Group items tagged

"Medical records for about 15,500 Northern California Kaiser patients - about 9,000 of them in the Bay Area - were compromised after thieves stole an external drive from a Kaiser employee's car last month, Kaiser officials said Tuesday." Kaiser officials said the electronic device contained patients' names, medical record numbers and possibly ages, genders, telephone numbers, addresses and general information related to their care and treatment. No Social Security numbers or financial information was contained on the drive, and Kaiser officials said there's no evidence that the information has been used inappropriately. The device was not encrypted, but some of the information was password protected. Kaiser has sent letters to the 15,500 members and the employee, who Kaiser would not identify, has been fired.

Another hospital employee fired for inappropraite access of medical records. More damage to a medical group reputation because someone failed to get the message.

IT and business both understand the need to protect regulated customer and business data -- so long as they're in business, analysts say. Here's a look at how some folding businesses are falling short protecting data and the possible liabilities for the IT group and CIO. From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan? "Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group. "In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft." Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay." In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore

Why employers should actually perform background checks.

A former Texas lottery worker was arrested while training for a new job Tuesday - his fourth with the state - and charged with illegally "possessing" personal information on 140 lottery winners and employees, including their names and Social Security numbers. Joseph Mueggenborg was still working for the Lottery Commission in 2007 when he allegedly took the information, which was discovered last year on a state computer at the Comptroller of Public Accounts where he later was employed. He was fired and the information was turned over to criminal investigators. When arrested Tuesday, however, the computer analyst was training for yet another job, at the Texas Department of Licensing and Regulation. Travis County prosecutor Jason English said it was "concerning" that the man was still working for the state after being fired by the comptroller. Susan Stanford, a spokeswoman for the Texas Department of Licensing and Regulation, said the department was unaware Mueggenborg had been fired and was under investigation when he was hired as a systems analyst three weeks ago. He was receiving job-related training at the time of his arrest, she said. The department has secured Mueggenborg's computer and begun a forensic study.

Despite ominous reports of cyberbullying and "Facebook depression" among young people, the number of parents who are cool with their children - between the ages of 10 and 12 - having a social media account has doubled in a year.

"Important personal information, such as social security numbers, names and zip codes, of many Notre Dame employees was exposed to the Internet after the University accidentally placed the information in a publicly accessible location. The data breach affected about 24,000 employees, including some students who work for the University, Gordon Wishon, associate vice president of information technology and the University's chief information officer, said. The personal information that was exposed will no longer be accessible because the University immediately removed it from the Internet and secured it, he said. "

"Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital - a crime being investigated by the FBI. But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said. One victim says that is too long to wait to tell patients they may be at risk of identity theft. The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information - the kind that can be used for identity theft - was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon. The man was stunned and angry to learn from someone other than hospital officials that his data had been leaked. Hospital officials should have notified him "way sooner," he said. "I would've given them two or three days after they initially found out. But this is a major thing - a priority thing!""

"Consumers who have received a data breach notification letter are four times more likely than others to be the victim of identity theft, according to a survey released this week by Javelin Strategy and Research. Approximately 11 percent of U.S. consumers have received a data breach notification letter in the past 12 months with a third of the breaches involving Social Security numbers and 15 percent involving ATM PINs, according to Javelin's third annual survey of nearly 5,000 U.S. consumers, released Tuesday. Of those who have received a data breach notification letter in the past year, 19.5 percent said they were the victims of fraud associated with identity theft, compared to 4.3 percent who have not received a notification but were victimized. "It wasn't just a statistical anomaly," Robert Vamosi, a Javelin risk fraud and security analyst and the author of the study, told SCMagazineUS.com on Wednesday. "In 2007 and 2006, we saw a similar pattern, so this isn't a blip. This is something that has been going on for a while.""

The Oklahoma Department of Human Services (DHS) is notifying more than one million state residents that their personal data was stored on an unencrypted laptop that was stolen from an agency employee. The computer file contained the names, Social Security numbers, birth dates and home addresses of Oklahoma's Human Services' clients receiving benefits from programs such as Medicaid, child care assistance, nutrition aid and disability benefits, the agency announced Thursday. The computer, which was stolen when a thief broke into the car April 3 after the employee stopped on her way home from work, was password protected, and officials do not believe the burglar realized what he or she was stealing. Therefore, the risk of the data being accessed is minimal, according to the agency. "We feel this was not a situation where someone was targeting the agency or that information," DHS spokeswoman Mary Leaver told SCMagazineUS.com on Friday. "We feel it was random." Leaver said the state Office of Inspector General is conducting an investigation, out of which likely will come a mandatory review of information security policies. However, it is not believed the employee violated existing policy when the incident occurred, she said. News of the theft comes one day after the Ponemon Institute, in conjunction with Intel, released a study that found the average value of a lost laptop is $49,246. About 80 percent of the cost is related to the chance that a breach could occur, the study showed.

New Englanders have a reputation for being taciturn, but when it comes to data Massachusetts takes the cake. No state loves its privacy more than the Bay State, which last year passed the nation's most exacting data privacy law, requiring companies to check off a honey-do list of steps designed to protect personal data belonging to commonwealth residents. Connecticut and Rhode Island preceded Massachusetts in joining the minority of states that have enacted proactive data privacy laws, requiring businesses to protect information like Social Security and credit card numbers. Maine, Vermont and New Hampshire, like nearly all states, have only reactive data laws, requiring companies to take certain steps - like reporting a breach to authorities - after data has been compromised. Rhode Island's law, passed in 2006, requires businesses that own or license Rhode Islanders' personal information to "provide reasonable security" for that data. Connecticut's law, passed shortly before Massachusetts enacted data privacy legislation last summer, requires businesses to create and publicly display a data protection policy, but does not specify what that policy should entail. The Connecticut and Rhode Island laws stop far short of the controversial requirements in Massachusetts, where new regulations are scheduled to take effect by January 2010. "They're not technically one-liners, but they're very general," Goodwin Procter LLP partner David Goldstone said of the Connecticut and Rhode Island statutes, which are similar to laws passed in Texas and California. "Essentially they say companies have to have reasonable protections in place."

Stay Online on the world wide web online roulette from Contemporary sydney, Fun and Free! Now you is capable of doing Actual "www.funlivecasino.com.au" Stay Online on the world wide web online roulette for Fun in Contemporary sydney on a product new web page, FunLiveCasino.com.au. Using the newest on the world wide web operating technology, Fun Stay Gambling house allows you be a part of a genuine action occurring on a genuine desk in a genuine betting house, all approved on Live! You can see other real gamers in the betting house betting on the same outcomes you do providing you greatest believe in in the outcomes as they are not designed 'just for you a, like other action experiencing items such as 'live studios' or pc designed actions. Its awesome to think next time your really in the betting house that you might be on digicam, and individuals on the world wide web might be watching! The long run is scary! Believe one day soon this will be the only way individuals would bet on the world wide web because the worldwide web is complete of fraudsters, you have to be extremely cautious, and why would you perform Online Online on the world wide web online roulette any other way except from a Actual Gambling house you can check out, see, pay attention to and trust! Amazingly this site is absolutely 100 % 100 % 100 % free and has no determining upon up process, no junk, no pc rabbit mouse mouse clicks and no pressure. Just Immediate Fun "www.funlivecasino.com.au" 100 % 100 % 100 % free Stay Roulette! Give it a try, its value verifying out! "www.funlivecasino.com.au"Australia's Online Fun Stay Casino! Backlinks designed from http://fiverr.com/radjaseotea/making-best-156654-backlink-high-pr

A nationwide ATM heist late last year netted thieves $9 million in cash in one day, according to published reports. The coordinated attack stemmed from a computer intrusion at payment processor RBS WorldPay. Atlanta-based RBS WorldPay announced on Dec. 23 that hackers had broken into its database and made off with personal and financial data on 1.5 million customers of its payroll cards business. Some companies use payroll cards in lieu of paychecks by depositing employee salaries or hourly wages directly into payroll card accounts, which can then be used as debit cards at ATMs. RBS said that thieves also might also have accessed Social Security numbers of 1.1 million customers. New York's Fox 5 cites FBI sources as saying that thieves used the stolen payroll cards recently to withdraw $9 million from ATMs from 49 cities, including Atlanta, Chicago, New York, Montreal, Moscow, and Hong Kong. Steve Lazarus, a spokesman for the FBI's Atlanta field office, said the withdrawals were carried out by a small army of so-called "cashers," or people who work with cyber thieves and fabricated cards to pull money out of compromised accounts. From the Fox piece: "Shortly after midnight Eastern Time on November 8, the FBI believes that dozens of the so-called cashers were used in a coordinated attack of ATM machines around the world."

1:53:26 - Jun 29, 2007 Recorded at the 8th www.ToorCon.org Information Security Conference, Sept 30th and Aug 1st, 2006 in San Diego, California. Content produced by www.MediaArchives.com --- PRIVACY IS DEAD - GET OVER IT, with Steven Rambam. This talk will include numerous examples of actual data and investigative online resources and databases, and will include an in-depth demonstration of an actual online investigation done on a volunteer subject. (The subject is Rick Dakan, a noted author, who will be present.) (From CNN: "...Rambam was scheduled to discuss how he dug up -- in just over four hours of searching private and public databases -- more than 500 pages worth of data on Rick Dakan, who was attending the conference and had agreed to participate in the project. "All I had given him was my e-mail and name," Dakan said. "He knew everywhere I'd lived, every car I had driven, and even someone else in Alabama who was using my Social Security number since 1983.Emphasis will be placed on discussing the "digital footprints" that we all leave in our daily lives, and how it is now possible for an investigator (or government Agent) to determine a person's likes and dislikes, religion, political beliefs, sexual orientation, habits, hobbies, friends, family, finances, health and even the person's actual physical whereabouts at any given moment, solely by the use of online data and related activity

Never mind landing the job. Now people on the lookout for employment have another cause for worry: identity theft. As the joblessness rate soars, scammers are ginning up fake Web sites or posing as recruiters to trick job seekers into giving up sensitive personal information. Corneilus Allison became a potential target after he applied for a position at Aetna (AET) in January, court documents show. In hopes of securing a position at the insurer, he entered required personal information into Aetna's job Web site. In May he received a response-but it wasn't an offer of employment. Aetna instead told him that his personal information, including his Social Security number, might have been compromised. Hackers had found their way into Aetna's job application site, managed by an outside vendor, nabbed e-mail addresses of job seekers, and sent correspondence as if from Aetna asking for additional personal information.

It is hard work looking for a job, Matt Sawyer said. "Well with the economy being down right now, it's pretty hard," said Sawyer. Like most job hunters, Matt is posting his resume on various online job sites. But you have to be careful when sending out your personal information over the Internet, privacy expert Pam Dixon said. "The problem is, if you don't use it correctly, it can come back to haunt you," she said. Dixon runs the World Privacy Forum and warns job hunters to be cautious with their personal information when posting their resume. "In fact any competent job site will give you the option of hiding your personal information," said Dixon. Scam artists have been known to steal personal information from resumes and use it to apply for credit. That is why Dixon said you should only include your first initial and last name, no full names, when writing your resume. She also said not to include your phone number or address. Dixon said you should create an email address that is temporary and just use it for your job search. Dixon said scam artist will even call people from their resume and ask for detailed information like a copy of their driver's license or social security number or even their credit card information. The scammers will claim it's for a background check but it's only to steal from the job seeker. Matt admits if he was approached for a job he might give away too much information. "I think when people first get that call and they're real excited about it, they might just jump into it and go ahead and do it," he said.

Be careful what information you give to recruiters!

Insurance company Aetna has contacted 65,000 current and former employees whose Social Security numbers (SSNs) may have been compromised in a Web site data breach. The job application Web site also held names, phone numbers, e-mail and mailing addresses for up to 450,000 applicants, Aetna spokeswoman Cynthia Michener said. SSNs for those people were not stored on the site, which was maintained by an external vendor. The company found out about the breach earlier this month when people began receiving spam messages that appeared to come from Aetna and complained to the company, Michener said. The spam purported to be a response to a job inquiry and requested more personal information. The spam campaign showed the intruders successfully harvested e-mail addresses from the Web site, although Michener said it's not clear if SSNs were also obtained. Nonetheless, Aetna sent letters last week notifying the 65,000 people whose SSNs were on the site of the breach. The company is offering them one year of free credit monitoring, as SSNs are often used by identity thieves. "We wanted to err on the side of caution," Michener said. Aetna hired an IT forensics company to investigate how the Web site had been compromised. "At this point despite a thorough review, they've not been able to pinpoint the precise breach," Michener said. Aetna posted alerts on the job site, its main Web site and its internal intranet about the spam campaign, Michener said.

It is information no one would want scattered on papers in a parking lot, much less thrown away in a dumpster for anyone to find. Medical records were found behind a 99 Cents store in southwest Houston putting people's identities at risk. "This has got Social Security numbers, Medicare numbers. That's pretty serious," said the man who found the documents. Dozens of documents with sensitive personal information were dumped. A self-proclaimed dumpster diver who wants to remain anonymous found them.

Chase Bank has sent out data breach notification letters to an undisclosed number of customers after a computer tape with customers' personal information was reported missing from a third-party vendor's storage facility. Tom Kelly, spokesperson for New York-based Chase, the commercial/consumer banking arm of financial giant JPMorgan Chase, says the vendor -- which he would not name -- confirmed it received and maintained the tape, and that its offsite facility had been searched thoroughly after the tape disappeared. Kelly would not say if the data on the tape was encrypted, but says its data can be read only with special equipment and software. "We have no evidence to indicate any of the information has been viewed or used inappropriately," Kelly says. A local ABC News station in Louisville, KY first reported the missing data tape and the notification letters being sent in August. Kelly says the notification letters are being sent out in batches, but would not say how long the tape has been missing, nor what type of customers' information (credit or banking) was on the tape. The electronic files, according to the notification letter, may have included names, addresses and Social Security numbers, but did not include any banking or financial information. Affected customers are being offered a free one-year subscription to the bank's identity protection program, Kelly says. For more information on 2009 data breaches involving financial institutions, see this interactive timeline

Imagine this nightmare scenario: You've contracted with a vendor to enter personnel data into a new computer system. You give the vendor confidential data regarding your employees, including their Social Security numbers, addresses, names of dependents, health records and bank account routing numbers. Then the vendor notifies you that employee data was somehow stolen or lost. What do you do? It happens more often than anyone would like to admit. The Federal Trade Commission estimates that 9 million Americans have their identities stolen each year. More than 262 million records have been breached since January 2005

A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.

Veterans suffering anxiety and paranoia following the theft of a government hard drive containing the medical histories and Social Security numbers of 198,000 of their brethren cannot recover financial damages, a federal appeals court says. The 11th U.S. Circuit Court of Appeals, in largely dismissing a class-action, ruled Wednesday that the veterans could recoup at least $1,000 under the Privacy Act if they could show financial damages, not mental anguish. What's more, the Atlanta-based court noted that the veterans - some already suffering post-traumatic stress syndrome from their Vietnam War days - likely could recover damages for mental anguish associated with the data breach if the lawsuit was before a different court. That's because the courts of appeal across the nation have issued conflicting interpretations of the Privacy Act of 1974, which allows people to sue the government for privacy breaches and recover "actual damages." Precedent in the 11th Circuit, which includes Alabama, Florida and Georgia, interprets "actual damages" as money losses only. So 198,000 veterans - whose life history was on a hard drive that vanished from a Birmingham, Alabama Veterans Administration hospital - are out of luck, even if their war-time paranoia was exacerbated by the breach. The 11th Circuit noted (.pdf) that the 5th U.S. Circuit Court of Appeals and the 10th U.S. Circuit Court of Appeals "do not restrict 'actual damages' under the Privacy Act to pecuniary losses." And the Supreme Court has refused to resolve the circuit splits.

"Computer scientists have recently undermined our faith in the privacy-protecting power of anonymization, the name for techniques that protect the privacy of individuals in large databases by deleting information like names and social security numbers. These scientists have demonstrated that they can often "reidentify" or "deanonymize" individuals hidden in anonymized data with astonishing ease. By understanding this research, we realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed. This mistake pervades nearly every information privacy law, regulation, and debate, yet regulators and legal scholars have paid it scant attention. We must respond to the surprising failure of anonymization, and this Article provides the tools to do so."

Assumption of privacy through anonymization of data is called into question by deanonymization techniques. The work is not new but its implications have gone under-realized. In a country struggling to understand how to even define privacy, will anyone listen?