Archive for March, 2016

Security Survey Conducted by SailPoint Market Pulse

March 31st, 2016

SailPoint Market Pulse conducted a survey that showed interesting results. According to the results, 20 percent of respondents said they would sell their passwords to a third party. Twenty percent of U.S. respondents said they would do so. Forty-four percent would do so for less than $1,000. The survey was conducted on 1,000 employees at organizations with at least 1,000 employees.

Participants were located in the U.S., the U.K., Germany, France, the Netherlands and Australia.

“One would think that as more breaches touched more people individually, they would be more vigilant about security processes,” the report states. “But, in a stark contrast, it seems that while they expect their personal information’s safety, when functioning as employees, these same users are practicing security incredibly ineffectively, leaving themselves and their employers exposed.”

Other highlights of the survey include –

  • One third of participants admitted having purchased a SaaS application without IT’s knowledge
  • Twenty-six percent admitted having uploaded sensitive information to cloud apps with the specific intent of sharing that data outside the company
  • Forty percent of respondents said they were still able to access a variety of corporate accounts after leaving their last job
  • One third of respondents said they have been impacted on a personal level by recent data breaches
  • Eighty-five percent said they would react negatively if their personal information was breached at a company with whom they do business
  • Eighty-four percent of respondents are concerned that incredibly sensitive information about them is being shared
  • Thirty-two percent of respondents admitted sharing passwords with their co-workers, and 65 percent admitted using a single password between applications.

————————————————————————————————————————————————————-

Alertsec is used by organizations that have recognized the need to protect their information. Over 4 million users worldwide use Alertsec’s Check Point Full Disk Encryption.

Hospitals and Ransomware

March 28th, 2016

The Ottawa Hospital, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital were recently infected with ransomware.

According to Kentucky Methodist Hospital, “Methodist Hospital is currently working in an internal state of emergency due to a computer virus that has limited our use of electronic Web-based services. We are currently working to resolve this issue, until then we will have limited access to Web-based services and electronic communications.”

“It did cause significant disruptions of our IT systems,” Fred Ortega, spokesman for Prime Healthcare Services, which operates Chino Valley Medical Center and Desert Valley Hospital, told BBC News. “However, most of the systems and the critical infrastructure has been brought back online.”

The Locky ransomware was delivered by email and spread from the initially infected computer to others on the network, Jamie Reid, Kentucky Methodist’s information systems director, mentioned in the statement.

“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” David Park, an attorney for Kentucky Methodist, told Krebs.

Attackers demanded four bitcoins (approximately $1,600) to decrypt the files.

Canada’s Ottawa Hospital was also infected. Around 9,800 computers were infected with ransomware. “The malware locked down the files and the hospital responded by wiping the drives,” hospital spokeswoman Kate Eggins told the National Post. “We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security.”

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Computer glitch and Data Breach

March 26th, 2016

Laborers’ Health & Welfare Trust Fund for Northern California discovered that a computer glitch caused certain consumer health information to be processed incorrectly. The incident affected the processing of IRS Form 1095-B which included some patient health data in California.

According to the reports, some personal health information of workers was sent to other plan participants and beneficiaries. Affected information included beneficiary names and names of dependents, Social Security numbers, and health plan coverage information. According to a press release, the Fund Office has notified potentially affected individuals personally, and will provide free credit monitoring to them.

The Fund Office mentioned that it will be taking steps to strengthen training processes and tighten security measures.

According to the press release –
The Fund Office has notified participants and provided credit monitoring services to all those participants and beneficiaries affected. The Fund Office has also instituted stronger security measures to guard against future mishaps.

According to Wikipedia –
A computer glitch is the failure of a system, usually containing a computing device, to complete its functions or to perform them properly. In public declarations, glitch is used to suggest a minor fault which will soon be rectified and is therefore used as a euphemism for a bug, which is a factual statement that a programming fault is to blame for a system failure.

————————————————————————————————————————————————————-


Unencrypted email and data breach

March 24th, 2016

BJC Healthcare Accountable Care Organization (BJC ACO) in the St. Louis area recently announced a data breach in which an unencrypted email was sent to a participating medical practice in the BJC ACO. It mentioned that 2,393 patients were possibly affected by the data security breach.

As per the statement, an email was sent containing patient information without the necessary security encryption. Affected information includes patient names, gender, dates of birth, and Medicare beneficiary identification numbers. Medical information was not sent via email.

“BJC ACO investigated the email transmission and has discovered no indication that anyone other than the intended and authorized recipient at the medical practice read or accessed the email. BJC ACO has taken steps to re-educate staff on the process for sending emails in a secure manner,” the statement confirmed.

According to the statement: BJC ACO has complied with all U.S. Department of Health and Human Services Office for Civil Rights notification requirements, including individual patient letters, public news release and website posting.

About BJC ACO

BJC HealthCare was the first provider in the St. Louis area and one of 89 U.S. health care providers selected in 2012 as an Accountable Care Organization by the Centers for Medicare and Medicaid Services. CMS established ACOs that year to encourage groups of doctors, hospitals and other providers to coordinate health care services for Medicare patients and share in savings obtained through high-quality, well-coordinated care. BJC ACO currently coordinates care for approximately 40,000 patients in the BJC service area of metropolitan St. Louis, southern Illinois and mid-Missouri.

————————————————————————————————————————————————————-


Walmart’s Pharmacy Suffered Data Breach

March 21st, 2016

Wal-Mart’s online pharmacy announced a healthcare data breach. The incident was the result of a software coding error that allowed some customers to view other customers’ data. According to the reports, a patient could see health information belonging to another patient who was logged in at the same time. Wal-Mart believes that none of this information has been misused, and the incident was not the result of hacking. “We had a software coding error for a 72-hour period from February 15 to 18 that affected a limited group of online pharmacy customers,” said company spokesman Dan Toporek.

“We moved quickly to fix the issue once it was discovered.” Affected information included patient names, addresses, dates of birth, and prescription histories. No Social Security numbers or other sensitive billing information were disclosed. Wal-Mart officials reported that only about 5,000 patients were potentially affected during this breach. The company offered one year of free credit monitoring services.

The error happened during the migration of servers and was not a hack, Toporek said. Fewer than 5,000 users were potentially affected, a small percentage of the number of people who logged in during the 72-hour period, he said.

————————————————————————————————–

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec’s Check Point Full Disk Encryption.

Unauthorised Access and Data Breach

March 19th, 2016

University Hospitals Geauga Medical Center suffered a data breach when a former employee improperly accessed health data. The employee has since been terminated. Affected information included patient names, dates of birth, medical record numbers, and health information related to medications. UH stated that there is no reason to believe this incident will lead to identity theft.

UH mentioned that 677 individuals were potentially affected. It will be reeducating staff on HIPAA regulations. According to the statement, UH is unaware of any identity theft or harm to patients caused by the access of information. The concerned individuals are being notified of the incident. Law enforcement was also notified about the incident.

UH has taken steps to correct the situation and prevent similar occurrences in the future.

HIPAA administrative safeguards consist of the following main aspects –

  • Security management process
  • Assigned security responsibility
  • Workforce security
  • Information access management
  • Security awareness and training
  • Security incident procedures
  • Contingency plan
  • Evaluation
  • Business associate contracts and other arrangements

“Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper,” explained OCR Director Jocelyn Samuels, adding that PHI security is essential for entities of all sizes.

“All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise,” Samuels said in a statement.

————————————————————————————————————————————————————-

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Roark’s Pharmacy Data Breach Incident

March 17th, 2016

Roark’s Pharmacy in Oneida, Tenn. suffered a burglary which also resulted in a healthcare data breach. It potentially affected nearly 3,000 individuals, as per the Office for Civil Rights (OCR) data breach portal. Oneida Police Department investigator Blake Murphy, who is in charge of the investigation, noted that the burglars had destroyed the store’s alarm system, disconnected the phone lines from the system, and also disabled the system’s backup battery and backup cell phone.

The report didn’t mention the type of health data stored on that server, nor did it state what kind of mitigating measures the pharmacy will take toward potentially affected individuals. “It is unknown at this time how many narcotics were taken or a total value of damaged property,” Murphy wrote in the report.

According to the news article – While the burglars were successful in destroying any evidence of their intrusion inside the store, investigators were able to use video surveillance from Mike’s Service Station next door to capture footage of two unidentified people walking towards the store around 2:15 a.m. — at the same time Highland Telephone Cooperative technicians were able to determine that the store’s phone system had been disconnected.

————————————————————————————————————————————————————-


Phishing Attack and Data Breach

March 15th, 2016

A California-based cancer research and treatment center reported that some patients were affected by a data breach caused by a phishing attack. According to the reports, four staff members had their email accounts accessed by an unauthorized party due to a phishing attack. Of the four accounts, three included emails that contained PHI, such as patient names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers and some clinical information such as diagnoses, test results and dates of service.

“It does not appear that the phishing attack targeted protected health information; instead, it appears the accounts were accessed for the purposes of sending spam emails to other individuals,” the statement explained. “City of Hope is sending notification letters to the affected patients, and is taking all appropriate steps to mitigate any potential harm to affected individuals.” City of Hope mentioned that, for most patients, only the patient’s name and medical record number were affected.

Only one patient’s affected information included Social Security numbers and financial information. The statement failed to disclose how many individuals were potentially affected. “City of Hope took prompt action to secure the email accounts and end the intrusion,” the center stated. “In addition to notifying local law enforcement, City of Hope retained a leading forensic information technology firm to assist with its investigation of the incident, to evaluate its systems and processes and further strengthen its safeguards to protect against such attacks.”

————————————————————————————————————————————————————-


Oncology database and data breach

March 12th, 2016

A 21st Century Oncology database was inappropriately accessed by an unauthorized third party. According to the reports, 21st Century Oncology immediately hired a leading forensics firm to support the investigation, assess its systems and bolster security. Affected information includes patient names, Social Security numbers, physicians’ names, diagnosis and treatment information, and insurance information. There is no indication that medical records were accessed.

According to the FBI, there may be a delay in data breach notification. There is no indication that information was potentially misused. Affected patients are offered one year of credit monitoring services.

“We continue to work closely with the FBI on its investigation of the intrusion into our system,” 21st Century stated. “In addition to security measures already in place, we have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future.”

The facility asked their patients to closely monitor their explanation of benefits that they receive from their health insurer to make sure that they have received all of the services listed.

“We deeply regret any concern this may cause our patients, and we want to emphasize that patient care will not be affected by this incident.”

————————————————————————————————————————————————————-


Stolen laptop and data breach

March 8th, 2016

Valley Hope Association, a Kansas-based non-profit, suffered a data breach after a work-issued laptop containing patient information was stolen from an employee’s car. The facility provides drug and alcohol addiction treatment. According to the statement, Valley Hope Association acknowledged that sensitive patient information is potentially at risk.

Affected information includes patient names in conjunction with one or more personal information identifiers, such as Social Security number, dates of birth, addresses, phone numbers, state identification or driver’s license numbers, physician name, treatment and treatment location, diagnosis, medical record numbers, disability code, usernames and passwords, tax identification numbers, patient account information, health insurance information, financial information, and medical information.

“The employee reported the theft to Valley Hope Association on December 30, 2015, and we immediately launched an investigation to determine the precise contents of the laptop at the time of the theft,” Valley Hope Association confirmed. “We also disabled the laptop’s network connection capabilities, disabled the employee’s access credentials, and confirmed that our network systems were not accessed by the laptop since the employee’s last valid access before the laptop was stolen.”

Valley Hope Association added that third-party forensics experts have been brought on to help “confirm the nature and scope of this incident.” The statement failed to disclose the number of affected individuals, but the OCR data breach tool reported that 52,076 individuals were possibly affected.

————————————————————————————————————————————————————-
