Privacy Advisor

This Week in Breach Roundup

October 21, 2013

By Angelique Carson, CIPP/US

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said.

That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week. 

Healthcare Breaches

Many of the breaches affected hospitals. Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in California. An employee in the hospital’s records department illegally obtained a patient’s medical file. The employee was subsequently fired. In the same state, the Legal Aid Society of San Mateo County is alerting patients of the burglary of 10 laptops containing personal data. The laptops were used by attorneys helping patients with healthcare services, and the data compromised may have contained medical data and Social Security numbers, HealthITSecurity reports.

In Florida, Broward Health is warning 960 patients about a data breach after a former employee stole their personal information. Wisconsin’s Memorial Hospital of Lafayette County has posted a notice on its website that it mailed 8,000 data breach notification letters after its third-party billing vendor accidentally sent their financial statements to the wrong people. In Virginia, two former nurse’s aides improperly accessed about 3,700 patients’ personal information in an identity theft scam, netting more than $116,000, The Virginian-Pilot reports.

An investigation by the Pittsburgh Tribune-Review has found employees or contractors committed more than 14,000 HIPAA privacy breaches since 2010, iHealthBeat reports. The breaches affected more than 100,000 veterans and more than 500 VA employees.

Breaches Announced or Investigated

California’s Monterey County Department of Social Services has recently begun notifying residents that their personal data may have been exposed following access to the department’s computer by unauthorized users overseas.

An IT security vulnerability was found on News Corp’s major metropolitan websites in Australia, The Sydney Morning Herald reports. The details exposed include birthdate, e-mail address, number of children and household income.

PR Newswire is “conducting an extensive investigation” and has notified law enforcement over a breach earlier this year in which hackers broke into its networks, stealing usernames and encrypted passwords. The stolen data was recently found on the same Internet servers housing data stolen in an Adobe Systems breach, Krebs on Security reports, indicating the same party may be responsible for both breaches.

In South Africa, a variant of malware inserted into point-of-sale devices at South African fast-food outlets has cost local banks tens of millions, Mail & Guardian reports.

Settlements and Pending Court Cases

Following a probe by the UK Information Commissioner’s Office (ICO) into Panasonic UK’s data security policies, the company has agreed to strengthen its data security practices. The ICO will not serve an enforcement notice based on Panasonic’s plans.

Symantec Corp. is asking a federal court in California to toss out a proposed class action. The plaintiff in the case accuses Symantec of concealing a data breach and says the company is now raising “unavailing or scattershot arguments” in its aims to see the case dismissed.

Meanwhile, an article for CFO warns companies should do their due diligence before entering contract negotiations with cloud providers in order to avoid data-breach liability claims.

Read More by Angelique Carson:
Baker: The Grandfather of Privacy Was A Fogey
Changing Tactics: The Rise of the Privacy Advocates
How Should Your Firm Respond to the NSA Fallout?
Survey: Users More Afraid of Peers than Gov’t When It Comes to Data Access