data breach incidents

Truck and Data Breach

April 29th, 2016

A mail delivery truck carrying health information was stolen, resulting in a potential healthcare data breach for Kaiser Permanente, a healthcare system based in California. According to reports, the health information of approximately 2,400 individuals was affected. The truck was stolen from the parking lot.

The truck was not parked in a secure area, despite Kaiser Permanente’s guidelines. It contained “Evidence of Coverage” handbooks for Kaiser Permanente patients who are on the Inland Empire Health Plan. Affected information included personal information, such as names, addresses, and an overview of plan benefits.

According to the reports, thieves gained entry to the vehicle. They drove to an unspecified location and left the empty truck behind.

After the incident, the healthcare facility reported the stolen vehicle to local law enforcement officials. Michelle Simms, a Kaiser Permanente spokeswoman, said the health care provider spoke to the Los Angeles County Sheriff’s station in Santa Clarita. The truck was found with the health records missing. The facility believes that there is no evidence of misuse of PHI. Also, the file didn’t contain Social Security numbers, medical record numbers, descriptions of health services, health statuses, or financial information.

“We are in the process of notifying and apologizing to our members affected by this incident,” officials said in a statement. “We have investigated this matter and are taking appropriate steps to prevent similar errors in the future.”

With the rise in data breaches due to stolen records, it is better to go for digitization with proper safeguards. Responsible handling of health data includes:

  • Administrative safeguards, which include policies and procedures to protect the privacy and security of patients’ PHI
  • Physical safeguards, which include measures to protect the hardware and the facilities
  • Technical safeguards, which include health IT systems that protect health information and control access to it

————————————————————————————————————————————————————-

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (former Pointsec) software.

Computer Virus Causes Data Breach

April 7th, 2016

Mercy Iowa City, an acute care hospital and regional referral center, recently suffered a data breach due to a computer virus. Mercy Iowa City did not mention the number of affected individuals, but the OCR data breach portal shows that 15,625 individuals were affected by the incident.

Mercy Iowa City learned of the computer virus on January 29. It had potentially infected some of the hospital’s systems three days prior. The hospital has since secured its computer systems to prevent the spread of the virus.

“That’s a small percentage compared with the total number of patients the hospital serves”, said Margaret Reese, interim director of marketing and community relations and president of the Mercy Hospital Foundation. She said she did not know the total number of patients, adding that “it would be a huge number when you consider all of the many services.”

A forensics firm is carrying out the internal investigation. The main purpose of the computer virus was to capture personal data, so it is believed that a data breach has occurred.

Reese said Mercy has been working with federal law enforcement on its investigation. The hospital’s release said current safeguards have been enhanced to protect sensitive data. Reese said she could not comment on what the enhancements were.

According to reports, the incident resulted from unauthorized access to patient records by an outside entity, and it did not affect all Mercy Hospital and Mercy Clinic patients.

According to the statement, “Mercy deeply regrets any inconvenience this may have caused our patients. To help prevent something like this from happening in the future, we have enhanced our existing technical safeguards to protect patient information.”

Affected information included names, dates of birth, addresses, treatments, diagnoses, medication lists, names of health insurers, and health insurance policy numbers. Social Security numbers may also have been accessed for some patients.


The hospital also created a call center dedicated to answering questions about the data security event. Mercy Iowa City mentioned that there is no evidence of patient information misuse.

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Phishing Attack and Data Breach

March 15th, 2016

A California-based cancer research and treatment center said that some patients were affected by a data breach caused by a phishing attack. According to reports, four staff members had their email accounts accessed by an unauthorized party as a result of the attack. Three of the four accounts included emails that contained PHI, such as patient names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers and some clinical information such as diagnoses, test results and dates of service.

“It does not appear that the phishing attack targeted protected health information; instead, it appears the accounts were accessed for the purposes of sending spam emails to other individuals,” the statement explained. “City of Hope is sending notification letters to the affected patients, and is taking all appropriate steps to mitigate any potential harm to affected individuals.” City of Hope mentioned that, for most patients, only the patient’s name and medical record number were affected.

Only one patient’s affected information included Social Security numbers and financial information. The statement failed to disclose how many individuals were potentially affected. “City of Hope took prompt action to secure the email accounts and end the intrusion,” the center stated. “In addition to notifying local law enforcement, City of Hope retained a leading forensic information technology firm to assist with its investigation of the incident, to evaluate its systems and processes and further strengthen its safeguards to protect against such attacks.”

————————————————————————————————————————————————————-


Sony drops fine appeal; agrees to pay £250,000

July 12th, 2013

Sony is a Japanese multinational conglomerate corporation headquartered in Tokyo, Japan. Ranked 87th on the 2012 list of Fortune Global 500, it is one of the leading manufacturers of electronic products. Back in April 2011, Sony’s PlayStation Network and Qriocity online music and video service were compromised after an external intrusion into their network. The company was hit with a £250,000 fine by the Information Commissioner’s Office (ICO) because of the data breach incident in 2011.

Sony has decided not to appeal the fine imposed by the ICO and has agreed to pay the £250,000. Earlier, when the ICO imposed the fine, the company had appealed against it, explaining that the exposure of users’ data was the result of a “focused and determined criminal attack”.

The Japanese electronics giant further says that its decision to pay the fine was taken not because it agrees with the ICO’s decision but because it fears that the appeal procedure will reveal information related to its security procedures. The ICO confirmed via Twitter that Sony will drop its appeal.

“It is a company that trades on its technical expertise, and there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe,” ICO deputy commissioner David Smith said when announcing the fine.

A Sony spokesperson said, “After careful consideration we are withdrawing our appeal. This decision reflects our commitment to protect the confidentiality of our network security from disclosures in the course of the proceeding. We continue to disagree with the decision on the merits.”

ICO welcomes Sony’s decision, saying “We welcome Sony Computer Entertainment Europe Limited’s decision not to appeal our penalty notice following a serious breach of the Data Protection Act.”

Flashback:

The Sony PlayStation Network and Qriocity online music and video service were compromised sometime between April 16 and April 19 in 2011 after an external intrusion into the network. Sony temporarily turned off both services to prevent any more attacks. Personal information belonging to 77 million account holders had been stolen. The information included names, addresses, log-in and password credentials, password security answers, email addresses, and birth dates. User purchase history and credit card information might have been compromised.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.


Legislation on Data Breach notification is needed

April 8th, 2013

According to a recently published report by Paul Smith, the Australian Bankers Association (ABA) has attempted to defend the strength of the IT security processes in place across Australia’s banking system. Following the revelation that Chinese computer hackers had breached the data privacy of the Reserve Bank of Australia, the ABA is pushing for computer protection.

Despite this, security experts took the view that the incident highlighted the need to tighten Australian data breach notification laws, so that organizations are forced to disclose when they learn that their data security has been breached.

ABA chief executive officer Steven Münchenberg told The Australian Financial Review in an interview that there had been no reports of data breach attacks on other local banks, and that effective processes were already in place to coordinate fraud investigations with federal as well as state police.

Technology security experts, along with Nigel Phair, the former head of investigations at the Federal Police’s Australian Hi-Tech Crime Centre, warned that most businesses were vulnerable to computer hackers, and that many such attacks were being resolved in a way that avoided negative publicity for the organization.

“The Australian Bankers Association is not aware of any successful hacking attempts on Australian banks,” Mr Münchenberg said. According to him, “Banks have systems in place to protect customer information and accounts – such as employee training, employee accountability, strict privacy policies, rigorous security standards, encryption and fraud detection software.”

CYBER ATTACKS – DAILY OCCURRENCE

Security teams within banks invariably assess the data breach risks posed by computer hackers and then implement additional security levels accordingly, Mr Münchenberg said.

At a National Australia Bank investor day event, the bank’s outgoing technology chief, Gavin Slater, said that cyber attacks were a daily occurrence for banks.

Such cyber attacks are also happening daily at US banks. “Just a couple of weeks ago, 11 such banks were targeted by the terrorist organizations and the criminals attacked banks in response to something that happened in the Middle East regions.

“Not a day goes by when somebody is not attempting to hack into any of the banks around Australia,” Mr Slater said.

LEGISLATION ON DATA BREACH NOTIFICATION IS NEEDED

Mr Phair, the director of the Centre for Internet Safety at the University of Canberra, said it was important that the breach at the Reserve Bank of Australia had been revealed. He also drew attention to the need for the government to pass long-planned legislation on data breach notification.

“The RBA story was hugely important, because the attack happened some time ago, and we only found out about it because of a freedom of information request,” Mr Phair said.

“We desperately need data breach legislation; we are quite behind in global terms on that, to force businesses to disclose when sensitive data is breached. I don’t know what is holding it up, and I would like to think it is achievable. It will help other government agencies and businesses, to be aware that it is not just them being targeted, that the threats are pretty wide ranging.”

CODE OF SILENCE – AN AID TO CYBER ATTACKERS

Mr Phair said that when such attacks occur, companies, particularly listed ones, try to keep them strictly confidential and stay silent about the loss of intellectual property and customer details until confronted by spooked investors. But he said the current code of silence is making it easier for cyber criminals.

According to a study by the Ponemon Institute, KPMG estimated that 75% of the 1000 largest Australian companies had gone through a material data breach, at a reported cost to Australian companies of an estimated $2.16 million per company per year.

A spokesperson for Attorney-General Mark Dreyfus said in an interview that there were voluntary guidelines on how Australian companies and organizations should report a security breach, but that growing risks called for tougher laws to be enforced.

The spokeswoman went on to say, “The Australian Institute of Criminology has highlighted the increasing risk of identity fraud and theft. As more consumers put personal details into websites and use their credit cards online, the risk of privacy breaches will increase.”

“The Attorney-General is considering proposals that would require companies to report to consumers and the Commonwealth Privacy Commissioner when a data breach occurs, to improve privacy, bolster the security culture within organizations and bring Australia into line with international jurisdictions.”

Mr Phair cautioned that a significant number of Australian businesses, including government agencies, were unprepared for the kind of social engineering attacks that had penetrated the Reserve Bank of Australia. Such attacks only required tricking internal staff into clicking on a fake email purporting to be from management.

He concluded, “Lots of organizations like the RBA have great perimeter and other security mechanisms in place, but this was basically just a phishing, social engineering attack. If I was one of the decent cybercriminals, that is what I would be doing.”

“People are the most susceptible and the weakest link, so you target them with what looks like a bona fide email, with an executable file in an attachment, and that is how you gain a weakness.”

According to Mr Phair, the RBA’s subsequent claims that the attacks had been contained and that no sensitive data had been stolen were, to a great extent, a public relations move to calm fears in the market.

He said that it is impossible to estimate what exactly people do once they gain access to various networks.

He also believed the problem was much more widespread than is ever reported, because a large number of hacking victims remain unaware of the fact. And it was very appropriate for the RBA to come out with its response publicly.

Raymond Choo, a security specialist based at the University of South Australia, said that in order to encourage organizations to come forward, it was necessary to simplify the process of reporting data security breaches.

Dr Choo also said that introducing a one-stop 24/7 website where citizens and businesses could report malicious cyber crime activity taking place online would increase openness about cyber crime, and could also lead to further collaboration between the community and the authorities.

He also said that it has become vital to foster better data and information sharing among the public and private sectors, as well as researchers and other key stakeholders.

“The 2011 revised NATO policy on cyber defence sets out a clear vision of how the alliance plans to bolster its cyber efforts. . . which includes working with partners, international organizations, academia and the private sector in a way that promotes complementarity and avoids duplication,” Dr Choo said.

“This would allow co-ordinated action by government and law enforcement agencies, and enable all stakeholders to have a better understanding of the frequency and extent of cyber crime incidents and be better equipped to respond to them.”

Encryption software prevents data breaches

Traditional antivirus approaches don’t work any more and a new approach to endpoint security is required to better protect your company from malicious threats.

The above threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec further offers computer protection software from Check Point as a fully customizable and pre-packaged data encryption software solution. It can help you dramatically reduce your cost of ownership for encrypting your laptops.


Security breach of student data at Community College

March 15th, 2013

Tallahassee Community College officials announced on Friday an unauthorized acquisition of computerized data on their systems. The recent data breach at the community college may put the security, confidentiality, or integrity of personal information in jeopardy. The college’s administration was told of the data breach in a recent notification from federal officials. The investigation carried out by the federal officials resulted in the conviction of a Miami, Florida man for submitting false claims to the Internal Revenue Service and on charges of access device fraud and aggravated personal identity theft. This attempt can be overlooked in the presence of a data security.

“TCC values the protection of private information, so we take this matter very seriously,” said TCC Chief of Police David Hendry. He continued, “We have identified the group of individuals whose information may have been compromised, and we will immediately begin the process of contacting each one.”

According to Hendry, college officials believe that the data breach occurred internally and affects more than approximately 3,000 individuals. The investigation into the data breach will be ongoing. TCC will also mail personalized letters to the persons potentially affected by the breach. The letters will detail the steps individuals can take to ensure the security of their identities; TCC will also provide additional resources, including a TCC hotline to provide further information.

How an encryption software like Alertsec’s would have helped!

The use of encryption software would have helped to keep files protected on the computer. With encryption installed, none of the information or credentials would have been lost. Alertsec uses industry leading Check Point Full Disk Encryption (former Pointsec) software to create a web based encryption service that simplifies deployment and management of PC encryption. The best way to protect information stored on a PC is by using encryption. Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

Alertsec is part of the Durator Group which has been awarded the highest credit rating available.
