients during the month of May 2010 for a purpose that was not related to the patients' treatment or other Hospital business.

Appropriate disciplinary action has been taken in this matter.
[Evan] As you will read later, the employee is no longer employed with the hospital.

On May 21, 2010, a hospital employee informed our office that a fellow employee had improperly accessed the personal information of several patients.

Our investigation indicates that the employee who engaged in this improper behavior accessed progress notes of patient care encounters you have had with a Littleton Regional Hospital employed physician during the spring months of 2010.

The computer screens that were improperly accessed contained personal demographic and diagnostic information, including:

Name, Address, and Phone Number,
Date of Birth and Age,
Insurance Information,
Primary Care Provider and Referring Physician names,
Medical History and Allergies,
Date, Time, Type, Provider name and Reason for visit, and;
Provider notes regarding the visit in question

We have no reason to believe that this information has been disclosed to any third-parties, and we do not believe that there are any particular steps you need to take to protect yourself from potential harm resulting from this employee's improper activities.
[Evan] What was the employee's motivation for accessing these records? Simple curiosity?

We have taken the necessary steps to ensure that this will not occur in the future and the employee who engaged in this improper behavior is no longer employed by the hospital.
[Evan] Sad for the employee, but good for the hospital and its patients. A policy without enforcement is nothing more than a piece of paper.

We have also provided additional education to staff of Littleton Regional Hospital and its Physician Practices regarding federal and state privacy laws.

We sincerely apologize for any inconvenience this may have caused you.

Should you have any further questions regarding this situation, please do not hesitate to contact the Littleton Regional Hospital Quality Services office by calling (603) 444-9280.

Commentary:
I don't know enough about the hospital's information security program to comment in detail, but there are some indications that appear to bode well for their information security program (at least in regards to incident response). We can read about or infer that some best practices were followed including:

An employee was educated enough to identify a breach and/or suspect events. This may speak to the organization's training and awareness program.
The employee knew how to report the suspected incident.
The employee felt safe enough to report the suspected incident.
The reported incident was escalated through the proper channels to enable an investigation.
The investigation was able to identify the source and potential impact of the incident.
The organization enforced the policy up to and including termination of employment

Employee behavior often poses the most significant risk to unauthorized information disclosure, modification, and/or destruction. I don't know enough about the hospital's preventative measures to comment, but this is the second similar incident reported by the hospital in the past 16 months.

Past Breaches:
April, 2009 - A former employee accessed personal patient information without authorization.

Laptop lost during airport layover affects more than 32,000 employee candidates

2010-08-03T16:18:00Z

Share|

Date Reported:
7/27/10

Organization:
CoreLogic

Contractor/Consultant/Branch:
First Advantage
First Advantage Tax Consulting Services ("TCS")

Location:
An undisclosed airport

Victims:
Job applicants from TCS clients

Number Affected:
32,842

Types of Data:
Personal information including "names and Social Security numbers"

Breach Description:
"Through its lawyers, Indianapolis-based First Advantage Tax Consulting Services (TCS) has notified the New Hampshire Attorney General’s Office that on June 10, a laptop containing sensitive personal information was lost during an airport layover. "

Reference URL:
Office of Inadequate Security
New Hampshire Attorney General breach notification

Report Credit:
Office of Inadequate Security and the New Hampshire Attorney General

Response:
From the online sources cited above:

Reed Smith LLP provides legal counsel to First Advantage Tax Consulting Services ("TCS").

TCS helps employers determine their eligibility for tax credits.

As a necessary step in that process, the employers provide TCS with certain personal information about employee candidates, including names and Social Security Numbers.
[Evan] I wonder if the "employee candidates" are aware of the fact that TCS client companies are sharing their personal information with TCS. After all, the employee candidate is the owner of the information, not the client company or TCS.

This letter is to inform the Office of the Attorney General that a TCS laptop was lost during an airport layover.
[Evan] Interesting. Obviously (or maybe not), it is not a good idea to leave a laptop unattended in an airport. Do you suppose TCS has a policy to prohibit such a practice?

The documents on that laptop contained some information acquired by TCS while providing employer services, including the names and Social Security Numbers of individuals from New Hampshire.

Through its internal investigation, TCS has determined that approximately 32,842 Social Security Numbers were on the laptop.
[Evan] Typically it is not a good idea to store sensitive information on a laptop or other mobile device, whenever possible. Strike 2.

Upon discovery that the laptop had been lost, TCS took prompt steps to address the loss.

TCS reported the lost laptop to appropriate authorities.

Although the laptop was already protected by a strong, complex password, TCS changed that password remotely.
[Evan] OK. So what? Can we assume that the laptop was not encrypted and protected with pre-boot authentication? An operating system (Windows XP Pro anyway) password can be circumvented in less than 60 seconds. There is absolutely no need to crack the password which would be the only reason to have a "strong, complex password". Strike 3. TCS changing the password remotely is irrelevant, but I am curious to know how they changed a password on a machine that they probably didn't have any access to.

The laptop's ability to access the TCS network was also shut off.
[Evan] This does nothing to protect the data that was stored on the laptop.

To date, the laptop has not been recovered.

TCS has no evidence that the laptop was stolen, nor that the laptop's password has been circumvented, nor that any file on the laptop has been viewed by any unauthorized party, much less one with bad intent.
[Evan] I don't think that the laptop grew legs and just walked away. How would TCS obtain evidence of password circumvention, local file access, and intent without recovering the laptop?

Out of an abundance of caution, TCS is offering one year of credit monitoring to the individuals notified at no charge.
[Evan] Really? An "abundance of caution"? An abundance of caution would have been to protect the information better through preventative measures.

This week, TCS is sending a notice letter to persons from New Hampshire notifying them of the incident.

At Tax Consulting Services we are dedicated to protecting your privacy and truly regret that this incident occurred.
[Evan] Almost as if TCS was the victim.

If you have questions or concerns, please contact 866-578-0352.

Commentary:
I took exception to many of the points made in the letter to the New Hampshire Attorney General. Do people really believe this stuff at face value?

Past Breaches:
Unknown

Cooper University Hospital flash drive with personal info goes missing

2010-08-03T15:17:00Z

Share|

Date Reported:
7/27/10

Organization:
Cooper University Hospital

Contractor/Consultant/Branch:
None

Location:
Camden, New Jersey

Victims:
"graduate medical education residents and fellows for the current and prior academic years"

Number Affected:
Undisclosed

Types of Data:
Personal information including "Social Security numbers, addresses, and phone numbers"

Breach Description:
"A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital has gone missing. Hospital sources tell Action News the thumb drive went missing on July 8th."

Reference URL:
Channel 6 Action News
The Courier-Post

Report Credit:
Katherine Scott, Channel 6 Action News

Response:
From the online sources cited above:

CAMDEN, N.J. - July 27, 2010 (WPVI) -- A thumb drive that contained personal data about current and past graduate medical education residents and fellows at Cooper University Hospital has gone missing.

Hospital sources tell Action News the thumb drive went missing on July 8th.

Last Friday the hospital reported the incident to the NJ State Police Cyber Crimes unit and Tuesday to Camden Police who are now looking into the potential security breach.
[Evan] This is not a "potential" security breach. It IS a security breach.

"We are going to investigate to see if it was stolen or lost property," said Lt. Jason Pike.

Stolen or lost, both scenarios are cause for concern according to Drexel University's Robert D'Ovidio, Ph.D. because you cannot be absolutely certain the information won't fall in the wrong hands.
[Evan] We can never be "absolutely certain" that information won't be compromised, but we reduce risks wherever its appropriate to do so. Using unsecured flash drives to store sensitive information is certainly a risk that is unacceptable to most organizations (and regulators).

It's information that hospital sources say includes Social Security numbers, addresses, and phone numbers.

"That data is a goldmine for lines of credit in your name," said D'Ovidio.

Making matters worse, the hospital source tells Action News the data on the thumb drive was not secure.
[Evan] I suppose meaning that the drive was not adequately secured with encryption (and good password/key management).

Cooper refused an interview but released the following statement:

"Cooper University Hospital is investigating the circumstances surrounding a missing thumb drive.

The thumb drive contained information with personal data about graduate medical education residents and fellows for the current and prior academic years.

We have advised the residents and fellows who were advised to contact their local police.
[Evan] Huh? Cooper University Hospital has advised that the victims contact their local police?! What are the local police going to do? Take a report, maybe.

No other employee information was compromised.

Further, No patient information or records were compromised.
[Evan] Thank God. If storing sensitive information on unprotected flash drives is permitted by the hospital, I suppose it's only a matter of time before patient records are included. Too much of a stretch?

The incident was reported to the New Jersey State Police Cyber Crimes Unit on Friday, July 23 as per the state notification procedure.

The hospital is conducting a thorough investigation and has initiated an aggressive plan to protect any personnel who could be affected by this potential security breach."
[Evan] Again, this is not a "potential security breach". It is a breach.

It's still early in the investigation, but Camden police say they will be reviewing security tapes to see if that will shed some light on what happened to that drive.

Commentary:
The use of removable media must be addressed in an organization's information security policy(ies). If the organization deems that it is necessary to use flash drives (or other removable media) to conduct business, then it must account for the risk of unauthorized information disclosure through the loss and/or theft of these devices. One possible solution to reduce risk is encryption. The majority of organizations that we (FRSecure) have worked with lately are prohibiting the use of removable media altogether.

Here is an interesting analysis. Consider this; we can buy a 32 GB flash drive for less than $90. 1 GB is enough space to store over 4 million names and Social Security numbers (given an average 11 digit name). 32 GB could easily store the names and Social Security numbers of every single United States citizen alive today (a couple times over).

Past Breaches:
Unknown

Who is to blame in Regeneron / Ceridian breach?

2010-08-02T13:27:00Z

Share|

Date Reported:
7/26/10

Organization:
Regeneron Pharmaceuticals, Inc.

Contractor/Consultant/Branch:
Ceridian Corporation

Location:
Undisclosed/Web-based

Victims:
Current and former employees

Number Affected:
Undisclosed

Types of Data:
"names and bank account numbers"

Breach Description:
Regeneron has notified the New Hampshire Attorney General of a breach concerning unauthorized access to their payroll provider's (Ceridian Corporation) system. Once access was gained to the system, the "hackers" attempted to redirect employee paychecks to fraudulent accounts.

Reference URL:
New Hampshire Attorney General breach notification letter

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

On or about June 18, 2010, Regeneron became aware that data on file with the company's payroll provider, Ceridian Corporation ("Ceridian"), was apparently accessed by persons other than registered, authorized users.
[Evan] Is Ceridian at fault, or did the unauthorized access come from a compromised authorized account at Regeneron?

The hackers obtained unauthorized access to the Ceridian system and attempted, unsuccessfully, to redirect the paychecks of nine employees into fraudulent accounts.

Regeneron immediately informed the nine affected employees and canceled the fraudulent direct deposit accounts before any payroll funds were diverted.
[Evan] Good luck, good incident response, or maybe a bit of both. It is always ideal if you can contain an incident before real damage is done.

In the course of investigating this matter, though, Regeneron also learned that the hackers accessing the Ceridian system may have viewed a list of employees' and former employees' names and their bank account numbers, which are included in the system for direct deposit purposes.
[Evan] Would it be a good idea for the affected employees to inform their bank, close their accounts, and open new accounts with new account numbers?

Regeneron soon will begin notifying employees by personal letter.

The letter to employees will include information on preventing identity theft and an email address and telephone number employees may contact to obtain further information about the incident.

Regeneron will also offer all employees a year of complimentary credit monitoring services.

Commentary:
I can't determine from this information if there was some flaw (or vulnerability) that was exploited in the Ceridian system. I kind of doubt it. This thing would probably be much bigger if there is/was.

My guess is that this breach resulted from the compromised credentials of an authorized (HR?) Regeneron employee. So let's assume that this was the case. The question is then how? Malware infection? Poor password management (i.e. weak passwords, writing passwords down, using the same password everywhere, et al.)? If our assumptions are correct, what do you think about the notification letter that implies a breach of Ceridian's security?

Past Breaches:
Unknown

Thomas Jefferson Hospitals notifies 21,000 patients of stolen laptop

2010-07-29T18:27:00Z

Share|

Date Reported:
7/23/10

Organization:
Jefferson Health System

Contractor/Consultant/Branch:
Thomas Jefferson University Hospitals

Location:
Philadelphia, Pennsylvania

Victims:
Patients who "received inpatient care at Thomas Jefferson University Hospitals in 2008 between March 9 and June 9 and between August 1 and November 1"

Number Affected:
"approximately 21,000"

Types of Data:
"name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding"

Breach Description:
"Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information."

Reference URL:
Office of Inadequate Security
Thomas Jefferson University Hospitals Data Security Breach notice

Report Credit:
Office of Inadequate Security and Thomas Jefferson University Hospitals

Response:
From the online sources cited above:

Thomas Jefferson University Hospitals has notified approximately 21,000 patients that there was a theft of a laptop computer containing personal information.
[Evan] We don't see quite as many breaches resulting from lost/stolen laptops as we used to.

Affected patients have been sent a letter detailing the extensive identity protection resources being made available to them.

On June 14, 2010, an employee reported to Thomas Jefferson University Hospitals' security personnel that his password-protected, personal laptop computer was stolen from an office in the hospital.
[Evan] We have preached this many times before; password-protection is no where near adequate protection. It takes less than 60 seconds to bypass a Windows XP login (password protection). So we preach encryption, but even encryption is inadequate without following sound information security principles (key/password management).

In violation of hospital policy, the computer contained protected health information.
[Evan] Good policy is great! Everything in information security should start with policy, but policy is only the start. Policy without enforcement is useless.

Individuals whose records were affected received inpatient care at Thomas Jefferson University Hospitals in 2008 between March 9 and June 9 and between August 1 and November 1.

The data included name, birth date, gender, ethnicity, diagnosis, social security number, insurance information, hospital account number and other internal and administrative coding.
[Evan] Ugh, another ID theft bonanza.

Though the computer was password-protected, it was not hospital-issued and the information was not encrypted.
[Evan] Really? The laptop was not "hospital-issued"?! This is a big bad no no. An employee permitted (administratively, technically and/or physically) to use a personal (or non-issued) computing device to create, receive, store, process, and/or transmit sensitive information is bad security practice.

To date, there has been no indication of inappropriate use of the information stored on the stolen computer.

"On behalf of everyone at Jefferson Hospitals, please accept our apologies and know that we are committed to providing assistance to the affected patients," said Hospitals President and Chief Executive Officer Thomas J. Lewis.
[Evan] I am always appreciative of remarks made by a corporate leader with respect to information security. In my opinion, it demonstrates commitment and responsibility.

"Jefferson Hospitals has extensive internal policies reflecting our commitment to the appropriate use of personal health information and employees receive training on these policies annually. The storage of patient data on an employee’s unencrypted computer – even while on TJUH premises – is a breach of hospitals’ policy.”

Subsequent to notifying police, Thomas Jefferson University Hospitals engaged Kroll Inc. to assist with the internal investigation and to provide patients with personal assistance.

Additionally, Thomas Jefferson University Hospitals has taken appropriate action with the employees involved, is reviewing internal protocols, and will be reinforcing these protocols through employee education at all Jefferson Hospitals.

Each patient affected by this incident is currently being notified via first class U.S. mail.

Anyone concerned about whether or not his or her information was affected can call 1-877-309-0186 for more information (9 a.m. to 6 p.m. Eastern Time, Monday – Friday).

Commentary:
I am used to reading about and commenting on breaches concerning lost or stolen laptops containing sensitive personal information, but this is one of the few that I recall concerning a personally-owned or non-company issued laptop. The fact that this constitutes poor information security practice seems like common sense to me, but I guess this only supports FRSecure's Information Security Principle #6 - There is no common sense in information security. Read (pdf): FRSecure's Information Security Principles

Past Breaches:
Unknown

Resnick Investment Advisors is victim of unauthorized intrusion

2010-07-28T02:06:00Z

Share|

Date Reported:
7/21/10

Organization:
Resnick Investment Advisors, LLC

Contractor/Consultant/Branch:
None

Location:
Westport, Connecticut

Victims:
Clients

Number Affected:
Undisclosed

Types of Data:
Account information

Breach Description:
Resnick Investment Advisors, LLC has notified the New Hampshire Attorney General of an "electronic intrusion" of their computer network that could have exposed client account information to an unauthorized third party. The alleged incident took place sometime in June, 2010.

Reference URL:
New Hampshire Attorney General breach notification letter(s)

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

Letter written to the New Hampshire Attorney General by Resnick's outside legal counsel, Marshall, Dennehey, Warner, Coleman & Coggin:

We are writing on behalf of our client, Resnick Investment Advisors, Inc. ("Resnick").

In June 2010, Resnick experienced an electronic intrusion of its computer network by an outside party.

Resnick discovered the intrusion on or about June 22nd.

Resnick identified the means of the unlawful intrusion, and we reported the incident to the FBI.
[Evan] Use care in how and when you contact law enforcement with respect to a suspected information security related incident. Consider which law enforcement agency is best given the circumstances surrounding the incident. Before reporting the crime, ask yourself a couple of questions. What is your motivation for reporting the crime? What are your expectations from the agency? The FBI will do what they can, but you need to understand the fact that they may have a substantial caseload involving incidents that are more significant in scope and/or impact. All of these things (and much more) should be documented in your incident response procedures. You do have incident response procedures, right?

An investigation by Resnick's IT service provider leads us to believe that the motive of the intruder was not to access records of Resnick's clients, but rather to launch a malicious attack on another entity using Resnick's corporate identity.
[Evan] This scares me a little (OK, maybe a lot). To give the benefit of the doubt, I don't know the skill set or level of expertise that Resnick's "IT service provider" possesses. I just know from past experience that IT service providers do NOT make good information security professionals, incident response specialists, or forensic analysts. Information security, and especially incident response requires specialized skills that are not commonly found in an IT service provider's repertoire. A poor response and/or poor investigation often destroys evidence, prohibits root cause analysis and eventual prosecution. Next point. How did the IT service provider determine the motive of the "intruder"? I would be more interested in using factual data surrounding the incident to determine the series of events from start to finish. What data did the "intruder" access?

In fact, we have no evidence that client accounts were accessed, altered or affected.
[Evan] We don't know what the evidence supports.

The controls in place on Resnick's network do not allow files to be downloaded.
[Evan] This remark is mentioned a couple of times and is a little confusing to me. If an unauthorized person has gained access, what prohibits them from downloading files? What type of access is allowed?

As a precautionary measure, Resnick is notifying its clients of this incident and offering them credit monitoring through Experian.

Resnick has in place administrative and technical procedures consistent with safeguarding its client's personal information in order to avoid a reoccurrence of any such incidents.

Resnick is also continually reviewing its policies and procedures and working with its IT service provider to further enhance the security of its network.

Resnick has implemented additional login procedures for access to its network, restricted remote access and deployed additional logging and monitoring on its network.
[Evan] Does this statement provide some hint about how the "intruder" may have gained unauthorized access to the Resnick network?

Resnick continues to work with its IT service provider to take the necessary and appropriate steps to further secure its computer network in order to help avoid future incidents.
[Evan] Like what? The statements provided by the organization are too vague. If I were a client (information owner), I would want to know more!

From the letter to affected clients:

Throughout our 20 year history, Resnick Investment Advisors, LLC has always considered the privacy and security of your personal information to be of the utmost importance, and we take significant measures to protect it.
[Evan] Demonstrate the "utmost importance" by hiring specialized talent to adequately secure your information resources. IT services providers are used to provide IT services. Information security professionals are used to secure information. Information security is NOT an IT issue.

Regrettably, however, we are writing to notify you that, in June 2010, we experienced an electronic intrusion of our computer network by an outside party.

We have identified the means of the unlawful intrusion, and reported the incident to the FBI.

We also have contacted our IT service provider who has assisted us in responding to this situation, and in taking the necessary and appropriate steps to further secure our computer network.

We have no evidence that client accounts were accessed, altered, or affected, but you should immediately report any unauthorized activity in your Resnick accounts to your financial advisor.

We also have no reason to believe that any of your personal information was accessed by the intruders, and the controls in place on our network do not allow files to be downloaded.
[Evan] If the company has NO reason to believe that personal information was accessed, then why are they notifying clients? Maybe a better statement is we have "little reason to believe". You see what I'm saying? Words are powerful and sometimes misleading.

Our IT service provider's investigation leads us to believe that the motive of the intruder was not to access records of our clients, but we are notifying you of this event in an abundance of caution.

Also in an abundance of caution, we are providing you with a free one-year membership in Triple Alert from ConsumerInfo.com, Inc.
[Evan] People who know me or have followed me for a while know how much I dislike the "abundance of caution" statement made by companies. These guys used it twice!

Please be reassured that we have acted responsibly in handling this situation.
[Evan] A rare statement.

We have established a call center to address any questions you may have regarding this event; please call (866) 271-3084.

Commentary:
It would not be my recommendation to rely on your IT service provider as a primary source of information security guidance. It would also not be my recommendation to use your IT service provider as the primary incident responder or investigator. We (FRSecure ) work closely with many IT service providers and our mutual clients to address information security issues. An IT service provider compliments our work and the partnerships have worked out very well.

Past Breaches:
Unknown