Posts Tagged ‘Health’

Dumfries and Galloway Council in deep soup over data breach

October 20th, 2011

Data breach blunder by Dumfries and Galloway council

Being transparent is one thing and publicly disclosing private data is another!

What were Dumfries and Galloway Council thinking when they placed details of 900 people online? Was it a freak accident or an oversight?

This latest bizarre case involves a data breach that exposed the records of hundreds of current and former employees of the council. The data, which includes names, salaries and dates of birth, was part of a response to a Freedom of Information request.

Apparently the data was publicly available to anyone who visited the site between 23 March and 1 June 2011. It was taken down after affected individuals and a trade union started complaining. The ICO also received direct complaints from the employees.

Ken Macdonald, assistant commissioner for Scotland at the ICO, said, “Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights. Procedures clearly went wrong in this case and I’m pleased that the council is reviewing its practices in light of the lessons that have been learned.”

It is time for the council to tighten its data management procedures. The council commissioned an external audit of its procedures for responding to information requests and has undertaken an audit which will help uncover discrepancies. The report will be submitted by January 2012.

The council has also agreed to introduce checks to ensure that personal data is handled in compliance with the Data Protection Act.

Currently the ICO has audit powers only for central government departments. This has to change. The Information Commissioner has requested powers to conduct data protection audits in areas of local government, the health service and the private sector to make sure data protection laws are followed.

According to the ICO, data breaches in the NHS are becoming a major problem. Out of the total 47 undertakings, over 40% (19) were in the healthcare sector. The most serious ones were from the local government sector. Four of the six penalties served involved local authorities.

The ICO has sent letters to 29 banks and building societies, and only 6 of them have agreed to the audit. The insurance sector is not cooperating either. As far as companies are concerned, the ICO wrote to 19 of them, out of which only 2 agreed!

Plan cyber-security with Alertsec

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software. There are no shortcuts to data security in any organization. This news stresses the need for data protection applications. In an incident which highlights the need for data encryption software and recovery software, the threat could simply have been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.

TRICARE in trouble for data breach

October 11th, 2011

TRICARE data breach affects millions

Data breach incidents are on the rise, and even though the effects of some of them may not be that serious, data and identities are at stake.

A data breach involving personal health information of an estimated 4.9 million military clinic and hospital patients made headlines last week. The report was about Tricare Management Activity, the federal government’s health care coverage for active and retired military personnel and their families.

What Tricare had to say?

According to TRICARE, the data was stolen from a backup system that contained electronic patient data from 1992 through Sept. 7, 2011. It covers patients who were treated at San Antonio area military treatment facilities (MTFs), including the filling of pharmacy prescriptions, and some patients whose laboratory data was processed in these same MTFs although they had received treatment somewhere else.

A total of 4.9 million patients’ documents were affected. The stolen data includes Social Security numbers, addresses and phone numbers, and some personal health data. Fortunately, no financial data, such as credit card or bank account information, was compromised.

The incident is still under investigation, and it could take anywhere between 4 and 6 weeks for Tricare to notify those who have been affected by the breach. Tricare further stated that the risk of harm to patients is fairly low. Affected Tricare beneficiaries will receive personalized letters with details about the data breach.

In the past, Tricare contractors had received free credit monitoring, but in this case TRICARE has not promised anything.

TRICARE releases statement

“Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low.”

How was the data stolen?

The data was stolen from the car of an employee of Science Applications International Corp. The car contained backup tapes of electronic health records. According to the police report, the car was parked at 300 Convent from 7:53 a.m. to 4:30 p.m. on Sept. 13. Along with the backup tapes, a stereo system valued at $300 and a GPS device were stolen.

Apparently the employee was planning to transport this data between federal facilities.

According to a SAIC spokesman, the data was partially encrypted.

What users had to say?

“The fact that the tapes were encrypted should go to show how important it is to keep the information safe. That is not a way for the Govt employee or contractor transporting to feel safer about leaving them unattended in a vehicle. Had this happened in the military equivalent with secret media, they would be run through. The lack of disciplinary action is somewhat disturbing”.

Data Protection with Alertsec

Alertsec Xpress is the laptop security service that supplies SMBs with the leading data security software for their laptop encryption implementation. The core function in any mobile data protection system is the hard drive encryption – outperforming file encryption and other kinds of data encryption software on speed, security and flexibility.

Henry Ford Health System didn’t Learn from its Previous Mistake

February 28th, 2011

Lost Flash USB Drive

This is the second report of a data breach within the Henry Ford Health System in less than a year. On 31st January 2011, an employee of Henry Ford Health System in Detroit lost an official flash drive. In the previous incident, a Henry Ford employee’s laptop was stolen from an unlocked office, and laptop encryption software was not in use on the stolen laptop. That incident took place in September, just three months before the latest one, and this time again the drive was not encrypted.

Personal Data of 2,777 Patients is at Risk

The drive contained the personal information of 2,777 patients, and the security lapse within Henry Ford put their information at huge risk. The lost information included the patients’ names, addresses, e-mail addresses, phone numbers and dates of birth, medical record numbers, types of treatment, test information and results. The drive contained information only on patients who were tested for urinary tract infections between July and October 2010.

An investigation of the breach started on 8th February 2011, but it is still not clear how the device was lost. Henry Ford’s Chief Privacy Officer Meredith Phillips said in a statement that there is no evidence the flash-drive data was misused.

Federal Health Information Privacy Law

According to the federal health-information privacy law, health care organizations are required to notify patients within 60 days of such a breach, and health systems also must pay for identity monitoring for a year to help guard against identity theft.

In such a case of data breach, HIPAA requires Henry Ford Health System to notify the affected patients, local media and the Department of Health and Human Services. Henry Ford has not placed a prominent notice of the breach on its Web site, but it is notifying affected patients individually and offering one year of free credit monitoring services. Patients seeking information on activating ID monitoring may call 877-835-0549 between 9 AM and 9 PM on weekdays.

Security Flaw because of Unencrypted Devices

Every day there are cases of security and identity breaches in the news, and most of them occurred because of unencrypted portable devices. What should an organization do about data security in such a case? I will say the idea is to become a little more proactive. A simple solution like data encryption software has a special option to encrypt the data, which keeps your documents safe and protects your sensitive data against unauthorized users by utilizing the latest data encryption technologies.

Keep your Sensitive Data Safe with Alertsec

The above incident shows that in the absence of full disk encryption, the privacy of such a huge number of people can be affected. To keep your sensitive data safe from theft and hacking, it is vital to use data encryption software. There are many incidents taking place across global organizations which highlight the need for data security and recovery software. By a mere investment of $13/month, the information can be secured with no loss whatsoever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

California Hospital fails to report data breach, fined $250,000

September 18th, 2010

Lucile Salter Packard Children’s Hospital at Stanford University has been fined $250,000 by California health officials for failing to report a breach of 532 patient medical records within 5 days of an apparent theft of a hospital computer by an employee.

The penalty imposed on the hospital is the maximum allowed amount, Ralph Montano, a spokesman for the California Department of Public Health, said. He added, “The penalty is assessed at the rate of $100 for every day of delayed reporting after the first five days for each patient medical record that was breached.”

State officials released a document on Thursday, called “2567,” summarizing the results of the state’s investigation of the Lucile Packard computer theft. It said an unauthorized hospital employee and her husband, another employee, were observed on January 5 in the hospital’s Heart Center removing a computer that contained protected health information on 532 patients.

State officials added, “Based on interviews and record review, the hospital failed to notify a privacy breach of patients’ protected health information (PHI) to 532 patients within five days after the hospital confirmed the breach on 2/1/10. The hospital failed to send notifications to the patients until 2/19/10.”

“The confidential data included names, date of birth, medical record numbers, diagnoses, procedures, insurance information and/or social security numbers.”

On Thursday, Lucile Packard officials posted a lengthy statement on their website stating that they intend to appeal against the $250,000 fine.

“The computer in question was used by an employee whose job required access to patient information,” the hospital said.

“Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home.”

“The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly. As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.”

“Theft charges have been filed against the former employee.”

Robert Dicks, a spokesman for Lucile Packard, forwarded this statement from Susan Flanagan, RN, chief operating officer: “This theft was very unfortunate. We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children’s privacy.”

“The incident in question was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.”

“As soon as the hospital and law enforcement determined the computer was not currently recoverable, the hospital reported the incident to the CDPH and federal authorities, as well as the families of potentially-affected patients.”

“The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”

Ed Kopetsky, chief information officer at Packard Children’s added, “Even though the investigation revealed that no patients were harmed and apparently no patient information was compromised, we are using this incident to further tighten our security and provide additional education to our staff.”

Dicks added that a date has not been set for the ruling on the appeal.

How Alertsec Xpress Would Have Helped

If you use data security software, a theft would simply be reduced to an insurance matter and the cost of the hardware plus the time to rebuild the computer. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Laptop of Portland Psychologist stolen, 4000 patients face possible identity breach

August 17th, 2010

Dr. David Gostnell, a Portland psychologist, is alerting 4,000 patients after his laptop, which contained personal health information, was stolen from his car on July 7.

The laptop contained clinical evaluations, with patients’ full names, Social Security numbers and diagnoses. Gostnell’s briefcase was taken as well, but was recovered from a nearby garbage bin. It contained individual evaluation records. The theft was reported to the police the next day.

Although the laptop was password protected, he was not using any computer protection software. Also, there was a disc in the CD drive that contained a partial backup of the hard drive, Gostnell said. He added that the breach doesn’t involve any patients he evaluated at Oregon Health and Science University Hospital. Patients at his Northeast Portland practice, however, should call 1-877-461-7657.

He doubts that the laptop was stolen for the purpose of identity theft and believes that so far none of the personal information has been misused or leaked.

According to OHSU’s website, David Gostnell, Ph.D. is a clinical assistant professor in the Departments of Neurological Surgery and Medical Psychology, consulting with neurosurgeons and other physicians in chronic pain conditions and performing pre-surgical psychological assessments.

At OHSU and in his private practice in Northeast Portland, he assesses and treats patients with neurological disorders. He also acts as a consultant with Kaiser Permanente.

How Alertsec Xpress Would Have Helped

If you use laptop encryption software, a theft would simply be reduced to an insurance matter and the cost of the hardware plus the time to rebuild the laptop. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.
