Massive data breach at local health care group

A massive data breach has been reported at Mercy Medical Center in Redding.

Dignity Health, which owns Mercy Medical, announced today that information from 520 patients was inappropriately accessed.

The incident involved its business partner Navi-Health, which assists Mercy with patient support after patients leave the hospital.

From June 2015 to May 2016 Navi-Health unknowingly employed a person as a case manager who was working under an assumed identity and nursing license.

The company has severed ties with the case manager and police are investigating.

The information accessed included clinical information, lab results, medications and personal information such as name, address, phone number, Social Security number and date of birth.

Patients whose information was compromised are being contacted.

The hospital will also enroll the patients with a credit monitoring service for the next year and assist them in placing a fraud alert in their credit files.

In a statement, Mercy Medical Center said it "deeply regrets the inconvenience this has caused our patients."

Article source: http://www.actionnewsnow.com/news/massive-data-breach-at-local-health-care-group/


Illinois data breach law amended and includes new twists


Article source: http://www.jdsupra.com/legalnews/illinois-data-breach-law-amended-and-33861/


Data Breach Leads to Firing in Alabama Finance Department


Two senior employees with the State of Alabama Department of Finance have been disciplined by Governor Robert Bentley, with one being fired.

James Nolin, Chief Information Officer for the Department of Finance Information Service Division was terminated on June 17. Rex McDowell, Assistant Director of Finance, was placed on leave pending the outcome of an investigation.

Bentley was informed by Alabama Law Enforcement Secretary Stan Stabler on June 10th that “some of the actions of senior managers within the Department of Finance and its Information Services Division are potentially criminal in nature.” The two men were relieved of their duties on June 17th. It is unclear what, if any, information was compromised.

According to a letter Bentley sent to the FBI notifying them of the breach and security concerns it has raised, the network that was compromised supports ALEA and the State of Alabama’s Criminal Justice Information Systems (CJIS).

Bentley has requested that the FBI conduct an investigation into the “full scope of CJIS Security Policy non-compliance and/or the criminal activity of current or former employees of the Alabama Department of Finance.”

Rex McDowell had come under fire in recent years for working only three days a week and commuting from his home in Dallas, Texas while receiving a yearly salary of over $177,000.00.

Article source: http://wkrg.com/2016/06/24/data-breach-leads-to-firing-in-alabama-finance-department/


New York AG Reports on Data Breaches

Why it matters

In a new report, the New York Attorney General’s Office revealed that it received 459 data breach notices between January 1, 2016, and May 2, 2016, an increase of 40 percent over the same time period in the prior year, when the office received a total of 327 notices.

“Data breaches are an escalating threat to our personal and national security, and companies need to do more to ensure reasonable security practices and best standards are in place to protect our most sensitive information,” Attorney General Eric T. Schneiderman said in a press release. “I am committed to stemming the data breach tide. Making notification to my office easier for companies who have experienced a data breach means quicker notification and quicker resolution for New York’s consumers.”

Detailed discussion

New York’s Information Security Breach and Notification Act requires companies to provide notice to the AG’s Office and consumers in the event of a data breach. Last year, the Office received 809 data breach notices. Given the upward trend already visible in the first half of 2016, the Office expects to receive “well over 1,000 notices” this year, Attorney General Schneiderman said—a new record high.

To improve efficiency with the increased volume, the AG’s Office provided companies with the ability to file notice electronically via a submission form on the Office’s website. Previously, companies were required to mail, fax, or e-mail their notices.

In addition to details about the entity breached, the form requires companies to select a description of the breach (an external systems breach, for example, or insider wrongdoing), as well as the information acquired in combination with a name or other personal identifier (such as a Social Security number or financial information). Entities must report the total number of consumers affected, and how many New Yorkers were impacted, along with the dates of the breach and when it was discovered. A copy of the notice to affected consumers must be provided to the AG’s Office, along with information about whether the company has suffered any other breach notifications within the prior 12 months.

Attorney General Schneiderman has kept a close eye on data breaches in the state during his tenure, releasing a report in 2014 titled “Information Exposed: Historical Examination of Data Security in New York State.” Analyzing eight years of security breach data for the state, the report found that the number of reported data security breaches in New York more than tripled between 2006 and 2014. The roughly 5,000 data breaches impacted 22.8 million personal records of New Yorkers, according to the report, with hacking intrusions by third parties the number-one cause of breaches.

To read the AG’s press release, click here.

To view the New York State security breach reporting web submission form, click here.

Article source: http://www.lexology.com/library/detail.aspx?g=fa34124b-d7ce-4f81-9325-559a912d0a7c


LinkedIn data breach blamed for multiple secondary compromises | CSO Online

The LinkedIn compromise has been linked to a number of confirmed incidents where data exfiltration has taken place. It’s possible these incidents are only the tip of the iceberg though, as many of the organizations compromised are service providers with access to customer networks.

On June 18, Citrix posted an alert warning of an incident that forced the company to reset all of its customers' passwords. A day later, Citrix updated the alert and explained the problem.

“Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” the company wrote.

Multiple industry sources have shared additional details with Salted Hash, some confirming upwards of thirty instances where an organization has been compromised and sensitive information exfiltrated by the attackers.

However, this number is likely a low estimate, as the compromised organizations are service providers with access to customer networks.

Those who spoke to Salted Hash on the condition of anonymity are still working active cases to determine the full extent of the problems, but the fear is that the customers of the breached service providers have been compromised as well.

The organizations that have been targeted operate in the manufacturing industry, retail industry, and a number of other verticals.

The common thread in each case is the LinkedIn list, generic password policies, a lack of two-factor authentication, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

Citrix called the incident a “very sophisticated password attack,” but that isn’t the reality of the situation; there’s nothing sophisticated going on.

These are straightforward brute force attacks with a high degree of success, largely because the leaked LinkedIn records have allowed the attacker to reuse credentials directly, or to try slight variations of them, in order to gain access.

It isn’t clear if the active cases are all related, or if there is more than one attacker or group conducting the raids. What is clear is that some of the organizations caught up in this situation are large ones, and the only reason they’re in this mess is recycled credentials.

There’s a method to the madness:

An attacker who has the LinkedIn list knows a person’s name, their work history, and their password. Thus, the attacker now has a list of possible targets, a good idea of how network IDs are generated, and some base passwords to start with. There’s more work to be done, as the attacker has to identify services and systems exposed to the public, but this isn’t an impossible task.

“Typically there would be two types of threat actors that would consume these stolen credential sets,” explained Israel Barak, CISO of Cybereason.

The first are the actors that will use the credential set to conduct broad, non-targeted attacks where they would attempt to gain access to social media and financial services using the leaked credentials. The second set of actors take their time and target individuals, or organizations they’re associated with, in order to gain access to sensitive information and systems.

Don’t blame the victim, but…

Many organizations alter the default Active Directory policies slightly, but this still leaves them with passwords of 7-12 characters that must contain one uppercase letter, one number and one special character, plus a 90-day expiration window.

Yet, most of the passwords used today are based on patterns and guessable logic. The workforce is trained to create weak passwords from the start, because organizations implement password policies that result in easily guessed or cracked credentials.

“Typically organizations set a password complexity and selection policy that requires users to choose passwords comprising of multiple character sets, have some sort of minimal length, and some restrictions as it relates to expiration and reuse. Essentially this really doesn’t solve anything, as it relates to the problem of an average person not wanting to remember too many passwords, which leads to password sharing across multiple services,” Barak said.

“I think the most robust way to approach this particular issue is to employ multi-factor authentication on sensitive services, and I think this is especially true for services that are internet accessible, such as Outlook Web Access, VPN portal, your ERP systems, or similar sensitive services.”

The point, Barak added, was to ensure that the exposure of a user’s password wouldn’t be enough to compromise their account.

Sadly, in many of the examples shared with Salted Hash, there was a direct relation between the compromised organization and the leaked LinkedIn account data set – so the username and password on LinkedIn were the exact combination needed to access the corporate network.

But even when there wasn’t a direct relation, the information available from the LinkedIn list allowed some basic guesses that resulted in successful compromises. For example, if there was a mismatch with the network ID, altering it slightly to match public email addresses often worked (e.g. jsmith vs. john.smith).

Two-factor authentication wasn’t a factor in any of the breach examples shared with Salted Hash. Again, this is because the compromised organizations didn’t use such features.
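The pattern the article describes (one leaked username/password pair tried per account, with small username variations such as jsmith versus john.smith, across many accounts from one source) leaves a recognisable footprint in authentication logs, and it looks different from a classic brute-force run against a single account. The following detector is an added example, not code from the article or from any of the vendors it names; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag password re-use (credential stuffing) versus brute-force patterns in auth logs.

Added example for this page. The log format, thresholds and sample data are
assumptions, not anything taken from Citrix, LogMeIn, TeamViewer or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format per line:
# <ISO timestamp> <source ip> <username> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2016-06-20T09:00:01 203.0.113.7 jsmith FAIL
2016-06-20T09:00:02 203.0.113.7 john.smith SUCCESS
2016-06-20T09:00:03 203.0.113.7 adoe FAIL
2016-06-20T09:00:04 203.0.113.7 alice.doe FAIL
2016-06-20T09:00:05 203.0.113.7 bwong FAIL
2016-06-20T09:00:06 203.0.113.7 bob.wong SUCCESS
2016-06-20T09:00:07 203.0.113.7 cliu FAIL
2016-06-20T09:00:08 203.0.113.7 carol.liu FAIL
2016-06-20T09:05:00 198.51.100.4 john.smith SUCCESS
2016-06-20T09:06:00 198.51.100.4 john.smith SUCCESS
2016-06-20T09:10:00 192.0.2.9 dlee FAIL
2016-06-20T09:10:05 192.0.2.9 dlee FAIL
2016-06-20T09:10:10 192.0.2.9 dlee FAIL
2016-06-20T09:10:15 192.0.2.9 dlee FAIL
2016-06-20T09:10:20 192.0.2.9 dlee FAIL
2016-06-20T09:10:25 192.0.2.9 dlee FAIL
"""

EPOCH = datetime(1970, 1, 1)  # naive reference so bucketing is timezone independent


def parse_log(text):
    """Parse the assumed 'timestamp ip user outcome' format into (ts, ip, user, ok) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def classify_sources(events, window=timedelta(minutes=15), min_accounts=5,
                     max_tries_per_account=2.0, brute_force_tries=5):
    """Label each source ip as 'stuffing', 'brute-force' or 'normal'.

    Stuffing: many distinct accounts, only one or two tries each (a leaked pair per account).
    Brute force: few accounts, many tries against each.
    Events are bucketed into fixed time windows before counting; the worst label wins
    when a source appears in several windows.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        bucket = int((ts - EPOCH).total_seconds() // window.total_seconds())
        buckets[(ip, bucket)].append((user, ok))

    findings = {}
    for (ip, _), attempts in buckets.items():
        accounts = {user for user, _ in attempts}
        tries_per_account = len(attempts) / len(accounts)
        if len(accounts) >= min_accounts and tries_per_account <= max_tries_per_account:
            label = "stuffing"
        elif len(accounts) < min_accounts and tries_per_account >= brute_force_tries:
            label = "brute-force"
        else:
            label = "normal"
        # Accounts that actually authenticated from a flagged source: these are the
        # credentials to reset first, as the vendors in the article did.
        compromised = sorted({user for user, ok in attempts if ok}) if label != "normal" else []
        if ip in findings and findings[ip]["label"] != "normal" and label == "normal":
            continue  # keep the more severe finding for this source
        findings[ip] = {"label": label, "accounts": len(accounts),
                        "tries_per_account": round(tries_per_account, 2),
                        "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The distinguishing feature is the ratio of attempts to distinct accounts: the stuffing source above tries eight accounts once each and still lands two logins, which is exactly the "high degree of success" the article attributes to recycled credentials, while the brute-force source hammers one account and gets nowhere. The `compromised` list gives a responder the accounts to reset and, if the organization has it, to enforce a second factor on.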

GoToMyPC isn’t the only service provider that’s been targeted recently.

Earlier this month, TeamViewer users reported system compromises, and at least some of them admitted to reusing passwords. Last week, LogMeIn proactively reset accounts where it was determined a customer was recycling their LinkedIn password. On Tuesday, Carbonite reset all of its customers' passwords after detecting login attempts using recycled credentials.

So what’s the underlying problem?

Weak password policies and recycled credentials are a serious problem.

At the same time, this problem is one that isn’t easily fixed. Humans have developed some bad habits when it comes to passwords and access, and corporate policies that limit complexity and require easily guessed formats, further enable these bad habits.

In hindsight, the organizations that were compromised due to the LinkedIn list made plenty of mistakes that proactive measures would have fixed. But singling them out, as if they’re something unique, would be a mistake.

Organizations don’t track passwords or audit them; users are allowed privileged access without restrictions; two-factor authentication is only sparingly enabled in some cases (assuming it’s enabled at all); and security policies are selectively applied.

For example, the Department of Homeland Security banned personal webmail for security reasons. However, DHS Secretary, Jeh Johnson, was exempted from this ban because he liked to check his personal email from the office.

If that seems like a familiar situation to you, that’s because everyone who has ever worked in IT can tell horror stories about how C-Level executives are regularly exempted from security policy.

This is why preventing recycled or easily guessed passwords is such a problem. How can you manage passwords and how they’re developed or used, when just getting everyone on the same page policy-wise is challenge enough?

Article source: http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html


EHR Data Potentially Exposed in Vendor Healthcare Data Breach

Another medical center has reported a potential healthcare data breach stemming from a hacking incident affecting EHR vendor Bizmatics, according to a HIPAA notification letter on the ENT and Allergy Center’s website.

Hackers caused a recent possible healthcare data breach

The Office of Civil Rights reported on its data breach tool that 16,200 individuals were impacted by the healthcare data security incident.

The medical center reported that its EHR vendor, Bizmatics, had discovered that an unauthorized user had accessed its data servers, which stored and managed patient files. The outside party first hacked the data servers in early 2015 and continued to access EHR files until Bizmatics discovered the intruder later that year.

The vendor notified ENT and Allergy Center that some of its EHR files may have been viewed or acquired as a result of the possible data breach. However, Bizmatics could not identify which patient files may have been exposed.

Bizmatics confirmed to the medical center that patient information that may have been affected included names, addresses, healthcare visit information, and the last four digits of Social Security numbers. However, the EHR files did not contain credit card numbers or any other financial information.

Upon discovering the possible healthcare data breach, Bizmatics contacted law enforcement officials and hired a private cybersecurity firm to secure its systems and investigate the event.

ENT and Allergy Center stated that it has notified all affected individuals and offered them free credit, fraud, and identity-theft monitoring services for a year. The healthcare facility has also established a toll-free phone number dedicated to answering questions about the healthcare data security incident.

Additionally, the healthcare organization reported that it is “in the process of implementing safeguards to protect your information.”

Bizmatics has also been involved in several other recent possible healthcare data breaches.

Last month, Pennsylvania-based Integrated Health Solutions PC reported that 19,776 individuals were notified of a potential EHR breach after an outside entity had accessed Bizmatics systems. Similarly, the EHR vendor could not confirm if patient files were accessed and what records were affected.

In another healthcare data security event, Bizmatics informed Southeast Eye Institute PA earlier this year that its EHR files may have been exposed in a hacking incident from January 2015. The organization reported that 87,314 individuals were affected by the incident.

There have been several other reports of possible EHR breaches caused by unauthorized access of data servers and systems at Bizmatics. However, the vendor has not released a statement addressing the incidents.

TX agency notifies 600 patients of possible PHI breach

The Texas Health and Human Services Commission has announced a possible PHI breach that has affected 600 individuals, reported a statement on its website.

The agency was notified by Iron Mountain, one of its contractors and a document shredding company, that 15 boxes containing client information went missing from the Irving, Fort Worth, and Dallas facilities.

The Texas Health and Human Services Commission had hired the company to destroy the client documents within the boxes because they contained confidential information from individuals who may have applied for medical assistance between January 1, 2008 and August 31, 2009.

Neither the agency’s statement nor the contractor has released information on how the boxes were misplaced.

PHI that may have been involved in the possible healthcare data breach included Social Security numbers, addresses, Social Security claim numbers, dates of birth, names, medical record numbers, Medicaid or individual numbers, case numbers, and bank account information.

In response, the Texas Health and Human Services Commission contacted all individuals who may have been affected by the healthcare data security incident and provided them with complimentary credit monitoring services for one year.

Additionally, the agency has taken steps to improve data security measures regarding confidential information.

“The agency is conducting an investigation into Iron Mountain’s handling of this event and taking steps to secure confidential information and reduce the chances of this event happening again,” explained the statement. “After the investigation is complete, HHSC [Health and Human Services Commission] will review processes and procedures, making any changes needed to prevent this type of event in the future.”

Police officer discovers abandoned medical records in public park in Indiana

The Indiana Attorney General is investigating a potential healthcare data breach after private medical records were discovered in recycling bins in a public park, reported an article on TheIndyChannel.com.

A member of the Indiana Metropolitan Police Department found the medical records among other recycled materials in public dumpsters in the park. The file folders contained patient information, such as names, addresses, Social Security numbers, and insurance information.

In a statement to the news source, the Indiana Attorney General’s office stated that it is working with the police department and several waste or recycling processing companies who may have handled the abandoned files in order to obtain and secure them.

The office also reported that it can review the possible healthcare data breach and seek enforcement actions for HIPAA and Indiana’s Disclosure of Security Breach law violations.

As part of its review, the Attorney General’s office plans to work with affected individuals to help prevent potential fraud and connect them to their lost files.

Additionally, it has encouraged all private individuals to immediately report abandoned medical records or other documents containing personal identifying information to the Indiana Attorney General’s office. The office typically takes possession of these records to ensure they are secured and are not misused.

The Attorney General did not disclose how many medical records were found or what healthcare practices may be involved.

Article source: http://healthitsecurity.com/news/ehr-data-potentially-exposed-in-vendor-healthcare-data-breach


Abingdon-Avon employee arrested in relation to data breach – KWQC


KNOX COUNTY, Ill. (KWQC) – The district’s IT Director has been arrested just a month after the district went public about a data breach impacting student grades.

UPDATE: Knox County State Attorney, John Pepmeyer confirmed this arrest is related to the data breach. Pepmeyer said the investigation into the data breach unveiled information leading to this arrest.

Pepmeyer said Mark L. Rodgers posted bail on June 22, shortly after his arrest.

He also said Rodgers will appear in court on July 22.

Court records show Mark L. Rodgers is charged with three counts of eavesdropping. He’s accused of using a web cam to secretly record a private conversation without permission.

The district website confirms Rodgers is employed by the Abingdon-Avon School District.

Last month, a note on the district website said a data breach happened in January, resulting in grade and GPA changes. The note also said the school hired a firm to investigate the breach.

Rodgers’ record from the Knox County Courthouse doesn’t say if his charges are in relation to this data breach, but it says the alleged offenses happened between January and February.

Three felony counts of eavesdropping mean that, if convicted, he could spend a maximum of 9 years in prison.

The Knox County Attorney was in court all day on Thursday, June 23, and unavailable to answer any questions relating to this case.

Rodgers’ next-door neighbor said she doesn’t think he is the cause of the data breach.

Stay tuned to KWQC-TV6 and kwqc.com for updates.


Article source: http://kwqc.com/2016/06/23/arrest-made-in-connection-to-abingdon-avon-school-district-data-breach/


State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach

Used by all states (except D.C.) with data breach laws [1]

(AK, AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)

NOTE:

MA – financial account number, or credit or debit card number, even without any required security code, access code, PIN or password, is reportable if associated with first name/initial and last name.

Article source: http://www.natlawreview.com/article/state-data-breach-notification-laws-overview-requirements-responding-to-data-breach


New York school district suffers a hack and data breach


Sometimes the important lessons about security are not learned in schools, but by schools. In this week’s course on cyber security, Holley Central School District itself has been schooled, after a cyber attack leaked the data of thousands of employees, old and new alike.

According to cloud security company BatBlue Networks, a secretary at the New York-based school district discovered an attack from back in April 2016. In the attack, hackers stole information on over 150 employees and contractors, in addition to thousands more who worked for the district any time before 2004.

Officials connected to the school district are claiming that no personal information was stolen, although “personal information” is a term that could extend to several things – not just Social Security numbers and insurance information, but names, addresses, phone numbers, and so on are all considered personal information. Aside from that, the district has not yet commented on what information was taken.

However, all employees and former employees, as well as contractors, who have been impacted by the breach will receive a free year of LifeLock credit protection. Holley Central School District has also reached out to the New York State Police and the FBI to look into the incident, and it assures reporters that it’s working to make its systems more secure against any attacks that may come later.

Robert Pleasant


Article source: http://siliconangle.com/blog/2016/06/23/new-york-school-district-suffers-a-hack-and-data-breach/


Abingdon Avon employee arrested a month after a data breach – KWQC


KNOX COUNTY, Ill. (KWQC) – The district’s IT Director has been arrested just a month after the district went public about a data breach impacting student grades.

Court records show Mark L. Rodgers is charged with three counts of eavesdropping. He’s accused of using a web cam to secretly record a private conversation without permission.

The district website confirms Rodgers is employed by the Abingdon-Avon School District.

Last month, a note on the district website said a data breach happened in January, resulting in grade and GPA changes. The note also said the school hired a firm to investigate the breach.

Rodgers’ record from the Knox County Courthouse doesn’t say if his charges are in relation to this data breach, but it says the alleged offenses happened between January and February.

Three felony counts of eavesdropping mean that, if convicted, he could spend a maximum of 9 years in prison.

The Knox County Attorney was in court all day on Thursday, June 23, and unavailable to answer any questions relating to this case.

Rodgers’ next-door neighbor said she doesn’t think he is the cause of the data breach.

Rodgers is in jail on a $15,000 bond.

Stay tuned to KWQC-TV6 and kwqc.com for updates.


Article source: http://kwqc.com/2016/06/23/arrest-made-in-connection-to-abingdon-avon-school-district-data-breach/
