Archive for the ‘data encryption’ category

Data breach due to hacking

March 2nd, 2017

Emory Healthcare’s Orthopaedics & Spine Center and Brain Health Center (EHC) at Emory Clinic recently suffered data breach, which impacted almost 80,000 patients. Facility came to know about the incident on Jan 3, 2017. It involved third party database called Waits & Delays. As per the statement, the affected database was used for patients’ appointment information.

Affected information included patient names, dates of birth, contact information, internal medication record numbers, dates of service, and physician names. The above information was removed from the server by an unauthorized individual. The person demanded payment from EHC to restore the data.

As per the reports, individuals who scheduled an appointment at the Orthopaedics & Spine Center within Emory Clinic between March 25, 2015 and January 3, 2017, and any patients with an appointment at Emory Clinic Brain Health Center between December 6, 2016 and January 3, 2016 are potentially affected.

As per the OCR data breach reporting tool, incident affected 79,930 individuals.  Facility mentioned that no Social Security numbers, financial information, diagnoses, or any other information from patient EHRs were accessed during the incident.

Another instance of unauthorized access by an independent security research center was also noticed. It resulted due to efforts of finding gaps in application security to alert companies of areas needing improvement by security company.

Facility launched an internal investigation after the incident. It also notified law enforcement. Potentially affected individuals are also notified. EHC is performing analysis on its current security measures. Internal and external systems which contained patient information will be changed as per the reports.

EHC mentioned that it has no information or indication of accessed data misuse.

“Please refer to the notice you will receive in the mail regarding steps that you can take to protect yourself. In general, we recommend, as a precautionary measure, that you remain vigilant to protect against potential fraud and/or identity theft by, among other things, reviewing your account statements and monitoring credit reports closely. If you detect any suspicious activity on an account, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidents of identity theft to proper law enforcement authorities, including the police and your state’s attorney general.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Financial companies get new security law

February 28th, 2017

The State of New York will be implementing new regulations that require banks, financial services companies to have cyber security programs and also maintain them to specific standards.

“As our global financial network becomes even more interconnected and entities around the world increasingly suffer information breaches, New York is leading the charge to combat the ever-increasing risk of cyber attacks,” Maria T. Vullo, superintendent of the New York State Department of Financial Services, said in a statement.

Financial companies now need to check security at third party vendors. Also, they need to maintain adequately funded and staffed cyber security program. It should be monitored by qualified management. The team should report to organisation’s senior body.

Standards are also set for access controls, encryption and penetration testings. Breaches should have response plan. Preservation of data comes under this new rule. And notification to the Department of Financial Services should be sent.

Prevalent director of product management Jeff Hill told “The economic wake of a substantial data breach can stretch for years, impacting not only tangible bottom line results, but also inflicting reputational damage that can linger indefinitely.”

“New York State’s new rules are particularly forward-looking in that they emphasize the importance of understanding and managing third party risk, the source of more than half of all breaches according to a number of studies,” Hill added. “Addressing what is often the soft underbelly of many enterprises’ cyber security defenses — third parties/vendors — the State of New York is forcing a critical element of its economic infrastructure to cover all its bases.”

“In recent times, the regulatory pendulum has begun to swing in favor of a ‘lighter’ approach for banks, financial services and for other industries too, for that matter,” VASCO Data Security head of global marketing David Vergara said by email. “It’s good to see, however, that good sense regulations like this one have survived to offer additional consumer protection via thorough evaluations of third party vendors, comprehensive risk assessments and advocacy for stronger multi-factor authentication.”

___________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Healthcare companies to increase security spending

February 26th, 2017

As per the recent survey of more than 1,100 senior security executives worldwide, here are the results-

  • Seventy six percent of global healthcare organizations plan to increase security budget
  • Eight one percent of U.S. healthcare organizations mentioned that they will increase the security budget

As per the survey conducted by Thales Data Threat, sixty percent healthcare are deploying to cloud, big data, and IoT or container environments without proper security measures.  Ninety percent believes that they can face data breach.

“For healthcare data to remain safe from cyber exploitation, encryption strategies need to move beyond laptops and desktops to reflect a world of Internet-connected heart-rate monitors, implantable defibrillators and insulin pumps,” Thales e-Security vice president of strategy Peter Galvin said in a statement. “Adhering to the security status quo will create vulnerabilities that lead to breaches, and further erode customer trust.”

As per the Redspin’s Breach Report there is increase in data breach incidents in 2016.

“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, vice president at CynergisTek, said in a statement (Redspin is now part of the CynergisTek portfolio).

“The dramatic increase in hacking attacks in 2016, coupled with the large number of patient records copmromised in those incidents, points to a pressing need for providers to take a much more proactive and comprehensive approach to protecting their information assets in 2017 and beyond,” Berger added.

Accenture conducted survey which concluded that 26 percent of U.S. consumers faced data breach. Fifty percent faced medical identity theft.

“Health systems need to recognize that many patients will suffer personal financial loss from cyber attacks of their medical information,” Reza Chapman, managing director of cyber security in Accenture’s health practice, said in a statement. “Not only do health organizations need to stay vigilant in safeguarding personal information, they need to build a foundation of digital trust with patients to help weather the storm of a breach.

Fifty percent found the breach by themselves by looking at their credit card statement. Twenty five percent changed their healthcare providers after the breach. Twenty one percent changed insurance plan. And nineteen percent took help of legal counsel.

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements. The implemented encryption is powered by CheckPoint and has the highest security certifications: FIPS 140-2, Common Criteria EAL4 and BITS.

Break In causes data breach

February 14th, 2017

Wichita, Family Medicine East, Chartered based in Kansas reported that it suffered data breach due to theft of an unencrypted desktop computer and printer from its facility. As per the reports, an individual got into the building by breaking an exterior window. Family Medicine mentioned that police have not yet caught the thief. Also, stolen items are not recovered.

Family East mentioned that “a significant number contained images of typed office notes dictated by Family Medicine East physicians during 2002 and 2003.”

Affected information included patient names, dates of birth, appointment dates, and the name or initials of the physician or PA who saw patients were in the notes. Social Security numbers and addresses are not included in the breach. Letters written to other physicians discussing a Family Medicine referral were included for few. Letters were also identified by name and information about their medical condition.

“[The notes and letters] were typed by transcriptionists engaged for that purpose in 2002 and 2003,” Family East said in its online statement. “The files remained on the computer that was stolen as a result of an employee’s oversight, and were not detected during a number of risk analyses undertaken prior to the theft, as part of efforts to secure all individually identifiable health information.”

Individuals who got treated in 2002 or 2003 are asked “to take steps to eliminate or minimize potential harm that could be caused by the theft.” Steps also include obtaining credit reports and monitoring their financial and baking accounts for activities.

Facility mentioned that it is offering complimentary credit monitoring services to potentially affected patients. It also said that all computers and systems will be encrypted.

“While Family Medicine East hopes to recover the stolen computer, this may not be possible,” the statement explained. “As part of its ongoing effort to prevent breaches of protected health information, Family Medicine East began the process of encrypting health information stored on laptop computers used by the doctors, PAs and nurses for patient care some time ago.”

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Hackers demand ransom to open disabled door locks

February 12th, 2017

Austria’s four-star, 111-year-old Romantik Seehotel Jagerwirt mentioned that its internal systems were recently breached. Hackers disabled both the hotel’s electronic door locks and the reservation system. The attack against the facility means that the new keys couldn’t be created and also reservations couldn’t be checked or confirmed.

Hotel has to pay 2 Bitcoins (almost $2,000) to get control of the systems back to the hotel.

“The house was totally booked with 180 guests, we had no other choice,” hotel managing director Christoph Brandstaetter told The Local. “Neither police nor insurance help you in this case.”

This was the third cyber attack for the hotel, Brandstaetter said.  It also faced fourth attack as new computers were placed along with new security standards.

“The restoration of our system after the first attack in summer has cost us several thousand Euros,” Brandstaetter said. “We did not get any money from the insurance so far because none of those to blame could be found.”

“We are planning at the next room refurbishment for old-fashioned door locks with real keys,” he said. “Just like 111 years ago at the time of our great-grandfathers.”

As per the recent research survey of nearly 1,000 enterprise IT buyers, half believe that the security is crucial.  Still many are moving towards IOT. Around 90 percent of enterprises plan to increase IoT spending. The research showed that the IoT-related spending will increase by 33 percent.

Other finding include:

Fifty four percent said a lack of trained IoT staff is not an issue for their organizations.

Forty six percent said they’re having difficulty filling IoT-related positions.

“When it comes to IoT adoption, pragmatism rules,” 451 Research director Laura DiDio said in a statement. “The survey data indicates enterprises currently use IoT for practical technology purposes that have an immediate and tangible impact on daily operational business efficiencies, economies of scale and increasing the revenue stream.”

___________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Funding for bug bounty vendor

February 9th, 2017

As per the recent news, one can make money in the rewarding business of security researchers for finding security vulnerabilities. HackerOne published that they have raised a $40M Series C round of funding. Total funding received till date for the San Francisco based company is $74 Million.

Dragoneer Investment Group led new round of funding. It will be used to help HackerOne grow its business.

“HackerOne is at the forefront of the burgeoning bug bounty movement,” Marc Stad, Founder and Managing Partner of Dragoneer Investment Group, said in a statement. “It is borderline silly for a company not to utilize a bug bounty platform given the immediate reduction in security vulnerabilities and the relatively low price point compared to other security options.”

Rice, co-founder and CTO of HackerOne in the video interview mentioned the statistics of business growth. Also, discussed the bugs found by HackerOne’s community of researchers.

Hacking the pentagon program was one of the major successes of HackerOne. The results were positive. It has 1,400 security researchers participating in the program. It also discovered 138 serious vulnerabilities which were fixed quickly. Also, the U.S. Department of Defense also got involved in the program.

HackerOne faces competition from bug bounty vendor Bugcrowd. The rival has raised $24 million in funding to date which includes $15 million Series B round.

“When I started the company in 2013, I spent most of my time explaining what a bug bounty was to people,”Bugcrowd founder and CEO Casey Ellis said. “I don’t have to do that anymore.”

“How we do things today is we prove a concept manually first, apply human intelligence to the problem set and then take the repeatable learnings and codify that,” Ellis said.

The market of buy bounty is competitive but there is demand. Rice also mentioned that more bugs have been found by third party bug bounty companies as compared to vendors.

_____________________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Stolen laptop results in data breach

February 2nd, 2017

Children’s Hospital Los Angeles (CHLA) and Children’s Hospital Los Angeles Medical Group (CHLAMG) recently suffered data breach when one of its unencrypted laptop was stolen. The laptop contained personal health information of 3,600 patients.

According to the reports, laptop was taken away by thief from the locked vehicle of a CHLAMG physician at CHLA. Investigation conducted by the facility found that the laptop was encrypted to up-to-date institutional standards along with password-protection. But later review mentioned the possibility of unencrypted status of laptop.

Facility is notifying patients whose information was stored on the laptop. Affected information includes names, addresses, medical record numbers, and certain clinical information.

“Following the notification regarding the burglary, an investigation took place to determine whether patient health information existed on the laptop,” CHLA spokesman Lorenzo Benet said in a statement. “Based on the investigation, the laptop has not been used to access the internet. From that information, we believe that all data may have been erased from the device without any patient data being accessed.”

Also, a protocol is created to erase data from the laptop when it logs onto the internet next time. Notification letters sent by facility will instruct individuals to review health insurance documents for evidence of misuse or identify theft.

Facility also asked patients to review their Explanation of Benefits statements in case of any unusual behavior . Also, they are advised to notify the hospital immediately for any issues.

About Childrens Hospital Los Angeles

“Children’s Hospital Los Angeles has been named the best children’s hospital in California and among the top 10 in the nation for clinical excellence with its selection to the prestigious U.S. News & World Report Honor Roll. Children’s Hospital is home to The Saban Research Institute, one of the largest and most productive pediatric research facilities in the United States. Children’s Hospital is also one of America’s premier teaching hospitals through its affiliation with the Keck School of Medicine of the University of Southern California since 1932.”

___________________________________________________________________________________

Alertsec Endpoint Encrypt is certified according to Common Criteria AEL4 and FIPS 140-2.

Data breach due to billing service provider

November 24th, 2016

A physical therapy provider recently suffered data breach which involves personal information. The security incident may have affected 1,100 patients at Best Health Physical Therapy. secure-data

Best Health is owned by Travis Lombardi, PT, MSPT.  It provides solution and services to meet rehabilitation goals of individuals. It provides solution for orthopedic and sports medicine, neurological, arthritis, fracture and other issues.

Facility came to know that one of the computer from its billing services provider was inappropriately accessed. The person who got access to the accounts writes blogs on internet security. The individual was reportedly looking for data vulnerabilities. He said that he has no intention of misusing any of the accessed information.

Potentially affected information includes names, addresses, dates of birth, insurance information, driver’s license information and health information. Best Health said that there is no evidence that the data was misused. It also highlighted the fact that the vulnerability was not on its computer system. Billing provider’s system failed to secure its system.

“Best Health took immediate steps to investigate and determine the source and extent of any access to our patients’ information,” Best Health said. “The vulnerability was identified and closed by the billing service provider immediately. Updated access controls are now in place to secure the account. Best Health has terminated its relationship with the billing service provider.”

Best Health did not mention the number of affected individuals but as per the OCR data breach reporting tool,  total 1,100 patients’ information were affected.

“Best Health takes the privacy and protection of its patients very seriously and we sincerely apologize for any concern that this may cause. If you are a patient of Best Health and have questions or concerns regarding this matter and/or the protections available to you, please do not hesitate to call.”

____________________________________________________________________________________________

Alertsec Endpoint Encrypt helps you protect your valuable data from falling into the wrong hands by encrypting it at the source.

Kaiser Permanente data breach

July 24th, 2016

Kaiser Permanente may have suffered possible data breach due to theft of its ultrasound units. This incident has affected 1,100 members of the facility. Undisclosed number of ultrasound units were stolen by the two former employees. Facility recovered a “significant portion” of the stolen machines which contained ePHI, such as names, medical record numbers, and medical images.

Kaiser Permanente is an integrated managed care system which maintains healthcare coverage for 9 million individuals. According to the reports, the stolen machines were found in a locked storage unit. Some units are yet to be located. It mentioned that that the only reason for the theft was to sell the units for profit. It has nothing to do with disclosing or misusing PHI. Also, there is no evidence that ePHI was accessed by an unauthorized entity.

Facility launched an investigation to identify which members may have had their information exposed by the incident. It has also contacted local law enforcement officials. Notifications letters specifically addressing the ePHI data elements found for each affected individual are sent.

“Kaiser Permanente is committed to protecting the confidentiality of our members’ personal information,” explained the statement. “We are continuing our investigation of this incident and are taking appropriate actions to prevent similar errors in the future. We are cooperating fully with law enforcement in this matter.”

“We sincerely apologize for any inconvenience or concern this incident may cause. Because Social Security numbers were not accessed, the risk for any fraud is quite low. Additionally, we believe that this equipment was only stolen to sell for profit, and not to reveal or misuse member information. There is no sign that health information has been used for fraud or other criminal activity,” said Angela Anderson, Regional Privacy & Security Officer, Kaiser Permanente Northern California.

___________________________________________________________________________________________

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Check Point Full Disk Encryption.

TX data breach incident

June 23rd, 2016

The Texas Health and Human Services Commission possibly suffered data breach which affected  600 individuals. The data breach incident was the result of missing documents. Iron Mountain, one of TX contractors and a document shredding company mentioned that 15 boxes containing client information went missing from the Irving, Fort Worth, and Dallas facilities.

Iron Mountain was hired by the Texas Health and Human Services Commission to destroy the client documents. The missing boxes contained confidential information from individuals who may have applied for medical assistance between January 1, 2008 and August 31, 2009.

Both TX and Iron Mountain did not mention about the reason for misplaced boxes. Affected information included Social Security numbers, addresses, Social Security claim numbers, dates of birth, names, medical record numbers, Medicaid or individual numbers, case numbers, and bank account information.

As per the statement,

“HHSC is committed to ensuring that our clients’ confidential information is secure. The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again. After the investigation is complete, HHSC will review processes and procedures, making any changes needed to prevent this type of event in the future.”

The Texas Health and Human Services Commission reached all affected individuals mentioning them about the healthcare data security incident. They are provided complimentary credit monitoring services for one year. Iron Mountain has taken steps to improve data security measures for confidential information.

“The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again,” explained the statement. “After the investigation is complete, HHSC [Health and Human Services Commission] will review processes and procedures, making any changes needed to prevent this type of event in the future.”

————————————————————————————————————————————————————–

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.