Image via Wikipedia

How many healthcare organizations today are following the HIPPA (Healthcare Insurance Portability Act and Accountability Act of 1996)? Looking at the increase in health care data breaches, one know how much security laws are being followed.

The US healthcare system has always been the best choice for hackers. Every other data breach news item talks about health-care data thefts. According to the Ponemon Institute’s data security survey 96% of US healthcare organisations have been a victiom of at least one data breach in the last two years. Medical data handling practices are very sloppy and a disturbing reality check for patients. Data breach risks are very high especially related to identity theft and medical identity theft. Obviously patient’s privacy is affected. Every time a breach takes place, hospitals lose an average of  $2.24 million. Annually it would come around $6.5 billion.

What is the exact reason for this severe problem? – Silly mistakes on the employee’s part is the main culprit here. Although the mistakes are ’silly’, the consequences are disastrous. In addition t0 the employees, third parties and sub-contractors are to be blamed for data breaches. Needless to say, lost or stolen devices add to the reasons.

The survery also showed that the use of unsecured mobile devices contributed  to data theft. Most of the providers  do not do much to protect the data on these devices. These devices are used for gathering, transmitting, and storing patient information but obviously they are not secured enough. According to the report “An area that needs to become more of a priority is privileged user and access governance, with only 29 per cent agreeing that the prevention of unauthorised access to patient data and loss or theft of such data is a priority,”. “Hospitals and healthcare providers suffered an average of four data breaches in the past year, according to the report.”

The worst part of these data breaches is that once discovered they are notified to the customers only after a couple of months.

HIPPA needs to step in and enforce security laws. Every hospital has a data security policy but how many actually follow them? Very few, it is clear from the upsurge of data breaches. An HIPPA audit is a must for very organization. But that’s not enough. What is required is data encryption, virtual or dedicated firewalls, offsite backup and antivirus to meet HIPAA/HITECH standards and keep data secure.

Following are the consequences of a data breach that healthcare organizations suffer from:

81% Diminished productivity and lost time78% Brand or reputation diminishment75% Loss of patient goodwillResult of these conseqences: dissatisfied patient,an average loss of $113,400 per customer/patient.
Data breaches are discovered through:
51% Employees43% Audit/Assessment35% Patient compliant

Alertsec is into the data encryption business

You cannot afford to wait any longer. Alertsec Xpress, the market leader in data encryption, is the need of the hour. Alertsec Xpress offers full disk encryption and is therefore superior to other encryption providers in security, performance, strength and ease-of-use for administrators and users. Alertsec also offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.

Hack on backup server of Maple Story

We are back with another case of data theft that involves gamers IDs being stolen. We are talking about the latest breach in the gaming industry, the Nexon Security Breach.

According to the company’s spokesperson the incident took place on 24 November and it had informed law enforcement agencies to investigate urgently. This breach was only limited to players of the online role-playing game Maple Story. Nexon added that Maple Story is “completely independent of the service”.

The official further added that the exposed details did not include information on financial transactions or bank account numbers and had not affected overseas subscribers of the online game.

For prevention sake, the company has requested game subscribers to change passwords although the exposed data is said to be encrypted. As of today the total subscription membership of Maple Story is about 18 million. Minors are also members of this site and have a legal consent of their parental guardians. Nexon reports that “The information concerning legal guardians of users who are under 14 years of age is not involved in the hacking as it is stored in a different server.”

This breach has chosen a bad timing for Nexon as it is in the midst of planning an IPO. The IPO is planned for Dec 6.

This is what one encryption expert had to say about the case “This is unfortunately the latest in a string of attacks against gaming sites; hackers have realised that they represent a virtual treasure trove of personal consumer data,” Pauker said. “It’s time for the gaming companies to realise that security can’t be an afterthought. Good security is just as important as good graphics.”

This is a wake-up call for Nexon and it is bolstering its security policies. As a freebee it is offering game items to gamers who agree to change their passwords.

Alertsec offers data security services

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

The First Circuit's decision may change some data breach laws

An appeals court’s decision may bring a major change in the data breach laws. The court’s decision is to permit negligence and contract putative class action litigation. This is specifically related to a grocery store chain data breach because of the alleged damages incurred.

Maine Law

The First Circuit has held that consumer claims for reimbursement of the cost of identity theft insurance and of fees for replacement of credit and debit cards following a breach of their personal information can be a cognizable injury under certain circumstances. For now, Maine Law recognizes this decision.

Case history

In the year 2007 hackers breached Hannaford’s – a popular grocery store chain – electronic payment processing system and stole up to 4.2 million credit and debit card numbers, with expiration dates and security codes. Fortunately customer names were not stolen. Hannaford made a public announcement about the breach and added that it had received a total of 1,800 reports of fraudulent credit and debit card activity. Some financial institutions canceled/reissued customer cards and monitored the accounts. But some of these institutions assessed fees on the consumers for offering such services. To be on the safer side, some consumers purchased identity theft insurance and/or credit monitoring services. The plaintiffs in the above lawsuit of Hannaford claimed damages that included these fees and services. In addition, allegations included loss of accumulated miles reward points, inability to earn reward points, emotional distress, and the time and effort spent during this period.

As per the initial Maine law time and effort were not to be counted as cognizable offences. Hence previously the court had ruled in Hannaford’s favor dismissing all claims.

The circuit court’s appeal

The First Circuit  was trying to assess whether the mitigation damages alleged by plaintiffs for negligence and breach of implied contract could be considered as a cognizable injury under Maine law.

The court’s ruling

First Circuit held that mitigation damages that arise from negligence and breach of implied contract claims can be cognizable under Maine law. But they have to be “reasonably foreseeable” and “reasonable,” and are for actual financial losses rather than just time or effort expended.

The Hannaford decision is a classic example of what a common man can do against a faulty legal system. The legal system is harsh but if you are armed with information and know your rights, you can appeal in the court of law and get your voice heard. Data breach victims can now heave a sigh of relief.

Alertsec helps keep Data Safe

The above case is a clear indication that in the absence of full disk encryption, privacy of people can get affected. To keep your sensitive data safe from thefts and hacking, it is very important to use Data encryption software. Everyday we are reading incidents taking place across global organizations which highlight the need of a data security and recovery software. By a mere investment of $13/month, the information can be secured with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.

State of Massachusetts has seen the maximum number of data breaches in the past twenty months. Personal information of about two million Massachusetts residents i.e. one in every three people who are residents of Massachusetts, has been breached through electronic data breaches.

According to the 2007 state laws all companies doing business in Massachusetts must inform consumers and state regulators about security breaches that might result in identity theft. The list includes leaks of individual names along with sensitive data like Social Security numbers, bank account, credit card and debit card numbers. The law came into being in 2007 as a result of a 45 million hack of credit card numbers from Framingham-based retailer TJX Cos.

Martha Coakley, Attorney General, said that nearly 1,200 data breaches have been reported. Quarter of these were the result of intentional hacking.

The largest breach in the time period was the hacking of information of about 800,000 people that was lost by a vendor hired to destroy it. In addition, information on 210,000 residents entrusted to a state agency was put at risk.

These data breaches contained information from names and addresses to medical histories.

What MA residents had to say?

Daniel Paul, a courier, gets the jitters when he thinks about it. He made online purchases with his credit card but started getting charged for things he didn’t buy: his credit card had been hacked. It was a nightmare to get things back on track.

Here is what he had to say ”Just going through getting everything changed back, changed over, getting charges off your account, your credit– it was awful,” said Paul.  ”I hope I never have to go through it again.”

Mike Paquette, Chief Strategy Officer for Corero Network Security in Hudson, MA said ”In today’s internet world there are so many opportunities where information can be disclosed, as an individual, unfortunately there is very little that you can do,”said.

Consumers do have the option of suing, but it really doesn’t get them anywhere as it is very difficult to prove data theft.

Consumers must carefully keep a track of their online transactions. It is always advisable to deal with well-known companies and do your homework about the company’s info.

Data security with Alertsec

Alertsec is here to take care of our security issues especially for anyone working with PCs. Alertsec Xpress is the service that automatically protects ALL information you store on your PC. The fact that we now buy more laptops than desktops shows that the information we all store is increasingly more vulnerable to be exposed. It is a much higher risk to lose a laptop than a desktop computer.

Encryption is the only secure method for complete protection of data stored on your hard disk. Today laptops are overtaking desktop PCs as the major source of computing and media storage, laptops frequently store an organization’s most valuable information. Thus laptop encryption is becoming more and more important.

Alertsec Xpress offers full disk encryption and is therefore superior to other encryption methods when comparing security, performance, robustness and ease-of-use for both administrators and users.

.

Vending machine exposes visitors' personal data

Should you be staying away from vending machines? Many folks keep themselves away from vending machines for health sake.

There is one more reason to stay away now. Your personal information is at risk here ! Folks swipe credit cards whilst buying from the vending machines thereby storing personal data.

The following incident makes one think twice before putting that chip from the vending machine into your mouth.

A hacker gained entry into certain parts of Vacationland Vendors point-of-sale systems used to process payment-card transactions at Wilderness Resorts located in Tennessee and in the city of Wisconsin Dells, Wisconsin. The breach has affected around 40,000 people. Company’s spokesperson said “a computer hacker improperly acquired credit card and debit information.”

It is still not known how the breach was discovered or when. Whether those affected by the breach have been notified or not is also not known. The breach affected only arcade systems. Fortunately the resort operations and systems — reservations, restaurants, and shops — were not breached.

According to Vacationland, internal security has nothing to do with the breach at either of the two Wilderness Resorts. The statement further adds “Vacationland Vendors has learned that other businesses just like its own have been affected by this computer hacker,”.

Vacationland Vendors is working with an outside consultant and has beefed up its security of point of sale systems to protect from future breaches.

Customers who have used their credit card or debit card at the Wilderness Resort locations from December 12, 2008 through May 25, 2011have been asked to take the following immediate steps in order to prevent the unauthorized and unlawful use of their personal information.

According to Bill Bray, spokesperson for the Wisconsin Dells-based Vacationland Vendors, the same intruder had hacked other businesses as well.

a. Keep a close watch on bank statements and credit card bills and if you notice something strange immediately get in touch with authorities

Why is Alertsec the number 1 laptop encryption service?

3 easy steps to encrypt your data

a. Register for your subscription or 30-day free trial of our encryption software

b. Download and activate Alertsec Xpress online

c. Your laptop is now powered by Check Point Full Disk Encryption

Data breach at ODOT exposes participants social security numbers

2011 has probably seen the most and the worst set of data breaches. In April 2011, Sony reported a data breach within their Playstation Network. Expedia’s Trip Advisor, email marketing provider Epsilon and professional engineering society Institute of Electrical and Electronics Engineers followed suit.

In the latest incident of data breach, data of 62 current and former employees remained exposed to the public online for nine long years. The breach was reported on Friday.

Details of the breach

Oregon Department of Transportation immediately removed the data from the site and apologized to its users who had participated in the environmental program. Fortunately, no one has had any problems with the exposed data.

Aug. 26 email gave details of this breach to all its users.

According to Theresa Masse, the state’s chief information security officer with the Department of Administrative Services ”Some were electronic — misdirected email, lost laptop, or a file exposed on a website,”. She further added “Others involved misdirected letters or a lost folder. The largest affected 500 people; the smallest, one individual.”

ODOT found out about the breach two weeks ago when it got a call from a citizen who brought to notice that a file in the agency’s file transfer protocol site contained encoded Social Security numbers. A file-transfer protocol site is used to transfer large files to internal and external users. The file contained names and encoded Social Security numbers of 62 people working with ODOT’s environmental programs. This information could have been online since 2002.

This is what ODOT spokesman Dave Thompson had to say when users found out about the breach ” “None of them were necessarily happy with us, or with the news this happened,” Thompson said. “But none of them has indicated they have noticed any sort of issue. It does not mean it hasn’t happened — and that’s why we spoke to them first before we announced it.”

Comparison with two private sector firm breaches

Health histories of 120,000 Oregon customers covered by Health Net were breached in March. Computer disks and backup tapes with details of 365,000 Oregon patients of Providence Health & Services went missing in Dec 2005

Another incident in early 2010

This incident was far more serious than the recent breach. A pen drive with payroll information of 550 Department of Corrections employees was found in Madras. The drive contained Social Security numbers of 300 employees at the Deer Ridge Correctional Institution near Madras and the Shutter Creek Correctional Institution in North Bend, and information of employees at the Warner Creek Correctional Facility in Lakeview.

How can Alertsec help protect data?

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

Sensitive info papers lost from filing cabinet

Data breaches are online as well as physical

Data breaches are not restricted to online or soft copy data loss. They also include theft or loss of physical documents.

Here’s a look at a recent case of physical and digital data theft.

Scottish Children’s Reporter Administration (SCRA) breaches Data Protection Act for the second time

The Scottish Children’s Reporter Administration (SCRA) is in breach of data security related to children’s data twice in the last 6 months. The SCRA is an organization dedicated to protect children in the judicial system. The body investigates the care of Scotland’s most vulnerable children.

Details of the two breaches

In January 2011 the Scottish body sent documents containing a child’s personal data to the wrong email address. The documents carried sensitive information like child abuse related to the legal case which had the contact information of the child’s mother and witnesses.

Later, in September 2010, the body somehow lost 9 case files which contained personal data such as birth dates, names and social report. Apparently the files got lost when the filing cabinet which contained these files was moved and later sold to a second-hand furniture shop.

Mishandling of sensitive information

Ken Macdonald, assistant information commissioner for Scotland, is concerned that data had been breached twice by the same organization.

“On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided,” said Macdonald. He further added “I am pleased that the Scottish Children’s Reporter Administration has taken action to make sure that the personal information they handle is kept secure and would urge other organizations, particularly those handling sensitive information relating to young people, to follow suit,”. Fortunately both times the information was not circulated.

Information handling post breach

Neil Hunter, chief executive of the SCRA, is renewing the organization’s data protection policy and training employees about data security.

The ICO (Information Commissioner’s Office) is holding workshops related to raising awareness of data protection obligations among staff.

About ICO

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

Security guaranteed with Alertsec Xpress

This incident highlights the need of a data security and data encryption software, the threat could have simply been reduced to an insurance matter by a mere investment of $13/month. The information would have been secure with no loss what so ever. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.

Alertsec has offices in the US, UK, Sweden and operates in many other countries around the world through partners.

Its mission is to continuously improve its products and services in order to deliver the easiest and most cost-effective managed encryption service on the market

Gov. Jerry Brown signs Senate Bill 24

Breach after breach is forcing lawmakers to make changes in the security policy.

A California lawmaker has come up with a bill that would update the state’s data breach notification law, SB-1386, to help prevent sensitive data.

About Senate Bill 24

Existing law requires any agency, and any person or businessconducting business in California, that owns or licensescomputerized data that includes personal information, as defined,to disclose in specified ways, any breach of the security of thesystem or data, as defined, following discovery or notification ofthe security breach, to any California resident whose unencryptedpersonal information was, or is reasonably believed to have been,acquired by an unauthorized person

Bill Update

Senator Simitian had submitted three versions of his security breach notification to former Governor Schwarzenegger in 2008, 2009 and 2010. But they were vetoed all three times.

This time though, he was lucky. The current Governor, Jerry Brown, signed the bill which helps consumers with information to help prevent identity theft.

SB 24 defines key details that must be a part of the notification letter and forces the Attorney General to take cognizance of the breach.  In case a social security number or drivers license details get compromised, the notice letter explains how to contact major credit agencies. This is very important as consumers can keep a track of their accounts and get proof of identity theft (if one takes place). The bill further empowers to prevent identity theft, including freezing your credit report.

As per the update the breach notification letters will contain details of the incident i.e. the type of personal information compromised, a description of what happened, and steps to be taken to protect oneself from identity theft. The law also makes it compulsory for organizations to submit a copy of the alert letter to the state attorney general’s office in case the breach has affected 500 or more people

What are the other States doing about ID theft?

Taking a cue from California law, over 40 states have adopted security breach notice laws.  Some of them are Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia.

Will hackers stop?

Cyber thieves will continue breaking the law but businesses and agencies will take more precautions to protect their data henceforth and if they ever become a victim of data breach, they will know who to turn t0.

It was high time California  got the added protection that SB 24 will provide.

Alertsec offers encryption service

Security services like the ones offered by Alertsec are the need of the hour. Alertsec is the frontrunner in offering hard disk encryption as a fully managed service. We provide information security in a cost-effective & easy way. Alertsec is part of the Durator Group which has been awarded the highest credit rating available.

Another cyber attack on Citigroup

Hackers love Citigroup and they waste no time in finding loopholes to hack into their system. They have done it again but in a different way. This is not an online hack but an offline one.

This time they have illegally accessed personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold this info to third parties. This is a clear indication that banks are vulnerable to cyber attacks and need to beef up their security.

Customer account numbers, names, addresses, phone numbers, birth dates, account-opening dates and gender information were stolen hacked into. Thankfully, personal identification numbers and card security codes were safe.

So far, no unauthorized use of the cards had been reported by the end of business on Aug. 5, the Kyodo News reported.

Citi is getting in touch with all customers affected by the theft and plans to reissue cards at the customer’s request. It further added that customers won’t be responsible for fraudulent transactions on their accounts.

Who is the perpetrator this time?

According to Citigroup Japan, the system was hacked by a third-party vendor that had been given access to Citi’s internal systems.

Avivah Litan, a distinguished analyst at Gartner, sums up in exact words ”This is a CIO’s worst nightmare,”. “I am sure Citi is not sitting around and twiddling its thumbs as the hackers gain the upper-hand. However, it does prove what a leaky sieve most large banks and corporations are when it comes to protecting customer data. There are so many points of compromise that it’s very difficult for them to thwart all potential attacks.”

Customers have started worrying as cyber criminals are getting better and better in their online attacks stealing private information and documents. They are not fully able to trust the big companies who are handling their money and credit card information.

Citi has been a constant target of hackers

In 2006, Citi’s system had been breached through a third party, giving away corporate banking information. Citi had to take the step of blocking PIN-based transactions for customers in Canada, Russia, and the United Kingdom. This was a followed by an incident in June where the FBI arrested a former Citi executive who allegedly embezzled more than $19 million from the bank and its customers.

About Citigroup

Citigroup is a leading global financial services company housing 200 million customer accounts and operating in more than 140 countries. Through Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management.

Protect yourself with Alertsec

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

A serious data breach

There was a recent case of a USB drive found unattended in a pub in South London. The drive contained carried data of around 26,000 social housing tenants and bank details of some 800 tenants

Breach details

Apparently, the USB drive owner worked for housing associations Lewisham Homes and Wandle Housing Association. The data belonged to the tenants of these housing associations. The USB drive was seen lying in the All Inn One pub. The authorities were immediately notified; fortunately, the data was not compromised.

According to Sally-Anne Poole, acting head of Enforcement at the ICO “Saving personal information on to an unencrypted memory stick is as risky as taking hard copy papers out of the office. Luckily, there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected.”

The Lewisham Homes and Wandle Housing Association had breached the 1998 Data Protection Act by not encrypting the information of 26,000 people.

Action taken by the ICO

The ICO gave the housing bodies a stern warning and made them aware that they had clearly breached the Data Protection Act. Had the stick gotten into the hands of a hacker, all hell would have broken loose.

Reactions by security experts

According to Edy Almer, VP of product management at Safend: “It is good to see that data stored on the USB was most likely not compromised and that the immediate response from the breached party was to make things right. It is important to note it was a third party contractor that lost the data and not trained internal staff, thus highlighting the need to selectively block or encrypt all devices connecting to your network in order to protect sensitive data.”

Mark Fullbrook, UK and Ireland director at Cyber-Ark’ reacted: “This is yet another example of the poor data protection policies operating within organisations today. Using a memory stick to transport sensitive information may be convenient, but it’s certainly not secure and whilst in this case the memory stick was returned to its rightful owners, should it have fallen into the wrong hands the repercussions could have been severe”

Action taken by the housing associations

Lewisham Homes has revised its data security procedure and the contractor/owner of the stick has been dismissed.

What can be done to protect data?

Using encrypted software is the need of the hour. Be it an organization or an individual, if you are carrying data, it has to be protected, no matter how what it is.

Use Alertsec

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption