[SecurityRatty] tag: patients

Australian medical information found in abandoned amusement park

Sat, 28 Jun 2008 09:10:55 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
New South Wales Government (AU)

Contractor/Consultant/Branch:
Sydney West Area Health Service
Unnamed "bankrupt contractor"

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"confidential medical records"

Breach Description:
"The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park."

Reference URL:
ABC News
Macquarie National News
Macquarie National News (2)

Report Credit:
ABC NEws

Response:
From the online sources cited above:

The Sydney West Area Health Service has been embarrassed by the discovery of medical records in an abandoned amusement park.
[Evan] This is a first. An abandoned amusement park? I would be embarrassed too!

Pathology results and slides were found when a container dumped in the former Magic Kingdom park at Lansvale was set alight this week.

The container was discovered after it caught on fire yesterday, attracting the attention of the local fire department.

A bankrupt contractor is being blamed for dumping confidential medical records and contaminated waste in the grounds of an abandoned fun park.
[Evan] Confidential medical records AND contaminated waste? Ugh.

Police said it was likely the container had been there for a decade.
[Evan] A decade? This story keeps getting more bizarre.

The Health Department is reviewing waste disposal procedures following the discovery at Lansvale in Sydney's south west.
[Evan] I presume that the waste disposal procedures have probably changed over the past ten years. The Health Department should be reviewing procedures on a regular basis anyway.

The health service's chief executive, Professor Steven Boyages, says it is a serious breach and the health service is reviewing its waste disposal procedures.

"There are clear policy and procedures in place to manage records and disposal of records and clear policies in place to manage and dispose of any clinical waste," he said.

"It appears at first glance that the policy and procedures weren't followed by the contractors who were engaged to do this."

“It is a huge concern, I’ve called for an immediate review to ensure our existing contractors are following standard policy and procedures so this doesn't happen again," he said

Shadow health minister Jillian Skinner said the state government also has some explaining to do.

"Why if it was know this company had gone bankrupt and wasn't carrying out its duties they didn't check to make sure this material was disposed of properly?" Ms Skinner said.

Commentary:
The landscape of information security and personal information issues has changed markedly over the past ten years. SWAHS should still be held accountable, but how much can you comment on something that happened ten years ago and probably does not reflect upon current practice.

This is one of the most bizarre breaches I have read about in some time.

Past Breaches:
Unknown

Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08

Mon, 23 Jun 2008 04:11:34 +0000

Technorati Tag: Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen, Wired.com, 6/18/08

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

Security firm finds server with health-care data
By Jeremy Kirk, NetworkWorld, 6/18/08

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Bank scam spreads as institutions look for possible source of breach
By Leanne Tokars, WSBT Channel 22 News, 6/18/08

SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.

Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.

[Evan] This story is related to the "1st Source Bank reissues all debit cards in response to breach" posting on 5/30/08. Another supporting story; Fraudulent ATM transactions overseas could be tied to Indiana bank breach This is a winding storyline.

Parents livid over database putting student profiles, pictures online
By Mohit Joshi, Top News, 6/16/08

Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.

OneSchool, will provide each and every detail of the state's 480,000 public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.

[Evan] I think I’d be livid too. Are parents given the opportunity to opt out, without penalty or lost opportunities? "According to Education Minister Rod Welford, if the parents refuse to give their consent to their child being profiled, they could also be denied access to public education."

Blears PC loss - officials blamed
BBC News, 6/17/08

Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged.

The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data.

Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.

The computer contained a combination of constituency and government information relating to defence and extremism.

[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations. Mr. Housden claims that the files were "not secret". They certainly weren’t public, were they?

Personal details of thousands of patients stolen from hospital in new security blunder
By James Tozer, The Daily Mail, 6/18/08

Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday.

In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines.

It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London.

[Evan] This is six stolen laptops in one month, and the four breaches in one year?! The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth". Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."

To Readers: I am testing this weekly "Other noteworthy breaches" post. I am using this first one to gauge interest and decide if it is something we should continue. Please feel free to comment.

Castlecroft Medical Practice patient information at risk

Thu, 19 Jun 2008 07:54:50 +0000

Technorati Tag: Security Breach

Date Reported:
6/18/08

Organization:
NHS Trust

Contractor/Consultant/Branch:
Wolverhampton City Primary Care Trust
Castlecroft Medical Practice

Victims:
Patients

Number Affected:
~11,000

Types of Data:
"names, dates of birth, addresses, contact details and confidential medical records"

Breach Description:
"A laptop containing confidential medical records of all 11,000 Wolverhampton patients at a city surgery has been stolen from a GP’s house, police revealed today."

Reference URL:
The Press Association
The Express & Star

Report Credit:
The Press Association

Response:
From the online sources cited above:

A laptop containing confidential information about 11,000 patients has been stolen from a GP's home.
[Evan] This is now the 11th breach reported on The Breach Blog concerning NHS Trust and affiliated organizations. What is the excuse? Can the GP and/or Primary Care Trust and/or Medical Practice claim to not know the risks involved?

Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
[Evan] Are medical personnel aware of and required to follow the guidelines? Are there penalties or sanctions for non-compliance?

The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.

The details of when and where the laptop was taken from are not being released, but a helpline has been launched for worried patients
[Evan] I could not find the helpline phone number; otherwise I would publish it for people.

The information on the computer, which belongs to the practice, included patients' names, dates of birth, addresses, contact details and confidential medical records.

The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.

Dr Peter Wagstaff, senior partner at the practice, said: "The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients. Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack."
[Evan] If the organization were "treating this issue very seriously", and if it was "truly sorry" then why attempt to minimize the situation (risk) by using the password protection argument. In my opinion (and that shared by many information security professionals), password protection is NOT an adequate preventative control to ensure the confidentiality of the information stored on a laptop computer. This holds especially true in instances where the password protection is controlled by the operating system. See: "Laptop stolen from a Quest Diagnostics employee" and "Not to worry: the stolen laptop was 'password-protected'".

He said the laptop appeared to have been stolen for its re-sale value, rather than for any information stored upon it.
[Evan] In my opinion, this is another attempt to minimize the situation and imply that the risk of confidential information disclosure is less than it may actually be.

Jon Crockett, chief executive of Wolverhampton City Primary Care Trust, said the trust was "extremely concerned" about the theft.

He said: "Patients and the public have the right to expect that those dealing with confidential information maintain the highest levels of security and we are carrying out a full and urgent investigation into this incident."
[Evan] Mr. Crockett makes a very valid point.

National guidance from the Department of Health is that any confidential information about patients must be stored in a safe and secure environment, and mobile devices - including laptops - which contain such data must be fully protected by encryption, he said.
[Evan] Again, Mr. Crockett seems to "get it".

Commentary:
The 11th breach for NHS Trust-affiliated organizations in less than 10 months and the fact that the cause of this one is so well publicized in other breaches does not instill much confidence.

The eleven breaches are only what has been reported on The Breach Blog, there may be more.

Past Breaches:
NHS Trust:
May, 2008 - Sandown Health Centre backup tape is missing
March, 2008 - Stolen NHS flash drive contained adolescent information
February, 2008 - Laptop missing from Russells Hall Hospital (UK)
January, 2008 - Stolen Bolton Hospitals Laptop affects cancer patients
January, 2008 - Queen Mary's Sidcup Hospital microfiche film goes missing
January, 2008 - Stockport Primary Care Trust flash drive goes missing
January, 2008 - Oldham Primary Care Trust NHS loses two data sticks
January, 2008 - Highly sensitive medical information found in the road
December, 2007 - Laptop stolen in Royal Bolton Hospital break-in
September, 2007 - Dudley Group of Hospitals NHS Patient Data For Sale on eBay

Laptop stolen from a Quest Diagnostics employee

Tue, 17 Jun 2008 08:09:12 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
Quest Diagnostics

Contractor/Consultant/Branch:
None

Victims:
Patients*

*assumed

Number Affected:
Unknown

Types of Data:
"name, address, and social security number"

Breach Description:
On May 1, 2008 a Quest Diagnostics employee's password protected laptop computer, which contained certain personally identifiable information, was stolen.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

This letter is being sent to you in accordance with the requirements of the Maryland Personal Information Protection Act to advise you of the breach of security of personal data of certain Maryland residents.

The breach arose out of the theft of a password protected laptop computer of one of our employees on May 1, 2008.
[Evan] Really, what does the "password protected" mention have to do with anything other than to convince someone into thinking that the laptop was more protected than it actually is/was? Password protection (alone) is just not adequate for sensitive confidential information, unless of course an organization has deemed the risk to be not significant enough to warrant further protection such as encryption coupled with strong authentication. I presume that the laptop was not protected with encryption due to the fact that there is no mention of it. To me, the risk seems significant enough.

The personal data includes the name, address and social security number

At this time we have no reason to believe this incident will lead to fraudulent credit applications or other identity theft crimes.
[Evan] Yep, but the company DID unnecessarily increase the risk of this happening to someone now and in the future.

Nevertheless, because the laptop which includes this information cannot be located, we want to notify you about this incident.

To further reduce the risk of any harm to you we are offering you a credit monitoring product to identify any potential misuse of your personal information.

Quest Diagnostics takes the issue of safeguarding private information very seriously. For this reason, our data privacy and security policies incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information.
[Evan] Nice! This statement sounds very impressive and uses some common information security best practices lingo. Did any of these "data privacy and security policies" that "incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information" protect the information on the laptop? Do any of these things include restrictions on confidential information stored on mobile devices or encryption of data at rest?

We deeply regret any inconvenience caused by this incident and appreciate your understanding.

If you have any questions, please feel free to call Lisa Mullaly, Information Technology Compliance Director at (800)877-8824, extension 6147 at your convenience.

Commentary:
I may have been a little harsh in my comments, but I think I was justified. Breaches like these are so preventable. Hey, there's another best practice security lingo term, preventative controls. This breach only affected three Maryland residents, according to the breach notification. It is not known if the breach only affects these three people.

Past Breaches:
Unknown

Operational security failure

Tue, 17 Jun 2008 07:29:01 +0000

A shocking article appeared yesterday on the BMJ website. It recounts how auditors called 45 GP surgeries asking for personal information about 51 patients. In only one case were they asked to verify their identity; the attack succeeded against the other 50 patients.

This is an old problem. In 1996, when I was advising the BMA on clinical system safety and privacy, we trained the staff at one health authority to detect false-pretext phone calls, and they found 30 a week. We reported this to the Department of Health, hoping they’d introduce some operational security measures nationwide; instead the Department got furious at us for treading on their turf and ordered the HA to stop cooperating (the story’s told in my book). More recently I confronted the NHS chief executive, David Nicholson, and patient tsar Harry Cayton, with the issue at a conference early last year; they claimed there wasn’t a problem nowadays now that people have all these computers.

What will it take to get the Department of Health to care about patient privacy? Lack of confidentiality already costs lives, albeit indirectly. Will it require a really high-profile fatality?

2.2 million billing records missing on stolen backup tape

Wed, 11 Jun 2008 08:33:06 +0000

Technorati Tag: Security Breach

Date Reported:
6/10/08

Organization:
University of Utah

Contractor/Consultant/Branch:
University of Utah Hospitals & Clinics
Perpetual Storage, Inc.

Victims:
Patients

Number Affected:
"approximately 2.2 million"

Types of Data:
"names, related demographic information and diagnostic codes" additionally, "Records for a subset of 1.3 million patients also contained Social Security numbers"

Breach Description:
"SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center"

Reference URL:
University of Utah Hospitals & Clinics
The Salt Lake Tribune
Associated Press via KUTV Channel 2 News

Report Credit:
University of Utah Hospitals & Clinics

Response:
From the online sources cited above:

SALT LAKE CITY (AP) - Billing records of 2.2 million patients at the University of Utah Hospitals and Clinics were stolen from a vehicle after a courier failed to immediately take them to a storage center
[Evan] There is no mention of encryption in any of the news reports I have read regarding this breach, so I am going to go ahead and assume that it was not used. As you read through the publicly available details of this breach below, you will probably agree that the courier driver made an idiotic mistake that he almost certainly regrets, but the University of Utah Hospitals & Clinics is the custodian of this information that should have identified the risks involved with transporting confidential patient records off-site. One of those risks is the possibility that a backup tape may become lost of stolen, which is obviously the case in this breach. Where were preventative controls to account for this unacceptable (in most cases) risk, like encryption?

The records, described only as backup information tapes, contained Social Security numbers of 1.3 million people treated at the university over the last 16 years

people would be notified by a letter at a cost of $500,000 just for stamps and envelopes
[Evan] How much would it have cost to encrypt the information on the tapes? The State of Utah has an exemption in their breach notification law for encrypted information.

The hospital also pledged free credit monitoring

The records were in a gray metal box

The courier, whose name was not released, picked them up in his Ford Explorer on June 1

instead of driving directly to a storage center, he worked a second job and then went home
[Evan] This is the idiotic mistake I was writing about earlier.

The next day, he discovered that someone had broken into his Ford Explorer outside his Kearns home and taken the box

The driver worked for Perpetual Storage Inc. for 18 years and was fired.

Authorities declined to say how easy or difficult it would be to read the records.

The sheriff believes the thief probably thought the box contained money.
[Evan] What it contains could probably be turned into a helluva lot of money!

"The investigation indicates that the theft was probably a random car burglary, and there is no evidence that the information on the tapes has been accessed or used for identity theft," said Salt Lake County Sheriff Jim Winder.
[Evan] Eight days (June 2nd - June 10th) is probably a little too soon for evidence to appear of identity theft.

There's no evidence any of the information on the tapes has been accessed; besides, anyone trying to use the tapes would need specialized equipment to view the contents, Winder said.
[Evan] Specialized equipment like a tape drive?

Eighty percent of the 2.2 million people live in Utah or Idaho, Betz said. The hospital is offering a $1,000 reward for the records. (Lorris Betz, M.D., Ph.D, Senior Vice President for Health Sciences)

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked. Those wishing to claim the reward may call the Sheriff’s Department at (801) 743-7000.
[Evan] To think of this in pure financial terms. A person could return the tape for $1,000 or could access the tape, sell the information and make maybe $5,000.000+. Maybe a good preventative control for organizations is to assume that criminals are stupid as part of your risk management program (seriously though, it's not).

"We understand this is unwelcome news to our patients," said Betz.

The university had worked with Perpetual Storage for 12 years before the theft

The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Additionally, the health-care system is taking the following steps on behalf of its 2.2 million patients.

Mailing notification letters to all 2.2 million patients and guarantors;
Providing free credit monitoring and restoration service to patients whose records included Social Security numbers;
Providing a toll-free information line at 1-866-581-3599 to respond to questions; and
Establishing a website at healthcare.utah.edu/billingrecordstheft that provides information and resources.

Victim Reaction:
Tuesday's news was especially unsettling for people like Will Taylor, of West Valley City, whose premature daughter is a patient at University Hospital. Taylor has already been the victim of identity theft once, when thieves racked up credit card charges in his name.

"I will ask [the hospital] what precautions I can take and what they are doing about it," he said.

"If our information isn't safe, then what is?" patient Dan Christenson, of Salt Lake City, said Tuesday after learning of the theft.

Commentary:
I would be more understanding if this were the first breach ever reported where a backup was stolen that contained personal information, but it's not. Employing backup tapes without encryption is a very well documented risk, so why do large organizations still accept it?

Past Breaches:
March, 2008 - Stolen University Health Care laptop requires notification of 4800

Thieves steal tapes holding 2.2M billing records

Tue, 10 Jun 2008 20:00:00 +0000

University of Utah officials this week acknowledged that a metal box of backup tapes containing billing records of some 2.2 million patients was stolen early this month from the car of a courier who left it in a parked car overnight outside his home.

SSO: It isn't just about security

Fri, 06 Jun 2008 11:05:20 +0000

Defining a clear SSO strategy, implementing MFA with a view to improved user experience and enhanced productivity, and reducing password related frustrations accomplish three important objectives. First, the company realizes an ROI based on reduced downtime due to password management issues. Second, user frustration with technology constraints is mitigated (removed would be too much to hope for). And because of the first two objectives being met, more time is available for the most important thing we do--provide the highest quality heath care possible to our residents, our home care patients, and their families.

Walter Reed Army Medical Center breach through P2P

Tue, 03 Jun 2008 05:14:34 +0000

Technorati Tag: Security Breach

Date Reported:
6/2/08

Organization:
United States Army

Contractor/Consultant/Branch:
Walter Reed Army Medical Center ("WRAMC")

Victims:
"Military Health System beneficiaries" or patients

Number Affected:
~1,000

Types of Data:
"Names, Social Security numbers, birth dates and other information"

Breach Description:
"WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army."

Reference URL:
Walter Reed Army Medical Center News
Associated Press
WISH TV Channel 8 News

Report Credit:
Walter Reed Army Medical Center

Response:
From the online sources cited above:

WASHINGTON (AP) — Sensitive information on about 1,000 patients at Walter Reed Army Medical Center and other military hospitals was exposed in a security breach, sparking identity theft concerns and an investigation by the Army.

Names, Social Security numbers, birth dates and other information was released, hospital officials said Monday.
[Evan] This information belongs mostly to military personnel that were patients of WRAMC. The victims are the people that defend this country. Grrr.

The computer file that was breached did not include information such as medical records, or the diagnosis or prognosis for patients, they said.

Walter Reed officials declined to explain exactly how the information was compromised, pending an ongoing investigation by the hospital and the Army.
[Evan] There is more insight into the cause of the breach below. Keep reading.

Preliminary results of an on-going investigation have identified a computer from which the data was apparently compromised.

Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise.

The medical center learned of the breach on May 21 from an outside data mining company, which officials did not identify.

the company was working for another client, found the file and contacted Walter Reed.

The hospital said it is working to notify all of the people named in the data file. Letters or e-mails were being sent out, beginning Monday.

The chairman of the House Armed Services Committee, Rep. Ike Skelton, D-Mo., said he wants to hear from the Army about its investigation.

"It's very troubling when private data is inappropriately released," Skelton said. "We must ensure that personal information is protected and prevent any future compromise of patient records."
[Evan] Obviously easier said than done.

Walter Reed plans to offer free credit protective services to patients whose information was revealed.

The hospital also has set up a hot line for people to call to see if their information was disclosed (1-877-854-8542, ext. 9).

The Health Insurance Portability and Accountability Act of 1996 protects patients from unauthorized release of their health records. The Walter Reed Army Medical Center has a robust information assurance program that meets all program standards and requirements. The compromised data file did not include protected health information such as medical records, diagnosis or prognosis for patients.

Message to "Team WRAMC" from COL Patty Horoho:
I want to ensure that each of you have an understanding of what may be in the papers regarding possible disclosure of personal data. Walter Reed officials were notified of a possible disclosure of personally identifiable information through a Peer to Peer (P2P) network of approximately 1000 Military Health System beneficiaries. The information did NOT contain any protected health information such as medical records, diagnosis or prognosis for patients. The individuals impacted have been identified and we are taking a proactive approach to contact them to assist in providing fraud protection services. Below is the media release we sent out will provide more details. A 24/7 hotline has been established in the Combined Operations Center, 202-782-8333 or 877-854-8542 ext 9 and a info site on the web page is also being created.

I need everyone to ensure that they are not loading or down loading programs that are not authorized by the command as it increases our vulnerability and possibly can cause a breach in protected information being shared.

Commentary:
So the cause of this breach was an unauthorized installation and configuration of a Peer to Peer (P2P) program. My concerns about this revolve around the ability to install the application and the inability of WRAMC personnel to block and/or detect the network traffic.

The installation of computer programs on a computer usually require elevated privileges such as administrative access. Are users of WRAMC information resources also administrators of their systems? If so, this is generally not a good idea.

P2P programs such as BitTorrent, Morpheus, Lime Wire, etc. are dependent upon a network to work, thus the "Peer to Peer". Most, if not all P2P network traffic is easy to block and/or detect with any combination of filtering, network access control and intrusion detection or prevention. Are these technologies not in use at WRAMC?

Lastly, what is WRAMC policy with respect to acceptable use and network access? There is no mention in the news reports.

Past Breaches:
April, 2008 - Excel Spreadsheet on the web exposes Army officers and civilians

Breach at UCSF gets leadership response

Sat, 31 May 2008 06:34:08 +0000

Technorati Tag: Security Breach

Date Reported:
5/28/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Departments of Pathology and Laboratory Medicine

Victims:
Patients

Number Affected:
3,569

Types of Data:
"names, dates of pathology service, health information and, in some cases, social security numbers"

Breach Description:
"The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information."

Reference URL:
UCSF News Release

Report Credit:
Kristen Bole, UCSF

Response:
From the online source cited above:

The University of California San Francisco is alerting a group of patients that it has discovered a security breach involving a computer that held personal patient information.

There is no indication that any patient files were accessed.

UCSF takes this situation very seriously and is therefore responding with the highest level of caution and concern.

During routine monitoring of the campus computer network on January 11, 2008, UCSF discovered unusual data traffic on one of its computers.
[Evan] Its good that the unusual traffic was detected through routine monitoring, but I wonder how long the traffic was present before it was detected. Later on in the news release there is mention that an unauthorized movie-sharing program was installed on the computer on or about December 2, 2007. It seems likely that the unusual traffic may have started on or about December 2, 2007. Why the time gap between presence and detection?

The computer was immediately removed from the network to prevent further access.

UCSF conducted a thorough investigation into the incident to assess how this breach occurred and whether any patient information may have been compromised.

The investigation was completed this month.
[Evan] This is a long investigation. January 11th, 2008 through May 1st, 2008 is more than 3 1/2 months.

During the investigation, UCSF determined that an unauthorized movie-sharing program had been installed on this one computer on or about December 2, 2007, by an unknown individual.
[Evan] Uh oh. If the installation of the program requires administrative access to the computer, it is conceivable that the local administrator credentials were compromised. The fact that the news release states "unknown individual" leads me to believe that the account used was potentially a shared account.

Installation of this program required high-level system access, which is why the incident is considered a security breach.

This computer contained files with lists of patients from the UCSF pathology department’s database.

The data included information such as patient names, dates of pathology service, health information and, in some cases, social security numbers.

The Department of Pathology has notified 2,625 UCSF patients whose information was contained on the computer.

The files also included 944 patients whose tissue samples had been referred by other health care providers to UCSF for analysis.

UCSF has established a special phone line (415) 353-7427 and a special email address PathHotline@ucsf.edu to answer questions from patients who receive the notification letters.

The security of protected health information at UCSF is of utmost importance

The campus has undertaken extensive work in this area, including upgrading system security and performing the monitoring that uncovered this breach.
[Evan] Great! I just want to point out that the word "undertaken" is past tense. Information security is a lifecycle employing continuous management, improvement, monitoring, etc.

this event and others nationwide have caused UCSF to redouble its efforts in this area.

UCSF Chancellor J. Michael Bishop has formed a top-level task force to improve the system of controls to protect patient information and other sensitive data.
[Evan] Excellent! This demonstrates good organizational leadership, of which information security is integral. It stinks that it took a breach affecting over 6,000 people before this action was taken.

This task force is composed of campus leadership and is chaired by Executive Vice Chancellor and Provost Eugene Washington.

Chancellor Bishop has charged the group with conducting a comprehensive, expedited review of actions already taken and future actions needed to protect sensitive data, including reviewing associated practices, systems and policies.

He also has charged the committee with implementing the changes needed to safeguard protected health information and other sensitive data and has asked the group to report to him weekly on their status, with an emphasis on actions taken and planned.

Commentary:
I commend UCSF leadership for the establishment of the new task force led from the top. Hopefully the momentum will continue. All organizations, non-profits and profits alike, need information security leadership that comes from the uppermost echelons in order to be effective.

Past Breaches:
University of California:
May, 2008 - Health care practices and UCSF patient records exposed
April, 2008 - University of California Irvine students are hit with mysterious breach