[SecurityRatty] tag: doctor

A Diverse Portfolio of Fake Security Software - Part Five

Tue, 02 Sep 2008 01:04:58 +0000

The "campaign managers" behind these fake security software propositions are not just starting to take park them at up to three different locations, localize the sites to different languages and introduce client-side exploits, just in case the end user gets suspicious and doesn't install it, but also, the natural evasive practices. For instance, once some of their domains get detected and blocked, they put them in a stand by mode and relaunch them online in a week or so, or ensure that only those coming to the domains from where they are supposed to come - yet another blackhat SEO or SQL injection attack - are the only ones getting to see the download screen.

Some of the new additions parked at the same IPs offered by the "known suspects" include :

main-scanner .com - (77.244.220.138; 78.159.97.247; 89.149.209.251; 212.95.37.154)
scanner-mainpro .com
scanner-online1 .com
alldiskscheck300 .com
myscanners101 .com
download-a1 .com
scanner-online1 .com
multilang1 .com
ratemyblog1 .com
multisearch1 .com
filescheck-list303 .com
woodst-sale .com
scanner-mainpro .com
main-scanner .com
directrevisions .com

supersolution-freeantivirus .com - (213.155.2.69)
antivirus-bestsolution .net
antivirus4protection .net
antivirusproxp .com
freebest-antivirus .net
goodantivirus-free .net
noadwareantivirus .com
pwrantivirus2009 .com
solution-freeantivirus .com
supersolution-antivirus .com
supersolution-freeantivirus .com
antivirusdwl .com
securesoftdl .com
viva-codec .com
win-antivirus-protect .com
avxp-2008 .net
antivirusq .net
antivirus2008b .net
antivirus2008m .net
antivirus2008n .net
antivirus2008v .net
antivirus777 .com
antivirusq .net
antivirusr .net
antivirust .net
antivirusw .net
antivirusu .net
expressantivirus2009 .com
spywarezscan .net
antispywareq .net
free-anti-spywaree .net
avcheckyourpc .net

software-for-me08 .com - (78.157.143.250)
software-for-me-08 .com
softwarefor-me2008 .com
softwarefor-me-2008 .com
software-forme08 .com

doctor2antivirus .com - (217.112.94.226; 87.248.163.56)
doctor5antivirus .com
doctor6antivirus .com
doctor7antivirus .com
doctor8antivirus .com
doctorantivirus2008a .com
doctor-antivirus .com
bcodecnow .net

mysoftwarefreezone .com - (91.203.92.97)
hotvid44 .com
totsec2009 .com
getdefender2009 .com
totalsecure2009 .com
myveryprivatevid .com
mustseethatvid .com
onlythebestvid .com
ie-antivirus-order .com
ie-anti-virus .com
secure-order-box .com

secureexpertcleaner .com - (89.149.227.50)
bestxpclean2008 .com
virusremover2008 .com
registrydoctor2008 .com
securefileshredder .com
hypersecurefileshredder .com
bestsecureexpertcleaner .com

getdefender2009 .com - (58.65.238.34)
malwarebell .com
free-viruscan .com
tmptmpservvv .com
cometoseemyshow .com

getneededsoftware .com - (91.203.93.25)
gettotalsec2008 .com
thedownloadvid .com
scan.pc-antispyware-scanner .com
totalsecure2009 .com

wista-antivirus2009 .com - (216.255.179.203)
usawindowsupdates .com - (85.17.143.213)
mswindowsupdates .com

The campaigns and the hosting providers are continuously monitored, especially taking into consideration the fact that the domains are already appearing in Alexa's web rankings with sudden peaks of traffic.

Related posts:
Fake Security Software Domains Serving Exploits
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Localized Fake Security Software
Diverse Portfolio of Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

When turning updates off really doesnt

Thu, 14 Aug 2008 09:31:32 +0000

In any business dealings, if you cant trust the company to do what they say they will do,
You go elsewhere right?
Its your decision. Not in this instance folks.

clipped from windowssecrets.com

You’ll get a new Windows Update, like it or not

This time, Microsoft is being more up-front about its forthcoming
refresh of Windows Update. For example, product manager Michelle Haven described in a
blog post on July 3 some new features that the upgrade will add.

The new version will reportedly reduce the time WU takes to scan for and send out new updates. In addition, if you use the online version of WU, and you click an update for more information, the new version will offer you more links with additional details.

But the Redmond company hasn’t changed the wording of the Control Panel settings that appear to prevent Windows Update from performing silent downloads — but don’t.

In light of these potentially misleading controls, a few tricks on managing Windows Update are just what the doctor ordered.

Homer Simpson and the Kimya Botnet

Fri, 11 Jul 2008 13:46:17 +0000

Television often relies on fake codes, phone-numbers and addresses to make up part of their fictional worlds. Sometimes, it can go slightly wrong - how many people tried to call Doctor Who last week?

D'oh.

Actually, "D'oh" is rather appropriate here. In an old episode of The Simpsons, it was revealed that Chunkylover53@aol.com was Homers Email address. Of course, every Simpsons fan with net access immediately added Chunkylover53 to their AIM contact list. As this article points out....

Homer's e-mail address chunkylover53@aol.com, as seen on EABF03, was registered by writer-producer Matt Selman, who also replied to e-mails from fans testing it. "He logged in the night that the episode aired and it was immediately filled with the maximum number of responses. He's tried to answer every one of them and then as soon as he answers a hundred, a hundred more pop in," Al Jean told the New York Post in January 2003.

The "Chunkylover53" AIM screen-name hasn't logged in for quite some time, apparently. Imagine the puzzled expressions worn by Simpsons fans when, all of a sudden, the account came back to life in the last few days with this in their "Away" message....

...yes, "Homer" has seemingly returned, and he comes bearing infection files!

Of course, the "exclusive Simpsons episode" is nothing of the kind - what you actually download is a file about 150kb in size, and it looks like this:

Run the file, and you won't see a new Simpsons episode - you're actually more likely to see this:

....a strange error message that mentions "photos" (probably fake), followed by lots of real error messages as most of your desktop fails, leaving you with an entirely blank screen:

Click to Enlarge (if you really must!)

From this point onwards, the PC will likely need a reboot and will be sluggish until cleaned up, constantly throwing out error messages, crashing when attempting to open Windows Explorer etc.

Now, given that the infection links are being passed around via IM Away messages, there was always going to be the possibility of an Instant Messaging worm attack. However, a lot of testing has taken place and so far, we haven't seen any malicious messages or URLs sent via AIM or MSN Messenger.

That's no reason to get complacent though, because what we have seen taking place is possibly quite a bit worse. First of all, a number of hidden files are dropped onto the PC, including Rootkit technology (which the bad guys have helpfully pointed out in the code):

Worse, your PC is deposited into a Botnet of Turkish origin - here's the giveaway traffic stream via an Ethereal log:

....awaiting further instructions from the Botnet C&C center. This particular Botnet has been around since March of this year. The Turkish connection is interesting, because I haven't seen too many Turkish Botnets - and there's been quite a surge in hacking activity from Turkey recently (most notably the DNS attacks on Photobucket and ICAAN by NeTDevilz).

Finally, the infection drops a number of other files onto the PC besides the Rootkit, which are seemingly related to a new variant of this Chinese infection.

It's worth noting that there may only be Instant Messaging infection links sent out if the person running the Botnet Command Center decides to issue all the drones with such a command - so while we haven't seen any IM infection activity, it would be wise not to rule it out completely. We recommend infected users keep an eye on all Instant Messaging activity until they can clean the infection from their computer, just in case.

Whoever is responsible for these messages has changed them a couple of times already - last night, the download link had been updated to look like this:

...and it currently advertises a link for a dating website:

We've reported all links related to this attack, and at least two of the files claiming to be "exclusive Simpsons episodes" are currently offline, though there's bound to be more out there. For now, this is a good reminder to be cautious when randomly adding cool things seen on TV and film to your online applications - you can't always assume the person at the other end is entirely in control.

We detect this as Kimya.

Additional Research: Chris Mannon, FSL Senior Threat Researcher
Deepak Setty, FSL Senior Threat Research Engineer

CBAC & Medical Identity Theft

Thu, 10 Jul 2008 06:09:41 +0000

Good story to keep in mind for those of you working on CBAC. Claims neeed protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth)

The Sopranokovs

The Russian mob comes to town with a new scam—medical identity theft.

When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention.

The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems.

Price and other federal investigators were skeptical.

On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months.

“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.”

By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone.

Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case.

And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos.

From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft.

...

“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.” Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME.

For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME.

Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital.

There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it.

That honor system is not working.

The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region.

Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.

Castlecroft Medical Practice patient information at risk

Thu, 19 Jun 2008 07:54:50 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument. In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

University of Florida student information online for years

Thu, 12 Jun 2008 06:41:30 +0000

Technorati Tag: Security Breach

Date Reported:
6/11/08

Organization:
University of Florida

Contractor/Consultant/Branch:
Office for Academic Support and Institutional Services

Victims:
Students

Number Affected:
"more than 11,300"

Types of Data:
"names, addresses and Social Security numbers"

Breach Description:
"GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public."

Reference URL:
University of Florida
Miami Herald
Inside UF
United Press International

Report Credit:
University of Florida

Response:
From the online sources cited above:

GAINESVILLE, Fla. - University of Florida officials today mailed letters of notification to more than 11,300 current and former students regarding a privacy breach that resulted in names, addresses and Social Security numbers being posted online that may have been accessible to the public.
[Evan] Not "may have been". The information was accessible to the public and was not even protected by a password.

The student information was actively used from 2003 through 2005 and remained posted until it was recently discovered during a routine audit of UF systems.
[Evan] If I am reading this right, this means that some of the personal information was available publicly for ~5 years!

School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school.
[Evan] There is no security through obscurity.

"The risk of someone outside actually finding this information and using it inappropriately is very low," - Steve Orlando, UF Spokesman
[Evan] I wonder how Mr. Orlando came to the conclusion that the risk of disclosure and misuse is "very low". As I understand, the server was publicly accessible, presumably via the internet. If so, was the site indexed by search engines like Google, Yahoo, and Microsoft? It is much easier to find information through a search index because folder structure is much less relevant. The fact that this information was available for 3-5 years adds to the risk too. I only know what I read and based on this and experience, I wouldn't classify this as a "very low" risk situation. Either way, the risk was increased due to poor information security practice and was not necessary.

"We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added.
[Evan] This indicates poor logging and monitoring which are both essential detective controls (in most situations). Information security personnel (or admins) should be empowered to reconstruct events.

"But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said.
[Evan] I am NOT a fan of the "abundance of caution" claims that seem more popular in breach notifications lately. Organizations would be best advised to use an "abundance of caution" in the prevention and early detection of breaches by applying sound information security principles.

Since 2005, the site has been "dormant but accessible," said university spokesman Steve Orlando. "It was just sitting there."

The information has been removed and is no longer available online or elsewhere in the UF systems.

The breach occurred when former student employees of the Office for Academic Support and Institutional Service, or OASIS, program created online records of students participating in the program.

The student employees posted the information online so that they could work with it from remote locations, but they did not install security measures to keep others from accessing it as well
[Evan] I have so many questions and arguments. Were the students aware of the risks? If not, then there is probably an information security training and awareness problem. Why was it necessary to include Social Security numbers in the records? Why were the seemingly untrained students allowed to post the information without being stopped or detected? I have many more questions, but I am starting to confuse myself now.

The university sent letters of notification to about 11,300 students whose information is believed to have been potentially compromised.
[Evan] Here's my take on the word "compromised". If an organization cannot provide reasonable assurance that the information has not been subject to unauthorized disclosure, modification, or destruction, then the information has been "compromised".

University officials were unable to find contact information for about 570, so they are asking students who were enrolled in CLAS from 2003 to 2005 and did not receive a letter but who believe their information may have been compromised to call UF’s Privacy Office Hotline at 866-876-HIPA and provide the requested information.

Anyone who thinks he or she may be one of the 570 people who were not notified is urged to go to privacy.ufl.edu and read the information posted there before calling the privacy hotline.

"This would certainly appear to be the largest privacy breach we've had," Orlando said.

We're in the process of strengthening some of those policies regarding what information can be posted and what security measures should be in place
[Evan] Good start.

Victim Reaction:
"Why would it be necessary to use a Social Security number instead of something else?" asked Reixach, pointing out that students were given ID numbers. "It's just silly".

"It's negligence on their part, especially if anyone has been affected with identity theft,"

Johann Arias, a spring CLAS graduate, had not heard about the breach Wednesday and said UF should be doing more to notify those affected.

"They always make information very prominent when you have a hold or owe them money," Arias said.

Commentary:
This is a case where poorly trained students are granted access or obtained access to confidential information and posted the information to an unsecured location which went undetected for years. Bad all around.

Past Breaches:
May, 2008 - University of Florida doctor loses job over breach
November, 2007 - University of Florida student info online

Academy Learning Centres stolen computers affect seniors

Thu, 29 May 2008 05:14:25 +0000

Technorati Tag: Security Breach

Date Reported:
5/22/08

Organization:
Academy Hearing Centres

Contractor/Consultant/Branch:
None

Victims:
Patients (mostly seniors)

Number Affected:
"Dozens"

Types of Data:
Names, addresses, credit-card numbers, health information and health-card numbers

Breach Description:
"Dozens of Calgary seniors are alarmed after learning their credit-card numbers, addresses and health-card numbers were stored on computers that were stolen recently. The Academy Hearing Centre in Brentwood Mall, which provides hearing tests and equipment, mostly to seniors, recently mailed out letters warning of the theft."

Reference URL:
CBC News

Report Credit:
CBC News

Response:
From the online source cited above:

Dozens of Calgary seniors are alarmed after learning their credit-card numbers, addresses and health-card numbers were stored on computers that were stolen recently.

The Academy Hearing Centre in Brentwood Mall, which provides hearing tests and equipment, mostly to seniors, recently mailed out letters warning of the theft.

The Academy Hearing Centre refused the CBC's request for an interview, saying only that there is no need for clients to be alarmed.
[Evan] This is it? Is this indicative of the service that one could expect from Academy Hearing Centres? Organizations should be more open and willing to talk about what they do to protect confidential information, unless they don't know themselves. Shame shame.

Victim Reaction(s):
"I got scared," said one elderly female client who purchased a hearing aid from the company.

She requested that her name not be released because she is worried about her security.

The woman said the thieves nabbed her name, address, health information and Alberta health-care number.

"It's the same thing, like somebody steals your social insurance number," she said.

She added that she was unable to change her health-card number.

"I called up Edmonton, the health insurance centre, and she said you have to wait about six months. Just have to notify your doctor, the family doctor. So somebody might be using my number, so let's hope it won't happen."

Commentary:
I wish I had more information to share about this breach, but this is all that is publicly available. In anyone has anything more to share, please feel free to comment. Posted on the Academy Learning Centres web site:

"if there is any question left unanswered, please do not hesitate to contact one of our team directly by calling: ph: 403. 210. 2482."

If you suspect that you may be affected by this breach, or if you want more information, I suggest that you call. Victims can demand answers; after all they are the data owners. What makes this breach especially difficult is the fact that it affects customers that are generally easy victims of fraud and deception.

Past Breaches:
Unknown

University of Florida doctor loses job over breach

Thu, 22 May 2008 05:47:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/20/08

Organization:
University of Florida

Contractor/Consultant/Branch:
College of Medicine

Victims:
Patients

Number Affected:
~1,900

Types of Data:
Digital photographs, names, dates of birth, Social Security numbers, and Medicare numbers

Breach Description:
"University of Florida officials will be notifying about 1,900 patients of a UF plastic surgeon that their private health information might have been breached after the information was managed and disposed of improperly."

Reference URL:
Jacksonville Business Journal
WOKV Radio News
First Coast News

Report Credit:
Jacksonville Business Journal

Response:
From the online sources cited above:

JACKSONVILLE, FL -- The private health information of 1900 local patients may have been compromised when a Jacksonville doctor gave his computer away.

Dr. Francis D. Ong, a UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer.

The patients involved were treated by Dr. Ong between July 2005, when he joined UF, and December 2007.

Ong then gave the computer to a family he was friends with in late January or early February this year.
[Evan] So, is it safe to assume that Dr. Ong owned this computer? If so, I can think of (at least) three problems that led to this breach. First, the storage of confidential information on a poorly (or less) secured client workstation. Second, the disposal of a client workstation in an insecure manner. Third, the use of a personally owned computer on a corporate (or organization) network.

One of the friends using the computer replaced its operating system, resulting in the permanent loss of most of the patient information.
[Evan] Not true. Formatting and re-installing an operating system will not result in permanent loss of data. Depending on factors such as disk size, amount of previously stored data and location on disk, much of the confidential information could still be retrieved with relative ease.

"The family had installed a new operating system on the computer February 24, so roughly around three weeks after they got the computer and they had destroyed most of the information that was on the hard drives,"
[Evan] See my comments above

According to UF policy, confidential patient information should only be stored in highly secure university servers, not individual computer hard drives.
[Evan] A good policy statement in most cases.

"Dr. Ong's storage of these pictures and related data on this computer and his subsequent transfer of the computer to a family were in violation of University of Florida policy," said David Behinfar, a privacy compliance manager at the College of Medicine.

As a result, UF officials say Dr. Ong will no longer be working with the University of Florida's College of Medicine.
[Evan] This is likely a necessary step taken by the university. It is sad for Dr. Ong, but a policy is only as good as its enforcement.

Ong will be no longer be working at the college by June.

"Dr. Ong has reported that the family members used the computer for their personal use and have said that neither they nor anyone else viewed any pictures or medical information on the computer,"

The computer has been returned to the University of Florida, and the school tells us the risk of anyone using the information for unlawful or mischievous purposes is extremely low.
[Evan] I agree that the risk to the affected individuals is probably low due to the fact that the chain of custody is pretty well known with some amount of certainty. This breach could have been much worse.

"We deeply regret this event and apologize to our patients who it may have affected,"

"We have taken steps to prevent incidents of this type from occurring in the future and are continuing to educate our physicians and staff on our electronic data storage policies."
[Evan] Some information security professionals may argue with me, but I am a big proponent of information security training and awareness programs. In my experience, effective programs pay for themselves.

The UF privacy office mailed letters to patients May 19, which included a brochure offering safeguarding advice and a privacy office hotline number.

Concerned patients of the College of Medicine can call the hotline at 866-876-4472.

Commentary:
I was a little surprised to see Dr. Ong's name mentioned so many times in the news reports. It seems to me that Dr. Ong made an honest mistake and likely regrets his actions in this case. This is a classic example that demonstrates the responsibility of data users to learn the information security policies, standards, guidelines and procedures that apply to them during the course of their employment. It is acceptable for an employee to ask questions and seek guidance in areas that aren't clear.

Information security requires cooperation from everyone involved.

Past Breaches:
November, 2007 - University of Florida student info online

Health care practices and UCSF patient records exposed

Wed, 07 May 2008 12:10:17 +0000

Technorati Tag: Security Breach

Date Reported:
5/1/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.

Victims:
Patients

Number Affected:
6,313

Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"

Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release

Report Credit:
Elizabeth Fernandez, San Francisco Chronicle

Response:
From the online sources cited above:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.

Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

Sensitive information can be used by employers, health insurers and other entities to discriminate

thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum

"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.

Hospital officials say there's no indication of identity theft to date.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?

The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?

"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.

"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF continually modifies systems and practices to enhance the security of patient information.

Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.

From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.

There are no apologies made by UCSF or Target America for the breach.

Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach

Why even having health insurance is not enough anymore

Sun, 04 May 2008 11:13:07 +0000

Forgive me for going totally off topic (hey its my blog I write what I want) but it is Sunday and not much news on security. I wanted to write about an article I saw in the NY Times today called "Even the Insured Feel the Strain of Health Costs". The article details that with the hard economic times even people who have health insurance are being bitten by the ever rising costs of health care. Rising premiums, covering less procedures and care and charging more for prescriptions and medical care combine to put the bite on everyone. From my own experience here are 4 examples of how even with health insurance, medical care costs are taking a bite:

1. My wife had minor surgery in September. It was ambulatory surgery where she went in the morning and went home that afternoon/evening. Even though we have full PPO coverage and it was participating doctors, hospital, etc. my out-of-pocket costs after insurance were almost $3000! The surgeon received a whopping $472 from the insurance company for the operation and the hospital billed like 17k! When I called the hospital they said they did not expect to get paid that much, but had to bill it so they could get as much as they could. I than had to negotiate what I would pay out of pocket beyond that. I also had to pay the anesthesia, the prescriptions, etc.

2. Here at StillSecure we had to switch providers again this year because United Health Care wanted another 15 to 20% raise in premiums. In fact that is about normal for health insurance, way above the cost of living and inflation. We pay a good chunk of our employees insurance premiums, but even so the 20% or so that we have the employee pick up gets bigger and bigger. Plus the insurance company covers less and less. This squeeze is frankly baffling. How can you pay more and get less.

3. I had a dental implant a few months back. Though we pay for dental coverage, our insurance would cover a bridge or cap, but they don't consider implants necessary and would not cover any of it. I had to lay 2k out of pocket. On top of this the panoramic x-ray the oral surgeon took (which again was not covered, another 100 bucks) showed I had an impacted wisdom tooth with a cyst around it. My dental insurance covered the wisdom tooth, but the cyst removal would be considered under my regular insurance and my dentist was not participating. In fact I could not find a participating oral surgeon in the area. So I had to an extra $600 dollars out of pocket and of course my out-of-network deductible was $750, so I ate it again.

4. The orthodontist. This one is perhaps the worst of all and really gets my goat. My oldest son went for an orthodontic exam. The doctor told my wife that he would probably need braces when he gets older and that current best practices in orthodontics is to put braces on now in a phase 1 and than if necessary they put other braces on later when more of his adult teeth come in. Putting braces on now would lesson the severity of what he would need later. OK, great lets do it, right? Wrong! Our insurance covers a one time payment of $1200. The dentist said if we use it now, the cost for phase 1 would be $3600. That leaves a balance of $2400 that I have to pay. However, if I do it without insurance he would charge me $2400 and than I could use the $1200 towards the phase 2 braces my son may need which could be up to 10k. So if we went through insurance the cost was $3600 with $2400 out of pocket or no insurance $2400 out of pocket. What is wrong with that picture. Whether I have insurance or not, it still costs me $2400! This is fundamentally what is wrong with our health care system. The dentist is willing to accept $2400. He should take the $1200 from my insurance and I should pay him another $1200. Anything else is ludicrous and in my mind borders on criminal insurance fraud.

We need to restore sanity to the whole system. It is not just the 48 million people in this country that don't have insurance, it is also the costs of the people who do have insurance. Don't tell me that giving us greater limits to put in tax deferred health savings plan are the answer either. Fundamentally we need the insurance companies to stop sucking the blood of the premium payers. We need the health industry to bill for what the do and what it is worth, not how to maximize what the insurance company pays and most of all we need to make sure that people can afford and receive decent health care!

BTW, if you want to read an excellent blog on this subject, Dr. Stanley Feld, Brad's dad writes a great blog on it.