Archive for April, 2015

Medical Records exposure leads to data breach

April 29th, 2015

LAC+USC Medical Center (LAC+USC) – Augustus F. Hawkins (Hawkins) Mental Health Center mentioned  that patients’ records were found in the home of a facility employee, when a search warrant was being served at the residence. Authorities reportedly found confidential patient information for 900 Hawkins patients in the nurse’s home. The search was unrelated to County business.

“The incident has been reported to the Health Authority Law Enforcement Task Force (HALT), and we are also actively working with other law enforcement agencies,” the LAC+USC and Hawkins statement read. “We will notify the California Department of Public Health, the California Attorney General, and federal authorities in accordance with statutory requirements LAC+USC Medical Center is conducting a review of its privacy and security practices and will revise them as needed based on the findings.”

The affected information includes information such as names, medical record numbers, addresses, phone numbers, dates of birth, diagnoses, dates of admit, insurance carriers, insurance identification numbers, and Social Security numbers. Other personal data, including driver’s license information, may also have been compromised.

According to the reports, the nurse who allegedly took the documents has resigned and is no longer working at the hospital.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Maryland facility scam hit by Email Phishing scam

April 27th, 2015

Maryland-based St. Agnes Health Care, Inc. recently mentioned on its website that it suffered data breach when one of its employees was the victim of an email phishing scam. St. Agnes said that it sent data breach notification letters to approximately 25,000 patients. It included the warning as protected information was potentially exposed.

“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Saint Agnes Corporate Responsibility Officer Sharon McNamara said in a statement. “Specifically, we will continue to implement administrative, technical and physical safeguards against unauthorized access of protected health information.  In this instance, we reported the incident to our email service provider and are evaluating additional ways to enhance our already robust security program.”

The affected information includes patient names, dates of birth, genders, medical record numbers, insurance information, and limited clinical information. There were four cases where Social Security numbers were exposed.

“Through a fraudulent e-mail communication, sophisticated hackers gained access to protected health information contained in an employee e-mail account,” the statement read.

The statement failed to mention the date and time of breach incident.  Identity monitoring and protection services will be offered free of charge as appropriate for individuals whose social security number has been compromised by this incident.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Ascension Health Facility hit by Email Phishing Scam

April 25th, 2015

Ascension Health Facility suffered consecutive data breaches due to email phishing scam. It is not confirmed whether two incident were related to each other. Seton Family of Hospitals, a division of Seton Healthcare Family (“Seton”) announced the breach on the website. According to the reports, 39,000 patients’ got affected. Username and passwords was targeted by the scammers.

“St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that the faith-based organization is taking appropriate measures to avoid an incident of this nature happening in the future,” the facility said in a statement.

The exposed information includes patient demographic information, such as names and dates of birth, medical record numbers, insurance information, limited clinical information, and Social Security numbers in a few cases. Medical records or billing records were not included in the breach.

“Seton launched an investigation into the matter, and the investigation has required electronic and manual review of affected emails to determine the scope of the incident,” Seton said in its statement. “Seton engaged computer forensics experts to assist with the investigation.”

The facility said that patients who had their Social Security numbers potentially exposed will receive free identity monitoring and protection services. Seton said that it is working with its email service provider “to evaluate ways to enhance its already robust security program,” and will provide more employee education on email phishing scams.

“We value the privacy and security of protected information, and we are committed to protecting the confidentiality and privacy of our patients and employees,” Garza said. “It is our priority to support those who have been affected.”

Washington’s attorney general and two lawmakers’ favors stronger data breach laws

April 22nd, 2015

Washington’s attorney general and two lawmakers are calling for stronger data breach laws after the recent incidents of Premera Blue Cross and Anthem, Inc. data breaches. Attorney General Bob Ferguson, Sen. John Braun, and Rep. Zack Hudgins wrote an opinion piece in The Olympian this week.

As per the statement, current state data breach law is a decade old and obsolete and more meaningful and timely notification laws are necessary. They are trying to close current loopholes. The proposed legislation would require that individuals and the attorney general be notified within 45 days of a data breach occurring.

“In the present statute, there are too many loopholes about when notification must be provided, leaving consumer’s vulnerable to financial fraud and identity theft,” the opinion piece said. “The current law is alarmingly vague on the timeline to notify consumers when data has been compromised. And unlike other states, our current statute does not require notification to the Attorney General when a data breach puts state residents at risk.”

The proposed legislation states that HIPAA covered entities are “deemed to have complied with the notice requirements” if they have “complied completely with section 13402(f) of the federal health information technology for economic and clinical health act, Public Law 111-5.”

Murray discussed the data breach notification process as he was upset with the Premera data breach. He said that it was troubling that it took Premera so long to notify individuals, the media, and lawmakers that an incident took place.

“These failures are particularly troubling given the scope of the attack,” Murray wrote. “It is my hope that Premera can move with great speed and efficiency to ensure that my constituents receive prompt notice and information about the services that are being made available to them.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Email Phishing scam leads to data breach

April 20th, 2015

St. Vincent Medical Group, Inc. suffered data breach when approximately 760 patients’ PHI got exposed. Employee’s username and password was compromised because of an email phishing scam which resulted in to the incident. St. Vincent learned about the data breach on Dec. 3, 2014, and said that it “immediately shut down the username and password of the impacted account and launched an investigation into the matter.”

The affected information includes patient names, demographic information such as dates of birth and phone numbers, account numbers, and Social Security numbers in a few cases. Limited clinical information related to services patients received was also included.

“The investigation has required electronic and manual review of affected emails to determine the scope of the incident,” As per the statement.

As per the St.Vincent individual medical records and billing records were not accessed.

“St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that the faith-based organization is taking appropriate measures to avoid an incident of this nature happening in the future,” the facility said.

St. Vincent mentioned that complimentary identity monitoring and protection services will be offered to patients whose Social Security number was exposed. It will also be providing further employee education on how to avoid phishing scams.

This is not the first time St.Vincent suffered data breach. Earlier, St. Vincent Breast Center mistakenly sent letters with patient information to the wrong addresses.

As per the previous statement:

“Please be assured that the Center is taking steps to mitigate this incident by notifying affected individuals through this substitute notice, media notice, and destroying all letters that have been returned,” St. Vincent said on its website. “The Center is also evaluating and making changes to its patient mailing processes internally and with external vendors to avoid an incident of this nature in the future.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Malicious Software

April 17th, 2015

Malicious Software

Malicious Software is a kind of software which gives partial to full control of your computer to do whatever the malware creator wants. Malware can be a virus, worm, trojan, adware, spyware, root kit, etc.

What is the purpose of Malicious Software?

Malware may be intended to steal personal information or spy on computer users without their knowledge or it may be designed to cause harm, often as sabotage or to extort payment.

Types of Malware

Viruses

A computer program usually hidden within another seemingly useful program that duplicates itself to inserts them into other programs or files and destroys the data or performs intended action.

Trojan Horses

Trojan Horses is computer program that asks users to install it under the pretext of description which appears useful. It is the way to fool users by providing fake information for malware.

Rootkits

Malicious Software which conceals their identity by modifying the host’s operating system to hide from the user.

Backdoor Access

A backdoor is the method by which normal authentication procedures are bypassed, usually over a network connection such as internet.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Common sense can stop phishing attack

April 15th, 2015

What is phishing attack?

Phishing emails, websites and phone calls are designed to steal money. It can be also be done by installing malicious software. Cybercriminals asks you to install malware under pretext of useful software.

How to stop phishing attack?

Spelling & Grammar – Cybercriminals are not that good at spellings and grammar. Professional organizations have dedicated writers for drafting emails. So, the possibility of error in the phishing write up is more.

Fake Alerts – You may get the update from the company you know. Please check for the authenticity of the email and then take any action.

Website Links – Do not click the links from the email. They may also include direct download .exe file which installs malicious software on your computer.

Threats – One of the popular ways to steal the user is by threatening email which states that your account will get closed if you didn’t respond to the said email. Ignore such emails or mark them as spam.

Report Phishing Attack

Company Pretension – Verify the information with the official company helpdesk before taking action for the email, phone etc.

Phone Calls – Report to your local authorities if you receive any phishing phone call.

Emails – Report it to your email service provider like Google, Yahoo etc. if you receive phishing emails.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

IT security Professional Survey about Insider threat

April 12th, 2015

The SANS 2015 Survey on Insider Threats provided below results:

  • 74 percent of the IT security professionals said they’re worried about insider threats from negligent or malicious employees
  • 32 percent said they have no capacity to prevent an insider breach
  • 28 percent said insider threat detection and prevention isn’t a priority in their organizations
  • 44 percent of respondents said they don’t know how much they currently spend on solutions to mitigate insider threats
  • 45 percent said they don’t know how much they plan to spend on such solutions in the next 12 months
  • 69 percent of respondents said they currently have an incident response plan in place
  • More than 52 percent of survey respondents said they didn’t know what their losses might amount to in the case of an insider breach.

“While it’s good to see that a strong majority of security professionals are concerned about the dangers posed by insider threats, I was struck by the fact that investment in solutions that can help does not appear to be keeping pace with that concern,” SpectorSoft COO Mike Tierney said in a statement. “I believe a key action item called out by the survey data is that increased focus on, and investment in, addressing the concerns is required.”

According to the  2015 Vormetric Insider Threat Report:

  • 92 percent U.S.-based healthcare IT decision makers said their organizations are vulnerable to insider threats
  • 49 percent felt “very” or “extremely” vulnerable to insider threats.

According to the Harris Poll Survey-

  • 48 percent of healthcare organizations experienced a data breach or failed a compliance audit in the past year.
  • 48 percent of healthcare organizations experienced a data breach or failed a compliance audit in the past year.

“Healthcare data has become one of the most desirable commodities for sale on black market sites, yet U.S. healthcare organizations are failing to secure that data,” Vormetric CEO Alan Kessler said in a statement. “An overreliance on compliance requirements and a cursory nod to data protection point to systemic failures that are putting patient data at risk.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Skill gap widens for information security professionals

April 9th, 2015

Today, organizations are finding it difficult to manage IT security threats and avoid error. They also face challenges to recover after cyber attack. According to the survey, by 2020 there will be shortfall of 1.5 million information security professionals.

The IT security of companies is being threatened by understaffed workforce and the high level of complexities. (ISC)2 conducted survey polled 3,000 information security professionals and practitioners worldwide.

“Our first workforce study was conducted in 2004 to illuminate critical concerns within the information and cyber security that were struggling for attention,” said Adrian Davis, managing director, Emea, at (ISC)2.

“The 2015 report shows that many of these issues are finally getting much-needed budget and priority, but we are facing new challenges and our skills and staffing challenge is growing,” he added.

Davis mentions that the findings are more or less similar to US and Europe.

“There are some small differences from country to country, but at a higher level, as information security environments become increasingly homogeneous, there is not much variance,” he told Computer Weekly.

“This is likely to be due to the fact that the legal and privacy environment in Germany may make companies more sensitive to protecting information,” he said.

The study also shows that security spending is increasing across the companies.

“We are playing catch-up in an environment where information security has never really made its case as being an interesting and exciting career, and where security professionals are retiring faster than they are being replaced,” said Davis.

Sony like attack possible

April 6th, 2015

According to the security researchers, many hackers across the globe can launch Sony like attack. Around 90% of the companies can suffer possibilities of hacking considering their current security standards.

There is no shortage of technically proficient people willing to launch such an attack, said Jon Miller, a former hacker who now serves as vice president of strategy at Cylance, an antivirus software maker.

“There are probably a couple thousand, three, four, five-thousand people that could do [the Sony] attack today,” Miller tells “60 Minutes”‘ Steve Croft in an interview airing Sunday evening on CBS television stations.

Complicating things for companies is the sheer number of computers that must be protected, usually from the employees operating them, said Kevin Mandia, chief operating officer of FireEye, the anti-malware company that worked with Sony to mitigate the effects of the hack.

“The advantage goes to the offense in cyber,” Mandia says. The defense must defend every computer, thousands in some cases, but “the offense side thinks, ‘I only need to break into one and I’m on the inside.’…Nation-state threat actors, or hackers, target human weakness, not system weakness.”

The Sony security breach was more serious that it was perceived. Hackers leaked the personal information which includes Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees. They also leaked movies which were not released, as well as embarrassing emails between Sony Pictures executives, among other internal documents.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.