[SecurityRatty] tag: medical

Encrypting Disks

Fri, 04 Jul 2008 09:10:18 +0000

The UK is learning:

The Scottish Ambulance Service confirmed today that a package containing contact information from its Paisley Emergency Medical Dispatch Centre (EMDC) has been lost by the courier, TNT, while in transit to one of its IT suppliers. The portable data disk contained a copy of records of 894,629 calls to the ambulance service's Paisley EMDC since February 2006. It was fully encrypted and password protected and includes the addresses of incidents, some phone numbers and some patient names. Given the security measures and the complex structure of the database it would be extremely difficult to gain access to any meaningful information.

News story here. That's what you want to do. There is no problem if encrypted disks are lost. You can mail them directly to your worst enemy and there's no problem. Well, assuming you've implemented the encryption properly and chosen a good key. This is much better than what the HM Revenue & Customs office did in November. I wrote about disk and laptop encryption previously.

Australian medical information found in abandoned amusement park

Sat, 28 Jun 2008 09:10:55 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
New South Wales Government (AU)

Contractor/Consultant/Branch:
Sydney West Area Health Service
Unnamed "bankrupt contractor"

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"confidential medical records"

Breach Description:
"The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park."

Reference URL:
ABC News
Macquarie National News
Macquarie National News (2)

Report Credit:
ABC NEws

Response:
From the online sources cited above:

The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park.
[Evan] This is a first. An abandoned amusement park? I would be embarrassed too!

Pathology results and slides were found when a container dumped in the former Magic Kingdom park at Lansvale was set alight this week.

The container was discovered after it caught on fire yesterday, attracting the attention of the local fire department.

A bankrupt contractor is being blamed for dumping confidential medical records and contaminated waste in the grounds of an abandoned fun park.
[Evan] Confidential medical records AND contaminated waste? Ugh.

Police said it was likely the container had been there for a decade.
[Evan] A decade? This story keeps getting more bizarre.

The Health Department is reviewing waste disposal procedures following the discovery at Lansvale in Sydney's south west.
[Evan] I presume that the waste disposal procedures have probably changed over the past ten years. The Health Department should be reviewing procedures on a regular basis anyway.

The health service's chief executive, Professor Steven Boyages, says it is a serious breach and the health service is reviewing its waste disposal procedures.

"There are clear policy and procedures in place to manage records and disposal of records and clear policies in place to manage and dispose of any clinical waste," he said.

"It appears at first glance that the policy and procedures weren't followed by the contractors who were engaged to do this."

“It is a huge concern, I’ve called for an immediate review to ensure our existing contractors are following standard policy and procedures so this doesn't happen again," he said

Shadow health minister Jillian Skinner said the state government also has some explaining to do.

"Why if it was know this company had gone bankrupt and wasn't carrying out its duties they didn't check to make sure this material was disposed of properly?" Ms Skinner said.

Commentary:
The landscape of information security and personal information issues has changed markedly over the past ten years. SWAHS should still be held accountable, but how much can you comment on something that happened ten years ago and probably does not reflect upon current practice.

This is one of the most bizarre breaches I have read about in some time.

Past Breaches:
Unknown

Links for 2008-06-25 [del.icio.us]

Wed, 25 Jun 2008 20:00:00 +0000

Errant email exposed Department of Consumer Affairs personal information

Tue, 24 Jun 2008 13:51:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/23/08

Organization:
State of California

Contractor/Consultant/Branch:
Department of Consumer Affairs

Victims:
"employees, contractors and board members"

Number Affected:
5,000

Types of Data:
Names, Social Security numbers, salaries and job titles

Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "

Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight

Report Credit:
Malcolm Maclachlan, Capitol Weekly

Response:
From the online sources cited above:

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

About 2,800 of the people on the list are current, full-time employees of the DCA.

The document also included some former employees and numerous contractors, such as people who proctor state job examinations.

The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.

The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.

However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.

The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.

From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More Ironic

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.

He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich. "We're looking into how that happened."

“We kind of know where it was sent,” Mr. Heimerich says
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.

The breach was discovered on Monday, June 9
[Evan] It took 3 or 4 days for the DCA to discover the breach.

People's whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.

He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.

Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.

Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if your not paying attention.

There are a number of controls us information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).

Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost

Medical records - the new frontier in data theft?

Mon, 23 Jun 2008 09:02:00 +0000

Looks like supply and demand and the good old laws of economics are catching up to data breaches as well. Seems like medical records is the new black - more criminals are focusing on getting access to this rather than boring credit card numbers, bank accounts etc.

There is a related scary part to this story - (other than the fact that medical records are under active threat)

The scary part is the huge numbers of available stolen credit card, bank account information out there - this is depressing prices all over the world for this data! The laws of supply/demand are taking over and making this a commodity. For example, not too long ago, prices for a valid credit card/bank card with a pin was $100 and now with the flood of such products, the prices have come down to $10-20 range.

The logical conclusion follows that criminals are becoming better at getting access to sensitive data - and are now moving up the value chain to get to even more valuable data. Presumably, stuff they can sell for more than $100!

Medical records under threat

Fri, 20 Jun 2008 15:20:00 +0000

Just saw a disturbing article on how folks are targeting medical records. Apparently Finjan (a security vendor) was trolling for malware and came across a large chunk of data with patient information etc - and get this, it was available for purchase for the highest bidder!

By now all of us are aware that hackers are no longer kids looking for laughs or thrills - they are the new criminal organizations. These organizations make it a business buying and selling data - be it credit cards, bank account information etc.

I suspect medical information can be used for many things - identity theft, blackmail, maybe even insurance fraud. Who knows?

But the main point here is this - it does appear that medical and patient information has value to criminal organizations and this is something to worry about. They will do anything to get their hands on this...

Castlecroft Medical Practice patient information at risk

Thu, 19 Jun 2008 07:54:50 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument. In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Security Briefing: June 16th

Mon, 16 Jun 2008 07:05:52 +0000

Monday and monday and monday. Creeps at this petty pace from day to day…

Seriously though, have a great week everyone!

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

Microsoft snafu blocks enterprise patching | Computer World
Judge Scuttles Ameritrade Hacking Settlement | Wired
More secret files found on a train | UK Press Association
Lab decodes ecoterrorists’ e-mail files | Oregon Live
Full Disk Encryption isn’t FDE anymore | CNET
Should telecoms patrol Internet? | Mercury News
Database fuels pedophile fears | Australian IT
When weak web security can expose medical records | ARN

Tags: News, Daily Links, Security Blog, Information Security, Security News

Laptop stolen from R.E. Moulton may affect 19,000

Sun, 15 Jun 2008 18:15:45 +0000

Technorati Tag: Security Breach

Date Reported:
5/23/08

Organization:
OneAmerica

Contractor/Consultant/Branch:
R.E. Moulton, Inc.

Victims:
Customers

Number Affected:
~19,000

Types of Data:
"names in combination with social security numbers"

Breach Description:
A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

R.E. Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.
[Evan] The notification to the New Hampshire State Attorney General starts with this sentence. It's nice if you can add a little marketing to your breach notification.

We are writing to inform you of an incident involving the possible disclosure of personal information.

Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.
[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue. The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred. The practice or storing confidential information on a laptop is not a good idea in most cases and there is also no mention of encryption, so I assume it was not used. Bad, bad, and bad.

A police report was filed and the police are actively investigating this crime.

Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.
[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.

Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.

At this time. we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.

Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.
[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also. I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton. If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.

Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.
[Evan] Employers and third parties were notified almost 2 months after the theft.

Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.
[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified. I presume some victims will never be notified.

Please know that we have taken this incident very seriously.
[Evan] Action speaks louder than words.

While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian company, to provide those individuals with one year of credit monitoring at no cost to them.

Please note that we are committed to protecting our customer and that we are constantly improving our processes to avoid any further reoccurrences.

In addition, appropriate steps have been take to prevent future disclosures of this information.
[Evan] What steps have been taken? It seems to me that data owners deserve more detail and explanation.

We sincerely apologize for any inconvenience or worry this may have caused you.

We encourage you to contact the company at 800-553-5318 with any questions or concerns.

From the FAQs:
Q. What is being done by R.E. Moulton to prevent a similar incident from occurring?
A. R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.
[Evan] What do you think of this answer?

Commentary:
I get especially frustrated by breaches that involve confidential information on a stolen laptop. Stolen laptops are one of, if not the most common types of breaches that we read about, yet the frequency of reports does not seem to be subsiding. Can an organization claim that they didn't know any better? At what point does risky information security behavior become negligent?

I suspect that most victims don't even know that R.E. Moulton had their personal information. This make the breach a little more troubling.

I accept mistakes because we all make them. I also accept security incidents that occur despite an organization's best efforts at protection. I don't accept poor behavior that seems to go against common sense.

Past Breaches:
Unknown

Security Briefing: June 13th

Fri, 13 Jun 2008 13:38:29 +0000

Friday the 13th.

Well, it was apparently worse than I thought at Infosecurity Canada. I spoke with eight people that attended and all of them gave it a unanimous thumbs down. Too bad. I guess if they were better organized it wouldn’t have sucked that badly.

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news… (better late than never)

Ameritrade Settling Hacking Lawsuit | Wired
McKinnon’s last ditch appeal to be heard by Lords | Heise Security
Third time’s the charm? RIAA tries end run around old case | Ars Technica
AG creates Cyber Crimes Unit division: Conway hopes to target Internet predators | Medical Leader News
Outsourcing contracts must offer personal data security | Computer Weekly
Windows Inspection Tool Set Helps You Troubleshoot Your System | AppScout
Web Application Security: Don’t Bolt It On; Build It In | IT Business Net
Opinion: Breach laws fail to protect anyone | InterGovWorld
Hacking: A story untold | Burlington Free Press

Tags: News, Daily Links, Security Blog, Information Security, Security News