Here’s more from TrustedSec:
While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.
“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”
While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Principal Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also the founder of the Derbycon conference.
In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. . . . The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers.
With the current state of security in the healthcare industry I expect outside attacks on vulnerable providers and business associates will increase.
During fourth quarter 2013, Target experienced a data breach in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information. In second quarter 2014, the Company expects to record gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable. Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.
According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.
Brian Krebs has provided an excellent Q&A on the topic.
The short answer is no, but the more complex answer is that HIPAA holds BAs and their subcontractors to the same standards as the health care providers themselves. Thus it is critical that serious consideration is given to how the data is to be protected. In this case, the cloud provider would also be a BA and the agreement should reflect their responsibilities in securing the data and their duties if a breach does occur.
One source of guidance is NIST 800-144: Guidelines on Security and Privacy in Public Cloud Computing. Here’s the abstract:
Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.
Zeusgard allows you to safely bank online from any machine — even from a system that is already riddled with malware. That’s because it lets you boot your existing PC into an entirely different operating system. Even better, it is capable of connecting to the wireless network.
Priced at $40 for both the flash drive and the wireless adapter, it may be a perfect tool for small to medium-sized businesses that conduct online banking.
The revised rule is designed to ensure a more uniform response from Federal Courts regarding the loss of Electronically Stored Information (ESI). The rule, broken into two sections, gives courts power to undertake “measures” – AKA sanctions and other similar procedures – when a party loses ESI because they failed to take “reasonable steps” to preserve it during the anticipation of impending litigation.
The first section, Section 37(e)(1), allows a court to take measures when a party is prejudiced by the opposing party’s loss of ESI. The court is permitted to take reasonable action that sufficiently cures the party’s prejudice even though the loss of the ESI may not have been the opposing party’s fault.
Similarly, the second section, Section 37(e)(2), authorizes a court to take measures when a party intentionally loses ESI. However, it does not require a showing of prejudice to the adverse party. The court can assume that the ESI was unfavorable, instruct the jury that the ESI was unfavorable, or grant default judgment or dismiss the case.
Goldman said the contractor meant to email her report, which contained the client data, to a "gs.com" account, but instead sent it to a similarly named, unrelated "gmail.com" account.
The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google's "incident response team" reported on June 26 that the email cannot be deleted without a court order.
"Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs' clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs," the bank said.
"By contrast, Google faces little more than the minor inconvenience of intercepting a single email - an email that was indisputably sent in error," it added.
My questions are these: If losing the data would truly result in “a massive privacy violation,” why wasn’t Goldman either encrypting the data itself or using software to encrypt its email (such as the freely available PGP)? A report encrypted to the intended recipient’s key is unreadable to the stranger who receives it by mistake, so a misaddressed message becomes a non-event instead of an emergency. And why should Google be legally responsible for cleaning up after companies that do not follow best (or even good) data protection practices?
Prepare for the worst now
- (1) Educate senior management about the threat of ransom-demanding cyber criminals (along with ransom-demanding malware, which they should already be familiar with). Let them know the threat is real, fairly easy to accomplish, and difficult to prevent. Do your research and put everything in a document, so they can't say you didn't warn them.
- (2) Ask management how you should respond if a ransom incident occurs and you believe it to be a viable threat. Should your company ever pay ransom? If your company thinks paying the ransom is the appropriate response (at least in some scenarios), get a sense of what the upper limit might be to save the company. Management won't want to have this discussion, but it's a good way to start a dead-serious dialogue about risk management.
- (3) Ask management if your current business interruption insurance covers data ransom scenarios. If so, to what level? If not, it's time to investigate insurance coverage for this type of event.
Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.
“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”
Chief Justice John Roberts delivered the opinion of the court. Roberts wrote that cellphones are powerful tools that are able to store a "digital record of nearly every aspect" of people's lives. Consequently, they are different from almost anything police find on a person upon arrest. A search of a person's cellphone is far more invasive to one's privacy, Roberts said, than a search of the person's wallet or purse.
"It is no exaggeration to say that many of the more than 90% of American adults who own a cellphone keep on their person a digital record of nearly every aspect of their lives — from the mundane to the intimate," Roberts wrote.
Read the full opinion here.
“[T]he DDoS attack against its servers and unauthorized access into the company's cloud control panel resulted in most of its data, backups, machine configurations and offsite backups being partially or completely deleted.
"Code Spaces will not be able to operate beyond this point," the company says. "The cost of resolving this issue to date and the expected cost of refunding customers who have been without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."
Link (and here and here).
Parkview employees, who had been notified that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, according to the resolution agreement between OCR and Parkview.
"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," says Christina Heide, acting deputy director of health information privacy at OCR. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."
The hacker group, Rex Mundi, threatened that Domino's Pizza had until Monday at 8 p.m. to pay up, or the group would post all of the data — including customers' physical addresses — on the Internet. Domino's has not released an update on the breach, but a spokesperson said earlier this week that the company would not be paying the ransom and that financial data had not been stolen.
Unfortunately, this isn’t a new tactic and with the emergence of malware that encrypts the victim’s data it is only going to become more prevalent. I previously wrote about a $10 million ransom attempt against the Virginia Department of Health Professions that took place in 2009.
MTV said that the blackmailers had acquired the encryption key for a core part of Nokia's Symbian software and threatened to make it public.
Had it done so anyone could then have written additional code for Symbian including possible malware which would have been indistinguishable from the legitimate part of the software, MTV said.
After the blackmail attempt Nokia contacted the police and agreed to deliver the cash to a parking lot in Tampere, central Finland. The money was picked up but the police lost track of the culprits, MTV said.
Regulatory agencies and courts need to start recognizing true two-factor authentication (something the user knows plus something the user has, rather than two passwords) as more than mere guidance for high-risk transactions. Holding the plaintiffs responsible for the banks’ legal fees on top of losing their funds will have a chilling effect on future lawsuits.
BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.
Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.
A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.
Some experts see a connection to last December’s Target breach:
But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches.
But while the experts disagree about the details of this latest alleged breach, they agree it's time for retailers to tighten network security.
"It's really got the retail industry up in arms," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "CISOs are scared of getting fired, they are afraid of the consumer reaction and they're just trying to get a handle on all of this."
UPDATE (6/18/2014): Brian Krebs provides new information indicating that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11. If true, the breach would predate the attack that compromised Target.
At nearly nine months, that’s slightly longer than the average amount of time before a breach is detected.
With technology capable of providing only partial security solutions, a proactive approach to address cyber risk should include evaluation of risk transfer mechanisms, such as insurance. In April 2014, members of Hunton & Williams LLP’s Insurance Counseling and Litigation and Global Privacy and Cybersecurity practices participated in a webinar regarding cyber insurance, discussing the nature of cyber risk and possible insurance solutions.
Listen to a recording of the seminar.
The Preamble to the Final HITECH Rule states:
“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.] As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”
Here’s a summary of the author’s conclusion.
Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity simply performing just fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.
Read the whole article here.
Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.
I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.
Full article here.
The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative.
The Court’s opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result.
There is room for improvement – vast improvement – in the detection of breaches. A large majority of enterprises fail to detect breaches on their own – they find out about them from somebody else, as a couple of recent reports show.
The security firm Mandiant, now part of FireEye, reported recently that while the average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the number of firms that detected their own breaches actually dropped, from 37% to 33%.
The results in a report from security firm Trustwave were more encouraging, at least for the time between intrusion and detection – it found the median was 87 days. But the ability of firms to detect malware in their systems on their own was only 29%, which Karl Sigler, Trustwave’s manager of threat intelligence, called “just a horrible statistic in general.”
- 77 percent include a confidentiality statement;
- 22 percent encrypt emails;
- 22 percent include a confidentiality statement in the subject line;
- 17 percent require clients' written consent for transmission (compared to 13 percent that require oral consent);
- 14 percent password protect documents;
- 13 percent share links to documents shared on a secure site.
Why is this a problem? After all, it's not like clients' email accounts aren't password protected. You're not leaving the files on their door stoop, or on a table.
But in a way, you are. Take, for example, a family law dispute. You email important documents to a client. Her spouse, if he doesn't know her password already, probably knows the typical information required to gain access to the account (birth date, mother's maiden name, etc.). Or, even simpler: he's stopped by to pick up the kids and clicks around on her unattended computer.
After finding out certain relevant e-mails had been deleted, PSC immediately motioned to compel discovery and impose sanctions on BIPI. The deleted e-mails were particularly relevant because they pertained to the drug-in-suit, Pradaxa, and were in the possession of an employee who supervised Pradaxa’s development. The Court even noted that “[t]here is no question that [the employee’s] custodial file would have included documents relevant to the instant litigation.”
However, BIPI contended that because they followed their document retention policy, which was deemed reasonable, they should be able to escape fault. As it turns out, BIPI was correct. In an opinion dated September 25, 2013, the Southern District of Illinois held that because BIPI had a reasonable document retention policy, which they fully complied with, sanctions were not warranted. BIPI’s document retention policy called for leaving “all of the employee’s email, user share and hard drive documents in place until 30 days after the employee’s final day with BIPI. After those 30 days, the documents are deleted…Further, when a litigation hold is released, the document retention policy is to delete all documents maintained exclusively under the hold within 24 hours.”
But is that really the case? There are many theories surrounding why the development team abruptly quit. Hopefully an ongoing audit of the code will provide answers:
TrueCrypt has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden...
Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).
In the wake of eBay’s revelation earlier this week that it had lost as many as 145 million customers’ data, eBay users and security response professionals say they’ve been increasingly angered and amazed at the company’s ham-fisted public response to an incident that’s already sparked multiple government investigations. EBay’s mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many–if not the majority–of the site’s users still had received no email notification about the breach.
“It just seems like their response has been complete disarray and disorganization,” says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. “This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach.”
Before his access to EnerVest was terminated, Mitchell went to the office after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system. EnerVest was unable to fully communicate or conduct business operations for nearly 30 days.
The company spent hundreds of thousands of dollars trying to recover historical data from its network servers. Some data was lost forever.
When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.
You can download the complete report here:
200 Million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.
18.00 – 35.70 - The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).
53.7 Million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).
Check out more startling stats at Krebs On Security.
Such technology could help detect the use of stolen credentials, which were one of two ways most Web applications were compromised, according to the report released Tuesday. The other way was exploiting a weakness in the application.
Read the full report here.
Fortunately, it seems that because F5 uses a custom version of OpenSSL there are only a few configurations in which F5 devices would expose the vulnerability to backend servers running affected versions of OpenSSL. This should give the network gurus some time to patch the affected systems and then replace the private keys and reissue the certificates; reissuing a certificate over a key that sat in a vulnerable process fixes nothing.
In this video the F5 security team discusses the vulnerability and takes live questions from an online forum. (F5 is a former employer).
“The OpenSSL Heartbleed vulnerability has resurrected the age-old debate of whether or not open source code is more or less secure than proprietary code. Before putting on your open source or proprietary jerseys and launching into this (frankly not-very-productive) fight, first consider a few things.”
Read the whole article here:
* The cost for a "minor" SQL injection attack can exceed $196,000;
* Anti-virus applications fail to detect 54 percent of new malware;
* Healthcare has seen a 13 percent increase in botnet activity.
Read the full report here.
This vulnerability is unusual because the order of the remediation steps matters. Patch OpenSSL first, then replace the private keys and reissue (and revoke) the certificates, and only then have users change their passwords. A password changed before the service is patched and its keys replaced can be captured exactly like the old one, so the new password is compromised as well.
Jaime Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.
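To make the ordering concrete, here is an added example (my own code, not from the article or from any vendor) that decides which Heartbleed clean-up step comes next for a host. It classifies an `openssl version` banner against the affected upstream releases, then orders key rotation against the recorded patch time and the certificate's notBefore date, and it also compares the public-key fingerprints served before and after rotation, because a certificate reissued over the old key is still compromised and a notBefore check alone will not reveal that. The banners and timestamps in the tests are constructed; `patched_at`, `cert_not_before` and the `spki_*` fingerprints are values an operator would supply from their own records.

```python
"""Heartbleed (CVE-2014-0160) clean-up: which step comes next on a host.

Added example, not code from the page. Order matters: patch OpenSSL,
then replace private keys and reissue/revoke certificates, and only then
have users change passwords.
"""
import re
from datetime import datetime, timezone

# Upstream releases affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 carry the fix; the 0.9.8 and 1.0.0 branches
# never contained the vulnerable heartbeat code.
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?(\S*)")


def utc(year, month, day):
    """Helper so callers (and tests) can build UTC timestamps tersely."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def classify_openssl_version(banner):
    """Map an 'openssl version' banner to 'vulnerable', 'fixed',
    'not_affected' or 'check_backport'.

    'check_backport' is returned for banners carrying a vendor suffix
    (e.g. RHEL's '1.0.1e-fips' or Debian's '1.0.1e-2+deb7u5'): those
    distributions shipped the fix under the same upstream letter, so the
    banner alone cannot decide; the package changelog or a live
    heartbeat test is needed.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta, suffix = m.group(4), m.group(5), m.group(6)
    if release in ((0, 9, 8), (1, 0, 0)):
        return "not_affected"
    if release == (1, 0, 1):
        if letter >= "g":          # 1.0.1g is the first fixed release
            return "fixed"
        return "check_backport" if suffix else "vulnerable"
    if release == (1, 0, 2):
        if beta is not None:
            return "vulnerable" if int(beta) == 1 else "fixed"
        return "fixed"
    return "fixed" if release > (1, 0, 2) else "not_affected"


def next_remediation_step(banner, patched_at=None, cert_not_before=None,
                          spki_before=None, spki_now=None):
    """Return the next step for one host.

    patched_at      -- operator's record of when the fixed OpenSSL went
                       live here (None: not yet, or not yet confirmed)
    cert_not_before -- notBefore of the certificate the host serves now
    spki_before/now -- public-key fingerprints served before and after the
                       rotation; identical values mean the key was reused
    """
    status = classify_openssl_version(banner)
    if status == "not_affected":
        return "nothing_to_do"
    if status == "vulnerable" or patched_at is None:
        # For 'check_backport' with no recorded patch time, proving the
        # backport and recording when it landed is the same step.
        return "patch_openssl"
    if cert_not_before is None or cert_not_before < patched_at:
        # A key that lived in a vulnerable process may have been read out
        # of memory; a certificate predating the patch still uses it.
        return "replace_keys_and_certificates"
    if spki_before is not None and spki_before == spki_now:
        # Reissued certificate, same key: the rotation did not happen.
        return "replace_keys_and_certificates"
    return "reset_user_passwords"


if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.1e-fips 11 Feb 2013"):
        print(banner, "->", classify_openssl_version(banner))
    print(next_remediation_step("OpenSSL 1.0.1g 7 Apr 2014",
                                patched_at=utc(2014, 4, 8),
                                cert_not_before=utc(2013, 6, 1)))
```

Note that forward secrecy does not remove the need for rotation: a leaked key still lets an attacker impersonate the server and capture whatever password a user types into the impostor, which is why the password reset waits for the new key.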
The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.
It follows the National Institute of Standards and Technology’s development of a similar toolkit, and contains 156 questions and resources that are designed to help health care providers.
More information and downloads are available here.
Riley was 13, in sixth grade, when she posted on Facebook two years ago that she hated a school hall monitor because she was mean. After school officials called her in and leveled an in-school suspension for what she said on social media, she went back on Facebook and asked who snitched.
“I was a little mad at whoever turned me in ’cause it was outside school when it happened,” Riley said in a telephone interview from her central Minnesota home in Glenwood.
From Insurance Journal:
“A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.
The data breach had exposed personal information of tens of millions of users, and Sony’s losses are estimated to be as high as $2 billion.
In his bench ruling last month, Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.”
Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.
Read the whole article here.
Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.
Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.
Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service. According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.
Much more here: http://krebsonsecurity.com/2014/03/experian-lapse-allowed-id-theft-service-to-access-200-million-consumer-records/
Now it's fun and games with infinitely more paperwork.
The malware infected a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service.
That error left every single document used by the firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson.
"The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said.
After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired.
Read the full article here.
Because of the sensitive data handled by law firms, they're a critical and oft-overlooked weak link in the "Cybersecurity chain," according to Inside Cybersecurity.
The document linked in the article can be used to figure out what to log, what to report on and what reports to review for various purposes. At its center are these top log report categories:
- 1. Authentication and Authorization Reports
- 2. Systems and Data Change Reports
- 3. Network Activity Reports
- 4. Resource Access Reports
- 5. Malware Activity Reports
- 6. Failure and Critical Error Reports
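As an added example of the first category (not code from the linked document or its author), the script below builds an authentication and authorization report from syslog-style sshd and sudo lines. The sample lines are constructed for the example and do not come from any real system; the threshold of three failures before a success is flagged is an assumption, not a figure from the page. The report lists failed logins per source and the accounts each source tried, flags a successful login from a source that had already failed repeatedly (a brute-force or credential-stuffing attempt that worked), and lists commands run as root through sudo, which is what a reviewer of this report category would want in front of them.

```python
"""Authentication and authorization report over sample auth-log lines.

Added example. The input is constructed syslog-style sshd/sudo text for
illustration only; it is not taken from any real host.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 10 08:01:02 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 10 08:01:04 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51123 ssh2
Apr 10 08:01:06 web1 sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Apr 10 08:01:09 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51125 ssh2
Apr 10 08:01:11 web1 sshd[4123]: Failed password for root from 203.0.113.7 port 51126 ssh2
Apr 10 08:01:15 web1 sshd[4130]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Apr 10 08:30:00 web1 sshd[4201]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Apr 10 09:12:44 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
Apr 10 09:13:02 web1 sshd[4300]: Failed password for deploy from 198.51.100.20 port 40100 ssh2
"""

# syslog header: timestamp, host, program[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# sshd outcome lines; "invalid user" marks attempts against unknown accounts
SSH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")
# sudo audit line: who ran what as whom
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_auth_log(text):
    """Turn raw lines into event dicts. Lines with a valid syslog header
    but an unrecognised message are kept with kind='other' so the report
    cannot silently drop them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": m.group("ts"), "host": m.group("host"),
              "prog": m.group("prog"), "kind": "other"}
        msg = m.group("msg")
        if ev["prog"] == "sshd":
            s = SSH_RE.match(msg)
            if s:
                ev.update(kind="ssh", **s.groupdict())
        elif ev["prog"] == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                ev.update(kind="sudo", **s.groupdict())
        events.append(ev)
    return events


def auth_report(text, brute_threshold=3):
    """Build the summaries a reviewer reads daily.

    brute_threshold (assumed value): a success from a source that already
    failed at least this many times is flagged as suspicious.
    """
    failures = defaultdict(int)      # source -> failed attempts
    tried_users = defaultdict(set)   # source -> accounts it tried
    suspicious_logins = []           # (ts, user, src, prior failures)
    root_commands = []               # (ts, user, command)
    for ev in parse_auth_log(text):
        if ev["kind"] == "ssh":
            if ev["result"] == "Failed":
                failures[ev["src"]] += 1
                tried_users[ev["src"]].add(ev["user"])
            elif failures.get(ev["src"], 0) >= brute_threshold:
                suspicious_logins.append(
                    (ev["ts"], ev["user"], ev["src"], failures[ev["src"]]))
        elif ev["kind"] == "sudo" and ev["target"] == "root":
            root_commands.append((ev["ts"], ev["user"], ev["cmd"]))
    return {
        "failures_by_source": dict(failures),
        "accounts_tried": {src: sorted(u) for src, u in tried_users.items()},
        "suspicious_logins": suspicious_logins,
        "root_commands": root_commands,
    }


if __name__ == "__main__":
    for section, rows in auth_report(SAMPLE_LOG).items():
        print(section, rows)
```

Run against the sample, the report shows 203.0.113.7 failing five times against `root` and `admin` and then succeeding as `root`, which is the line a reviewer acts on; the single failure from 198.51.100.20 after a successful key-based login is ordinary noise. The same structure extends to the other categories by adding a regex and a bucket per event type.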
A former Northwestern University student claims that after she was admitted to an Illinois hospital for extreme intoxication, a doctor there took photos of her and posted them to social media sites with commentary about her condition.
. . .
Approximately 15 minutes after she had regained consciousness, Puppala, who was on duty at the time and knew Chernyakova through a mutual friend, visited her hospital room, according to the complaint.
He allegedly asked to view her medical records, and returned several hours later to take photographs of her "while she was on the hospital bed, crying and attached to an IV," according to the complaint. He then posted these photographs on Instagram and Facebook, accompanied by "attached statements of commentary" about Chernyakova's condition, according to the complaint.
Puppala refused to delete the photographs when he was asked to do so by hospital security, according to the complaint.
At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.
- How These Breaches and Fines Could Have Been Avoided:
  - (1) Address the need for encryption for everything with PHI (laptops, mobile devices, photocopiers)
    - Idaho Hospice ($50K)
    - Providence Health ($100K)
    - Mass Eye/Ear ($1.5M)
    - Alaska DHSS ($1.7M)
  - (2) Dispose of ePHI properly
    - CVS ($2.25M)
    - Rite Aid ($1M)
  - (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    - Mass General ($1.5M)
  - (4) Choose your Business Associates wisely (and have written BAAs with them)
    - BCBS Tennessee ($1.5M)
    - Arizona Cardiologists ($100K)
  - (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    - BCBS Tennessee ($1.5M)
    - Idaho State ($400K)
    - Arizona Cardiologists ($100K)
    - Wellpoint ($1.7M)
  - (6) Have written policies (and actually implement them)
    - Rite Aid ($1M)
    - CVS ($2.25M)
    - Cignet Maryland ($4.3M)
    - Mass General ($1.5M)
  - (7) COOPERATE with OCR!
    - Cignet Maryland ($4.3M)
Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity. Originally estimated at over 400,000 affected individuals, as reported by DataBreaches.net, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach.
CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.
The settlement includes a Corrective Action Plan (CAP) stating that Affinity must use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein, within five days.
Ouch. Read the full article here.
Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information. Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach.
Texas Health Fort Worth's business associate, document destruction company Shred-It, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-It was to transfer them to another facility for destruction.
Somehow "lost" or misdirected during transit, the records found themselves in a park where a concerned citizen found them and contacted the Dallas police.
A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions.
Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”