Category Archives: Data Breach (Financial, Education, Business, Government, Healthcare)

Commentary on significant data losses due to data breaches


Prevendra - Ameriprise Financial

Financial Advisor at Ameriprise exposes millions in assets via NAS

Do you use a financial advisor? I do, and I recommend mine to others without reservation. Part of that recommendation comes from the manner in which the account data is secured, which provides me more than a modicum of assurance that the folks managing my money are not asleep at the switch when it comes to protecting my identity (and thus my assets).

Most financial firms of note have in place good to adequate security. And yes, like every industry, convenience is sometimes sacrificed (a little) to provide the level of security necessary to ensure your data is protected. The convenience factor is a two-way street.

You the consumer need to have access to your own information and accounts; your financial advisor also needs access to your information and accounts. If either of you get lazy and bypass the established security and privacy implementations, then your data is being placed at risk.

And this is exactly what happened in the case reported as "Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accounts", though it appears that Ameriprise and the advisor are at odds on what constitutes security. From our optic, both failed! The NAS (Network Attached Storage) device which housed the backup data of the financial advisor had no security implementation in place.

The financial advisor apparently backed up his clients' data to an unsecured NAS. The advisor's clients' data were included in the repository: not just the client accounts with Ameriprise, but all their accounts and their passwords, exposed for anyone who knows how to scan the internet (Shodan was used in this instance) to see. What exactly was available for harvesting? Here are two screenshots.

The first screenshot details the internal account details of the clients. The portions which would expose the individual accounts of the client and the access credentials have been redacted, and the password column omitted. In few words, a total compromise of the clients' financial accounts occurred.

Prevendra - Ameriprise Compromise 2

The second screenshot provided by the security researcher Chris Vickery is the questionnaire the financial advisor provides to Ameriprise in which data handling is discussed. 
Prevendra - Ameriprise Compromise

What to ask your financial advisor?

The financial industry is high on the threat list for lucrative harvesting by cyber criminals; we don't need to entrust our fiscal assets to those who aren't interested in protecting those assets.

Use the considerable assets of FINRA to fact check and augment your knowledge of the financial advisory industry and best practices. FINRA is there to protect you the investor and their tip-sheet (2 page pdf: Keeping Your Account Secure) is a good primer.

When engaging with your financial advisor ask some pointed questions on how your data is protected and secured!

  • Do you transmit my account data via unencrypted email? (Are they attaching a .pdf and winging it to you?)
  • Personal information forms and medical data for annuities, life insurance, etc. where are they physically stored?
  • How are they protected?
  • My external accounts (bank, brokerage, etc.) how is that data protected?
  • Who has access to my online account? Financial advisor? Supervisors? Analysts? (The more who have access the more opportunities to lose or misuse your data)

If you don’t like the answers, or if there are no answers, find a new advisor.

Prevendra: Ransomware

Ransomware: Attack and Resolution

Companies continue to fall victim to ransomware* on a regular basis. According to an IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”, 70 percent of companies who have fallen victim to ransomware have paid the ransom. The FBI tells us the typical ransom paid is in the range of $200 to $10,000, with some notable cases of ransoms moving well into five, six and seven digit ranges. With a 70 percent success rate, one understands why the cyber criminal community is doubling down on ransomware as the malware of choice.

What to Report to Law Enforcement (FBI: Alert Number I-091516-PSA)

The FBI requests victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center.

  • Date of Infection
  • Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  • Requested Ransom Amount
  • Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement
  • Don’t Pay a Ransom

IT departments are charged with ensuring that their entity’s infrastructure is accessible by those who use the systems; that data is secure and protected, with access limited to those who have a need to know; and that the information within the system is trustworthy and accurate. Planning for a ransomware attack is a must.

Don’t Pay Ransomware

But what of the companies and entities who decline to pay a ransom? How do they fare?

The ransomware event certainly creates havoc and expense. In some cases, preparedness and remediation exceeds the cost of the ransom. If you do not have cold-storage of your backups, you may lose your data permanently.

The San Francisco Municipal Transit Agency (SFMTA) recently fell victim to ransomware which impacted over 900 office computers. Once discovered, the SFMTA put into action their crisis management plan, and according to the SFMTA, they turned off the ticket machines (as a precaution), and opened up fare-gates. The SFMTA service was not disrupted, though riders rode for free as the IT team assessed the situation. Once the scope and nature of the event was determined, the SFMTA began restoring the affected devices. The SFMTA did not pay the ransom of $73,000 in bitcoins which was demanded, they had a plan and they executed the plan. (Source: Update on SFMTA Ransomware Attack | SFMTA )

Prepare for ransomware

Put in place a regimented process with respect to your data and infrastructure. Both the FBI and IBM links provided are full of useful tips on putting one’s house in order. As the Cisco video above details, ransomware is a criminal enterprise and you and your business must be prepared.

In addition, every entity (and individual) should be familiar with “No More Ransom”, a public-private resource which was initially created by Interpol, Kaspersky and Intel Security, and now includes a number of national Cyber Emergency Response Teams and multiple information security companies, and has blossomed into a multi-lingual global resource. Their mission is to disarm the cyber criminals. They provide free software to remove ransomware from devices, servers, etc.


Here are the recommendations from No More Ransom:

  1. Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
  2. Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.
  3. Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
  4. Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
  5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
  6. If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.

 


Additional Reading:

IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”


*Ransomware: Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site. (Source FBI)

Disclosure:  Christopher Burgess is a paid content contributor to IBM’s Security Intelligence Blog


Prevendra: Madison Square Garden

Madison Square Garden customer payment cards harvested

On 22 November, Madison Square Garden Company (The Garden) began notifying their customers that a breach of the point of sale (POS) system had occurred. Customers who purchased goods at merchandise and food concessions at The Garden’s various properties during the period 09 November 2015 – 24 October 2016 may be affected.

Properties affected

  • Madison Square Garden,
  • The Theater at Madison Square Garden,
  • Radio City Music Hall,
  • Beacon Theatre, and
  • The Chicago Theatre

Data exposed

The data contained in the magnetic stripe on the back of payment cards swiped in person:

  • credit card numbers,
  • card holder names,
  • expiration dates,
  • and internal verification codes


I visited The Garden, what now?

If you visited any of the above venues during the window of criminal exposure and purchased something from one of the concessions (merchandise or food) and paid for it with a payment card (credit or debit), then The Garden recommends the following:  Potentially affected customers are advised to remain vigilant by regularly reviewing their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card. 

Prevendra: Madison Square Garden ticker

The Garden continues in a separate piece, solidifying the sense that you, the consumer, together with your credit/debit card issuer, are on your own: a multi-page document repeating the data surrounding their year-long breach and then walking you through basic steps of monitoring one’s credit cards, putting freezes on credit reports, etc.

This breach appears to have had little effect on the company’s valuation, as the market price of The Garden stock went up, even though the last newsworthy item was about this very incident. What is missing from The Garden’s statements? How many consumers are affected?

But is this unique to The Garden? No. Consumers will remember and may have been affected by the POS breaches of Target, Home Depot, Wendy’s, Dairy Queen, Neiman Marcus, Eddie Bauer, HIE Hotels, and every entity using Oracle’s Micros POS system. From 2013, through 2014, 2015 and now 2016, POS systems are being compromised at a regular cadence.

I’m a retailer, what now?

Every retailer who has a POS system, be it controlled by their own IT team or via a third-party vendor, should hold those responsible for assuring the security and privacy of the consumer’s information, accountable. The POS is where the consumer exchanges their credit/debit card for the retailer’s goods, and the consumer should not have to worry if the retailer is information security savvy or not, but they should. If your business doesn’t understand the technology or the systems being discussed, then take a moment, and educate yourself either via the plethora of materials available on POS systems, or by engaging any number of reputable security and privacy consultants, to do a data flow audit to ensure the portion of the financial transaction occurring on your premises is secure.

 

 

Prevendra - MSU data breach

MSU data breach: Database with 400,000 records accessed

Michigan State University (MSU) has confirmed that on Nov. 13 an unauthorized party gained access to an MSU server containing certain sensitive data, which included the personal identifying information of 400,000 individuals. The MSU data breach was characterized by MSU President Lou Anna K. Simon as a “criminal act in which unauthorized users gained access to our computer and data systems”.

Simon continued, “Only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access. However, as a precaution, we will provide credit monitoring and ID theft services for any member of our community who may have been impacted by this criminal act.”

MSU data breach

According to MSU, the database which was accessed contained the 400,000 records, each containing PII of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, or were students between 1991 and 2016:

  • Names
  • Social Security Numbers
  • MSU identification numbers
  • Birth Dates

MSU noted that the compromised records did not contain passwords, financial, academic, contact, gift or health information. Apparently the information technology (IT) and information security (INFOSEC) teams had in place the ability to determine which records were opened during the period of “unauthorized access”, and confirmed that 449 of the 400,000 were accessed by the unauthorized party.

Furthermore, unlike many instances where a data breach causes paralysis within the entity, the MSU data breach shows us the presence of an INFOSEC team, having a plan, and executing on that plan.
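The distinction MSU drew, 449 records opened versus 400,000 reachable, is only possible if access to the database is logged and someone can query that log. As an added illustration (not part of the original post and not MSU's actual tooling), the following Python reads constructed, pipe-separated audit lines, treats any activity from outside an assumed trusted client range as the unauthorized session, and reports exactly which records that session read, the principal it used and the time window involved. The log format, the trusted network and the sample lines are all assumptions for the example.

```python
"""Audit-log review: which records did an unauthorized session actually open?

Added example, not MSU's tooling. The log format (pipe-separated fields), the
trusted client range and the sample lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit lines: timestamp | principal | source IP | action | record id
SAMPLE_AUDIT_LOG = """\
2016-11-13T02:14:07Z|svc-report|10.20.0.5|SELECT|rec-000101
2016-11-13T02:14:09Z|svc-report|10.20.0.5|SELECT|rec-000102
2016-11-13T03:41:55Z|dbadmin|198.51.100.23|LOGIN|-
2016-11-13T03:42:01Z|dbadmin|198.51.100.23|SELECT|rec-000977
2016-11-13T03:42:03Z|dbadmin|198.51.100.23|SELECT|rec-001204
2016-11-13T03:42:09Z|dbadmin|198.51.100.23|SELECT|rec-000977
2016-11-13T03:45:10Z|dbadmin|198.51.100.23|LOGOUT|-
2016-11-13T09:00:12Z|hr-user|10.20.1.44|SELECT|rec-000555
"""

# Assumption: legitimate database clients live on this internal range.
TRUSTED_NETWORKS = (ipaddress.ip_network("10.20.0.0/16"),)


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    principal: str
    source_ip: str
    action: str
    record_id: str  # "-" for events that touch no record (login/logout)


def parse_audit_log(text):
    """Parse pipe-separated audit lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 5:
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(ts, fields[1], fields[2], fields[3], fields[4]))
    return events


def is_trusted(source_ip, networks=TRUSTED_NETWORKS):
    """True when the client address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def summarize_exposure(text, networks=TRUSTED_NETWORKS):
    """Report what untrusted sources actually read: distinct record ids, the
    principal(s) used, the source addresses and the time window of the activity."""
    suspect = [e for e in parse_audit_log(text) if not is_trusted(e.source_ip, networks)]
    # Only reads of a concrete record count; logins and logouts carry "-".
    reads = {e.record_id for e in suspect if e.action == "SELECT" and e.record_id != "-"}
    window = (min(e.ts for e in suspect), max(e.ts for e in suspect)) if suspect else None
    return {
        "records_accessed": sorted(reads),
        "principals": sorted({e.principal for e in suspect}),
        "source_ips": sorted({e.source_ip for e in suspect}),
        "window": window,
    }


if __name__ == "__main__":
    result = summarize_exposure(SAMPLE_AUDIT_LOG)
    print(f"{len(result['records_accessed'])} distinct record(s) read from untrusted sources")
    for key, value in result.items():
        print(f"  {key}: {value}")
```

Two design points matter for a real deployment: the log must be written by the database or application, not by the client that is being investigated, and record identifiers must appear in it, otherwise the only honest answer after an incident is "everything the account could reach", which is the 400,000 figure rather than the 449.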

Education as a target

The education sector is and always will be a lucrative target for both unscrupulous entities and nation states. The information desired ranges from the PII targeted and captured in this instance, for current or future use in making an approach to an individual, to the advanced transformative research being conducted at the college or university. The need to lock down the infrastructure across academia remains challenging. According to the 2016 Vormetric Data Threat Report, the number one shortcoming in the implementation of cybersecurity infrastructure within the educational sector is the lack of skilled IT/INFOSEC staff.

In 2015, NBC News produced a short piece on the targeting of the online infrastructure of the educational sector. The salient data points within the video remain as true today (2016) as they did when the piece was pulled together.

Prevendra Privacy

Data Breaches again at Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ)

Prevendra - Horizon Blue Cross Blue Shield - Data breach 2013

It seems health insurer Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ) can’t catch a break. During the course of 2015 (1,100 affected) and 2016 (170,000 affected), they have had two more incidents which compromised or placed at risk the protected health information or the personal identifying information of their insured. In December 2013, we commented on how Horizon had suffered two separate data breaches in the course of five years (2013 and 2008), with the 2013 breach ending up affecting 839,711 individuals.

Privacy breach incident in 2016

In late-October/early-November, Horizon BCBSNJ informed approximately 170,000 of their insured that they may have received the “explanation of benefits” (EOB) for someone else within the Horizon BCBSNJ system, and that their own EOB may have also been mishandled. According to NJ.com, a vendor of Horizon BCBSNJ made a clerical or program error which caused a mix-up, sending the individual EOB statements on their errant way to the wrong Horizon BCBSNJ members. A statement attributed to the insurer is quoted as saying, “names, policy numbers and the physician information of other policy holders … and …  no social security numbers, financial information, addresses or dates of birth were included on the statements, (the letters) may include member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name,”

For those familiar with reading EOBs, the description of service and service codes can be cross-referenced to determine what ailment you were being treated for by the medical professional. Back in the day of ICD-9, the codes were very broad, but now that ICD-10 is in use, the descriptions and codes are much more granular. While this compromise, caused by a vendor error, may in the end not cause incidents of identity theft or fraud, what it did do is put very sensitive and personal PHI and PII in the hands of one’s neighbors (given all recipients were within the same geographic area served by Horizon BCBSNJ).

Imagine showing up at a PTA meeting and introducing yourself, only to have an individual approach you afterwards and identify themselves as having received your EOB and then making an inquiry about your health, with the specificity provided within the EOB.


Fraud incident in 2015

In a poorly formatted and densely worded statement, Horizon BCBSNJ said: “On July 30, 2015, we learned that some of our members’ personal information may have been accessed due to fraudulent activity.  Horizon BCBSNJ’s Special Investigations Unit discovered that several perpetrators falsely established themselves as doctors or other healthcare professionals and obtained Horizon BCBSNJ member identification numbers, and potentially other personal information, through methods typically only available to legitimate doctors and healthcare professionals.” The perpetrators went on to make false claims to Horizon BCBSNJ for goods and services supposedly provided to members of Horizon BCBSNJ’s insured population. According to NJ.com, this fraudulent activity affected approximately 1,100 of Horizon BCBSNJ’s insured.

The Horizon BCBSNJ data compromised included the following data points:

  • name
  • date of birth
  • gender
  • member ID number
  • mailing address.

They close out their statement with the admonishment that the insured are the line of defense in protecting Horizon BCBSNJ against fraud: “As always, you should review your Explanation of Benefits (EOB) statements and medical bills, and report any suspicious activity to Horizon BCBSNJ.”


While Horizon BCBSNJ has had a non-stop string of privacy and information security incidents, they are not alone. All in the healthcare industry must lean in and ensure they have in place processes and procedures which adhere to the HIPAA physical and technical safeguards.

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance

  • Physical Safeguards
    Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
  • Technical Safeguards
    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Prevendra: Prevent data breaches

Data breach – Are you prepared? Most are not.

According to the new survey conducted by the Ponemon Institute on behalf of Experian, companies are complacent and lack confidence when it comes to data breach preparedness. A result which I found to be most astounding given the fact that every day we read of yet another company, institute, organization or governmental entity experiencing a data breach.  The study, “Is Your Company Ready for a Big Data Breach?” (registration wall), highlights the good and the bad which the surveyed companies declared. Pulling from the Experian press release:

The Bad

  • Among those organizations surveyed that do not practice their plan (26%), a majority (64%) don’t practice because it is not a priority.
  • Only 38% of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40% have no plans to purchase one.
  • Less than half (46%) of survey respondents have integrated response plans into their business continuity plans, and only 12% meet with law enforcement or state regulators in advance of an incident.
  • Only 39% of organizations surveyed practice their plan at least twice a year.

The Good

  • 58% of surveyed organizations (compared with 48% in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
  • 61% of surveyed organizations (compared with 44% in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
  • Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71%), gift cards (45%), and discounts on products or services (40%).

But there’s more

Prevendra - Experian data breach report figure 13

Data breach preparedness is severely hampered, as the IT teams have little or no visibility. A full 73 percent of respondents lamented that their IT teams lacked visibility into end-user access of sensitive and confidential information. Really? If the IT team does not have visibility into how the end-user is accessing the company’s sensitive and confidential data, who does? In these entities, does the leadership ordain it’s every man or woman for themselves? Where is the security architecture demonstrating to the data custodians the state of their data with respect to security and privacy at all times? As we come to the end of 2016, this has long been table stakes for any entity involved in retaining or processing personal identifying information (PII).

The survey went on to show how the financial service industry was the most egregious and experienced 19 percent of the breaches within the population of the survey respondents, with the public sector following.

We can do better

What I found most disturbing though, was the lack of C-suite support, coupled with the lack of expertise addressing the protection of the sensitive and confidential data. Thus the C-suites choose to lead with their chins as they embrace the age-old infosec technique called, luck.

Therefore, we are forced to admonish any and all entities: do not collect what you can’t protect. Do not rely on obscurity as a viable defense. Do not assume that because your company is small in size the PII in your possession, for employees, partners or customers, does not have value. And finally, do not allow any third party access to your data until you understand how they are accessing this data and how they are protecting your data. Do be a part of the 40 percent of respondents who wanted to know if a material breach occurs, and if you are the CISO, head of IT or CSO, please do ensure your board is aware of the security threats facing the company.

To do nothing is not an option. If you need help, reach out to the security, privacy and intelligence professional of your choice.

Data Breach – Horizon Blue Cross – two data breaches in five years

Looking for information about the 2016 mis-mailing of EOBs to Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) members? Read-> Data Breaches Again at Horizon BCBSNJ

Prevendra: Horizon Blue Cross Blue Shield data breach


Horizon Blue Cross Blue Shield of New Jersey – Two data breaches in five years.

[Updated 18 December 2013*]

Earlier this week 839,711 members of Horizon Blue Cross Blue Shield of New Jersey received an early lump of coal, news that their information had been compromised by their healthcare insurer.

The breach of 2013:  
The statement issued by Horizon noted that two laptops, stolen from their offices between 1 and 4 November 2013, contained the personal identifying information (PII) and protected health information (PHI) of a number of Horizon Blue Cross Blue Shield insured. Interestingly, they make a point of mentioning that the laptops were cable-locked to the desks (a good physical security technique which does deter walk-by theft of devices, but offers little deterrence to a thief with time). Alas, while the physical security deterrent was in place, the data itself was not protected to the standard healthcare data protection methods required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules (see below for the excerpt from the Health and Human Services (HHS) HIPAA site). The press piece goes on to say, “Horizon BCBSNJ continues to work with law enforcement to locate the laptops. To prevent a similar incident from happening in the future, Horizon BCBSNJ is strengthening encryption processes and enhancing its policies, procedures and staff education regarding the security of company property and member information.”

In each of the 2013 breach notification letters (Horizon Blue Cross has crafted three separate letters) the individual is provided with a wealth of data, including the admonishment: “If you identify medical services listed on your explanation of benefits that you did not receive, please contact us immediately.” Such is indicative of an understanding on the part of Horizon Blue Cross of the very real possibility of Medical Identity Theft.

The breach of 2008:
In January 2008, InformationWeek magazine reported the data breach at Horizon BCBS of New Jersey involving yet another stolen laptop computer:

“Horizon Blue Cross Blue Shield of New Jersey has notified its members that an employee laptop computer containing personal information — including Social Security numbers — for about 300,000 individuals was stolen in early January… On its Web site, the company says a “security feature was initiated” on Jan. 28 that “destroys all the data on the stolen computer.” Horizon Blue Cross Blue Shield of New Jersey says the personal information contained on the computer also included names and addresses of members, but no medical data.”

Event amnesia?
The Horizon spokesperson in 2008, quoted by Information Week, noted the existence of a “security feature” which destroys all the data on the stolen computer. Furthermore, the event of 2008, only involved PII and not PHI. Fast forward to 2013, and two laptops are stolen from within the offices. The information security team no doubt had appropriate policies in place to protect PII and PHI subsequent to the 2008 breach, but the implementation side of the equation appears to have encountered what many entities encounter, lack of situational awareness with respect to where and how PII and PHI, the crown jewels and most sensitive of data was stored.

Preventing the next breach?
Questions which immediately come to mind: Is Horizon Blue Cross, or any other organization which handles PII and PHI, able to scan across all devices to determine the existence of PII or PHI stored in an unprotected manner? Any number of the commercial off the shelf (COTS) Data Loss Prevention software packages would have been less expensive than the breach remediation exercise in which they are now engaged.

The SANS Institute published a Data Loss Prevention worksheet (sponsored by McAfee and crafted in 2009), which would be of value to any and all entities which handle PII and/or PHI. Within the worksheet’s Executive Summary, the author of the worksheet notes:

Data-centric protections need to address data discovery and classification, incident workflow, policy creation/management and data movement detection. The breadth of the technology required to accomplish all of this is broad, covering:

  • Fully-integrated encryption for end points for data in use, in motion and at rest within applications (e-mail, file servers, etc.), including sensitive data transferred onto portable storage devices
  • Host-based DLP for localized detection and prevention of data leakage for data in use, data in motion, and data at rest
  • Network DLP with data discovery and analysis, network monitoring (with extensive protocol and application parsing support), and prevention capabilities for both inbound and outbound content
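The first item on the SANS list, data discovery, is also the answer to the question asked above about scanning devices for unprotected PII. As an added example (not the SANS/McAfee worksheet's material, nor anything Horizon ran), the following Python walks a directory tree and reports files containing plausible Social Security numbers or payment card numbers, masking what it finds so the report itself does not become another copy of the data. The plausibility rules are the public SSA structure rules (area not 000, 666 or 900-999; group not 00; serial not 0000) and the Luhn check for card numbers; the directory layout and file contents in demo() are constructed for the example.

```python
"""Data-at-rest discovery for SSNs and payment card numbers.

Added example, not SANS/McAfee or Horizon tooling. The files written by demo()
are constructed; the SSN rules and the Luhn check are the public ones.
"""
import os
import re
import tempfile
from pathlib import Path

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single space/hyphen separators between them.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (kind, masked_value) findings; the full value is never returned."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", "***-**-" + m.group(3)))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def scan_tree(root):
    """Walk a directory; map relative POSIX path -> findings, for files with hits only."""
    root = Path(root)
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than crash the sweep
            hits = scan_text(text)
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results


# Constructed files for a stand-alone run; no real identifiers.
CONSTRUCTED_FILES = {
    "hr/benefits_export.csv": "name,ssn,plan\nA. Example,219-09-9999,PPO\nB. Sample,000-12-3456,HMO\n",
    "notes.txt": "test card 4111 1111 1111 1111 ok; not a card 1234 5678 9012 3456\n",
    "README.txt": "Nothing sensitive here.\n",
}


def demo():
    """Write the constructed files to a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in CONSTRUCTED_FILES.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

The structural checks matter: a bare regex over a file server produces mostly noise (ticket numbers, phone numbers, build ids), and the sweep is only useful to a data custodian if the list it produces is short enough to act on, which is also why the output shows only the last four digits.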

While it would be naive to think theft will ever be eradicated, that which can be stolen can certainly be mitigated. Horizon Blue Cross has been bitten by the same issue two times over the course of the past five years: theft of devices which contained sensitive data. As noted in our discussion surrounding the recent compromise of 90,000 patient records by the University of Washington, Horizon Blue Cross is not alone. In Ponemon’s December 2012 report, “Third Annual Study on Patient Privacy,” a sobering statistic was revealed: 94 percent of healthcare organizations in the study have had at least one data breach in the past two years. More than a million individuals face the reality of having to monitor and secure their identities, well beyond the one year of coverage provided by Horizon Blue Cross, as one’s identity has value 2, 3, 12, 25 years after having been stolen.

The takeaway for all healthcare providers: empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources not only to protect your infrastructure, but also to invest in employee education. Know where and how your data is stored on your network and on employees’ devices. Far too often, healthcare security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as the Horizon Blue Cross compromise demonstrate the need for training and resourcing. Security is no longer in the nice-to-have category. Nor is security awareness training for those handling data a once-and-done exercise; it must be a constant reminder that your patients’ information is precious and that it is incumbent upon everyone to protect and secure it. If your entity does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO – have a professional security practitioner on your data security team.

[*Updated: 18 December 2013 – To remove attribution to Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ) for the data breach of 2009 which occurred at Blue Cross Blue Shield Association (BCBSA) involving the compromise of the PII of 800,000-850,000 doctors. We thank Horizon Blue Cross Blue Shield of New Jersey for reaching out to us and providing clarification: BCBSA and BCBSNJ are independent entities. //CB]

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance:

Physical Safeguards
Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).

Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.


Community Colleges and Data Security

One normally does not think of a community college or junior college to be a place where data breaches would be of concern. That is of course until it happens, and then the realization hits at just how closely these institutions are intertwined with their communities. A data breach reaches deep within the communities from which they draw their students, in which the college’s employees reside and from which many of the professors/instructors are drawn.

This is magnified when a breach event is mishandled. Take the recent instance concerning the data breach at Maricopa County Community College District (MCCCD). The school learned it had been breached on April 29, 2013, but only revealed the breach to those affected on November 26, 2013, an inexplicable delay. What was exposed in the MCCCD breach? The breached data included names, dates of birth, Social Security numbers, and bank account information. The MCCCD is in the process of notifying approximately 2.5 million students, suppliers and employees, all of whom now face a potential identity theft risk. The number is large because the MCCCD comprises ten campuses and hosts approximately 265,000 students per year. In late November, the MCCCD said it expects to spend approximately $7 million to notify those affected, provide credit monitoring services and staff a call center as a result of the April breach.

How did the MCCCD learn of the breach? The Federal Bureau of Investigation (FBI) informed the MCCCD that someone was offering to sell its data online – outsiders had gained remote access to the MCCCD’s computer systems. MCCCD Chancellor Rufus Glasper apologized for the security lapse which permitted the breach, and an MCCCD spokesman noted that the district is disciplining several information technology employees: “We’ve attributed that lack of security to the failures of certain people with IT responsibilities who did not live up to the expectations that we placed on them,” he said.

While the MCCCD example involved a technological breach of the school’s IT infrastructure, and time is required to evaluate and isolate such an intrusion, the MCCCD’s choice not to reveal the compromise of personal identifying data to those now at risk within 30 days of discovery indicates either a failure to follow established notification processes or the absence of a data breach plan. One would like to assume every college has a data and privacy policy which adheres to the compliance requirements of the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, while at the same time protecting the personal information of employees, vendors, and others engaged with the schools.

In April 2013, Kathleen Styles, Chief Privacy Officer of the U.S. Department of Education, discussed protecting data at schools in an interview with Daniel Solove (Professor of Law at GW Law School). The prerequisite: the data must be stored in a secure manner, with the onus on the school to determine the proper balance of “physical, technological, and administrative controls to prevent unauthorized access.” When asked about cloud storage, she again noted the information must be stored securely, and continued with the following criteria to be met when contracting services from the cloud:

  • The school or district must directly control the contractor’s use and maintenance of education records;
  • The contract has to be for services or functions the school or district would have otherwise used its employees to perform;
  • The contractor must meet the criteria for “school officials” with “legitimate educational interests,” as published by the school or district in its annual FERPA notification of rights; and
  • The contractor must be subject to FERPA use and re-disclosure limitations, meaning that the contractor has to use the FERPA-protected information for the purpose for which it received it, and that the contractor may re-disclose that information if permitted under the terms of the contract (and, of course, provided that the school or district itself may re-disclose under FERPA).

Styles concluded, “schools and districts are responsible for the protection of their data, regardless of where they are stored. It doesn’t matter whether the records are located in a locked file cabinet, in a server on the school premises, or on a server in the cloud.”

The MCCCD breach, involving approximately 2.5 million individuals’ identities, was no doubt a financial windfall to the criminal elements who conducted it. Each compromised record has a street value of approximately $11 ($27.5 million in total for the criminals who took the data, if they are able to sell each record on the criminal underground identity market; see Dell’s Secure Works piece, “Underground hacking economy is alive and well,” for the value of identities and compromised computers on the criminal market), and it was no doubt this offer for sale that the FBI detected. The MCCCD has earmarked $7 million toward remediation; the final sum may be significantly more, as the average cost of remediation in the U.S. following a data breach is $180/record while the MCCCD has budgeted $2.80/record.

The takeaway for all educational institutions, not just community colleges: empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources not only to protect your infrastructure, but also to invest in employee education. Far too often, data security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as that which the MCCCD experienced demonstrate the need for a breach response plan and for training. Training which isn’t just once and done, but a constant. Personal identifying information is precious and it is incumbent upon everyone to keep it protected and secure. If your school does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO.


Data breaches in higher education

  • 2,500,000 records – Maricopa Community College – Maricopa County, Arizona
  • 125,000 records – Kirkwood Community College – Cedar Rapids, Iowa
  • 90,000 records – University of Washington – Seattle, Washington
  • 14,000 records – Mercer County Community College – West Windsor Township, NJ
  • 3,300 records – Tallahassee Community College – Tallahassee, FL
  • 1,000 records – El Paso Community College – El Paso, Texas
  • 129 records – Oakland Community College – Southfield, MI



Data breaches in healthcare – The UW data breach


Photo by Joe Mabel via wikimedia

Data breach at the University of Washington – October 2013

In early October 2013 a University of Washington Medicine (UW Medicine) employee opened an email attachment and in doing so launched a piece of malicious software (aka *malware*). The employee’s computer was taken over by the malware, and with that action approximately 90,000 patients had their data accessed by criminal elements. UW Medicine, in its statement “UW Medicine Notice of Computer Security Breach,” provided an information security assessment of the breach which noted that while the patient data was accessed, they do not *believe* that the patient information was sought or targeted. The breach statement goes on to provide assurances that UW Medicine has engaged law enforcement, including the Federal Bureau of Investigation (FBI), and is taking appropriate steps within UW Medicine to ensure that a recurrence does not happen.

The UW Medicine statement noted the data exposed in this data breach included “Data about patients may have included: name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth.” What this means is that every one of the individuals whose data has been compromised will have to be concerned about identity theft for the rest of their days. The value of PII (Personal Identifying Information) and PHI (Protected Health Information) in the criminal market is not hypothetical. Each record containing the information identified by UW Medicine will have a street value of approximately $11-$25 (between $990,000 and $2 million for the criminals who took the data, if they are able to sell each record on the criminal underground identity market; see Dell’s Secure Works piece, “Underground hacking economy is alive and well,” for the value of credit cards, identities, and compromised computers on the criminal market).

The cost of this data breach to UW Medicine will not be insignificant. According to the Ponemon Institute’s report “2013 Cost of Data Breach Study: Global Analysis,” the UW will spend approximately $180 per record to clean up after this breach. The cost includes all of the administrative costs associated with reporting the breach, providing remediation services, and internal adjustments to processes and procedures. Doing the math, that puts the remediation dollar figure at more than $16 million. UW Medicine is fortunate their pockets are deep, as they are most likely also looking at a fine from the U.S. Department of Health and Human Services (HHS) as well. The new HIPAA (Health Insurance Portability and Accountability Act of 1996) rules are in play, which, according to a January 2013 note from the HHS, means “Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation.”

Sadly, UW Medicine is not alone. In Ponemon’s December 2012 report, “Third Annual Study on Patient Privacy,” a sobering statistic was revealed: 94 percent of healthcare organizations in the study have had at least one data breach in the past two years.

The takeaway for all healthcare providers: empower your Chief Security Officer (CSO) and Chief Information Security Officer (CISO) with sufficient resources not only to protect your infrastructure, but also to invest in employee education. Far too often, healthcare security and awareness programs fall into the operational expense category of “nice to have.” Incidents such as this demonstrate the need for training. Training which isn’t just once and done, but a constant reminder that your patients’ information is precious and that it is incumbent upon everyone to protect and secure the information. If your entity does not have a CSO or CISO, and many don’t, obtain the services of a Virtual CSO.


Virtual CSO

Prevendra provides virtual Chief Security Officer (CSO) services, offering advice, guidance and security recommendations for your health care entity. If your entity handles patient information, PHI and PII, and does not have a dedicated security team focused on data security, HIPAA-compliant data handling and healthcare security awareness on a continuum, obtaining the services of a Virtual CSO is an affordable solution. Prevendra Virtual CSO services are available for the healthcare vertical as a retained service.

For more information, contact us via email: info@prevendra.com


ID WARRIORS helps protect you against more than just ID fraud: we alert you whenever we detect your personal information being used to apply for wireless services, retail credit, utilities, and mortgage loans within our extensive network. If you become a victim of identity theft while you are a member of ID WARRIORS, we will spend up to $25,000* to help your recovery. Click to learn more about ID Warriors: http://idwarriors.com/prevendra