Roundup: October Shaping Up To Be the Month of Innumerable Breaches
By Jennifer L. Saunders, CIPP/US
Headline after headline, the news is similar if not the same: PII lost, stolen or compromised through human error. And amidst October’s onslaught of breach reports from across the globe, the world’s premiere search engine is acknowledging just how devastating a breach of its data could be.
“If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said.
However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.”
This comes after last week’s report of a hack affecting 2.9 million Adobe customers and the company’s move this week to reset relevant customer passwords and notify “customers whose credit or debit card information may have been compromised.”
And, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld has reported on Microsoft’s recycling of old addresses.
The most recent reports follow multiple headlines during the first week of October on breaches at schools and health providers—including claims from a New Orleans teachers' union that employee privacy rights were violated when a school system purchased a full-page ad to congratulate 1,113 educators by name and health data breaches in Illinois, California and Iowa.
Healthcare Breaches Abound
This week, HealthITSecurity reports on Tennessee-based Hope Family Health’s loss via theft of an unencrypted laptop holding personal information on 8,000 patients treated between 2005 and August of this year. The company’s chief compliance officer has said the information was “fingerprint- and password-protected; however, it was not encrypted.” The laptop has not been recovered, the report states, noting that while Hope is not offering patients a year of free credit monitoring, as is often done in similar breach cases, it has “augmented security by moving all protected health information over to a state-of-the-art encrypted database server.”
In another health data breach incident, Saint Louis University (SLU) is reporting an incident affecting 3,000 patients after “a few SLU employees gave out their account information by mistake as part of a phishing scam e-mail they received.” The scam resulted in the unauthorized access of “about 20 SLU e-mail accounts that held protected health information of about 3,000 people and about 200 Social Security numbers as well. SLU’s EHR system was not accessed through the scam and, according to the spokesman, employees’ financial information was the main target of the scam,” the report states, noting SLU is offering free credit monitoring and identity protection services to those affected by the breach.
Pennsylvania-based Rothman Institute has announced an internal breach of patient data after a former employee removed copies of patient schedules—including such data as patient names, telephone numbers, dates of birth, date and time of appointments and reasons for visits—without permission. The institute is offering a free year of credit monitoring as a precaution, Press of Atlantic City reports.
And North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail.
In Canada, the Region of Peel is notifying 18,000 clients of a breach involving the theft of a digital card containing “the names, addresses, birth dates/ages, marital status and assessment information of clients” from the region’s Healthy Babies Healthy Children program, Brampton Guardian reports.
In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period.
In early October, Krebs on Security reported “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center.
California-based PayJunction has been notifying “an undisclosed number of its sales agents that their names, Social Security numbers and bank account numbers may have been exposed when a data backup of an internal business system was inappropriately accessed.” The company learned of the unauthorized access in late September, eSecurity Planet reports this week, but the access occurred in July. The company has notified law enforcement and is offering those affected one year of free identity protection, the report states.
In Alabama, Colonial Properties Trust is notifying customers “that their names and Social Security numbers may have been accessed when Colonial's network was infected with malware” in April and May of this year.
The Florida ACLU is “looking into privacy policies at the Sarasota Police Department after a news release included the names of five women whose identities should have been protected under health privacy laws,” Herald-Tribune reports. The release included the names and birthdates of five women detained during an undercover operation. It was followed by an e-mail “asking the names of the women not be released on media outlets or websites at this time.” The Florida ACLU contends the names should have been protected under HIPAA “because the women are seeking medical attention for substance abuse,” the report states.
In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner's Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff.
And in New Zealand, amidst reports of high-profile data breaches in recent years and plans to expand the practice of sharing private information about New Zealanders between government departments, Labour Leader and Information and Communications Technology spokesperson David Cunliffe is calling for strict rules around data sharing, noting the government has a “terrible record of protecting personal information,” The New Zealand Herald reports.
In the Courts
Meanwhile, in data breach-related litigation, Barnes & Noble has urged a federal judge “to nix a revamped putative class-action over a security breach that affected PIN pad devices in 63 of its stores, arguing the allegations are ‘virtually identical’ to the ones that were dismissed last month,” Law360 reports. A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action.
In Vermont, Natural Provisions has agreed to pay $30,000 to settle a violation of state data breach laws, Mondaq reports.
And a former South Carolina Department of Health and Human Services employee, Christopher Lykes Jr., has pleaded guilty “to four counts of willful examination of private records by a public employee and one count of criminal conspiracy.” The incident involved the compilation of more than 228,000 Medicaid patients' personal information on a spreadsheet that he sent to his private e-mail, The Associated Press reports, noting Lykes faces a potential sentence of 25 years in prison.
What To Do
If there is a bright side to all these breach reports, perhaps it comes in the number of experts weighing in with tips to help others avoid mistakes that can come at a high cost not only in terms of the bottom line, but also for the brand.
UCLA Health System Chief Compliance Officer Marti Arvin, for example, offered extensive tips for complying with the final Health Insurance Portability and Accountability Act omnibus rule at a recent event in Baltimore, MD, reported here by Bloomberg BNA.
And, an InformationWeek feature suggests “lessons learned from a data breach—embarrassing publicity and all—are sometimes the most enlightening because they show you how to fix security holes.”
Read more by Jen Saunders:
Clapper Offers NSA Explanations; Criticism, Concerns Abound
Roundup: NSA, UK Fallout Persists
NSA and Legislative Breach Implications, New Breach Announcements: A Roundup
GPEN Concludes Its First Internet Privacy Sweep