[SecurityRatty] tag: physicians

A backup tape is stolen from Greensboro Gynecology Associates

Wed, 16 Jul 2008 12:16:26 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
Greensboro Gynecology Associates

Contractor/Consultant/Branch:
None

Victims:
Physicians, staff members, and patients

Number Affected:
Unknown

Types of Data:
"names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members"

Breach Description:
"GREENSBORO - Patients at a Greensboro doctors’ office have been notified that their personal information - including Social Security numbers and addresses - was stolen in May."

Reference URL:
News & Record

Report Credit:
Ryan Seals, News & Record

Response:
From the online source cited above:

In a letter mailed to patients, Greensboro Gynecology Associates said a backup tape of their computer database was stolen.
[Evan] Does "their computer database" include billing information and other confidential information other than personally identifiable information?

The letter was dated June 16, but some letters weren't postmarked until July 9.

The medical practice said a backup tape of patient information was stolen on May 29 from an employee who was taking the tape to an off-site storage facility for safekeeping.
[Evan] I wonder what type of off-site storage facility. Some of the small businesses that I have encountered consider an employee's home to be an "off-site" storage facility.

The stolen information included patients' name, address, Social Security number, employer, insurance company, policy numbers and family members.

The tape did not include treatment or specific medical data.

"We are very concerned about this theft, as we too are victims," Pat Higgins, the practice's administrator, wrote in an e-mail Tuesday. "We are notifying our present and former patients. ..."

The practice at 719 Green Valley Road Suite 305 said personal information for its physicians and other staff members also was on the stolen tape.

the case is under investigation

did not respond to inquiries about how many patients were affected, how the theft occurred and whether anything else was taken

The practice's letter said the theft had been reported to police. However, officials with the Greensboro Police Department and the Guilford County Sheriff's Office said they had no such report on file.
[Evan] This is interesting news.

The data was not encrypted, but Greensboro Gynecology Associates said the stolen data isn't likely to be accessed.

"We have consulted with several computer security experts, and they have advised it is highly unlikely the tapes can be accessed because of the program used and the language (the information) is written in," according to a recording on a hotline set up to address patients' concerns.
[Evan] Who are these several computer security "experts'? I hate to disagree, but... The assessment is based on "the program used and the language" that the archived information is written in. Really? How hard is it to obtain the necessary hardware and software to access the information? Someone interested in accessing the tape could conceivably flip the data protection tab on the tape (to prevent data corruption through inadvertent writes), download some of the more popular backup software programs, buy a compatible drive (stolen or on eBay), and go to town. Couldn't they? Backup Exec is a very popular backup program. Anyone can download a 60-day trial for free. More talented professionals have even more sophisticated methods of accessing data on tape.

Greensboro Gynecology Associates said they are consulting with computer security experts to prevent similar thefts in the future.
[Evan] I kind of hope that they are not consulting with the same computer security "experts" referenced above.

"We sincerely regret and apologize that this incident occurred," the letter said

Commentary:
Many backup software solutions include the option to encrypt the written data built-in. Why not use it?

Greensboro Gynecology Associates has established a hotline for concerned patients. The phone number is (336) 544-4590. The hotline asks patients to leave their name and telephone number for a staff member to return their call.

Past Breaches:
Unknown

Physicians and medics

Mon, 26 May 2008 16:12:12 +0000

My thanks to Mike Rothman who last week gave me credit for “fighting the good fight”. I’d like to think he’s right — it has been a bit of a struggle over the years, I’d like to think I’m winning (or at least managing a draw) as I continue the struggle, and I’d like to think it’s worthwhile. Mike does seem to continue to question the pragmatism of my approach though, which is what this post is about.

Don’t get me wrong. I greatly admire the work Mike does and wish he and his book had been around when I started out as a CISO. Would have saved me significant pain and suffering. On the other hand, if I’d had Mike’s P-CSO I might have become complacent and ended up believing that’s all there was to being a CISO. Not that I think Mike is advocating complacency — he’s not. I also don’t think he discounts risk analysis concepts. He’s simply focused on helping that component of our profession who’s just getting started or who faces other practical constraints in dealing with our very complex problem space. His is a necessary and highly valuable contribution, and he provides it in an entertaining way that’s too rare.

Let me set this discussion in a medical analogy context. If I was in the middle of nowhere or didn’t have the resources for a physician, then a medic who’s skilled in lifesaving basics would do just fine. However, if the situation called for a deeper understanding of the complex, sometime subtle health considerations, then I’d prefer a physician. Someone who didn’t say; “Boy, this anatomy and physiology stuff is complicated. I’m just going to stick with ‘The hip bone is connected to the back bone…’” My physician may, of course, choose to follow a pragmatic, commonly-used course of treatment, but they’d be able to do so with a deeper understanding of the problem space, greater (but not perfect) certainty that the course of treatment would work, and a better ability to explain to me, the patient, why I had to swallow this bitter pill, undergo the knife, or have this long tube snaked into one of my orifices.

Yes, I realize that physicians sometimes get it wrong, sometimes get wrapped up in fancy and even unnecessary procedures, and can drive up costs. That’s just as true as what can happen at the other end of the spectrum — the shaman who operates entirely by superstition, faith, FUD, and intuition. The point is, there’s absolutely a need for both medics and physicians (and levels in between). We, as professionals, can choose where we want to be within that continuum. With this in mind, a few things to consider are:

In the heat of battle, when resources are limited, or when it just makes sense, physicians always have the option of behaving as medics and sticking with the bare essentials (the reverse isn’t true). In fact, the best physicians I’ve encountered are pragmatic in their approach but have the deeper knowledge to leverage when need arises
Medics might effectively deal with 80+% of our problems, but that remaining ~20% can be critical
A person can start out as a medic and then become a physician later, as need and resources dictate
Physicians tend to be paid more

Bottom line — knowledge and understanding are never a bad thing, but it requires extra effort to acquire them. And, as Mike points out, the simple approach is often good enough and may be all we can hope for given our individual circumstances. For myself though, I prefer a deeper understanding of our complex problem space. I want to be able to answer the hard questions about why and how. But that’s just me.

BTW - I was amused at Mike’s characterization of risk analysis as Black Magic, as this phrase would also have been used in the past to describe medical and scientific concepts/practices we take for granted today.

University of Florida doctor loses job over breach

Thu, 22 May 2008 05:47:33 +0000

Technorati Tag: Security Breach

Date Reported:
5/20/08

Organization:
University of Florida

Contractor/Consultant/Branch:
College of Medicine

Victims:
Patients

Number Affected:
~1,900

Types of Data:
Digital photographs, names, dates of birth, Social Security numbers, and Medicare numbers

Breach Description:
"University of Florida officials will be notifying about 1,900 patients of a UF plastic surgeon that their private health information might have been breached after the information was managed and disposed of improperly."

Reference URL:
Jacksonville Business Journal
WOKV Radio News
First Coast News

Report Credit:
Jacksonville Business Journal

Response:
From the online sources cited above:

JACKSONVILLE, FL -- The private health information of 1900 local patients may have been compromised when a Jacksonville doctor gave his computer away.

Dr. Francis D. Ong, a UF assistant professor of plastic surgery at the UF College of Medicine-Jacksonville, stored unsecured digital photographs of his patients and identifying information -- such as names, dates of birth, Social Security numbers, and Medicare numbers -- on a computer.

The patients involved were treated by Dr. Ong between July 2005, when he joined UF, and December 2007.

Ong then gave the computer to a family he was friends with in late January or early February this year.
[Evan] So, is it safe to assume that Dr. Ong owned this computer? If so, I can think of (at least) three problems that led to this breach. First, the storage of confidential information on a poorly (or less) secured client workstation. Second, the disposal of a client workstation in an insecure manner. Third, the use of a personally owned computer on a corporate (or organization) network.

One of the friends using the computer replaced its operating system, resulting in the permanent loss of most of the patient information.
[Evan] Not true. Formatting and re-installing an operating system will not result in permanent loss of data. Depending on factors such as disk size, amount of previously stored data and location on disk, much of the confidential information could still be retrieved with relative ease.

"The family had installed a new operating system on the computer February 24, so roughly around three weeks after they got the computer and they had destroyed most of the information that was on the hard drives,"
[Evan] See my comments above

According to UF policy, confidential patient information should only be stored in highly secure university servers, not individual computer hard drives.
[Evan] A good policy statement in most cases.

"Dr. Ong's storage of these pictures and related data on this computer and his subsequent transfer of the computer to a family were in violation of University of Florida policy," said David Behinfar, a privacy compliance manager at the College of Medicine.

As a result, UF officials say Dr. Ong will no longer be working with the University of Florida's College of Medicine.
[Evan] This is likely a necessary step taken by the university. It is sad for Dr. Ong, but a policy is only as good as its enforcement.

Ong will be no longer be working at the college by June.

"Dr. Ong has reported that the family members used the computer for their personal use and have said that neither they nor anyone else viewed any pictures or medical information on the computer,"

The computer has been returned to the University of Florida, and the school tells us the risk of anyone using the information for unlawful or mischievous purposes is extremely low.
[Evan] I agree that the risk to the affected individuals is probably low due to the fact that the chain of custody is pretty well known with some amount of certainty. This breach could have been much worse.

"We deeply regret this event and apologize to our patients who it may have affected,"

"We have taken steps to prevent incidents of this type from occurring in the future and are continuing to educate our physicians and staff on our electronic data storage policies."
[Evan] Some information security professionals may argue with me, but I am a big proponent of information security training and awareness programs. In my experience, effective programs pay for themselves.

The UF privacy office mailed letters to patients May 19, which included a brochure offering safeguarding advice and a privacy office hotline number.

Concerned patients of the College of Medicine can call the hotline at 866-876-4472.

Commentary:
I was a little surprised to see Dr. Ong's name mentioned so many times in the news reports. It seems to me that Dr. Ong made an honest mistake and likely regrets his actions in this case. This is a classic example that demonstrates the responsibility of data users to learn the information security policies, standards, guidelines and procedures that apply to them during the course of their employment. It is acceptable for an employee to ask questions and seek guidance in areas that aren't clear.

Information security requires cooperation from everyone involved.

Past Breaches:
November, 2007 - University of Florida student info online

Health care practices and UCSF patient records exposed

Wed, 07 May 2008 12:10:17 +0000

Technorati Tag: Security Breach

Date Reported:
5/1/08

Organization:
University of California

Contractor/Consultant/Branch:
University of California at San Francisco ("UCSF")
Target America Inc.

Victims:
Patients

Number Affected:
6,313

Types of Data:
"The information included names, addresses, medical departments and some patient medical record numbers"

Breach Description:
"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"

Reference URL:
San Francisco Chronicle
CNET
United Press International
UCSF News Release

Report Credit:
Elizabeth Fernandez, San Francisco Chronicle

Response:
From the online sources cited above:

Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.

Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.

Sensitive information can be used by employers, health insurers and other entities to discriminate

thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.
[Evan] Purloined is a funny word.

"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum

"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."
[Evan] I don't think most people know this. Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.

Hospital officials say there's no indication of identity theft to date.

UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.

Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.
[Evan] Seems wrong, doesn't it? You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays). If you are a deemed a good donor candidate, you get emails and letters that you never signed up for. The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money. Personally, I would be more willing to donate if an organization were straight with me.

The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."

Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.

Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.
[Evan] There is no mention of this breach anywhere on Target America's site either. Sweep it under the rug and maybe it will go away?

The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.

Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.

"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."

Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.

Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."
[Evan] Why not say it like it is. The true motive?

"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."
[Evan] Closer.

After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." Notification letters were mailed to patients April 4.

While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.

"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.

Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.
[Evan] Don't think that this doesn't happen. Insurance companies are not in business to help people, they are in business to make money. They want to identify as many pre-existing conditions as possible.

UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.
[Evan] I think that this is open to interpretation. HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.

"Steps have been taken to reinforce this practice,"
[Evan] Like what? Are "steps" enough?

For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.

"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published.

"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? It boils down to monetary greed."
[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives. One of the best from what I read.

UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.

UCSF continually modifies systems and practices to enhance the security of patient information.

Commentary:
Hmm. I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,". There is not much discussion surrounding the details of the actual breach itself. I have also read concern of the length of time it took before patients were notified.

From Target America's "Why Target America?" page:
"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."
Looks like a pretty important database to me.

There are no apologies made by UCSF or Target America for the breach.

Past Breaches:
University of California:
April, 2008 - University of California Irvine students are hit with mysterious breach

Stolen General Internal Medicine laptop exposes nearly 12,000

Mon, 05 May 2008 08:17:36 +0000

Technorati Tag: Security Breach

Date Reported:
4/25/08

Organization:
General Internal Medicine of Lancaster (PA)

Contractor/Consultant/Branch:
None

Victims:
Patients*

*"who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007"

Number Affected:
"nearly 12,000"

Types of Data:
Names, addresses, telephone and Social Security numbers

Breach Description:
"EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County."

Reference URL:
WGAL Channel 8 News
Lancaster Intelligencer Journal
General Internal Medicine of Lancaster

Report Credit:
General Internal Medicine of Lancaster (PA)

Response:
From the online sources cited above:

EAST HEMPFIELD TOWNSHIP, Pa. -- A laptop stolen from a doctors office containing the social security numbers of patients and office staff was stolen recently in East Hempfield Township, Lancaster County.
[Evan] Why do we store personal (and other confidential) information on poorly secured laptops? Why, why, why?

A medical practice in East Hempfield Township is contacting nearly 12,000 of its patients to notify them that a computer was stolen from the office April 17

"We're just sick about this," said practice manager Lois Summers. "We know that the computer didn't contain the information of all (12,000) patients, but we notified everyone we saw during that three-year period just to be safe."
[Evan] The organization is not providing (as far as I can tell) fraud alert or credit monitoring, but the costs are probably still significant. 12,000 mailings has a hard cost and is pretty easy to quantify. The price involved with lost confidence and visits is harder to nail down.

office workers on April 17 were taking paper records bearing basic patient information and scanning them into a laptop computer so the records could then be transferred to a disk.
[Evan] Even in a small scale project it is important to evaluate risks EARLY on in the process, before work starts.

After that process was completed, the office planned to burn the paper records.

no medical information about patients was compromised.

The computer contained the names, addresses, telephone numbers and Social Security number s of many of the patients who visited the office of General Internal Medicine of Lancaster, 2301 Columbia Ave., from 2005 through 2007.

East Hempfield Township police said someone stole the computer from an unlocked conference room inside the Physicians Alliance office building on Columbia Avenue last week.

An employee left the area where the scanning was being done for a brief period the morning of April 17. When that employee returned, Summers said, the laptop was gone.
[Evan] It only takes a second or two for a thief to nab a mobile device. People think that it won't happen to them until it does. Then it's like "@^ @%*#"! Understand that these things will happen. We don't know when. We don't know how. We don't know where. Many times the hardware costs are a write-off, but what is the cost of personal information for which you are not the owner? We can take steps to significantly reduce the risk of data exposure.

Police said they suspect whoever stole the laptop wanted the computer more than the information on it.
[Evan] Sure.

Investigators also said the personal information is not easy to access.
[Evan] "Not easy" is subjective. If the information was only protected by an operating system password, then the information is likely very easy to access.

"Obviously, this was not a secure system we had and it will never be done again in this office," Summers said. "We need a secure (computer) drive that cannot be removed from the office."
[Evan] Excellent quote, "Obviously, this was not a secure system". Lois Summers then goes on to address physical security of the drive itself. Physical security is very important, but it should be noted that logical security (biometrics, encryption, etc.) are equally as important.

General Internal Medicine of Lancaster located in the office building sent a letter to patients to alert them of what happened.

Anyone with questions is urged to call General Internal Medicine at 397-2738.

Commentary:
The General Internal Medicine of Lancaster web site prominently displayed a "Fraud Alert" graphic in the middle of the home page.

I appreciate organizations that do not hide the fact that personal information (entrusted to them) has been compromised. Losing the information causes enough stress for victims. General Internal Medicine does a good job of openly admitting the breach and providing information. Their "Fraud Alert" page even provides a link to a copy of the East Hempfield Township police report. I get a real sense that the organization feels terrible about the breach and has taken steps to mend the relationship with patients. I don't get this sense from many breaches.

Unfortunately the information security practices at General Internal Medicine that led to this breach are commonplace in many organizations of all sizes, in many industries.

Past Breaches:
Unknown

700,000 records on stolen CCB server

Tue, 22 Apr 2008 10:57:38 +0000

Technorati Tag: Security Breach

Date Reported:
4/18/08

Organization:
Numerous*

*See Commentary section for list of businesses

Contractor/Consultant/Branch:
Central Collection Bureau ("CCB")

Victims:
Individuals who were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Number Affected:
~700,000

Types of Data:
"personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes"

Breach Description:
"Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana. This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes."

Reference URL:
Central Collection Bureau
Chicago Sun-Times (Associated Press)
NBC Channel 13 Eyewitness News

Report Credit:
Central Collection Bureau

Response:
From the online sources cited above:

SECURITY BREACH NOTIFICATION ALERT:
CENTRAL COLLECTION BUREAU
Dated April 18, 2008

Indiana residents are hereby alerted to a security breach at Central Collection Bureau (CCB, located at 7510 South Madison Avenue, Indianapolis, Indiana.

This breach potentially exposed the personal information, including names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes.

These individuals were referred to CCB for debt collection purposes by Indiana businesses, on or before March 20, 2008

Approximately 700,000 files may have been breached.

The businesses that engaged CCB for debt collection during that period of time are listed below.

Please note that only a very small percentage of the individuals who were patients or customers of the businesses below—i.e., those who ultimately were referred for debt collection—would have their personal information included in the CCB database.

Some of the information might be outdated. St. Vincent Health System said it had not given any billing business to Central Collection in more than three years, so all of the missing billing information is several years old.
[Evan] This was a question that my colleagues and I were debating about this breach. 700,000 records seems like an awful lot of "active" collection accounts. CCB would need quite a few collection agents to service this many accounts, if in fact they were all active. I think we can assume that only a fraction of the 700,000 records were actually "active" and CCB did not effectively destroy information that they no longer needed to keep.

Other patients and customers of those companies are not affected by this breach.

The theft occurred on Friday, March 21, 2008, at CCB's location in Indianapolis.

On that date, thieves broke into the company's offices and stole 8 computers, as well as one of its servers (databases).

The server was password protected and protected by three locked doors. The 8 computers did not contain personal information.

The information was protected by two passwords but was not encrypted, Klene said.

"Our server was password protected. We have obviously spoken to some IT people who feel that a good computer hacker could get through those passwords," he said.
[Evan] It doesn't even take a "good computer hacker" to get through the passwords.

CCB promptly contacted the police and is working with the Indiana Attorney General's office.

The company also promptly installed additional locks, a security system, and a motion detection system to help minimize the risk of any further unauthorized access to its information.
[Evan] These will help with physical security. Full-disk encryption and a effective data retention policy wouldn't hurt for logical security, eh? Us information security guys would refer to multiple defensive layers as "defense in depth". Brilliant!

CCB apologizes to its clients and all Indiana residents affected by this incident.

"We're obviously heartsick about this," said Chet Klene, Central Collection Bureau president. "We've been in business since 1972, and nothing like this has ever happened before."
[Evan] I don't doubt that CCB is "heartsick" by this incident. I feel bad for them and the fact that they probably did not know any better. Maybe this is partly a failure on the part of the information security profession as a whole.

While the company has no information suggesting that the breach occurred for purposes of identity theft, it nevertheless has contacted the three national credit bureaus to place a fraud alert.

Please go to the CCB website at www.ccbinc.net, call CCB at 317-887-5165 or 1-800-878-5165 or email CCB at theft@ccbinc.net for more information

Commentary:
Clients of CCB with information on the stolen server include:

Academy Animal Hospital, Advanced Interventional Pain, Advanced Physical Therapy, Alternative Care Experience, Anderson General Surgery, Andrew Dick MD, Anesthesia, Aqua Systems, Associated Billing, "Barbara Sturm, MD", Brad Sammons DDS, Brien Grow DO, Buchanan Counseling Services, Campion Barrow & Assoc., Cardiothoracis Surgeons, Cardiovascular Diagnostic Services, Carl Foster MD, Caryn Guba DDS, Center For Orthopaedic Surgery, Central Indiana Phys Medicine & Rehab, Charles Howe Professional Medical Corp, Charles Kelley III DPM, Charles Kerkhove Jr DDS, Charles Tomich DDS, Chiropractic Thereputics, Citizens Gas & Coke, City of Franklin Ambulance, Clarian Radiology, Clinical Laboratory Physicians, Comdent, Comprecare, Culligan Water Conditioning, Cummins Behavioral Health System, D.E. Kelley DDS, Daniel Feeny MD, David Pennington III MD, David Shaw MD, David Szentes MD, Denture By Design, Dermatopathology Lab, Diagnostic Medicine, Dunlap Urgent Care, Edward J Diekhoff MD, Emily Cline MD, Emergency Medical Group Physicians, Forest Creek Family Dental, Friendly Village of Indy, Gary Hunt DDS, Gary Taylor DDS, Generations In Dentistry, George Small Jr MD, Gial Anesthesiology Service, Grandmas House Child Care, Greg Hardin MD, Hamilton Anesthesia Group, Hearing Center, Henderson Drugs & Home Health, House of Kids, Howard Alig MD, Howard Regional Health System, Indiana Radiology Partners, Indiana Spine Group, Indiana General Surgery, Indiana Medical Network, Indpls Neurosurgical Group, Internal Medicine Plus, JCB Anesthesia & Pain Mgt, Jeffrey Stevens DPM, Jennifer Siegel DDS, JMH Health Affiliates, John Jackson DC, John Norris MD, Johnson Co Anesthesia, Johnson County REMC, Johnson Memorial Hospital, Joseph Meek DDS, Julie Chao MD, Kenny Stall MD, Kerry Mays MD, Kevin Macadaeg MD, Khalil Wakim MD, Kidd Pediatrics, Knowledge Learning Corp, Koehring & Sons, Kokomo Sports Center, Larry Buckel MD, Laura Steiner MD, Laura Stitle MD, Laurette Robey MD, Laverne Tubergen MD, Lawrence Falender DDS, Library Park Immediate Care, Lora Overton DO, Madison Anesthesia Group, Madison Avenue Flower Shop, Mark Ellis DDS, Mark Kahn DDS, Mark Ogle MD, Mark Yamanaka MD, Martinsville Dental Center, Memory Maker Studios, Mere Image Sportswear, Meridian Veterinary Clinic, Methodist Arthritis Physicians, Methodist Medical Group, Michael Arnold DDS, Michael Cozzi MD, Michael Harper, Midamerica Surgery Center, Milto Cleaners, Mitchell Foster MD, Muncie Cataract & Laser Center, Nancy Zinni MD, Northside Surgical Specialists, Northside Anesthesia Services, Northwest Medical Pain Control, Nufinity, Orthopaedic Supplies Inc., Panchapakesan Harlan MD, Paul Batties MD, Paul Johnson DDS, Paul Johnson DDS, Paul Strange MD, Philip Borders MD, Pioneer Anesthesia Consultanta, PT Buntin MD, R.D. McQuiston MD, Rebecca De La Rosa DDS, Richard Herd Jr DDS, Rick Stephens Builder, Riley Bennett & Egloff LLP, Robert Smith MD, Robert's Salon & Day Spa, Ronald Wines DDS, RW Armstrong, Sandhya Nanda MD, Sarah Akard DDS, Scot Hagadorn MD, South Emerson Anesthesia Assoc., South Emerson Pain Management, South Emerson Surgery Center, Southeast Family Physicians, Southside Animal Hospital, Southside Family Medical Group, Southside Pediatrics, St. Vincent Health and related entities, Stephen Stitle MD, Stephen Szynal DO, Stonehedge Apartments, Stop 11 Animal Hospital, Sun Medical, Surgical Associates of Madison Co, Susan Wagner DDS, Thomas Eads MD, Thomas Ferrara MD, Tim Schafer DDS, University Family Physicians, University Pediatric Associates, University Surgeons, USF Inc, Valle Vista Guidance Center, Valle Vista Hospital, Walker Family Dentistry, Wells & Marvel PC

Past Breaches:
Unknown

Reproductive Medicine Center doctor loses patient data on flash drive

Fri, 01 Feb 2008 13:44:24 +0000

Technorati Tag: Security Breach

Date Reported:
1/30/08

Organization:
University of Minnesota Physicians

Contractor/Consultant/Branch:
Reproductive Medicine Center

Victims:
Patients

Number Affected:
3,100

Types of Data:
Patient information including details of infertility treatments

Breach Description:
A doctor with the University of Minnesota Physicians, Reproductive Medicine Center lost a flash drive containing sensitive personal information belonging to patients. He was using the flash drive to back-up his data.

Reference URL:
WCCO Channel 4 news
AOL Video

Report Credit:
Esme Murphy, WCCO

Response:
From the online sources cited above:

Dr. Theodore Nagel, a doctor at the fertility clinic, lost a flash drive that he used to back up his computer. The drive holds details of infertility treatments for 3,100 patients going back to 1999.

The physician who is affected is absolutely mortified and we are also very concerned," said Dr. Bobbi Daniels, U of M Physicians Medical Director.

University of Minnesota regulations require doctors to encode information on flash drives. Nagel did not do that on his flash drive nor did he use a password.
[Evan] It's nice to see that the University of Minnesota has requirements for how information on flash drives must be stored. It stinks that Dr. Nagel did not follow the requirements. I wonder if he was aware.

"I think this would be the hardest for people that are currently undergoing fertility treatments," said Amy Anderson, a former infertility patient.

"You are talking about your sexuality and just a lot of private medical issues," said Anderson.

"It is hard but once and a while accidents do happen," said Anderson.

Nagel reported the loss of the drive himself and he's written the patients a letter of apology.
[Evan] I almost feel bad for Dr. Nagel

The clinic has also set up a hot line for those affected. The lost drive did not contain any financial or social security information.

Commentary:
No financial risk to affected individuals, but huge personal privacy risk. A word or two, do NOT use flash drives as data backups. If you must, then don't go WITHOUT strong encryption (and don't write down the key/password).

Past Breaches:
Unknown