Archive for the ‘Password’ category

Data breach due to stolen laptop

November 30th, 2016

Kineto Rehab PHysical Therapy, PLLC based in New York recently suffered data breach due to stolen laptop.  As per the reports, a bag containing a work laptop was stolen by the individual. Facility got hold of the footage which identifies thief. It also found out the bag later without laptop in it. Police are still working to track down the thief.

As per the statement, “We sincerely apologize for this incident and we regret any inconvenience it may cause you. Should you have questions or concerns regarding this matter, please do not hesitate to contact us.”

Affected information includes patient names, dates of birth, addresses, Social Security numbers, insurance information and clinical/physical therapy notes.

“There is no indication that your information has been accessed or used by an unauthorized individual,” read the Kineto statement, which was signed by CEO Shirley Agapito, DPT. “Please be assured that we have taken every step necessary to address the incident, and that we are committed to fully protecting all the information that has been entrusted to us.”

As per the OCR data breach reporting tool, the incident affected 665 individuals. Facility mentioned that affected Individuals will be offered a complimentary one-year membership identity protection services.

Website statement provides guidelines as below:

Fraud Alert

Place fraud alert when someone else tries to open a credit account in your name, get add on card or increase the credit limit.

Security Freeze

One can place security freeze on credit report which will stop lenders and others from accessing credit report completely.

Review Reports

Order free annual credit report and look for any discrepancies and spendings.

Credit providers and tools

Create message /email alerts on credit cards and bank accounts to notify you of any transaction or activity. Report the bank if you have not carried out that activity.

____________________________________________________________________________________________

Alertsec helps you comply with HIPAA, PCI and SOX requirements.

Ransomware attack affects 33K

October 23rd, 2016

Rainbow Children’s Clinic recently suffered a ransomware attack. According to the reports, the attack left the data encrypted which was stored on the facility’s system. Rainbow mentioned that it shut down the computer system immediately to prevent the information from being lost.

But a forensic investigation team found that the patient records has been irretrievably deleted. Affected information includes patient names, addresses, dates of birth, Social Security numbers, and medical information.

Ransomware is computer malware that installs on a victim’s computer. Hackers use the technique mostly for the purpose of extorting money. It encrypts data with certain passcode. A ransom payment is asked to decrypt it or not to publish it publicly. Simple ransomware may lock the system but the data can be recovered by a knowledgeable person. More advanced malware encryption makes data inaccessible.

Other information which got impacted in Rainbow Clinic incident involves personal information related to patients’ payment guarantors, including guarantors’ names, addresses, Social Security numbers, and medical payment information. Facility mentioned that the affected individuals will be offered complimentary identity monitoring and identity theft resolution services.

“Rainbow Children’s Clinic takes the security of its patients’ information very seriously and has taken steps to prevent a similar event from occurring in the future, including strengthening its security measures and ensuring that its networks and systems are now secure,” Rainbow said.

As per the OCR data breach reporting tool, total 33,698 records got affected. As per the statement:

Notification letters mailed today include information about the incident and steps potentially impacted individuals can take to monitor and protect their personal information. Rainbow Children’s Clinic has established a toll-free call center to answer patient questions about the incident and related concerns. Additional information and recommendations for protecting personal information can be found on the Rainbow Children’s Clinic website.

The privacy and protection of patient information is a top priority, and Rainbow Children’s Clinic deeply regrets any inconvenience or concern this incident may cause.

____________________________________________________________________________________________

Alertsec’s cloud-based information security service provides an easy and convenient way to protect information on your organization’s laptops and computers.

Securing data from departing employees

July 14th, 2016

Employees after leaving a company can take sensitive data with them intentionally or unintentionally. The harm caused by such incidents are huge. Consider example of an employee of the FDIC who exposed 44,000 FDIC customers’ personal information. She had downloaded the data to her personal storage device. More such data breaches can be found across the industry.

According to the survey by Veriato, a provider of employee monitoring software, third of participants believe they own or share ownership of the corporate data they work on and more than half feel it’s fine to take corporate data with them when they leave a job.

“The potential damage from even one employee taking confidential and proprietary customer data, software code or login credentials with them to a new job, especially with a competitor, is astronomical,” Veriato COO Mike Tierney said at the time.

Companies can potentially defuse such data threats.

It’s crucial to focus on what really matters in protecting sensitive data, said AvePoint product analyst Ben Oster. “You can have all these policies in place, but if HR lets somebody walk over and plug in a USB drive after they’ve been let go, it doesn’t matter,” he said.

Oster provided the example. “She plugged her drive in and just copied a folder that she thought was her information, and it turns out it wasn’t. The issue is not that she was able to copy that data; the issue is that that data existed outside of anyone’s knowledge of where it was.”

“If we can’t actually break down how to discover it or classify it, we can’t start to put things in place that say, ‘You can’t take this document,’ because we don’t know what’s in it.”

“You really need to get in there and figure out what that is, because if you don’t, you’re going to see things get even fuzzier,” he said.

Companies can take holistic approach to data loss prevention. Michela Menting, research director at ABI Research mentioned that the good data loss prevention (DLP) solution can be key to protecting your data.

“DLP systems act as enforcers of data security policies by performing deep content inspection and a contextual security analysis of transactions,” Menting said. “They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of confidential information.”

AvePoint’s Oster mentioned that the strong security awareness training program can help to great extent.

“As consumers and employees, we need to be more aware of what we’re doing with data, what that content actually means, and what the privacy and compliance implications are of everything we touch on a daily basis,” he said.

Encryption is the key to the problem. One can start encrypting the content with relevant softwares.

“If you’re encrypting every single piece of information everywhere, the workload becomes larger, it becomes harder for your end users to use that data, and you’re actually more likely to drive them onto a system that’s not under your control,” Oster said.

And once employees start saving corporate data to their own Dropbox or OneDrive, you’ve lost track of it. “So while encryption can protect the data when it’s in motion or at rest, anything that makes it harder for your end users to get their jobs done likely pushes them toward a solution that you don’t want,” Oster said.

“We saw a case once where a company terminated an employee, and then HR walked them back and let them plug in a USB drive — and they promptly took 20 GB worth of information,” Oster said. “It doesn’t matter how good your information security is if HR is letting them do that.”

____________________________________________________________________________________________

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Identity and Access Management

May 9th, 2016

Research director Felix Gaehtgens at the Gartner Identity and Access Management (IAM) Conference in London mentioned that issuing one-time password (OTP) tokens to third-party organizations can cause many problems. He mentioned that some third-party organizations even hang one-time password tokens on a wall with the name of the companies they belong to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

Also with shared password comes the biggest risk of accountability. Companies can take various steps to secure there data.

Phone

He suggested to call instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many Phone-based authentication systems are available in the market.

Dedicated person for IAM

He suggested sponsorship approach where internal employees act as sponsors for external workers and keeps track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’ said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Providing short term access for related resources will secure the data after the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

One can use privilege access management (PAM) and shared account password management (SAPM) tools. to manage third-party access privileges.

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Phishing Scam and Data Breach

April 27th, 2016

Wyoming Medical Center recently suffered data breach when it was hit by phishing scam. According to the reports, 3,184 individuals received the notification letter by the medical center which mentioned that their PHI may have been accessed by an unauthorized user.

Facility explained the phishing email as,

“Phishing emails are email messages appearing to come from legitimate sources, such as a bank, a trusted friend or colleague, or trusted businesses, etc.  Phishing is an attempt to acquire sensitive information such as usernames, passwords, credit card information, email addresses, or Social Security Numbers.  Many times, it is difficult to identify phishing emails. “

Earlier in this February, the medical center found out that two email accounts were accessed by an outside entity.  Phishing email was sent to one of the employee and after opening it other employees also received emails. This unauthorized access lasted for around fifteen minutes.

Affected information included data related to hospital purchasing, wound care, and patients who were on isolation precaution. Also, PHI information was exposed which included names, medical record numbers, dates of hospital services, account numbers, dates of birth, and some medical information. Medical center mentioned that  EHR systems were not compromised.

Wyoming Medical Center has also reviewed its security policies. Facility also mentioned that there is limited scope of identity risk, “No, the information accessible by the unauthorized user was limited and did not include the proper information to allow for identity theft.  If you are concerned about potential identity theft, you may contact one of the credit reporting agencies that will place fraud protection on your credit report.  All you have to do is contact one of the three credit reporting agencies and ask them to put a fraud alert on your credit file, and they should automatically inform the other two credit agencies. “

Medical Center facility also mentioned that they take privacy very seriously by educating employees on privacy. It also has firewalls and necessary safeguards to avoid such incidents. It also performs routine audit to fine loopholes in the system. Also, information security firms are given contracts to monitor and audits systems routinely.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Ransomware and Data Breach

April 21st, 2016

“Is ransomware considered a health data breach under HIPAA?”. The answer is explored in the recent issue of Forbes magazine by author Dan Munro. He researched healthcare and compliance domains.

According to the information presented, a ransomware attack should not be considered data breach as per PHI disclosure restrictions in HIPAA. It is more about the message of lax security that’s being broadcast to cyber-criminals around the world. But Dan believes otherwise.

Ransomware attacks should be considered as unauthorized exposures of private information. It is same as the outright theft of the laptop, desktop, or server breach.

Acccording to the records of Office of Civil Rights (OCR) in 2015, there were more than 300 disclosed healthcare breaches. One-third are due to the loss or theft of some piece of equipment like laptop, desktop, server, or other portable electronic device.

The report also states that more than 100 of the disclosed breaches were due to attack like ransomware. The breaches affected more than hundreds of thousands of records.  It is believed that the records under the hands of criminals can cause breach.

HIPAA rules states that the notification letters to be sent to affected individuals because the systems and the PHI are not under control of the healthcare provider.

Ransomware Attacks

Types of Ransomware –

Few attacks takes control of machine and lock it down. This action blocks the access to legitimate users. The system is unlocked only paying after ransom amount and clearly the system is under the control of criminals.

Few attacks involves remote access control by criminal. They awaits the Bitcoin payment to unlock and reconfigure the system.

Common form of ransomware includes a software which encrypts certain important files with certain password. The process includes accessing the files and encrypting and storing the files  in the same place. Once the payment is done, files are unlocked.

Now a days, ransomware attacks to extort money are on the rise.

There’s more and more documented evidence that this is going on,” says Ori Eisen, founder and chief innovation officer of fraud prevention company 41st Parameter. “It’s more prevalent in the United Kingdom, which is sort of a staging or testing ground. It’s starting there and getting more momentum.”

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Stolen laptop and data breach

April 14th, 2016

Laptop theft can lead to data breach. OptumRx, the pharmacy care branch of a health services and technology company in Minnesota suffered data breach due to the theft incident. An unencrypted laptop was stolen from an employee’s vehicle in Indianapolis, Indiana as per the reports. OptumRx mentioned that laptop belonged to an unnamed vendor who provides home delivery services to patients.

Affected information included names, health plan names,addresses, prescription drug information, and prescribing provider information. For some individuals, dates of birth may have been exposed.

It also confirmed that Social Security numbers, credit cards, and other financial information was not involved.

Company did not specify the number of affected individuals. Also, Office of Civil Rights data breach portal didn’t mention the number of individuals affected by the security incident.

OptumRx has now contacted local authorities and launched an outside investigation. It has also mailed notification letters to potentially affected individuals.

“In addition, we have worked with the vendor to put immediate and additional protections in place to prevent the occurrence of similar incidents in the future,” explained OptumRx’s notification letter. “These measures include additional security requirements on laptops they use for OptumRx work, training and reinforcement of existing policies and practices, and further evaluation of additional safeguards.”

The company is also working with local law enforcement. Vendor is asked to put in place additional levels of protection for its laptops. One free year of identity theft protection services is also offered to individuals. It is supplying each with a one-year subscription to LifeLock.

LifeLock subscription includes following facilities to users:

  • Identity Threat Detection and Alerts:

With this service, LifeLock actively monitors an extensive online network for attempts to use your personal information. Whenever suspicious activity is detected, user will receive an alert via email or phone.

  • Wallet Protection

It also provides services for missing wallet. It has asked users to just call— anytime, anywhere—and LifeLock will help cancel or replace the contents to stop fraudulent activities. Coverage under this scheme includes credit and debit cards, Social Security cards, driver’s licenses, insurance cards, checkbooks and travelers checks.

  • Address & Verification

Impersonating can be done and Identity thieves can redirect your mail, containing financial information and providing a fraudulent new address. LifeLock monitors these such kinds of requests and notifies the user.

  • Black Market Surveillance

Identity thieves also get involved in illegal buy, sell and trade sensitive personal information on black market Internet sites. LifeLock now patrols over 10,000 criminal websites. Any suspicious activity is  notified to the user.

  • Pre-Approved Credit Card Offers

LifeLock works with bank to reduce emailing to affected individuals to avoid identity theft.

  • LifeLock Member Service 24/7/365

Sign in to your secure member portal at LifeLock.com is available all the time.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Data Breach Due to Email Misconduct

April 11th, 2016

Val Verde Regional Medical Center recently announced data breach when unsecured PHI in an email was discovered.

“On or about August 9, 2015, an independent healthcare provider downloaded unsecured protected health information and emailed it to a personal account without encryption protection,” explained the press release. “In addition, the independent contractor was not authorized to access some of the protect[ed] health information.”

Val Verde Regional Medical Center came to know about health data breach on December 8, 2015. Affected patient information in the email included names, addresses, phone numbers, medical record numbers, and visit numbers.

According to the OCR data breach portal, two thousand individuals were affected by the incident. Val Verde Regional Medical Center launched an investigation. It also notified patients who were possibly affected by the event.

Internal audit and improved security measures to the hospital’s HIPAA security program is being undertaken by the hospital.

Val Verde Medical Center  believes that there have been no reports of improper use of PHI, patient medical histories, or Social Security numbers by unauthorized individuals. It has encouraged all potentially affected patients to monitor credit reports for suspicious activity.

Users are advised to take necessary steps.They are advised to obtain credit reports from one or more of the major credit reporting agencies to monitor financial accounts for unauthorized activity. Consumers are entitled to  get a free copy of their credit report from each of the major nationwide credit reporting companies once every 12 months. They need to request the same as per the federal law.

Del Rio and surrounding communities received services from Val Verde Regional Medical Center since 1959. Val Verde Regional Medical Center considers the privacy of patients as a high priority task. It is guided by the mission to improve the health of the people in the communities served.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Computer Virus Causes Data Breach

April 7th, 2016

Mercy Iowa City, an acute care hospital and regional referral center, recently suffered data breach  due to computer virus. Mercy Lowa City did not mention the number of affected individuals but the OCR data breach portal mentioned that 15,625 individuals were affected by the incident.

Mercy Iowa City came to know about computer virus on January 29. It had potentially infected some of its systems three days prior. The hospital now has secured the computer systems to prevent the spread of the virus.

“That’s a small percentage compared with the total number of patients the hospital serves”, said Margaret Reese, interim director of marketing and community relations and president of the Mercy Hospital Foundation. She said she did not know the total number of patients, adding that “it would be a huge number when you consider all of the many services.”

Internal investigation is carried out by forensics firm. Capturing personal data was the main motive of the computer virus. Thus it is believed that data breach has occurred.

Reese said Mercy has been working with federal law enforcement on its investigation. The hospital’s release said current safeguards have been enhanced to protect sensitive data. Reese said she could not comment on what the enhancements were.

According to the reports, unauthorized access to patients records by outside entity has resulted into the incident. which did not affect all Mercy Hospital and Mercy Clinic patients.

According to the statement, “Mercy deeply regrets any inconvenience this may have caused our patients. To help prevent something like this from happening in the future, we have enhanced our existing technical safeguards to protect patient information.”

Affected information included names, dates of birth, addresses, treatments, diagnoses, medication lists, names of health insurers, and health insurance policy numbers. Social Security numbers may also have been accessed for some patients.

“To help prevent something like this from happening in the future, we have enhanced our existing technical safeguards to protect patient information,” stated the press release.

The hospital also created a call center dedicated to answering questions about the data security event. Mercy Iowa City mentioned that there is no evidence patient information misuse.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Cyber Security Budgets Not In Tune With Rising Threats

April 2nd, 2016

Businesses are increasing their investment in cyber security but the landscape of threat is changing very rapidly. To remain secured one has to understand the possibility of cyber attacks in advance and make sure data remains safe. Majority of security professionals believes that the budget should be increased.

Institute of Information Security Professionals (IISP) conducted survey to understand the current scenario. Two-thirds of professionals said that security budgets has increased. For 15% of respondents, budgets stayed the same.

“In times of financial pressure or instability, as we have seen in recent years, security is often seen as a supporting function or an overhead,” said IISP director Piers Wilson.

Sixty percent believes that budgets are low considering level of threats. Only seven percent of respondents reported that security budgets were rising faster than the level of threat.

The survey was conducted in participation with more than 2,500 members working in security across a wide range of industries and roles. UK cyber security space can be understood by the survey.

“Security budgets are hard won because they are about protection against future issues, so are a good indication of the state of risk awareness in the wider business community,” he said.

Wilson said that while it is good news that businesses are increasing investment, it is clear that spending on security is still not at a level that matches the changing threat dynamics.

Cyber security skills shortage is another issues which organisations are dealing. Participants mentioned that there is shortfall in the level of skills and experience which makes staff training, development and retention crucial to the future of the industry.

Ten percent of respondents felt that the security industry’s ability to protect data is declining rather than improving while forty nine percent said the opposite.

Survey found that there is awareness of security risks. Also, the impacts of a breach are driving an increase in investment, skills, experience, education and professionalism.

“While there is clearly much more to be done, the results of the survey are encouraging,” said Wilson.

————————————————————————————————————————————————————-

Alertsec is used by organizations that have recognized the need to protect their information. Customers range from single user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec’s Check Point Full Disk Encryption.