Archive for November, 2013

Data Breach at UW Medicine Exposes 90000 Patients’ Information

Washington’s UW Medicine recently announced that 90,000 patients’ personal information was exposed when a UW Medicine employee opened an e-mail attachment containing malware (h/t PHIprivacy.net).

“The malware took control of the computer, which had patient data stored on it,” UW Medicine said in a statement. “UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity.”

While it doesn’t appear that the objective was to obtain patient information, the malware apparently accessed the data files of approximately 90,000 Harborview Medical Center and University of Washington Medical Center patients, including their names, medical record numbers, other demographics (which may include addresses and phone numbers), dates of service, charge amounts for services received, birthdates, and Social Security numbers or HIC (Medicare) numbers.

The incident has been referred to the FBI, and UW Medicine says it has implemented a “review, training and outreach effort” in response to the incident, though it’s not clear what that effort may include.

ID Experts is managing a call center at (877) 271-1533, where patients can call with questions.

Photo courtesy of Shutterstock.

Article source: http://www.esecurityplanet.com/network-security/data-breach-at-uw-medicine-exposes-90000-patients-information.html

,

No Comments

Union chief says data breach compromised firefighters’ personal information

The president of the Milwaukee firefighters union says the personal information of numerous members of the department has been compromised in the wake of the data breach involving Dynacare Laboratories.

David Seager, president of the Milwaukee Professional Firefighters Association Local 215, wrote in an email to aldermen that while the bulk of the blame of a data breach belongs to Dynacare, the city should be held responsible for providing personal Social Security numbers to the health care providers. Information on thousands of city employees and their spouses or domestic partners was involved.

“While the circumstances surrounding Dynacare are horribly disastrous, it does not excuse the fact that our Social Security numbers were relinquished,” Seager wrote.

Contacted Friday, Seager said he was not at liberty to detail how the personal information of some firefighters had been compromised. He wrote in his email that firefighters were “fighting to restore their credit.”

Jeff Fleming, a city spokesman, said the city was not aware of any attempt to compromise an employee’s personal information.

The data breach involved Dynacare, which works with Froedtert Community Health/Workforce Health to operate the city’s wellness program. Dynacare told city officials Nov. 15 that a car owned by a Dynacare employee was stolen overnight on Oct. 21-Oct. 22, and reported stolen Oct. 22. The car contained a flash drive with the personal information of 9,414 city employees, their spouses and domestic partners.

The personal information included the names, addresses, dates of birth, Social Security numbers and gender of an estimated 6,000 city employees. The flash drive also had the names of more than 3,000 spouses and domestic partners of those workers.

The flash drive has not been recovered.

Since the disclosure, the city has announced plans to file a federal complaint with the U.S. Department of Health and Human Services’ Office of Civil Rights, alleging Froedtert and Dynacare violated federal security and privacy requirements. Dynacare also is conducting its own investigation.

In addition, a Milwaukee firefighter and his wife have filed suit in Milwaukee County, seeking unspecified damages. Lawyers for the couple say they will seek class-action status in behalf of other city employees.

In his email, Seager expressed his disappointment with Mayor Tom Barrett’s administration in handling the data breach and the release to Froedtert of Social Security numbers.

The missing flash drive contained unencrypted information of a highly sensitive nature. The city has said it gave the personal information to Froedtert in a secured and password-protected form.

Barrett has said the city will find a way in the future to not use Social Security numbers as a means of employee identification.

On Friday, Barrett said the city’s wellness committee, comprised of employees from different city agencies, was part of the decision-making process for the wellness program.

“There clearly was a need for an individual marker, if you will, for the people who get into the system,” Barrett said. “And, working with the Department of Employee Relations, the decision was made to use the Social Security number. I think moving forward we will move away from that, there’s no question about it. We’ll use a different identifier.”

Seager also complained that the Dynacare offer of a one-year free membership in an identify protection program was not enough.

“While the one-year term is a start, it appears to me and all of my members that this is nothing more than a get-out-of-jail free card,” he wrote. “It is vital, not just to my membership but to the entire city workforce, that the leadership of the city pursue a lifetime program via Dynacare Laboratories.”

A Dynacare spokesman did not respond to a request for comment.

Ashley Luthern of the Journal Sentinel staff contributed to this report.

Article source: http://www.jsonline.com/news/milwaukee/union-chief-says-data-breach-compromised-firefighters-personal-information-b99153231z1-233863511.html

,

No Comments

AvMed’s novel data breach settlement- first time payment to plaintiffs who …

Recently, AvMed agreed to pay $3 million in a data breach settlement. What sets this apart from other data breach settlements is Plaintiffs who have not suffered identity theft as a result of the breach may nevertheless collect from the Settlement Fund. Plaintiffs who did not suffer identity theft claimed they were injured by overpaying an insurance premium which was supposed to safeguard data.

AvMed’s Data Breach

AvMed offers healthcare plans to businesses and individuals in Florida and throughout the United States. On December 10, 2009, three laptops were stolen from AvMed’s corporate offices in Gainesville, Florida. Two of the three laptops contained “Sensitive Information,” including protected health information and Social Security numbers, potentially exposing 1.2 million AvMed members.

The Litigation

On November 16, 2010 Plaintiffs filed a putative class action in the Southern District of Florida. Plaintiffs claimed AvMed failed to encrypt and safeguard the stolen laptop computers which resulted in the exposure of members’ Sensitive Information. In its motion to dismiss, AvMed argued that Plaintiffs did not sufficiently allege the injury or damage elements of their claims. Defendants argued that courts across the country consistently have held that an allegation of data compromise, without an allegation that the lost or stolen data has been misused in a way that inflicts a compensable injury or damage of the plaintiff, fails to state a claim in tort or contract.

The Florida District Court granted AvMed’s Motion to Dismiss Plaintiff’s First Amended Complaint for failure to state a cognizable injury and failure to state a claim. However, Plaintiff’s shortly thereafter filed a Second Amended Complaint, which the Court also denied. Plaintiffs appealed.

Plaintiff’s Appeal Mediation

On appeal, the Eleventh Circuit found Plaintiffs established a plausible causal connection between the data breach and identity theft, and therefore the injuries were not prohibitively speculative. The Eleventh Circuit remanded the case, and in December 2012 the parties entered mediation. Where Plaintiffs’ argument gained traction, was the alleged harm suffered from overpaying for insurance coverage.

The Settlement

Under the terms of the settlement, AvMed agreed to pay $3 million to a Settlement Fund, which pays out money to AvMed members for premium overpayments as well as to those members who suffered identity theft. Further, AvMed agreed to: (1) mandatory security training for employees; (2) mandatory training on appropriate laptop use and security; (3) updating company computers with additional security mechanisms, including GPS tracking technology; (4) new password protocols and full disk encryption technology on all company computers; (5) physical security upgrades; and (6) review and revision of written policies and procedures for information security.

Conclusion

Companies handling sensitive information should be aware that the AvMed settlement marks a change in the traditional view of data breach damages. Companies should carefully review their insurance policies as well as data security practices to mitigate their exposure.

Article source: http://www.lexology.com/library/detail.aspx?g=08d45c4a-415b-4dcf-ac14-b8c83135200a

,

No Comments

Judge dismisses consumer lawsuit against Apple over data breach

Wellington, Nov. 29 (ANI): A California judge has reportedly dismissed a consumer lawsuit against Apple, which claimed that the tech giant breached its privacy policy and put the plaintiff’s personal data exposed.

The four plaintiffs failed to show that they had relied on any alleged company misrepresentations and that they had suffered harm.

According to stuff.co.nz, the plaintiffs claimed in 2011 that Apple had violated its privacy policy, and had designed its iOS environment to easily transmit personal information to third parties that collect and analyse such data without user consent or detection.

The plaintiffs had also claimed that they suffered damages by paying too much money for their iPhones and by losing storage space, among other things.

US District Judge Lucy H Koh in California said that the plaintiffs must be able to provide some evidence that they saw one or more of Apple’s alleged misrepresentations, that they actually relied on those misrepresentations, and that they were harmed thereby. (ANI)

K-Tigers perform at S. Korea’s new Taekwondo stadium

November 29, 2013 at 12:00 AM

Syrian army takes strategic town of Deir Attiyeh

November 29, 2013 at 12:00 AM

Philippine survivors paid to clear up typhoon mess

November 29, 2013 at 12:00 AM

View More Videos





Your Name (*) :

Your Email :

Your Phone :

Your Comment (*):

 

 

 

Comments:

Article source: http://www.newstrackindia.com/newsdetails/2013/11/29/66-Judge-dismisses-consumer-lawsuit-against-Apple-over-data-breach-.html

,

No Comments

California’s Flamingo Resort and Spa Admits Data Breach

The Flamingo Resort and Spa in Santa Rosa, Calif., recently began notifying an undisclosed number of its employees that a virus was discovered on its payroll computer “which could have allowed a hacker to access personal information, such as your Social Security number, date of birth, home address, phone number and bank routing numbers (if you do direct deposit for your paychecks).”

“The Flamingo Resort and Spa is taking further measures to ensure this will not happen in the future,” the resort’s Christine Melton and Floriann Bynum wrote in the notification letter [PDF].

While no identity theft protection services are being offered to those affected, recipients of the notification letter are being advised to place fraud alerts on their credit files, and to check their credit reports for any accounts they didn’t open, inquiries from creditors they didn’t initiate, or personal information that isn’t accurate.

“If you do find suspicious activity on your credit reports, call your local police or sheriff’s office and file a police report of identity theft,” the letter advises. “Get a copy of the police report. You may need to give copies of the police report to creditors to clear up your records.”

Employees with questions are advised to call the resort at (800) 848-8300.

Photo courtesy of Shutterstock.

Article source: http://www.esecurityplanet.com/network-security/californias-flamingo-resort-and-spa-admits-data-breach.html

,

No Comments

Data Breach at Florida Medical Group Exposes 4400 Patients’ Personal Data

The Sarasota Herald-Tribune reports that Florida Digestive Health Specialists has notified 4,400 patients that a former employee improperly accessed and photographed patient records that included names, birthdates, phone numbers and Social Security numbers.

Because the investigation is ongoing, the former employee’s name hasn’t been released.

“This particular person went to print the photos at Walmart, and the manager was suspicious of them and turned them in to the Manatee County Sheriff’s Office,” Florida Digestive Health privacy officer Terri Zahn told the Herald-Tribune. “They were able to link them back to one of our care centers and the former employee. We have been cooperating in any way we could to help them with the case.”

The employee was terminated immediately, and Florida Digestive Health says it has already taken steps to tighten its security in response to the breach. Patients are being advised to monitor their credit reports for suspicious activity.

Photo courtesy of Shutterstock.

Article source: http://www.esecurityplanet.com/network-security/data-breach-at-florida-medical-group-exposes-4400-patients-personal-data.html

,

No Comments

Microsoft Releases Security Advisory for Microsoft Windows Kernel

  • Home
  • FAQ
  • Contact Us
  • Traffic Light Protocol
  • Privacy Use
  • Accessibility
  • Get a PDF Reader

US-CERT is part of the Department of Homeland Security.

Article source: http://www.us-cert.gov/ncas/current-activity/2013/11/28/Microsoft-Releases-Security-Advisory-Microsoft-Windows-Kernel

, ,

No Comments

Maricopa Colleges waited 7 months to notify 2.4 million students of data breach

Cookies must be enabled to view articles on azcentral.com

Article source: http://www.azcentral.com/community/phoenix/articles/20131127arizona-college-students-data-breach.html

,

No Comments

Grocery supplier warns of regional data breach

Posted: Wednesday, November 27, 2013 10:00 am

Grocery supplier warns of regional data breach

By KEITH KINNAIRD
News editor

Bonner County Daily Bee

|
2 comments

SANDPOINT — A regional food distributor that supplies Bonner County grocery stores is warning customers that its payment processing system is under attack by a cyber criminal.


URM Stores Inc. CEO Ray Sprinkle posted an open letter to the company’s website advising customers to consider paying with a cash or check until it implements enhanced security measures block further additional unauthorized access to its system. Sprinkle added that some stores are also able to process credit cards using a dial-up connection that was unaffected by the attack.

“This process takes a few more minutes at the checkout stand and we ask for your patience,” Sprinkle said in the letter.

URM supplies Super 1 Foods in Sandpoint, Yoke’s Fresh Market in Ponderay, Mitchell’s Harvest Foods in Priest River and Akins Harvest Foods in Bonners Ferry.

Sandpoint and Ponderay police said earlier this month they received a rash of credit card fraud complaints. Sandpoint Police Chief Corey Coon and Ponderay Police Chief Mike Hutter were unresponsive to media inquiries on Tuesday, however.

Sprinkle said it’s believed the attack is targeting data found on the magnetic stripe on the back of credit and debit cards, which can be used to manufacture counterfeit cards. Consumers who believe their card has been compromised are urged to immediately contact the issuing bank that issued the card.

Major credit card companies have “zero liability” policies that guarantee cardholders will not be responsible for fraudulent charges, according to URM.

The company said it has engaged a leading computer security firm to examine the processing system.

In response to the attack, URM established a dedicated call center for customers who have questions or seek further information about protecting themselves. The call center can be reached at (877) 237-7408. It’s open from 9 a.m. to 7 p.m. Monday through Friday, and from 10 a.m. to 2 p.m. on Saturday.

Additional information is also available online (www.urmstores.com).

More about Sandpoint

  • SHS Bulldogs SHS Bulldogs
  • ARTICLE: Bulldogs fall short against Vikings
  • ARTICLE: Walking ‘The Way’
  • ARTICLE: Don’t be a turkey during holiday, just be careful

More about Ponderay

  • ARTICLE: Trail aims to connect two sides of county
  • ARTICLE: Woman hit in crosswalk recovering
  • Susan Delducco Susan Delducco
  • ARTICLE: Ponderay highway rebuild is a disaster

More about Bonner County

  • SHS Bulldogs SHS Bulldogs
  • ARTICLE: Bulldogs fall short against Vikings
  • ARTICLE: Walking ‘The Way’
  • ARTICLE: Don’t be a turkey during holiday, just be careful

on

Wednesday, November 27, 2013 10:00 am.


| Tags:


Sandpoint,



Ponderay,



Bonner County,



Payment Processing System,



Urm Stores Inc.,



Super 1,



Yoke’s,



Mitchell’s Harvest Foods,



Akins Harvest Foods,



Bonners Ferry,



Priest River

Article source: http://www.bonnercountydailybee.com/news/local/article_8fd5a91a-572c-11e3-a695-0019bb2963f4.html

,

No Comments

California EDD Acknowledges Data Breach

California’s Employment Development Department, which manages unemployment insurance and disability insurance for the state, recently began notifying an undisclosed number of people that their confidential information, including their full names and Social Security numbers, may have been provided by mistake to employers for whom they hadn’t worked.

“Employers regularly receive these claim filing notices as part of the verification required in processing unemployment benefits and are aware that the information contained in them is confidential,” EDD chief information security officer Christian Turner wrote in the notification letter [PDF]. “In fact, some of these notices already have been returned to the EDD by employers noting the information on the notice does not match their records.”

“The EDD assures you that the cause was identified and corrected to prevent any further occurrences,” Turner wrote. Anyone with questions is advised to contact (916) 654-7401.

Photo courtesy of Shutterstock.

Article source: http://www.esecurityplanet.com/network-security/california-edd-acknowledges-data-breach.html

,

No Comments