Archive for July, 2015

OhioHealth’s flash drive goes missing

July 31st, 2015

OhioHealth has issued health data breach notification letters after misplacing an unencrypted flash drive. The flash drive has not yet been recovered, and OhioHealth said there is no reason to believe that it was stolen or has been misused.

The affected information includes patient names, medical record numbers, names of insurance companies, physician names, addresses, dates of birth, referral and treatment dates, the type of procedures conducted, and in a few cases, clinical information and Social Security numbers.

According to the OhioHealth statement, only a small number of patients are affected. Specifically, only patients who were to receive valve replacements or who participated in valve replacement studies at Riverside Methodist Hospital between July 2010 and December 2014 may have been affected by the health data breach.

The OhioHealth statement did not mention the number of affected patients. According to an article by The Columbus Dispatch, there were 1,006 patients affected and potentially 30 Social Security numbers compromised.

OhioHealth believes the flash drive has simply been misplaced by an employee. It has nonetheless decided to send data breach notifications to all those who may have been affected.

“OhioHealth is deeply committed to the sacred trust that we hold in providing quality care to our patients and families, including as it relates to the protection of their confidentiality,” OhioHealth said in a statement. “We sincerely apologize and regret that this incident has occurred.”

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

 

Healthfirst suffers data breach due to cyber attack

July 29th, 2015

Healthfirst’s online portal was attacked by cyber criminals. The health insurance company is notifying approximately 5,300 individuals that their PHI may have been compromised. No Social Security information was disclosed in the data breach.

Healthfirst was first informed that it was a victim of fraud by the US Department of Justice (DOJ) and from there prosecuted the perpetrator and continued a joint investigation with the DOJ. After the investigation, the two organizations discovered that the culprit had also gained access to Healthfirst records and that a PHI data breach had occurred.

Affected information includes patient names, dates of birth, addresses, health insurance plan information, description of missing services, physician numbers, Healthfirst member ID numbers, patient ID numbers, Medicare and Medicaid ID numbers, claim numbers, and diagnosis codes.

Healthfirst also notified the proper government channels, such as the US Department of Health and Human Services (HHS). Healthfirst is also taking preventative measures to keep this from happening in the future, including revising its security policies and its online portal security.

According to the statement:

“Healthfirst sincerely regrets that this incident occurred,” the company said in its statement. “Healthfirst takes the privacy and security of its members’ health information very seriously. Healthfirst values the trust its members have placed in it as their health plan and it is Healthfirst’s priority to reassure its members that it is taking steps to ensure its members’ information is protected.”

Georgia Divisions of Aging Services suffers data breach

July 27th, 2015

According to a statement by the Georgia Department of Human Services (DHS), the Georgia Divisions of Aging Services data breach affected approximately 3,000 clients. The breach, which affected individuals in the Community Care Services Program (CCS), had minimal impact and has been completely resolved.

The cause of the breach was an email accidentally sent to one of the program’s contracted providers. According to the reports, the email contained information regarding patient diagnoses. Sensitive data such as contact information, Social Security numbers, or Medicaid numbers were not included in the email. All individuals affected have been notified in accordance with federal mandates.

Despite the small impact, the Department of Aging Services is still taking measures to improve its security systems. The Department has added new safeguards to its data systems and has also implemented new training practices for members of the department.

Officials from the Department expressed regret for the incident. They also emphasized that patient safety and security are of the utmost concern.

“While we are confident that this data breach was limited in nature and resolved almost immediately, we are obligated to ensure that our clients and the public can trust the integrity of our programs,” said Georgia’s Human Services Commissioner Robyn A. Crittenden. “We take client privacy very seriously, and it is important that the public is fully aware of this situation and aware of our efforts to prevent such an event in the future.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

UPMC suffers second data breach

July 25th, 2015

A recent data breach at the University of Pittsburgh Medical Center (UPMC) Health Plan affected 722 patients. This is the second health data breach at a UPMC facility in just under two months. The incident involved emailing a data file containing certain PHI to an incorrect address.

The affected information includes patient names, member ID numbers, dates of birth, phone numbers, name of the primary care physician’s office, and insurance plan types. Social Security numbers or information about medical histories were not disclosed.

UPMC Health Plan Director of Public Relations Gina Pferdehirt mentioned in an email response that “in context the breach is very minor,” but added that the healthcare organization was taking the incident seriously.

The data breach occurred when a former MML employee copied certain items of personal information from the billing system over the past two years and then illegally disclosed that information to a third party.

“MML takes this matter very seriously and terminated this employee after being informed of this criminal investigation,” according to a Medical Management statement. “MML is cooperating with federal law enforcement authorities in their criminal investigation.”

According to the statement:

“We apologize for any anxiety or inconvenience that this incident may cause our members,” Chief Compliance Officer of the UPMC Insurance Services Division William Gedman said in a statement. “Based on our ongoing investigation, we will make all changes necessary to further enhance our already stringent privacy protections. UPMC Health Plan is committed to doing our utmost to minimize the chance that this type of issue will occur again.”

Data breach in Mayo Clinic Health

July 23rd, 2015

The Mayo Clinic Health System in Red Wing, Minnesota reported a data breach in which 601 patient records were inappropriately accessed by an employee. According to Mayo Clinic Public Affairs Manager Asia Zmuda, “an employee accessed patient records beyond the scope of authorized access and assigned job responsibilities.” The employee is no longer employed at the health system, according to the emailed statement.

“An internal investigation was immediately launched and a detailed analysis of the individual’s access yielded no evidence that financial information was accessed or that any health information was further disclosed,” Mayo Clinic explained. “Mayo Clinic will continue the proactive monitoring of patient records to prevent further incidents from occurring. Mayo Clinic takes this matter very seriously and is committed to maintaining the highest levels of integrity and trust for those it serves.”

Mayo Clinic is currently in the process of notifying patients who were affected by this incident, according to the organization’s statement. It was not specified what type of information was accessed, but Zmuda underlined the fact that financial information was not involved and that health information was not further disclosed.

Two computers stolen from Arkansas Blue Cross

July 21st, 2015

Arkansas Blue Cross Blue Shield (ABCBS) sent out potential data breach notification letters to members after computers were stolen. The computers belonged to Treat Insurance Agency, which solicits applications from individuals for insurance coverage through multiple insurers, including Arkansas Blue Cross. ABCBS did not reveal the details of the information present on the computers.

“Treat Insurance Agency very much regrets that theft from their offices has affected Arkansas Blue Cross members and applicants,” Arkansas Blue Cross Senior Vice President Ron DeBerry said in a statement.

“To reduce the risks that any similar thefts might affect our valuable customers, we will request independent insurance agents to protect their computer records by using encryption technology on all computers storing any applications for Arkansas Blue Cross.”

The computers contained sensitive information of 560 Arkansas Blue Cross applicants. According to the reports, individuals affected by this incident will receive one year of complimentary identity protection services. The details of the theft are not known.

“The notification required by this section shall be made after the law enforcement agency determines that it will not compromise the investigation,” the legislation states. “Notification under this section is not required if after a reasonable investigation the person or business determines that there is no reasonable likelihood of harm to customers.”

Because the computers were stolen, ABCBS explained that there is no way to determine whether an unauthorized person attempted to access the patient information. It also did not specify whether the stolen computers were encrypted.

Howard University Hospital suffers data breach

July 18th, 2015

Howard University Hospital in Washington, D.C. suffered a data breach when more than 1,400 patients received letters intended for other individuals. The letters included names, account numbers, and dates that other individuals visited Howard University doctors. Social Security numbers, dates of birth, and other personal information were not included.

According to the reports, a data error caused letters to go out to people with the right surnames but the wrong addresses. Howard University explained that California Healthcare Medical Billing, Inc. and JP Recovery Services, Inc. had been hired to mail letters to patients who had not yet paid their bills.

The university said that it became aware of the incident on May 11 and will notify affected individuals.

A similar incident is the breach at Virginia Commonwealth University Health System, in which an employee took CDs that were no longer needed for the organization’s services and donated them to assist with children’s art projects. The affected information includes names and one or more of the following for 1000 patients: home addresses, dates of birth, medical record numbers, clinical information and health insurance information.

“This error brought to light a vulnerability in our system that developed over time and that we are working to correct, and we are deeply sorry for the inconvenience this may have caused some of our patients,” said John Duval, CEO of MCV Hospitals and Clinics.

Medical document found in confetti

July 15th, 2015

The incident involves confetti used during the World Cup victory parade of the U.S. Women’s soccer team. According to a New York news station, some of the confetti used in the parade contained medical information.

The incident came to notice when a reporter tweeted a photo of confetti strips that, once pieced together, made up an entire prescription. Affected information includes patient names and the doctor’s office address.

The incident could be a case of official confetti versus confetti made by local businesses and residents. In a similar incident on Thanksgiving Day 2012, the official confetti supplied by Downtown Alliance was just colored paper, while police department reports mention that documents containing information ended up as confetti. Downtown Alliance also reported that it provided two tons of confetti in 2012, yet its cleaning crew picked up 34 tons of confetti.

In the current incident, the news station also reported that Atlas Packaging Company provided two tons of strip-cut, blank news roll, which can be considered the official confetti for the victory parade. It seems that good intentions like victory parades potentially led to health data security issues, which is not entirely uncommon.

Cyber War

July 9th, 2015

Cyber war is fast becoming a reality. The recent attack on Sony is just the beginning. Security expert Bruce Schneier described the possible destruction caused by cyber war in his address at the recent InfoSec Europe security conference in London.

“We are in the early years of a cyber war arms race,” he said. “We have seen China attack Github, we have seen countries attacking companies, and I think we are going to see much more of that in the future.”

He also mentioned that countries like North Korea have a natural advantage in this type of cyber warfare because of the basic level of technical infrastructure that they possess.

“North Korea has natural cyber-defenses in that it only has about 1,000 IP addresses, and it has only very few computers so its ‘terrain’ is very defensible. By contrast the U.S. is extremely vulnerable because it has lots of computers and Internet infrastructure.”

Also, some cyber warfare attacks may be carried out by groups (such as terrorist organizations) rather than countries.

“We are living in a world now where we can be attacked and not know if the attacker is a foreign government or just a couple of guys, and that is freaky,” Schneier said. “Technology is spreading capabilities, and the same weapons and tactics are available to everyone.”

In a real-world scenario, it is difficult to determine who is behind the attacks. Schneier mentioned one incident where Israeli war planes attacked and destroyed a nuclear facility in the Middle East 10 years ago.

“Four years later the Israelis and the U.S. attacked an Iranian uranium enrichment facility plant (at Natanz) using a cyber-weapon (Stuxnet). But the Iranians didn’t know that they had been attacked, let alone who did it,” he said. “Attribution can take weeks or months.”

Types of Cyber Attacks

  • Low focus, low skill attacks – Carried out by novices
  • Low focus, high skill attacks – Involve identity theft and credit card breaches
  • Low skill, high focus attacks – Generally include bypassing security measures
  • High focus, high skill attacks – Most advanced

“To defend against low focus attacks you just need to be more secure than the guy next to you,” said Schneier. “With highly focused attacks this relative security is irrelevant; your security has to beat the attacker’s skill. With a high focus, high skill attack, a sufficiently skilled attacker will always get in. We are all vulnerable.”

Without the ability to attribute attacks, Schneier pointed out that it is also impossible to distinguish between computer network exploitation, a classic data breach where an attacker exploits vulnerabilities to steal things, and computer network attacks, where the attacker’s motivation is to cause damage. It’s the difference between copy *.* and delete *.*, in other words, he said.

Cloud more secure, says Amazon CTO

July 7th, 2015

With rising cloud adoption in the IT world, there is more focus on security because the cloud is a shared environment: multiple organizations make virtual use of the same physical infrastructure. But the Amazon CTO believes that the Amazon cloud is more secure than on-premises infrastructure.

During the Amazon Web Services (AWS) Summit, Amazon CTO Werner Vogels said: ‘But far from being insecure, the cloud will improve the security postures of most organizations’.

“You can actually move to the cloud to improve your security, compliance and governance,” he said.

There are various aspects to the statement by Vogels.

  • Increase in Amazon’s level of investment in and focus on AWS cloud security.
  • Investment in intellectual property as well as human capital to make sure its infrastructure is secure for users.

Amazon has achieved “a very broad range of accreditations and certifications” in its data centers.

  • The certifications include PCI-DSS and U.S. federal government certifications like FedRAMP.
  • The Amazon CTO is especially proud of Amazon’s certification for HIPAA (Health Insurance Portability and Accountability Act).

“HIPAA is a really important certification as it allows health care applications to be built on top of AWS,” he said.

Amazon has also built a whole range of tools for users to secure their applications and data including AWS’ own secure infrastructure. The tools help provide granular visibility into the usage and resources consumed by AWS cloud deployments.
