Nov 19 2009

Health Net healthcare data breach affects1.5 million

Category: hipaa,Security BreachDISC @ 2:10 pm

Health Net, Inc.
Image via Wikipedia


Here we have another unnecessary major security breach in a large healthcare organization which resulted in a loss of patient data demonstrating poor baseline security. They clearly are not ready for the new HIPAA provision ARRA and HITECH. Review my threats page and evaluate your current business and system risks to make sure this does not happen to you.
Contact DISC for any question or high level risk assessment.

The Practical Guide to HIPAA Privacy and Security Compliance

By Robert Westervelt, News Editor
19 Nov 2009 | SearchSecurity.com

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30.

Connecticut Attorney General Richard Blumenthal said he was investigating the matter and why it took Health Net six months to report the healthcare breach.

“My investigation will seek to establish what happened and why the company kept its customers and the state in the dark for so long,” Blumenthal said in a statement. “The company’s failure to safeguard such sensitive information and inform consumers of its loss — leaving them naked to identity theft — may have violated state and federal laws.”

Blumenthal said the hard drive also contained financial data, including bank account numbers. He is seeking coverage for comprehensive, long-term identity theft protection for those customers affected by the breach.

Health Net provides medical coverage for approximately 6.6 million people and its subsidiaries operate in all 50 states. In a statement, the company said the breach took place in its Connecticut office. So far there have not been any reports of fraud tied to the missing data..

“Health Net will provide credit monitoring for over two years – free of charge – to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” the company said.

It is the second time in a month that a healthcare provider lost customer data. Anthem Blue Cross and Blue Shield of Connecticut reported a stolen laptop was to blame for a breach compromising the personal information of 850,000 doctors, therapists and other healthcare professionals.

Security experts have long been advocating that enterprises deploy encryption on laptops and other devices that contain sensitive data. Still, all the technology in the world won’t end employee mistakes and carelessness, said Mike Rothman an analyst with Security Incite.

“You can do full disk encryption and all sorts of things to protect the device, but you are still fairly constrained by user sophistication,” Rothman said. “You have to start asking questions from a process standpoint relative to why this stuff was on an external drive in the first place.”

In reality you could turn off all USB ports on your devices, but that could hinder employee productivity, Rothman said. Security always gets back to making sure you have the right processes and policies in place and the right training and awareness so that employees understand what those policies are and ways to audit those processes, he said.

Experts say encryption should be used as a last resort when all other security policies and processes fail. While many enterprises have focused on encrypting laptops at the endpoint, encryption can be a bit trickier for portable hard drives and other removable media. If the drive is being shared between different systems people need to have some way to access the key, said Ramon Krikken, an analyst at the Burton Group.

“A lot of these portable hard drives are older without built-in encryption and to the extent to which you can easily deploy encryption has been a challenge for enterprises,” Krikken said.

Some USB makers market the devices with built-in encryption software. In 2008, Seate Technology extended full disk encryption technology to all its enterprise-class hard drives. The company also began pushing for standards for hard drive encryption in storage systems.

Nagraj Seshadri, head of product marketing at Utimaco the encryption software division of Sophos Plc, said healthcare organizations need to be just as responsible as financial firms when it comes to protecting data.


Perhaps healthcare management still doesn’t realize that they might be potentially liable for lack of reasonable safeguards to protect organization assets. Do you think it’s time for healthcare management to take information security seriously as a potential business risk?

Related articles by Zemanta

Reblog this post [with Zemanta]

Tags: arra and hitech, data loss prevention, data security, disk encryption and file encryption, Health care, Health Insurance Portability and Accountability Act, Identity Theft, identity theft and data security breaches, Personally identifiable information, Security, security awareness training

Nov 05 2009

Senate Panel Clears Data Breach Bills

Category: Information Privacy,Security BreachDISC @ 6:29 pm

The Senate's side of the Capitol Building in DC.
Image via Wikipedia
Legislation Heads for a Senate Vote

November 5, 2009 – Eric Chabrow, Managing Editor
The Senate Judiciary Committee Thursday approved two companion bills that would require businesses and government agencies to notify individuals of security breaches involving sensitive personally identifiable information. Both bills go to the Senate for consideration.

The Personal Data Privacy and Security Act, or S. 1490, designates as fraud unauthorized access of sensitive personally identifiable information, which would lead to racketeering charges. The measure, sponsored by Committee Chairman Patrick Leahy (at left), D.-Vt., also would prohibit concealment of security breaches involved in fraud and prohibit the dismissal of a Chapter 7 bankruptcy case if the debtor is an identity-theft victim.

The other measure, the Data Breach Notification Act, or S. 139, would require federal agencies and businesses engaged in interstate commerce to notify American residents whose personal information is accessed when a security breach occurs. An exception: if notification would hinder national security or a law enforcement investigation. S. 139, sponsored by Sen. Dianne Feinstein, D.-Calif., also would require notice to the Secret Service if records of more than 10,000 individuals are obtained or if the database breached has information on more than 1 million people, is owned by the federal government, or involves national security or law enforcement.

Among the objections raised by Sens. Jeff Sessions of Alabama, the committee’s ranking Republican, and Jon Kyl of Arizona, the Republican whip, focused on the provisions defining personally identifiable information (PII) to include an individual’s full name along with at least two of the following: the person’s birth date, home address, telephone number and mother’s maiden name.

Sessions said this information is available from other public records, such as a telephone directory, and would place an undue financial burden on businesses to notify customers of the breach if that was the only information exposed. Kyl said if the bill results in too many notices being sent, consumers might ignore them, similar to how the public views the orange alert on terrorism. “With frequent notices, customers may not worry about it,” he said.

Another objection raised by a few Republicans – a point dismissed by some of their Democratic colleagues – was the bankruptcy provision in the Leahy bill. The consensus of committee members was that a person victimized by identity theft should face bankruptcy but several GOP members worried that the provision might be used to get persons facing bankruptcy for other reasons off the hook if they also had their identities compromised.

Still, Leahy said the legislation, first introduced four years ago, is overdue, and the public is clamoring for it. He cited a Unisys study that contends more Americans are concerned about identity theft than the H1N1 virus or meeting their financial obligations. Since 2005, the year the bill was first proposed, more than 340 million records containing sensitive PII have been involved in data breaches, he said, citing a Privacy Rights Clearinghouse report.

“This loss of privacy is not just a grave concern for American consumers; it is also a serious threat to the economic security of American businesses,” Leahy said. “The president’s recent report on Cyberspace Policy Review noted that industry estimates of losses from intellectual property to data theft in 2008 range as high as $1 trillion. The FBI’s latest annual report on Internet crime found that online crime hit a record high in 2008 – a 33 percent increase over the previous year. This loss of data privacy is a serious and growing threat to the economic security of American businesses.”

Reblog this post [with Zemanta]

Tags: Cyberspace Policy, Data Breach Notification, Dianne Feinstein, Identity Theft, loss of privacy, Personal Data Privacy and Security Act, Personally identifiable information, S. 139, S. 1490, Senate Judiciary Committee, United States Senate

Apr 09 2009

Social networks and revealing anonymous

Category: Information PrivacyDISC @ 3:02 am

Image representing Twitter as depicted in Crun...
Image via CrunchBase

Privacy is a fundamental human right and in US a constitutional right. Advancement in technology are breaking every barrier to our privacy; at this rate individuals will be stripped of their privacy unless we enact policy protections. In this situation we need to define reasonable privacy for a society in general while keeping threats and public safety as a separate issue. Social networks are becoming a repository of sensitive information and usually privacy is anonymize by striping names and addresses. Fake profiles have been created on social network to be anonymous and a user may create multiple profiles with contradictory or fake information.

Arvind Narayanan and Dr. Vitaly Shmatikov from Univ. of Texas at Austin established an algorithm which reversed the anonymous data back into names and addresses.

The algorithm looks at the relationships between all the members of social networks an individual has established. More heavily an anonymous individual is involved in the social media, easier it gets for the algorithm to determine the identity of anonymous individual.

One third of those who are both on Flickr & Twitter can be identified from the completely anonymous Twitter graph, which deduces that anonymity is not enough to keep privacy on social network. The idea of “de-anonym zing” social networks extends beyond Twitter and Flickr. It is equally applicable in other social networks where confidential and medical data can be exposed such as medical records in healthcare.

“If an unethical company were able to de-anonymize the graph using publicly available data, it could engage in abusive marketing aimed at specific individuals. Phishing and spamming also gain from social-network de-anonymization. Using detailed information about the victim gleaned from his or her de-anonymized social-network profile, a phisher or a spammer will be able to craft a highly individualized, believable message”

Now is it reasonable to say that social network wears no clothes?

Personally identifiable information
California Senate Bill 1386 defines “personal information” as follows:
• Social security number.
• Driver’s license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Names, addresses, email addresses and telephone numbers do not fall under the scope of SB 1386.

HIPAA Privacy defines “Individually identifiable health information” as follows
1. That identifies the individual; or
2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The term “reasonable basis” leaves the defining line open to interpretation by case law.

Arvind Narayanan and Dr. Vitaly Shmatikov paper.


Social network privacy video


httpv://www.youtube.com/watch?v=X7gWEgHeXcA

Reblog this post [with Zemanta]

Tags: Anonymity, Flickr, Personally identifiable information, privacy, Security, Social network, Twitter, Vitaly Shmatikov