Posts Tagged ‘Data Breaches’

You need more than a blue shield to secure data

October 30th, 2009

Earlier this month we wrote about breaches of medical data in the United Kingdom, but in these past few weeks the US medical community has been stunned by two major security breaches related to Blue Cross Blue Shield.

The Blue Cross and Blue Shield brands are the United States’ oldest and largest family of health benefits companies and are among the most recognized brands in the health insurance industry. They are the largest health benefits provider in America, serving 100 million people, or approximately one in three Americans.

However, a great brand and a long history did not do anything to protect Blue Cross and Blue Shield from these two security breaches.

Information on 850,000 Physicians was stolen

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Association employee.  The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors.  Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

Jeff Smokler, national Blue Cross-Blue Shield spokesman, said the insurance giant encrypts all the information on company computers, but an employee who was authorized to have the information violated company rules by downloading an unencrypted version onto a personal laptop. The employee’s personal laptop was stolen after the employee left headquarters with it.

Smokler said corrective action has been taken, but declined to elaborate. This ties directly to our earlier article on security of healthcare data where we noted:

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches,” which highlights why government regulation is so important. Unless the fines and implications are severe, this industry, which is accustomed to using insurance to alleviate risk, is likely to continue to be a data security black hole.

It’s for this reason that Blue Cross Blue Shield should publicize the steps taken against this employee. Other employees in the healthcare industry and beyond need to see that there are repercussions for violating data security procedures. The powerful American Medical Association, which represents most of the 850,000 impacted doctors, has asked the BlueCross BlueShield Association to meet regarding the data breach – so this story is far from over.

68 Blue Cross Blue Shield Hard Drives Stolen

In addition to the reports of the missing laptop from the national headquarters, Blue Cross Blue Shield of Tennessee has announced the theft of 68 computer hard drives. Over the weekend of Oct. 2nd, unauthorized persons entered a data closet in a remote location that BlueCross BlueShield of Tennessee leases for training purposes and removed 68 hard drives. The stolen hard drives contained voice recordings of eligibility and coordination-of-benefit calls.

While BCBS has not specifically stated whether the drives were encrypted, they commented that “the retrieval of member data from these drives would require highly-specialized expertise and software.” The other term that was used was “encoded.” This tells us that while some of the files might have been secured and the data might be hard to retrieve, the drives were not protected by hard drive encryption: an encoding is a format that anyone with the right software can reverse, whereas encryption requires a key.

One has to wonder – how many times will records have to be stolen before companies in the healthcare industry step up and encrypt? Sure, we all know the economy is tough and money is tight – but today encryption is quite affordable.

Healthy People Maybe, Healthy Laptops No!

October 9th, 2009

Three health trusts in the UK have had 30 data breaches in the past two years, according to reports. According to the BBC, Devon Primary Care Trust, Derriford Hospital, and Torbay Primary Care Trust have reported that they’ve had 30 breaches in total.

Yes, you read those numbers correctly – three organizations and thirty breaches.

The lost information included patient data which may have included NHS numbers, names, medical conditions, and other information, depending on the breach. The losses included laptop thefts and the theft or loss of memory sticks with sensitive data. In none of the cases were the devices protected with hard drive encryption software, which would have prevented the loss of a device from becoming a data breach.

Rest Easy, They’ve Learned Their Security Lesson

According to the BBC, “all the health trusts which lost data said they had learned from the cases.” Of course, one has to ask why it took 30 breaches to create an environment that looked for solutions! But the claim is that now all data is stored on secure servers and all staff have been issued with encrypted memory sticks and associated training. Plus, each trust now has an official whose job is to make sure information is secure.

A Trust spokesman was unable to say exactly when the theft occurred and if patients were told at the time, but in a prepared statement pointed out that at least some of the laptops had password protection. However, unlike encryption, password protection leaves the data itself readable on the drive, and it can be bypassed in many ways.
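The distinction drawn here, and in the Blue Cross Blue Shield post above (between data that is merely password-gated or “encoded” and data that is actually encrypted), can be made concrete with a small audit program. The following Go code is an added example, not code from the original posts or from Alertsec or any organization named on this page. The patient record, the 32-byte key and the use of base64 as a stand-in for a proprietary “encoding” are all constructed for the illustration; the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// sampleRecord is a constructed stand-in for the patient data in the posts above.
const sampleRecord = "NHS-NUMBER:4857773456;NAME:A. Patient;CONDITION:asthma"

// storePasswordProtected models a laptop whose only safeguard is an OS logon
// password: the logon screen gates the session, but the record reaches the
// disk byte for byte.
func storePasswordProtected(record string) []byte {
	return []byte(record)
}

// storeEncoded models data that is "encoded" rather than encrypted (base64
// stands in for any proprietary or compressed format). There is no key; anyone
// who knows the format reverses it.
func storeEncoded(record string) []byte {
	return []byte(base64.StdEncoding.EncodeToString([]byte(record)))
}

// storeEncrypted models disk-encryption-style protection with AES-256-GCM.
// Output is nonce || ciphertext || tag; without the key the bytes reveal
// nothing, and a wrong key or any tampering fails authentication.
func storeEncrypted(record string, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(record), nil), nil
}

// openEncrypted is the only route back to the plaintext, and it needs the key.
func openEncrypted(blob, key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// leaksRecord is the defender's check: given only the raw bytes on a lost
// drive (no password, no key), can the record still be read? Plaintext
// matches directly; "encoded" data is recovered by applying the public format.
func leaksRecord(diskBytes []byte, record string) bool {
	if bytes.Contains(diskBytes, []byte(record)) {
		return true
	}
	if decoded, err := base64.StdEncoding.DecodeString(string(diskBytes)); err == nil {
		return bytes.Contains(decoded, []byte(record))
	}
	return false
}

// auditStorageModes runs the check over all three storage modes and reports
// which ones expose the record to whoever ends up holding the hardware.
func auditStorageModes(key []byte) (map[string]bool, error) {
	encrypted, err := storeEncrypted(sampleRecord, key)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"password-protected": leaksRecord(storePasswordProtected(sampleRecord), sampleRecord),
		"encoded":            leaksRecord(storeEncoded(sampleRecord), sampleRecord),
		"encrypted":          leaksRecord(encrypted, sampleRecord),
	}, nil
}

func main() {
	key := make([]byte, 32) // constructed; real disk encryption derives this from a passphrase or TPM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	report, err := auditStorageModes(key)
	if err != nil {
		panic(err)
	}
	for mode, leaks := range report {
		fmt.Printf("%-20s leaks record: %v\n", mode, leaks)
	}
}
```

Running it reports `true` for the password-protected and encoded images and `false` for the encrypted one; only `openEncrypted` with the correct key yields the record, and a wrong key or a truncated blob is rejected by GCM’s authentication rather than producing garbage. That is the property the trusts’ “password protection” and BCBS’s “encoded” drives lack.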

Hospital Laptop Safety

As our recent article Data Loss is the Other Guy’s Problem pointed out, hospitals are at high risk for data loss. Yet they remain slow to adapt and slow to realize that services like Alertsec, with hard disk encryption, are both affordable and easy to manage. I just did a Google search on “hospital data breaches” to quickly find reports like:

These losses tie to the fact that “Health care is a treasure trove of personally identifiable information,” says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patients’ names, Social Security numbers and dates of birth. Plus they store payment information such as insurance and credit-card data. This is the holy grail for a thief in terms of financial opportunity.

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches,” which highlights why government regulation is so important. Unless the fines and implications are severe, this industry, which is accustomed to using insurance to alleviate risk, is likely to continue to be a data security black hole.

Losses from high-tech security breaches nearly double in 2009

October 5th, 2009

A new Canadian study from the Rotman School of Management reveals a major increase in annual losses related to Information Technology (IT) security breaches. According to this study, which surveyed more than 600 IT security professionals across the country, the costs associated with security breaches include:

  • IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year.
  • Similarly, the average number of reported IT security breaches also increased 276 per cent to 11.3 per organization in 2009 – compared with an average of three in 2008.

While every type of organization incurred an increase in breach costs during 2009, the increases were different across sectors:

  • Government organizations more than tripled their average annual cost of breaches to $1,000,000 in 2009, up from $321,000 in 2008.
  • Private companies more than doubled their cost of breaches to $807,000 up from $294,000 in 2008.
  • Publicly traded companies reported a moderate increase of only six per cent year-over-year.

These alarming numbers bring with them a silver lining, as the increase in the number of reported cases could be attributed in part to higher detection levels due to compliance regulations. At the same time, it is a shame that IT departments are not adopting data encryption software as they should be. Even with increased reporting, proper use of tools like Alertsec could have led to a decrease in losses due to security breaches.

The study highlighted the value of IT investments in security: the top-performing respondents (those without breaches) spent at least 10 per cent of their IT expenditures on security, while the average security budget was seven per cent of total IT spending. The study reports that Canadian organizations are finding it difficult to improve their security posture within the current economic climate – but the cost of ownership for hosted encryption services is a drop in the bucket compared with the millions that are spent on security.

With a 56-per-cent jump in occurrences of laptop or mobile hardware devices being stolen in Canada alone, encrypting files on laptops should be so obvious a solution! File encryption is not a new technology – it’s an established technology. However, too many organizations weigh security against convenience and land on the convenience side – not realizing how simple hosted encryption can be!

Signs that the Media Understands Encryption

September 10th, 2009

I was amazed when I read about one of the latest data breaches in the Birmingham News. I was not amazed that there was another data breach at a hospital – in a recent post, Data Loss is the Other Guy’s Problem, we talked about how hospitals are one of the places most prone to data breaches. I was not amazed that this event took place in the United Kingdom, because we have given kudos to the United Kingdom and their Financial Services Authority (FSA) in prior posts.

What did amaze me was that the media got it right!  The Birmingham News clearly identified the real issue not once but twice in this article:

1 – “None of the information on the missing laptops had been encrypted.”
2 – “A Trulife spokeswoman said although the laptops were password protected they had not been encrypted, and only contained “basic information” of name, address, date of birth, hospital number and orthotics appliance prescription.”

Let’s backtrack a bit on the details. Laptops containing the private and medical details of more than 7,000 Birmingham NHS patients, including sick children, have been stolen, prompting a massive security alert. The first laptop went missing at the premises of a Birmingham hospital in March 2006, a second was stolen in a mugging in March 2007 and the third was stolen after being left in a Trulife employee’s car in February last year.

My guess is that you, like patient Yvonne Dass, are wondering why the reporting is taking place in 2009 for data stolen over the last three years.

“The letter says Trulife is truly sorry but that does not explain why it has taken so long to let people know that such personal information is in the hands of a stranger, who could use it for the wrong reasons,” said Yvonne.

Well, the answer, albeit not a convincing one, is that it was only recently that Trulife discovered that the laptop held data about Sandwell and West Birmingham Hospitals NHS Trust patients. Alan Taman, of Birmingham Children’s Hospital, said: “Trulife informed us at the end of May about the potential loss of data related to our patients and we immediately instigated an internal investigation to ascertain the nature of the data loss and the risks that our patients were exposed to.”

So once again we mourn that innocent bystanders, these hospital patients, are having to deal with the hassles of potential identity theft.  However, the fact that the mainstream media is starting to understand and report on the benefits of encryption bodes well for the future of both individuals and companies doing more to protect their computers.

Data Loss is the Other Guy’s Problem

June 15th, 2009

Except for the very paranoid, one of the main reasons why companies don’t take steps to better secure their data and their PCs is that they never think that their company will be affected by the issue.  The next company is a bigger target.  That other company has a bigger risk.  They have already invested enough in security measures.

To test that theory, I took a look at the Data Loss Database managed by the Open Security Foundation (OSF). Every day, their project curators and volunteers scour news feeds, blogs, and other websites looking for data breaches, new and old, searching for incidents that need to be updated or incidents that are not yet in the database. So while they collect data, they clearly do not have the ability or bandwidth to locate information on all data breaches. Their reports clearly undercount the scale of this issue.

However, it is a great sample to illustrate the breadth of the data security issue. Let’s look at the 20 reported incidents from May 2009. What companies were impacted? What types of companies were impacted?

  1. Information Company
  2. Community College
  3. Not-for-profit religious organization
  4. Government Agency
  5. Hospital
  6. University
  7. Government Agency
  8. Government Agency
  9. Car dealership
  10. Government Agency
  11. Government Agency
  12. Health Insurance Company
  13. School
  14. Financial Institution
  15. Union
  16. Financial Business
  17. Electronics Manufacturer
  18. Internet Store
  19. School
  20. Insurance Company

Sure, government agencies and insurance companies are high on the list. But a car dealership has driver’s license information, home addresses and financial data. A union has customers – all its members – and they have addresses, Social Security numbers and more. A not-for-profit is clearly not an organization with deep pockets for technology – but encryption is affordable compared to the potential losses.

If you have computers and you have consumer customers – you have the risk of having information breached.  You may think this is a problem for “some other company” but the reality is that it is an issue for every company.  We’re just showing the industry – but the actual company names are available on the Open Security Foundation database. Consider the low cost of data encryption versus being on the above list.