Archive for July, 2015

UConn Responds to Data Breach at School of Engineering

The University is responding to a criminal cyberintrusion through which hackers apparently originating in China gained access to servers at UConn’s School of Engineering. UConn has implemented a combination of measures intended to further protect the University from cyberattack, and to assist individuals and research partners whose data may have been exposed.

UConn IT security professionals, working with outside specialists, have no direct evidence that any data was removed from the School of Engineering’s servers. However, the University is proceeding from an abundance of caution by notifying roughly 200 research sponsors in government and private industry, as well as working to determine how many individuals need to be notified about a potential compromise of personal information.

“UConn places the highest priority on maintaining the security and integrity of its information technology systems,” said Michael Mundrane, Vice Provost and Chief Information Officer at UConn. “That’s why, in addition to assisting individuals and research partners in responding to this incident, we’re taking steps to further secure our systems.”

The security breach was first detected by IT staffers at the School of Engineering on March 9, 2015, when they found malicious software, or “malware,” on a number of servers that are part of the school’s technical infrastructure.

The School of Engineering immediately notified faculty, staff, students, visitors, and emeriti – as well as roughly 1,800 users of the Lync instant communication tool used across the University at the time – that their log-in credentials had potentially been compromised, and recommended that those individuals change their passwords.

The University’s Information Security Office, in collaboration with School of Engineering staff and Dell SecureWorks, worked to identify the extent of the breach, secure the affected systems, and prepare a comprehensive review and response.

As a result of that process, this week the University began notifying research partners in government and private industry about the breach. Although the University has no evidence that any data was taken from the servers, or “exfiltrated,” the notifications are part of an appropriate, prudent response.

As part of the ongoing process of analyzing the extent of the attack, the University believes that personally identifiable information of consumers may have also been compromised.  Those individuals whose sensitive information (such as Social Security numbers or credit card information) is determined to have potentially been compromised will be notified and provided with the option to enroll in identity protection services.

“The unfortunate reality is that these types of attacks are becoming more and more common,” Mundrane said, “which requires us to be even more vigilant in protecting our University community.”

Q&A

What happened?

In March 2015, information technology staffers at the UConn School of Engineering discovered malicious software on a number of servers that are part of the school’s technical infrastructure. This software potentially compromised data residing on these servers, including sensitive information pertaining to research and individual communications.

How did the University respond to this breach?

The University’s Information Security Office was immediately notified, and jointly began a process of investigation and remediation with the School of Engineering’s information technology staff. The school immediately notified faculty, staff, students, visitors, and emeriti, as well as roughly 1,800 users of the Lync instant communication tool, that their credentials were potentially compromised, recommended that anyone potentially affected reset their passwords, and surveyed the entire school to find out if any potentially sensitive or personal data was stored on the breached servers. The University subsequently brought in Dell SecureWorks to conduct a comprehensive incident response, including analysis of the cyberattack and a search for active threats that may have been missed in the initial response.

What did the investigation reveal?

Based on analysis done both internally by the University and by Dell SecureWorks, it was determined that the first penetration of a server on the School of Engineering network occurred on Sept. 24, 2013, with further penetration of the system occurring after that date. Although the University has no direct evidence that any data was exfiltrated, it is proceeding as if that were the case by notifying individuals with personal information that could have been compromised, as well as research partners outside the University.

How is the University assisting those whose data may have been compromised?

University officials are notifying individuals whose personally identifiable information could have been compromised by the security breach. Anyone who receives notification is eligible for enrollment in identity protection services at no cost for a year.

The University is also notifying approximately 200 public and private research sponsors who have executed contracts with School of Engineering faculty. Proceeding from an abundance of caution, UConn is notifying our research sponsors about the incident, although there is no direct evidence that research data was compromised.

What is the University doing to make its computer networks more secure?

Given the increasingly sophisticated threats against large organizations around the world, UConn has launched a comprehensive review of all related IT security practices and procedures. This review is part of a wider effort to protect University employees and sensitive data from attack.

Among the steps already taken are:

  • The access point for the attack was identified and the vulnerability patched;
  • All School of Engineering Active Directory passwords were reset;
  • Forensic analysis was conducted by internal security professionals as well as by an external firm;
  • All servers that contained any evidence of compromise were decommissioned and rebuilt;
  • More granular system firewall separation was implemented;
  • Account and system monitoring has been increased and tuned to identify any potential unauthorized access.

Article source: http://today.uconn.edu/2015/07/uconn-responds-to-data-breach-at-school-of-engineering/


7th Circuit Opens Door to Data Breach Class Actions

On July 20, 2015, the U.S. Court of Appeals for the 7th Circuit issued an opinion that could dramatically change the class action landscape for companies that are victims of hackers. In Remijas v. Neiman Marcus Gp., the 7th Circuit reversed the district court, ruling that Neiman Marcus (NM) customers whose credit card information was compromised had standing to bring a class action suit against the retailer.

Sometime in 2013, hackers attacked NM and stole the credit card numbers of its customers. In mid-December 2013, NM learned that approximately 350,000 cards were exposed to malware and that 9,200 of those cards were discovered to have been used fraudulently. In 2014, the plaintiffs—on behalf of the 350,000 other customers whose data may have been hacked—brought a suit for negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy and violation of multiple state data breach laws.

Upon a motion from NM, the district court dismissed for lack of standing for failure to show “injury in fact.”  The plaintiffs appealed, alleging (among other injuries) that their lost time and money resolving the fraudulent charges and protecting themselves against future identity theft, and their increased risk of future identity theft, amounted to concrete, particularized injuries.

The Remijas court agreed that these allegations were sufficient to confer standing. With regard to the potential for future harm, the court distinguished this type of data breach from the suspected privacy incursions in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013). Once a breach has occurred, plaintiffs are not required to “wait for the threatened harm to materialize in order to sue”—the breach itself amounts to a substantial risk of harm.

The 7th Circuit also found that a customer’s mitigation efforts taken after a breach, such as subscribing to a credit monitoring service, qualified as a concrete injury sufficient to confer standing. It therefore reversed the district court’s dismissal and remanded.

In dicta, the opinion took a dim view of some of the plaintiffs’ other asserted injuries. It declined to give weight to the argument that plaintiffs were harmed because they spent more on NM goods than they would have had they known that NM did not take the necessary precautions to secure their data. The court also refused to create a property right for plaintiffs’ “private information,” whereby they could be harmed even if they were automatically reimbursed and there was no risk of further use of the stolen information.

Although it was not a part of the district court’s decision, the Remijas court also ruled against NM’s causation argument that the harm could have been caused by another retailer—such as Target—who was subject to similar data breaches in 2013. In such a situation, it is a company’s burden to show that it is not the cause of the injury.

The 7th Circuit raised other questions for the district court to consider on remand, including the length of time that a potential victim is truly at risk of injury following a data breach. “The [Government Accountability Office] suggests at least one year, but more data may shed light on this question.”  Questions of causation and damages will dominate as more data breach class actions move past the motion-to-dismiss stage.

The Remijas decision highlights the dynamic litigation landscape for companies after data breaches. Federal courts across the country disagree on what is sufficient harm to confer standing, but the 7th Circuit has now opened the door to viable data breach class actions premised on the fear of future harm from identity theft. Now, companies may have just as much to fear from the plaintiff lawyers as they do from the hackers themselves.

Article source: http://www.jdsupra.com/legalnews/7th-circuit-opens-door-to-data-breach-12270/


St. Francis opens 24/7 hotline following data breach – WISH

INDIANAPOLIS (WISH) — Franciscan St. Francis Health has set up a 24-hour hotline to help those with questions about the recent data breach.

Federal authorities are investigating a data breach that has compromised personal information and medical records of an estimated 1.5 million people across Indiana.

Medical Informatics Engineering (MIE) has been notifying people on what to do next since learning about the breach. However, the numbers for MIE and Experian that were given out have been flooded with phone calls, causing long wait times.

St. Francis set up the 24/7 hotline in hopes of letting people with questions talk to a real person. They say they will keep the hotline open until the wait times improve for MIE and Experian.

The number is 1-888-438-3638. MIE is also offering free identity and credit protection services.

Article source: http://wishtv.com/2015/07/31/st-francis-opens-247-hotline-following-data-breach/


Suit filed in medical data breach

The ink was barely dry on patient notification letters when Medical Informatics Engineering Inc. was named the defendant in a lawsuit alleging that negligence contributed to the local company’s May data breach.

James Young, a patient whose medical information was compromised, filed the paperwork Wednesday in U.S. District Court in Fort Wayne.

The Indianapolis man is seeking to create a class action, which would allow others who had personal information stolen in the data breach to join the lawsuit and potentially receive a cash award.

Young alleges that MIE failed “to take adequate and reasonable measures to ensure its data systems were protected,” failed to stop the breach and failed to notify customers in a timely manner.

The Fort Wayne company publicly disclosed the cyberattack, which it says happened May 26, on June 10. The lawsuit alleges that the breach might have happened as early as May 7.

Reached late Thursday for comment, Jeff Donnell, an executive with the company, said by email, “We are aware of the suit, and we are currently reviewing it. Our primary focus at this time is on our response to those affected by this cyber attack.”

The Journal Gazette obtained the legal paperwork Thursday.

In an interview Wednesday morning, Donnell reviewed the timeline.

Monitoring systems on MIE’s computer network alerted staff to an unusually high load of activity on one computer server at 5 a.m. May 26, he said. Information technology staff shut down that server and notified company executives, as set out in the company’s incident response plan.

MIE executives alerted the FBI’s cyber squad the same day, Donnell said. While it was clear that the attack was sophisticated, the scope of the breach was not clear, he said.

Within 48 hours, the firm brought in cybercrime specialists, a law firm and an independent forensics company, recommended by its cyber insurance provider.

“These are experts who do this every single day,” Donnell said. “We worked with them to do the right thing at the right time.”

MIE consulted state and federal guidelines that specify how soon consumers must be notified, he said. It also notified the Federal Trade Commission, the Department of Health and Human Services and the offices of numerous state attorneys general.

After notifying client companies June 2, the firm made a public statement on June 10. But MIE waited to mail the almost 3.1 million notification letters to consumers until officials knew which individual patients were affected and to what degree each person’s private information was compromised.

MIE officials didn’t want patients who have visited more than one health care provider to receive multiple letters that might contradict each other on what information was left vulnerable, Donnell said.

For that reason, he said, the company waited until the analysis was completed and compiled before making individual notifications.

Letters started going out on July 17; the last ones were mailed July 25, Donnell said.

Young’s lawsuit is seeking payment of costs directly related to misuse of information taken in the theft and compensation for “the stress, nuisance, and annoyance of dealing with all issues resulting from the MIE data breach.”

Tom Markle, an employee benefits attorney and partner with local firm Barrett McNagny, said Young doesn’t stand to receive more money than millions of others affected by the data breach just because his might be the first filing to reach the court.

“There is no advantage to a plaintiff filing a lawsuit like this (as soon as possible),” he said.

Irwin B. Levin, who represents Young, is managing partner of Indianapolis law firm Cohen Malad LLP. In the document, Levin refers to himself as being “experienced in class-action and complex litigation.”

The lawsuit requests a jury trial. Although the amount of damages being sought isn’t specified, the lawsuit says the plaintiff expects a total award that exceeds $5 million before interest and other costs.


Article source: http://www.journalgazette.net/news/local/Suit-filed-in-medical-data-breach-7996011


‘Credit freeze’ could protect during data breach probe

Posted: Thursday, July 30, 2015 10:08 pm


Tribune-Star staff report


Indiana Attorney General Greg Zoeller has urged all Hoosiers to freeze their credit, as his office investigates a recent data breach on radiology records, possibly affecting Wabash Valley patients.

Zoeller’s advice came the day after UAP Clinic, which formerly contracted with the company whose computers were breached, said the alleged attackers may not have compromised as much of local patients’ information as first believed.

“People cannot sit back and assume they won’t become a victim of these crimes which are costly, time consuming to fix and can have a long-term impact on your financial stability and credit,” he said.

A credit freeze, he said, can help protect against identity theft and fraud.

Hoosiers can sign up for a free credit freeze with each of the three credit bureaus — TransUnion, Experian and Equifax. The person requesting the freeze can remove it at any time to apply for new credit or a loan.

A credit freeze, according to Wikipedia, “allows an individual to control how a U.S. consumer reporting agency (also known as credit bureau: Equifax, Experian, TransUnion, Innovis) is able to sell his or her data. The credit freeze locks the data at the consumer reporting agency until an individual gives permission for the release of the data.”

Medical Informatics Engineering of Fort Wayne announced last week that it discovered evidence of a “sophisticated cyber attack” on one of its computer servers in May. MIE read radiology images for UAP Clinic from mid-2006 to late 2011. UAP was known as APS Clinic until 2009.

An estimated 1.5 million Hoosiers and 3.9 million people nationwide may be affected by the cyber attack, Zoeller’s office stated in a news release Thursday.

The breach also impacted MIE subsidiary NoMore Clipboard, according to the attorney general’s office. Ten other health care providers and 44 radiology centers had records compromised, the news release stated.

UAP Clinic said its patients’ spousal information and medical lab results were not included in the breach, according to a Union Health System news release issued Wednesday. But the alleged attackers may have had access to Social Security numbers, health insurance policy details and other sensitive information for at least three weeks before MIE discovered the breach, according to the news release.

Fewer than 100 Social Security numbers are believed to be at risk, health system spokeswoman Djanedi Cardwell said this week, adding that it’s not yet clear how many individual patients could be victims of the breach.

Still, in a statement, Zoeller said the state was faced with “yet another massive data breach putting countless Hoosiers at risk of identity theft and fraud.”

The attorney general’s office also recommended Hoosiers closely monitor financial statements for any unusual activity and review and monitor credit reports to check for inaccuracies.

People can request a free credit report from each of the credit bureaus once a year by clicking on www.AnnualCreditReport.com.

Patients can confirm whether their information was breached by calling MIE at 866-328-1987. Anyone whose personal information was misused can file a complaint with the Federal Trade Commission at www.ftc.gov/idtheft.



Article source: http://www.tribstar.com/news/local_news/credit-freeze-could-protect-during-data-breach-probe/article_b0202571-b6af-5fa5-ba45-1dead7525cc3.html


Federal authorities investigate data breach affecting 1.5 million Hoosiers – WISH

INDIANAPOLIS (WISH) — Federal authorities are investigating a data breach that has compromised personal information and medical records of an estimated 1.5 million people across Indiana.

Medical Informatics Engineering (MIE) has been notifying people on what to do next since learning about the breach.

The company, based out of Fort Wayne, provides record services for 44 radiology centers and 11 healthcare providers.

The company said it discovered suspicious activity with a server on May 26 and soon learned hackers had unauthorized access to the network since May 7.

For almost two weeks, MIE has been sending out letters to people who may have had their personal and medical records stolen.

The company said the records include personal information, like home addresses, phone numbers, birth dates, Social Security numbers, and even details about health insurance policy and coverage.

Katherine Papke said she received a letter from the company earlier this week.

“It just seems like the more automated we get the worst it becomes,” said Katherine Papke, data breach victim.

Papke told 24-Hour News 8 her letter listed several healthcare providers, including Franciscan St. Francis Health.

She said she has been checking her financial statements and credit reports since for any unusual activity.

“I do the best I can to, you know, try to track it at least every couple of days,” said Papke. “Sometime it’s daily, but at least every couple of days just checking to make sure that nothing new is out there.”

A spokesperson for St. Francis Health says the hospital is contracted with MIE and is working to ensure the privacy of thousands of patients.

The hospital even launched a section on its website to keep patients up-to-date with the investigation.

“The data breaches of Anthem, there were no medical records released. These are very significant medical records, lab reports, people’s charts essentially online,” says Greg Zoeller, Indiana Attorney General’s Office. “So it does raise the same kind of fears that we warned against and have been worried about.”

Indiana State Attorney General Greg Zoeller says this breach is alarming because hackers now have access to medical records.

“We’re afraid that they will use them to defraud the government so they will be billing Medicaid or something like that,” said Zoeller. “That’s already been happening, we haven’t tracked it exactly who’s doing it or how.”

Zoeller says his agency will continue to monitor the situation in the coming weeks for any new updates.

“This is much more sophisticated, highly technological advanced, quite frankly organized crime,” said Zoeller. “We’re not talking about individuals, some computer hacker, these are people who are very well organized and sophisticated.”

In the meantime, Zoeller is hoping victims will take the next appropriate steps following the breach.

“Protect yourself the best you can and protecting your credit records,” said Zoeller. “People don’t understand that’s a valuable asset for the rest of your life.”

The Indiana Attorney General’s Office is recommending a credit freeze to prevent anyone from taking out a line of credit in your name.

MIE is also offering free identity and credit protection services.

Article source: http://wishtv.com/2015/07/30/federal-authorities-investigate-data-breach-affecting-1-5-million-hoosiers/


Government Debates Protections for Data Breach Victims

After two data breaches that affected more than 22 million federal employees of the Office of Personnel Management, government officials are fighting to get prolonged credit monitoring for current and retired workers.

Representative Steny Hoyer, a Democrat from Maryland and the House Minority Whip, has proposed a lifetime of credit monitoring, rather than the three years of protection that has already been approved. He feels thieves can use the stolen information for a lifetime so those affected by the hacks should have credit monitoring for the rest of their lives.

Just last week, a Senate panel agreed to provide 10 years of credit monitoring and at least $5 million in liability protection for related damages to those affected workers.

“We’re going to have a very high degree of energy in the delegation–Republicans and Democrats–trying to make sure the energy and focus are applied to solving this problem and ensuring that our information is safe,” said Hoyer.

There is no guarantee that Congress will approve a lifetime of protection for affected employees, especially considering the cost involved with such an undertaking.

“Nobody anticipated this,” commented Hoyer. “It’s not something you could budget for.”

Article source: http://www.lowcards.com/government-debates-protections-data-breach-victims-35194


PSC to OPM: Protect all affected by data breach


The Professional Services Council is urging the Office of Personnel Management to protect the 21.5 million affected by the second OPM data breach.

“Unfortunately, it has now been more than four weeks since the first public release of the existence of the second breach and still no notifications have been sent out,” said PSC president and CEO Stan Soloway in a release.

OPM said in a July 27 announcement that it will not have a protection plan until the middle of August.

The delay is “unacceptable,” Soloway said. “Contractors and other affected individuals should be treated the same as the 4.1 million federal employees/former federal employees covered by the first data breach, who were notified within days of being affected and provided protections immediately.”  

Soloway and PSC recommended also that OPM consider using existing contracts to provide interim 18-month coverage while a longer-term solution is solicited and awarded.

About the Author


Mark Hoover is a senior staff writer with Washington Technology. You can connect with him on Twitter at @mhooverWT.

Article source: http://washingtontechnology.com/articles/2015/07/30/psc-opm-breach.aspx


Hanes Website Is The Latest, Oddest Victim Of Data Breach

To be honest, we had no idea that you could buy Hanes underwear (and socks, shirts, etc.) from the Hanes website, mostly because we’d never really thought to look at the Hanes website. But if you have been shopping at Hanes.com — and potentially at other sites in the Hanes Brands catalog — some of your information may have been compromised.

A Consumerist reader forwarded us the above e-mail from HanesBrand exec David Thompson, letting customers know that the breach may have exposed personal info like name, address, phone number, along with the last 4 digits of the credit card on the account.

The company says it has fixed the leak, but is taking questions via its customer service line at (800) 503-6681.

A rep for Hanes Brand confirms that the e-mail above is genuine and explains that the breach involved the e-commerce platform underlying all Hanes Brands websites.

The Hanes Brand umbrella includes a wide variety of apparel companies, including L’eggs, Playtex, Wonderbra, Champion, and Maidenform.

Article source: http://consumerist.com/2015/07/30/hanes-website-is-the-latest-oddest-victim-of-data-breach/


NC attorney general: Data breaches occurring at ‘alarming rate’

Data breaches are happening at an “alarming rate” these days with the development of new technology, and North Carolina officials say there are ways to protect one’s identity before it’s too late.

Speaking Thursday at the Better Business Bureau in Ballantyne, N.C. Attorney General Roy Cooper said identity theft costs the national economy billions of dollars and can cost individuals not just money but also their security and creditworthiness.

Identity theft occurs when someone steals your personal information, pretends to be you and commits fraud in your name. The Attorney General’s Office estimates that about 400,000 North Carolinians are victims of identity theft each year.

More than 7,200 breaches involving information of more than 7.2 million North Carolina consumers have been reported to the Attorney General’s Office since 2005, when a state law took effect that requires businesses and government agencies to report breaches.

Two such consumers are Diana and Lee Rainey, residents of Charlotte for more than three decades. A hacker this year somehow obtained the Raineys’ personal information to file a tax return in Lee Rainey’s name. The two quickly filed a police report and informed the Internal Revenue Service and major credit bureaus about the breach.

The Raineys consider themselves lucky to have caught the breach early, adding that the only notable inconvenience now is waiting for their IRS refund check.

The BBB and Cooper’s office say “one of the best ways” consumers can protect against ID theft is by using a security freeze, which blocks access to credit history without explicit permission, meaning a criminal who has stolen someone’s identity wouldn’t be able to use it to open accounts.

To combat the identity theft of children, both the BBB and Cooper’s office support N.C. House Bill 607, which would require major credit bureaus to create and freeze a child’s credit report when requested by a parent. The proposed law passed the N.C. Senate on Monday.

“No one knows about (identity theft) until that child becomes of age and applies for that first credit card and boom – they find they have been a victim of identity theft, they have bad credit when they haven’t done anything,” Cooper said.

Identity theft is difficult to track on a year-to-year basis, because it’s an underreported crime, and when it is reported, sometimes it is years after the initial breach, said Noelle Talley, the state attorney general’s public information officer.

Still, security breaches – from stolen laptops to hacking – can give identity thieves access to personal information such as Social Security numbers and bank account information, Talley said.

Figures from the N.C. Attorney General’s Office show that already in 2015, the personal data of some 1.1 million state residents has been compromised by security breaches – much of that from the breach targeting health insurer Anthem, which affected more than 775,000 North Carolina customers. That figure is up from just over 380,000 affected statewide in 2014 and 1.56 million in 2013, when the Target data breach occurred.

Cooper said taking action right away after a breach is imperative.

“The longer it goes without doing something about it, the more problems you have, the more debt that has built up and the more difficult it is to prove the negative: ‘I did not do this,’” Cooper said.

Tom Bartholomy, president of Charlotte’s BBB, outlined several ways to “virtually and physically” protect against identity theft, including shredding personal documents, using unique passwords, checking your credit report regularly and setting up bank alerts.

Consumers can find more information on ID theft at www.ncdoj.gov or by calling 877-5-NO-SCAM (566-7226).

Article source: http://www.charlotteobserver.com/news/business/article29568334.html
