[The following is excerpted from "The 8 Most Common Causes of Data Breaches -- And How You Can Prevent Them," a new report published this week on Dark Reading's Attacks and Breaches Tech Center.]

Data breaches have dominated headlines recently. Whether it’s nation-state spies intent on stealing information, cyber pranksters and hacktivists looking for attention, or cybercriminals out to make a buck, there are plenty of adversaries intent on breaking into networks and databases and carrying away whatever
pieces of information they can grab.

“And from pubs to public agencies, mom-and-pops to multinationals, nobody was immune,” the Verizon RISK Team writes in its “2013 Data Breach Investigations Report.”

Verizon investigators analyzed information from 621 data breaches and more than 47,000 security incidents in 2012 that the company or one of its 19 partner organizations had investigated on the behalf of customers.

Motives for the data breaches are diverse. Hacktivists and those looking to make some money generally go after the low- hanging fruit — the insecure systems in the enterprise — to carry out their plans. Organized crime may be a bit more willing to spend the time going after better-protected systems in hopes of a bigger payoff. Then there are those targeting a specific individual or organization — these adversaries are stealthy and persistent enough to slowly chip away at defenses until they get what they are looking for.

Even as the list of victims gets longer, it’s increasingly
clear that some of these breaches could have been prevented. Of the breaches included in the report, 78% had initial intrusions Verizon’s investigators rated as “low difficulty.”

Many of these attacks could have been prevented by adopting security controls, switching authentication schemes and adopting best practices, Verizon suggested.

While Verizon investigators cautioned against trying to treat all the breaches in the same way, they identified several ways in which organizations have been compromised. Understanding these categories can
help organizations figure out how best to boost their defenses.

Several of the most common attack methods in the report fall into two broad categories: hacking and malware. The report identifies hacking as the most common method, at 52%, followed by malware, at 40%, and physical attacks — such as adding skimming
hardware on ATMs — at 35%. Social engineering
is also a serious problem, at 29%. “Misuse,” which includes activities such as privilege abuse and using unapproved hardware and correlated strongly with insider attacks, was observed in 13% of the breaches. User error rounded out the list with 2%.

“Treating our adversaries as random and unpredictable
is counterproductive. We may be able to reduce the majority of attacks by focusing on a handful of attack patterns,” Verizon researchers write in the report. Following are eight ways that enterprise systems and data are being targeted.

1. Weak and Stolen Credentials, a.k.a.
Passwords

Article source: http://www.darkreading.com/perimeter/the-eight-most-common-causes-of-data-bre/240155330

Hidden vulnerabilities lie in everyday activities that can expose personal information and lead to data breach, including buying gas with a credit card or wearing a pacemaker.

Every transaction and health record is now collected, categorized, sorted, and analyzed—and can be hacked. Microcomputers that control aspects of everyday life—from heart rhythms and insulin levels, to the operation of manufacturing plants and data centers, to the use of electricity in homes and gasoline usage in cars—are increasingly at risk for data breach and can threaten public safety.

Industry experts offer insights on top hidden vulnerabilities that can cause data breach:

1. Wireless medical devices. A wireless pacemaker can wirelessly transmit patient data 24/7 that could be used to steal, exploit, or tamper with patient’s health records, with potentially life-threatening consequences. – Rick Kam, president and co-founder, ID Experts.

2. Skimming devices at gas stations. Highly sophisticated credit card skimming devices at gas stations are stealing from consumers. A fake credit card reader is placed over the bank’s equipment to capture a customer’s personal identification number and sends the credit card information to a nearby computer. – Dave Navetta, founding partner, Information Law Group.

3. Web crawlers/Web spiders. Search engines utilize software applications to systematically browse and index content available over the World Wide Web. An improper firewall setting could allow for the contents of a server containing sensitive personal information to be indexed and for that information to appear in search results. – Eric A. Bukstein, associate, Hogan Lovells.

4. Paper records. Covered entities are now so focused on IT security matters, that there is a danger that basic privacy safeguards for paper records will not keep up with changes in work processes. Safeguards for handling paper records are needed, as much as ever, to keep protected health information out of the wrong hands during routine use, as well as en route to storage, the shredder, or disposal. – Terrill Clements, equal opportunity specialist, U.S. Department of Health and Human Services, Office for Civil Rights – Region X.

5. Malicious mobile applications. Smartphone applications are fun, useful, and prevalent. But malicious code can be easily embedded within applications, with the sole intention of grabbing and stealing consumer data, including credit card numbers and other personally identifiable information. – Robin B. Campbell, senior counsel, Crowell Moring.

6. Search history poisoning. Cyber criminals will continue to infiltrate search engine algorithms and other search mechanisms that control what information is presented to users on the Internet, potentially giving hackers access to the user’s personal information. Researchers believe that manipulating users’ search histories may be the next step for attackers to use legitimate resources for illegitimate gains. – Steven Anderson, vice president and senior underwriter, XL Group.

7. Bring Your Own Device (BYOD). Most organizations now allow employees to access company data via personal smartphones, yet lack appropriate security protocols to protect the data, thus adding significant risk exposure to patient records. – Robin Slade, development coordinator, Medical Identity Fraud Alliance.

8. Cloud-based file sharing tools. Storing unencrypted files and documents can put data at risk for loss or hackers. Organizations should take precautions when using file-sharing services in the cloud so they don’t expose sensitive information. – Larry Ponemon, chairman and founder, The Ponemon Institute.

9. LinkedIn lurking. If your LinkedIn profile contains the words “payroll,” “HR” or “Finance,” you’ve painted a bull’s eye on your back for Spear Phishing. Not only that, LinkedIn provides the hackers with the names of your closest contacts, people whose emails you’re more likely to open if the hackers try using password-stealing malware. – Winston Krone, managing director, Kivu Consulting.

10. Human error. A growing majority of breaches occurs because of a human error on the inside of an organization; we recognize this based on the claims we are paying. Organizations should be asking how personally identifiable information is being handled, stored, accessed, and who is accountable for protecting it. An organization should have the right policies, procedures, and training in place to build awareness around the importance of protecting this data. It should be from the top down. – John Gambale, head of professional liability, U.S. and Canada, AIG.

“Emerging privacy and security vulnerabilities are often overlooked in planning for PII and PHI security,” said Rick Kam, president and co-founder of ID Experts. “The problem is that any computer can be hacked; and any device is capable of transmitting personal information. Proactive assessment can help organizations minimize risks to their customers and their business.”

Article source: http://www.net-security.org/secworld.php?id=14945

In a recently published judgment, the Court said that the Data Protection Act (DPA) does not oblige businesses to pay individuals compensation for distress that causes damage where the distress caused is not attributable to a breach of the Act.

Under section 13 of the DPA a person is generally entitled to compensation if they suffer damage as a result of violations of a section of the DPA by organisations that hold their personal data. Individuals are also generally entitled to compensation from those data controllers if they suffer distress that causes damage.

Organisations do have a defence to this right to compensation if they can “prove that [they] had taken such care as in all the circumstances was reasonably required to comply with the requirement [that it is alleged to have breached].”

Lady Justice Arden, Lord Justice Lloyd and Mr Justice Ryder were ruling on the point whilst assessing what extent of damages a finance company should be liable to pay a consumer, referred to as ‘Halliday’ in the ruling, in relation to distress suffered by the man.

Halliday had previously won an order from a district court against Creation Consumer Finance Limited (CCF) in which the finance company was ordered to pay £1500 in compensation and legal costs to settle claims that it had breached Halliday’s rights under the DPA. CCF was also ordered to end a credit agreement that had been in place with Halliday, delete all of the consumer’s personal data from its systems and provide Halliday with a list of organisations it had passed his details onto and ensure that those bodies deleted the information.

However, CCF paid the £1500 it owed Halliday into a closed bank account. The company pursued the bank to have the money returned and then sought to recover the money from Halliday. During this process Halliday noticed that CCF had entered incorrect information about him in their systems that showed that he was £1500 in arrears. Halliday also found out that the information had been shared with credit reference agency Equifax.

Halliday claimed that CCF had breached the terms of the district court order and that he had been “highly distressed” about that fact and “especially when coupled with the court’s seeming inability to protect its process from abuse”, according to the Court of Appeal’s judgment. He said that CCF should have to pay between £6,000 and £18,000 to compensate him for the distress it had caused.

The Court of Appeal said, though, that Halliday could not claim compensation for distress that was not caused by the actual data protection breach itself.

“[In order to be eligible to claim compensation for distress that causes damage under the DPA] it is clear that the claimant has to be an individual, that he has to have suffered distress, and that the distress has to have been caused by contravention by a data controller of any of the requirements of the Act,”  Lady Justice Arden said in the Court of Appeal’s ruling. ”In other words, this is a remedy which is not for distress at large but only for contravention of the data processing requirements.” 

“It also has to be distress suffered by the complainant and therefore would not include distress suffered by family members unless it was also suffered by him. When I say that it has to be caused by breach of the requirements of the Act, the distress which I accept Mr Halliday would have felt at the non-compliance of the order is not, at least directly, relevant because that is not distress by reason of the contravention by a data controller of the requirements of this Act. If the sole cause of the distress had been non-compliance with a court order, then that would have lain outside the Act unless it could be shown that it was in substance about the non-compliance with the Data Protection Act,” the judge said.

The Court said that Halliday’s distress had not be directly related to CCF’s data protection breach and that therefore the finance company should only have to pay £750 in substantial damages and a further £1 in nominal damages in way of compensation over the case.

Lady Justice Arden said that the breach “did not lead to a loss of creditor reputation” for Halliday and that there was “no proof of any fraudulent or malicious intent on the part of CCF”. The breach was caused by a single error only by CCF, she said.

Data risks expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that claims for damages under section 13 of the DPA are often brought in conjunction with other claims.

“It is very rare for claims made under section 13 of the DPA to be brought in isolation,” Birdsey said. “More commonly they are made alongside other claims, for example, breach of privacy rights or copyright infringement. The Douglas v Hello! case provides a good example in a privacy context.”

“Claimants often find that they have stronger claims based on other causes of action, where the measure of damages is also more significant. Courts tend to award only nominal damages under section 13 of the DPA so any damages awarded tend to pale into insignificance compared to those awarded for privacy or IP claims,” he said.

“In addition, individuals can find it hard to show that they have suffered financial harm as a result breaches of the Data Protection Act. There may not be an identifiable financial harm that consumers can point to having suffered unless they have been the victim of fraud, or perhaps incurred other costs, as a result of a data breach where their credit card details were stolen, for example,” Birdsey added.

Article source: http://www.out-law.com/en/articles/2013/may/distress-must-be-directly-linked-to-data-breach-for-consumers-to-claim-compensation-rules-court-of-appeal/

Article source: http://www.rte.ie/news/2013/0520/451428-data-protection/

What data breach? Are you talking about the one that happened at Heartland in 2009? Or, maybe the Fidelity one from 2011? Again, no?

Oh, you’re referring to the latest one that led to the arrests in New York of several people who fraudulently withdrew $45M from several ATMs.

By now, it should be obvious what’s different about the latest breach. If not, read on.

High-profile breaches in the past, like the ones that hit Heartland Payment Systems and Fidelity National Information Services, involved theft of payment card information. The current one has gone further and has actually resulted in the loss of money. It’s
accordingly known as “$45M ATM heist” than data breach.

Like other past breaches into payment information, this one also began as breaking and entering into the databases of several payment processors – including ElectraCard Services and EnStage – who hold sensitive card information of banking customers. The
first BE into ElectraCard Services happened in December 2012 and the second one involving EnStage, in February 2013. At the time, there was little publicity about these breaches, at least nothing that caught my eye. The real media frenzy began only when the
scamsters who used the stolen information to withdraw money from ATMs were apprehended in NYC about 10 ten days ago. In other words, this is one of the rare cases of a high-profile data breach that is directly linked to financial losses.

Like an onion peel, details of the present incident are unraveling day by day. I hope we’ll eventually get answers to the following questions:

• Where were the PIN and magstripe data stolen from? (According to its statement, it was not from ElectraCard Services)
• Was the data stolen from inhouse data centers of the payment processors? Or was it located on a “cloud” provided by some third party cloud services companies? Although this might seem irrelevant for a common man, it’s necessary to get into these details
  so that security professionals can plug the right holes.
• Between the time the security breaches reportedly happened in December 2012 / February 2013 and the ATM heists  occurred earlier this month, did the banks involved – National Bank of Ras Al-Khaimah PSC and Bank of Muscat - reach out to all the affected
  cardholders and ask them to change their ATM PIN numbers?
• How soon were the withdrawal frequencies and limits reset to their original – and correct – values?

I also hope this incident makes it amply clear to regulators that large scale frauds happen as a result of breaches into payment processors’ systems, and not when individual
cardholders are shopping online and putting through one-off transactions. Keeping this in mind, they should revisit their present approach of trying to prevent fraud by insisting on cumbersome two-factor authentication for all sizes of online and mobile payment
transactions. Such a procedure adds friction and causes heavy shopping cart abandonment (more on that here) while proving futile when sensitive data
comes under an attack where it’s found in bulk. Instead, regulators should shift their focus to ensuring that payment card information is encrypted and stored absolutely safely. In this context, the CEO of Heartland Payment Systems

set the tone by accepting that, when it comes to security levels to be maintained by payment processors, PCI certification is necessary but not sufficient.

Article source: http://www.finextra.com/Community/FullBlog.aspx?blogid=7711

Last fall, when Linda Mendez was offered discount phone service through a federal program for the poor, the San Antonio mom thought it was too good to be true. She signed up anyway.

Mendez, 51, works the graveyard shift at a university gym. She uses many of her cellphone’s 250 minutes a month to check on her husband and four young children, including a daughter with Down syndrome.

“I’m always telling my husband, ‘where’s my phone?’” Mendez said, adding that it also helps her stay in touch with her three adult children and 13 grandchildren.

“I need it because something’s usually happening.”

For all the convenience afforded by Lifeline, the federal program that subsidizes phone service for qualified low-income households, Mendez now says her initial doubts were justified.

Tens of thousands of Lifeline applicants, including Mendez, were exposed this spring to the risk of identity theft by the phone carriers that signed them up for the program.

More than 170,000 records from two participating companies — Oklahoma City-based TerraCom Inc. and its affiliate, YourTel America Inc. — were posted online, a Scripps News investigation has found. The records, from residents of at least 26 states, include Social Security numbers, dates of birth and information about participation in other government-assistance programs. Of those records, 343 were viewed by unknown individuals, an official for both companies acknowledged.

Scripps unearthed the documents through a simple Google search and alerted TerraCom and YourTel of its findings on April 26. Within hours, the records no longer were publicly accessible.

TerraCom officials declined numerous requests for an interview, though a spokesman for the company said it has notified federal and state officials of the security breach.

Lifeline, begun in 1985 to aid low-income families, was expanded to include wireless service in 2005. Adding cellphones also created problems: Some customers received multiple phones. Some carriers sent them to people who’d never applied.

Liberal distribution pays off for the hundreds of phone companies participating in Lifeline. They’re reimbursed at least $9.25 per line per month. American consumers pick up the tab for the program and other federal communications efforts through an average $2.73 monthly surcharge on their phone bills.

Growing concerns about waste, fraud and abuse led the Federal Communications Commission last year to tighten program rules. It limited household reimbursement to one phone line, for instance, and required Lifeline carriers to document applicants’ eligibility. Before that, a customer’s signature was sufficient.

Subscriptions, which peaked at 18.2 million last August, dropped to 13.2 million last month.

New responsibility for vetting applicants is driving carriers to collect more sensitive information — which they’re expressly forbidden from keeping.

Carriers “must not retain copies of applicant’s personal documentation that is viewed to validate eligibility,” the Universal Service Administrative Co., the nonprofit that runs the Lifeline program, instructs on its website.

However, personal documents collected by TerraCom and YourTel America workers and dating back to September were posted to the Internet, Scripps found. The records were being stored by Call Centers India, a contractor hired to help the carriers determine Lifeline applicants’ eligibility, according to TerraCom attorney Jonathan Lee.

The FCC, which declined interview requests, is “aware of this incident,” an FCC spokesman wrote in an email, noting that a carrier could be fined up to $1.5 million for a single violation of privacy.

The commission and TerraCom have had previous dealings. In February, TerraCom and YourTel together paid $1 million in fines and “voluntary” contributions to close an FCC investigation into their billing practices, according to the commission. TerraCom also faces ongoing inquiries about its business practices from regulators in Oklahoma and Indiana.

The Indiana attorney general’s office, responding to Scripps’ reporting, has launched an investigation into the release of TerraCom applicants’ personal records. The Texas attorney general’s office is also making inquiries about the publicly posted information.

The records include 44,000 application or certification forms and 127,000 supporting documents or “proof” files, such as scans or photos of driver’s licenses, tax records, pay stubs and passports. Taken together, the records expose residents of at least 26 states.

The application records, drawn from 18 of those states, generally date from last September through November. The proof files, from last September through April, include residents of at least eight remaining states.

Immediately after Scripps notified TerraCom of the records discovery, the phone carrier contacted the company it had hired to review applications and store data. Call Centers India, which also does business under the name Vcare Corp., began an “intensive investigation

Article source: http://www.kypost.com/dpps/news/national/data-breach-puts-lifeline-phone-applicants-privacy-at-risk_8508556

News Release    

Most Kiwis Concerned about
Data Breaches at Banks and Credit Card Companies – Unisys
Security Index finds

The protection of
personal data against accidental loss, theft or deliberate
hacking is a key security issue for New
Zealanders

WELLINGTON, 22 May 2013
– In the wake of recent high profile data
breaches, the latest Unisys Security
Index shows the majority of New Zealanders are concerned
that a range of commercial and government organisations are
vulnerable to data breaches, particularly financial
institutions, telecommunication providers and government
services.

The national survey of 505 adult New Zealanders
conducted in April 2013 by Consumer Link, found
three-quarters of respondents are concerned about an
accidental or deliberate data breach of information held by
banks or credit card companies and two in three people are
similarly concerned about telecommunications providers and
government services.

“The results show that
New Zealanders are familiar with the risk of data breaches
and are concerned about their potential impact across a
range of industries and government departments,” said
Steve Griffin, country manager, Unisys New Zealand. 
“Only airlines and hotels recorded a result below 50
percent.  This likely reflects the priority individuals
place on protecting what they consider to be high value data
such as financial, taxation and medical
details.”
“Recent data breaches such as the incident
at the Earthquake Commission (EQC)1 where customer data was
inadvertently sent to the wrong person, highlight that the
risk of an accidental breach caused by human error is just
as critical as the malicious threat of theft or deliberate
hacking.  Organisations must therefore protect against
internal threats using a combination of security policies,
employee education (to make sure they understand how and why
to comply with these policies) and technology solutions such
as encryption,” Mr Griffin said.

“The Unisys Security
Index results also send a message to governments and
companies that the public perception of data security has
been compromised by high profile breaches that have
undermined public confidence. Organizations must take action
to regain that trust,” said Mr Griffin.

Unisys
Security Index shows decreasing security concerns across New
Zealand
The overall Unisys Security Index score
for New Zealand is 134 out of 300, down 10 points from 144
compared to March 2012.  Of the 12 countries where the
research was conducted, New Zealand recorded the second
largest decrease over this period, behind only the
US.
Issues related to identity theft remain the top
concern, with 56 percent of New Zealanders extremely or very
concerned about unauthorised access to or misuse of their
personal information, and 55 percent concerned about other
people obtaining or using their credit/debit card
details.
1Earthquake Commission Open letter to customers
- http://www.eqc.govt.nz/news/an-open-letter-to-eqc-customers

About the Unisys Security Index
The
Unisys Security Index is an annual global study that
provides insights into the attitudes of consumers on a wide
range of security related issues.  Conducted in New Zealand
by market research firm Consumer Link, the Unisys Security
Index provides a regular, statistically robust measure
gauging levels of concern about various aspects of security.
The current New Zealand Unisys Security Index survey was
conducted nationally between 9-15 April 2013 using a
nationally representative sample of 505 respondents aged 18
years and over.  All results have been post-weighted to
Statistics New Zealand census data.  The study measures
consumer perceptions on a scale of zero to 300, with 300
representing the highest level of perceived concern.  The
research was conducted across 12 countries:  Australia,
Belgium, Brazil, Columbia, Germany, Malaysia, Mexico,
Netherlands, New Zealand, Spain, UK and US.  For more
information on the Unisys Security Index including
additional resource material visit: www.unisyssecurityindex.co.nz 

About Unisys
Unisys is a worldwide
information technology company. We provide a portfolio of IT
services, software, and technology that solves critical
problems for clients. We specialise in helping clients
secure their operations, increase the efficiency and
utilisation of their data centres, enhance support to their
end users and constituents, and modernise their enterprise
applications. To provide these services and solutions, we
bring together offerings and capabilities in outsourcing
services, systems integration and consulting services,
infrastructure services, maintenance services, and high-end
server technology. With approximately 23,000 employees,
Unisys serves commercial organisations and government
agencies throughout the world. For more information, visit
www.unisys.com.

About Unisys Asia Pacific
In Asia
Pacific, Unisys delivers services and solutions through
subsidiaries in Australia, New Zealand,
China, Hong
Kong, India,
Malaysia, The
Philippines, Singapore, and
Taiwan  and through distributors or resellers in other
countries in the region. 
For more information, visit
www.unisys.co.nz. 
Follow us on www.twitter.com/UnisysAPAC.

ENDS

© Scoop Media

Article source: http://www.scoop.co.nz/stories/BU1305/S00860/most-kiwis-concerned-about-data-breaches-at-banks.htm

Most New Zealanders have lost confidence that government departments, financial institutions and telecommunications companies can keep their private information safe, according to a recent survey.

The Unisys Security Index survey has found three quarters of the 505 respondents were concerned about an accidental or deliberate data breach of information held by banks or credit card companies, and two in three people surveyed were concerned about telecommunication providers and government services.

Unisys New Zealand company manager Steve Griffin said of the organisations in the survey, only airlines and hotels recorded a result below 50 per cent level of concern.

“This likely reflects the priority individuals place on protecting what they consider to be high value data such as financial, taxation and medical details.”

Mr Griffin said recent data breaches such as with the Earthquake Commission (EQC), where customer data was inadvertently sent to the wrong person, highlighted that the risk of an accidental breach caused by human error was just as critical as the malicious threat of theft or deliberate hacking.

The public believed their personal and credit card data was “significantly at risk”.

“Organisations have got to respond to that risk to bring back that confidence level of the people using their services.”

People need to use trusted organisations but understand the risks involved, he said.

Most of the recent publicised data breaches were accidental rather than malicious, Mr Griffin said.

“But you can imagine the more and more breaches that become very very public, the lower the confidence is going to be in those organisations.”

It wasn’t a simple task for organisations to rebuild public confidence, but it needed a “concentrated effort”, to achieve the right levels of security, Mr Griffin said.

The survey measured consumer perceptions on a scale of zero to 300, with 300 representing the highest level of perceived concern.

The Unisys Security Index score for New Zealand was 134 out of 300 – down 10 points from 144 recorded in March last year.

The research was conducted in Australia, Belgium, Brazil, Columbia, Germany, Malaysia, Mexico, Netherlands, New Zealand, Spain, the United Kingdom and the United States.

***

Percentage of New Zealanders concerned about a data breach by accidental loss, theft or deliberate hacking at the following types of organisations:

• Financial services such as credit card companies and banks: 76 per cent;

• Telecommunication providers and internet service providers: 65 per cent;

• Government services such as social welfare, tax office or immigration: 63 per cent;

• Health organisations, hospitals and doctors: 57 per cent; and

• Airlines and hotels including frequent flier programs: 42 per cent.

- APNZ

By Rebecca Quilliam Email Rebecca

Article source: http://www.nzherald.co.nz/nz/news/article.cfm?c_id=1&objectid=10885327

New York’s Dent Neurologic Institute (DNI) recently announced that an employee mistakenly attached patient information to an e-mail sent to approximately 200 patients on May 13, 2013 (h/t Becker’s Hospital Review).

The attachment contained 10,000 patient names, mailing addresses, e-mail addresses, primary physicians, referring physicians, last appointment and scheduling code. No diagnoses, Social Security numbers, birthdates, financial data or phone numbers were exposed, according to DNI.

DNI CEO Joseph Fritz says the error was discovered right after it occurred, and DNI personnel began immediately calling the 200 people who mistakenly received the information to ask them to delete it. The institute plans to send a letter of apology and explanation to all 10,000 patients affected, as well as their referring physicians.

“We are very sorry this happened and we deeply apologize to all of our patients, referring physicians and WNY healthcare partners,” Fritz said in a statement. “Patient confidentiality is extremely important in our field and we take it very seriously and we will review how this accident happened so we can take steps to minimize the possibilities it could ever happen again.”

Patients with questions are advised to call (716) 250-2000 during business hours, or (716) 558-3534 after hours.

Article source: http://www.esecurityplanet.com/network-security/dent-neurologic-institute-acknowledges-data-breach.html

There is more patient data exposure news from Buffalo, NY, as following the recent health data breach at DENT Neurologic Institute, the Erie County Comptroller’s office (headed by Stefan I. Mychajliw) reported that paper health records with protected health information (PHI) were left out in public view by the Department of Social Services (DSS).

The comptroller apparently learned of the breach during an audit and, according to The Buffalo News, the records contained copies of birth certificates, personal medical records, Social Security numbers, bank accounts, tax returns, inmate records, payroll information, court records and passports. DSS had previously refused auditors the opportunity to review records following reports that it hadn’t been checking for patient qualifications for those seeking benefits. In an ironic twist, however, DSS found full patient files that were meant to be shredded sitting in open boxes at a loading dock.

Much of this case is still unknown, including how many patients are involved, definitively what information has been compromised and whether any patients have suffered identity theft or credit problems as result of the breach.

“It shouldn’t happen in today’s day and age. We have the ability to ensure that these documents be kept secure, but a number of individuals in county government didn’t follow the rules…and if they’re still not following the rules after being warned, they should be fired,” Erie County Executive Mark Poloncarz said to WGRZ.com.

Erie County Executive’s spokesperson Peter Anderson was not a fan of the way the breach was publicized, saying that the Comptroller released details of the audit to the public before informing the administration. Anderson said that Erie County took steps to remediate the breach as soon as it learned of the issue on April 1. There was a press conference this morning in which Erie County Legislator Lynne Dixon was expected to request a legislative hearing to delve further into what went wrong.

While the investigation is still ongoing, as far as breaches go, this may be damaging to the Erie County DSS because of the carelessness of the breach combined with the nature of the data that was exposed. We’ve already seen plenty of cases of tax fraud schemes and patients finding out months later that their data had been compromised. How will an incident in which the DSS doesn’t know who’s accessed the data fall under HIPAA jurisdiction? As many healthcare organizations have already done to this point, it’s better to be safe than sorry, but how that applies to a state government organization remains to be seen.

Information from PHIPrivacy.net was used in this story.

Article source: http://healthitsecurity.com/2013/05/21/erie-county-dss-investigating-health-data-breach/