Archive for May, 2014

Police looking at ProMedica Bay Park Hospital data breach

Chief: Worker likely broke law by accessing patients’ records





The ProMedica employee who was fired for accessing nearly 600 patient records at Bay Park hospital is now the focus of a criminal investigation. Oregon police Chief Mike Navarre said after speaking with ProMedica officials Friday that he is “very confident” the actions by the employee, whom he identified as a woman, were likely illegal.

“Based on what I was told today, I think it warrants a criminal investigation that will determine what laws were broken,” he said.

Chief Navarre said he will ask hospital officials for a copy of their internal investigation, which found that the woman had accessed 594 patient records between April 1, 2013, and April 1, 2014. He expects the criminal investigation of the security breach to take several weeks or months. He would not specify what charges the woman may face.

ProMedica officials refused to disclose why the employee violated the privacy of patients by looking at their personal information. They said the person responsible was not directly treating the patients.

“ProMedica Bay Park Hospital deeply regrets this incident and is fully cooperating with federal and legal authorities,” a hospital spokesman said in a statement. “There is no evidence that any financial information, including Social Security numbers, was accessed.

“As legally required, ProMedica Bay Park Hospital reported the event to the Department of Health and Human Services. ProMedica Bay Park Hospital intends to be transparent about the event as it has been thus far.”

The hospital completed its investigation of the incident and discovered the security breach on April 2 but did not notify the public until Wednesday, nearly two months later.

Hospital officials refused to disclose any information about the person involved in the incident, citing employee confidentiality concerns. The company notified federal health authorities about the data breach but did not contact local law enforcement, ProMedica officials said.

The chief said he was not made aware of the incident by the hospital system and that he is not sure if it is bound by law to report the incident to law enforcement agencies. At the same time, however, he expressed frustration about learning of the security breach from the news media.

“Imagine there is a dead body and finding out about it a year later and starting your investigation a year later,” he said.

He added that even if his department’s investigation finds that the employee did not access financial information about patients, the woman could still face criminal charges for her actions.

In similar cases of hospital data breaches, the people responsible have faced federal criminal prosecution for identity theft and privacy-law violations. In 2012 an employee who accessed personal patient information at Northwestern Memorial Hospital in Chicago was charged with identity theft. In 2011, a former employee of the University of Pittsburgh Medical Center Shadyside near Pittsburgh pleaded guilty to violating the Health Insurance Portability and Accountability Act after stealing the personal information of patients there.

Contact Marlene Harris-Taylor [email protected] 419-724-6091.

Article source: http://www.toledoblade.com/Medical/2014/05/31/Police-looking-at-ProMedica-data-breach.html


W.Va. Justices Revive Data Breach Suit Lacking ID Theft

Law360, New York (May 30, 2014, 8:45 PM ET) — West Virginia’s highest court on Wednesday breathed new life into a class action over a data breach at Charleston Area Medical Center, ruling that the plaintiffs could collectively proceed with their breach of confidentiality and privacy claims even though they couldn’t prove that their data had been misused.

In a 4-1 decision, the Supreme Court of Appeals of West Virginia reversed Circuit Court Judge James C. Stucky’s June 2013 order denying class certification and finding that the plaintiffs lacked standing to bring their claims related to…

Article source: http://www.law360.com/appellate/articles/543131/w-va-justices-revive-data-breach-suit-lacking-id-theft


Target Picking Up the Pieces After Data Breach

Cover question mark — recover?

In time it might, but it will take two years or so.

How do you prevent this from happening again?

We have been through it all.

“Bloomberg Businessweek” did an investigation on what could have been done to prevent this.

They have the ability, but it was a case of one hand not talking to the other, and we saw what ensued.

How can companies prevent becoming a target, literally and figuratively, right?

Good point.

Everyone will react to this.

The big retailers across the board, exceeded damage — the potential damage that could happen.

It will move quickly now, obviously implementing the chip.

It will happen quicker, accelerate the end of this year, early next year.

That is part of the problem.

Even the third parties that have access, the service, the data, that is where the breach happened initially.

So, they are closely analyzing who is talking and having access to their secure data, the customers’ data.

How vulnerable is corporate America?

Everything is vulnerable.

They are constantly aggressive to put things in place and have risk assessments there, and go through these different drills, just like we would go through fire drills when we were kids.

If they do that from a cyber security perspective, they would put it much better protection.

It seems one of the challenges is that the hackers are always on the cutting edge, always learning, figuring out new things, so if you are not in that business, if you are not — you know, Target is in the resale — retail business.

It should not be in the security business, but you need to be somehow keeping yourself vigilant and up to speed enough so that you are going to support those threats.

That is a really nice — thwart those threats.

That is a really nice point.

We are all in the security business, if you think about a pair we all have to take precautions.

— about it.

We all have to take precautions.

The consumer.

Upper management, the whole board has to be diligent.

eBay came out and recommended people change their passwords.

How can consumers best protect themselves in this environment?

It is just that, the siblings all of us say we are going to do — have the world’s best password, 15 characters, numbers, symbols, we hear that over and over, I am asking 10 people, most of them, it is a birthday, an easy name to remember.

They are still not doing it until they are personally affected, and then someone will step it up and get a secure password.

That is the easiest thing they can do.

Are they taking other steps to secure their wireless networks, their computers, their passwords?

It goes on and on and on.

It is scary because everything we have is out there.

Scott Schober, thank you very much.

Thank you.

Article source: http://www.bloomberg.com/video/target-picking-up-the-pieces-after-data-breach-TJlQ1d4yTTS6sRvV7~UguA.html


Why Investors Shouldn’t Worry Too Much About eBay’s Data Breach

E-commerce player eBay (NASDAQ: EBAY) is in hot water. The company is asking users to change passwords due to a cyber attack on 145 million accounts that compromised a database that contained encrypted passwords and other non-financial data. Although eBay is claiming that this breach has not resulted in any unauthorized activity for users, we already know what a data breach can do to a company from what we saw with Target (NYSE: TGT).

Target can recover
Target’s breach compromised credit card data for 70 million-110 million customers, and the company had to engage in a massive recovery plan. The breach ended up claiming its CEO, and the company has struggled to post good results. Target can’t measure exactly the impact of the breach on its performance, but the company can get back on track slowly.

We’ll defer to fellow Fool contributor Daniel Kline for the explanation:

Customers however remain mostly confident in the brand — about 85% of the retail chain’s shoppers do not plan to change their spending habits at Target in the next year, according to a Bloomberg national poll. Only 7% plan to reduce their spending.

eBay’s breach isn’t Target’s
In comparison, eBay’s breach doesn’t look as catastrophic as Target’s. According to a press release, there is “no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats.”

So, eBay might recover from this event without serious problems. However, in case eBay’s stock comes under pressure, investors should think of adding more shares to their portfolio, as the company’s financial performance and growth strategies look impressive. It beat estimates in the first quarter, reporting revenue and adjusted earnings growth of 14% and 11%, respectively, versus the year-ago quarter. 

Bright prospects
eBay is focused on making the most of the rapidly changing buying behavior of consumers through its online, mobile, and other omni-channel commerce capabilities. eBay is controlling and leveraging its global commerce platforms in mobile leadership. It is also improving its operating discipline and execution, which have enabled it to post solid results. eBay marketplace, PayPal, and eBay enterprise platforms are driving solid volume growth for its customers and merchant partners. This should ensure a solid performance going forward. 

eBay’s mobile business is growing at a solid rate, exceeding the company’s own expectations. For example, in the last fiscal year, apart from continuously growing volume, eBay added more than 14 million new customers on mobile. These accounted for 40% of its total new users.

Looking forward to 2014 and beyond, there is a huge opportunity for the e-commerce giant as mobile continues to change traditional commerce. The lines between online and offline commerce are blurring, allowing eBay to tap the tremendous opportunities in the $10 trillion commerce market. 

eBay is making aggressive investments in three key areas. First, it is focusing on improving sales, marketing, and product experience. Second, the company is making moves in the omni-channel segment by increasing investments in eBay Now, in-store pickup, ship-from-store, and PayPal ubiquity. Finally, it is increasing investments in emerging markets and to drive cross-border trade.

The company is expanding its global footprint to accelerate e-commerce volume. The company believes that its commerce and payment platforms are growing in relevance to retailers of all sizes.

Final words
From a financial viewpoint as well, eBay looks like a good pick. It trades with a forward P/E ratio of 15, which is impressive considering that its earnings are expected to grow at a compounded annual rate of 13% for the next five years. The company’s balance sheet also looks strong, with a cash balance of $8 billion and debt of $4.13 billion.

If the data breach does take a toll on eBay’s shares in the short run, investors should consider it as a blessing in disguise, as the company’s long-term prospects appear bright.

Article source: http://www.fool.com/investing/general/2014/05/31/why-investors-shouldnt-worry-too-much-about-ebays.aspx


Monsanto data breach discovered


Article source: http://www.ksdk.com/story/news/local/2014/05/30/monsanto-data-breach-discovered/9799179/


50000 Potentially Impacted by A-State Data Breach

JONESBORO, AR (News release) – The Arkansas Department of Human Services has informed Arkansas State University about a data breach in the College of Education and Behavioral Science’s Department of Childhood Services (CHS) that could cause exposure of personally identifiable information.

A-State Chief Information Officer Henry Torres said DHS notified the campus late Wednesday that the breach involved a database related to the Traveling Arkansas Professional Pathways (TAPP) Registry, which is a professional development system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas. The program is a grant-funded project administered and housed on the Jonesboro campus. The registry tracks more than 6,000 workshops annually to train childcare workers, and participants register online through the registry.

“We have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files,” Torres said. “We took immediate measures to address this issue after being notified by DHS. We are cooperating with DHS and working with programmers to assess and resolve the situation.”

An estimated 50,000 potentially impacted individuals in the database will be notified of the breach “out of an abundance of caution,” Torres said. Only a non-active portion of the data within the database contained full Social Security numbers, and it did not contain all users of the database. Most of the database tables included only four or five digits of a Social Security number, but the Social Security Administration has determined that is personally identifiable information.

The registry program is not part of the main university databases, so no student, faculty or staff records are involved unless they have participated in the TAPP Registry.

Computer servers containing the databases were immediately disabled, Torres said, and the university has a third-party security consultant who will assist in addressing the issues.

Arkansas State’s Information Technology Department will contact State Chief Security Officer Frank Andrews and DHS Chief Security Officer Mark Riley for a post-mitigation review related to all follow-up actions taken and to report any findings.

DHS and A-State have been working to transfer all data from the university’s IT system to the DHS system since December. DHS is expected to take over the registry in July.

Full Social Security numbers were not found in database transfer files until a recent review of the database transmitted in April, Torres said. There is no indication that full Social Security numbers were included in prior data transmitted in December and March. No database information related to children or to parents who are not part of the TAPP Registry was breached.

The TAPP Registry has been taken offline until the review is completed. A toll-free number, 1-855-363-1011, has been established for potentially impacted individuals who have questions. The number will be staffed daily between 8 a.m. and 5 p.m. central time. Information is also available on the AState.edu home page; click on the link at the bottom of the page labeled “identity theft.”

Article source: http://www.arkansasmatters.com/story/d/story/50000-potentially-impacted-by-a-state-data-breach/10425/m_lm-0WiuUqolWdHVYrXpg


Data breach reported in Arkansas State department

An estimated 50,000 people could be affected by a data breach in Arkansas State University’s Department of Childhood Services, ASU officials said Friday.

ASU Chief Information Officer Henry Torres said the school was notified about the breach by the state Department of Childhood Services on Wednesday.

“We have confirmed unauthorized access to data, but we have no reports regarding illegal use of the information in these files,” Torres said. “We took immediate measures to address this issue after being notified by DHS. We are cooperating with DHS and working with programmers to assess and resolve the situation.”

The breach involved a database related to the Traveling Arkansas Professional Pathways (TAPP) Registry, a professional development system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas, Torres said. The registry also tracks more than 6,000 workshops each year, and participants register online.

Though it is connected to ASU’s College of Education and Behavior Science, the registry program is not part of the main university databases, so no student, faculty or staff records are involved unless they have participated in the TAPP Registry, according to ASU.

Computer servers containing the databases were immediately disabled, Torres said, and the TAPP Registry has been taken offline until a review of the system is completed.

A hotline has been established for individuals who have questions, and is staffed daily between 8 a.m. and 5 p.m. CDT. Information is also available on the ASU website.

The registry is a grant-funded project administered and housed on Arkansas State’s Jonesboro campus.

Online:

Arkansas State University website on identity theft: http://www.astate.edu/a/its/information-on-security/index.dot


Article source: http://www.sacbee.com/2014/05/30/6444979/data-breach-reported-in-arkansas.html


Target interim CEO said retailer’s complacency contributed to massive data breach – The Star

Target Interim Chief Executive Officer John Mulligan said that even before December’s massive data breach, the retailer had lost its way by becoming too cautious and bureaucratic.

The theft of credit-card data for 40 million customers has forced the company to refocus on pleasing shoppers and reconsider everything from how it presents apparel to how it makes decisions, Mulligan said today in an interview.

“That came out of it, but I would have preferred to have gotten there a different way,” he said. “We got a little bit risk-averse in making sure things were perfect and we understood the economics. Now, it’s really unshackling ourselves.”

Earlier this month, Mulligan, an 18-year veteran of the second-largest U.S. discount retailer, was promoted from chief financial officer to replace Gregg Steinhafel as CEO on an interim basis while the company searches for a permanent replacement. Target had already been trying to improve lackluster results in the U.S. and a botched expansion to Canada before hackers infiltrated its computer systems.

At a test store in Minneapolis, Target is reworking the baby, electronics, toys and clothing sections because presentations had become stale, Mulligan said.

The changes include opening up floor plans, improving lighting and introducing mannequins, which were used for the first time two years ago with the debut of its smaller CityTarget locations. The remodeled baby area went from initial concept to introduction at 200 stores this summer in seven months, Mulligan said.

Faster Decisions

“We are accelerating how we make decisions,” by giving design and store teams more autonomy and requiring fewer initiatives to be approved by top management, Mulligan said. “It’s just getting more comfortable putting things out there.”

The moves are all part of an attempt to get Target back to its roots of upscale discounting, Mulligan said. While its design collaborations get a lot of attention, the chain’s ability to apply its cheap chic mantra to basic products is what set it apart, he said.

“People equate that with the big designer things,” Mulligan said. “Those are important, but that’s frosting. It’s the everyday innovation. That’s the secret sauce. That was our success.”

Shares of Minneapolis-based Target rose 1.6 percent to $56.76 at the close in New York. They’ve fallen 10 percent this year. That compares with a 2.4 percent drop for larger rival Wal-Mart Stores Inc. and a 4.1 percent increase for the Standard & Poor’s 500 Index.

Earnings Forecast

Target last week cut its annual earnings forecast to $3.60 to $3.90 a share, down from a previous range of as much as $4.15. It projected adjusted earnings of 85 cents to $1 a share for the second quarter, compared with an average estimate of about $1.03.

The company is holding off on stock buybacks as it works on its comeback. The retailer said it probably won’t repurchase more stock before the second half of the year.

U.S. comparable-store sales will grow as much as 2 percent this year, and product promotions will push its gross margin below 30 percent, the company said. The sales will “be flat to slightly positive” in the current quarter, Target said. Sales by that measure declined 0.4 percent in its most recent fiscal year, the first annual drop since the year ended in January 2010.

Target’s Canadian business lost $211 million before interest and taxes last quarter, a wider deficit than the $205 million it posted a year earlier. In the last fiscal year, the division lost $941 million before interest and taxes, reducing the year’s profit by $1.13 a share. The company replaced the top executive there, Tony Fisher, with Mark Schindele last week.


Article source: http://www.nj.com/business/index.ssf/2014/05/target_interim_ceo_said_company_complaceny_contributed_to_massive_data_breach.html


Identity theft danger threatens 62000 workers; no patient files involved …

The scope of a data breach at UPMC that may have exposed Social Security numbers, addresses, salaries and bank account information to identity thieves has widened to potentially include all of its 62,000 workers, the health care conglomerate informed employees in an email Friday.

“Outside of the 817 confirmed victims of tax fraud, we are not aware of any other fraud perpetrated against UPMC relating to this situation,” the email stated. “In the interest of protecting our staff, we are now urging all of our employees to take the proper precautions to protect their personal information.”

The number of employees at risk has expanded exponentially — from a few dozen, to several hundred to tens of thousands — since February, when the company acknowledged that about 22 employees had been victimized by fraudulent income-tax return schemes.

In April, a UPMC spokesperson said all employees who could have been potentially affected by the breach, then estimated at 27,000, had been notified.

Gloria Kreps, a UPMC spokeswoman, said that the email sent to employees was based on new information from the ongoing investigation into the breach, which is being handled by local police, the FBI, the U.S. Secret Service, the U.S. attorney’s office and the Internal Revenue Service.

A spokeswoman for U.S. Attorney David Hickton said that investigators are working diligently to advance the investigation but declined to provide details.

“UPMC has been informed by law enforcement authorities based on their ongoing investigation that more employee information was stolen than they originally knew,” Ms. Kreps wrote in an email. “This new information has indicated that employee names, Social Security numbers, addresses, salaries, bank account numbers and bank routing numbers may have been accessed.”

In the email to employees, UPMC said it is “a victim in an all-too-frequent crime of hacking and data theft.”

“Please be assured that we have done all that we can to make sure our systems are secure and we do not believe that a similar attack would be successful in the future,” the company wrote. “We continue to take steps to mitigate risk for our employees. But the reality is that cyber theft is now very common and can be present in many types of online transactions. Once again, we apologize for this difficult and troubling news. We stand ready to assist you through this process and remain hopeful that by working with the authorities that we can bring these criminals to justice in the future.”

Ms. Kreps said UPMC has notified all employees via phone and letter, alerted major banks, provided a hotline for employees with questions and is planning educational Web seminars for staff and family members about identity-theft protection.

UPMC also has made free identity protection services available to employees through LifeLock and is in discussions with the company to extend that service for five years.

A class action suit was filed against UPMC in February in Allegheny County Common Pleas Court on behalf of employees who had fraudulent bank accounts opened in their names and tax returns stolen.

The lawsuit alleges that vulnerabilities in UPMC’s computer system allowed for the breach and the company did not reasonably safeguard the sensitive information in its care.

Benjamin Sweet, one of the attorneys representing the plaintiff class, called the news that all employees may be affected “troubling.”

“It’s hard to know what the next shoe to drop will be,” Mr. Sweet said. “At a minimum, UPMC owes its employees and the public an immediate and full accounting of the facts. … Can it confirm whether the data breach is confined to UPMC employees or has any patient-level data been compromised? If so, how many patients and over what length of time?”

Ms. Kreps said the breach was confined to employees’ information.

“This breach affected our payroll system, which is completely separate from patient financial and medical information,” Ms. Kreps said.

Mr. Sweet said it is too early to tell whether the news of the wider data compromise “will change the complexion of the case” but said it will be made known to the court.

Article source: http://www.post-gazette.com/local/city/2014/05/30/All-62-000-workers-at-UPMC-may-now-be-victims-Data-breach-at-UPMC-may/stories/201405300188


State department informs Arkansas State of data breach

JONESBORO, AR (KAIT) – Officials with Arkansas State University say they have been informed about a data breach from the Arkansas Department of Human Services.

DHS told the university on Wednesday the breach was in the College of Education and Behavioral Science’s Department of Childhood Services. The breach could “cause exposure of personally identifiable information”, according to the news release from the university.

The university’s Chief Information Officer Henry Torres said the database involved was the Traveling Arkansas Professional Pathways (TAPP) Registry. The registry is a system designed to track and facilitate training and continuing education for early childhood practitioners in Arkansas, according to Torres.

About 50,000 individuals could be impacted by the breach, but Torres said in the release that the university has no reports regarding illegal use of those files. Those individuals will be contacted about the breach as a precaution.

The TAPP program is not part of the university’s main database. The university stated only those who are in the program may be involved. It has been taken offline until a review is completed.

Torres said only a non-active portion of the data in the database contained full Social Security numbers, and it did not contain all users of the database.

Those impacted by the breach can call 1-855-363-1011 with any questions or go to www.astate.edu and click on the “identity theft” link.

Copyright 2014 KAIT. All rights reserved.

Article source: http://www.kait8.com/story/25654071/state-department-informs-arkansas-state-of-data-breach
