Category Archives: Data Breach

Does Wyndham Confirm the FTC’s Role as Federal Privacy Enforcer?

Data breach law in the United States might have just become a lot less patchy, but a little more uncertain.  On April 7, 2014, the District Court of New Jersey decided FTC v. Wyndham Worldwide Corp., et al., No. 13-1887-ES.  This case arises out of a FTC action, brought under the deception and unfairness prongs of […]

FTC Provides Guidance on Heartbleed

I usually do not re-post directly from the FTC, but given the timeliness of the subject, the wide impact of the problem and the technical nature of the issue, I thought it was warranted to re-post the FTC’s guidance on Heartbleed.  Talk to your IT folks about this sooner rather than later: By Nicole Vincent Fleming […]

SEC Hosts Cybersecurity Roundtable

Cybersecurity remains a hot topic for regulators, including the Securities and Exchange Commission (SEC).  On March 26, 2014, the SEC hosted a roundtable to discuss cybersecurity and the issues and challenges it raises for market participants.  The roundtable addressed cybersecurity concerns for investment advisers, broker-dealers and public companies, and provided a forum to share information as to […]

Health Insurer Hit With A Record HIPAA Penalty: What Does It Mean?

Triple-S Salud Inc., a Puerto Rican health insurer, has been hit with a $6.8 million penalty from the Office of Civil Rights of the Department of Health and Human Services for a massive data breach.  Triple-S (known as ASES in Spanish) has posted a notice on its website regarding the breach.  The penalty, which also […]

Target Data Breach Escalates, Class Actions Begin

As previously discussed here, Target suffered a massive data breach that compromised the credit and debit cards of many of its customers.  Now that the dust has started to settle, the extent of the breach is becoming clearer.  In December, Target announced that 40 million credit and debit card numbers were stolen in this hack.  Further investigation […]

Are You a “Target”? Business Implications of the Target Breach

Now that the initial media blitz about the massive Target breach has passed, it is time to look ahead at the implications: Legislation:  In the past, we have seen major breaches drive legislative change.  But now that most states have data security statutes, it seems unlikely that much will happen at the state level.  And […]

Security Flaws Could Land Affordable Care Act Contractors In Legal Crosshairs

A recent article in Law360 discusses how “technical problems plaguing the Affordable Care Act’s online insurance marketplace could expose vast amounts of personal data to theft….”  I noted in that article that while these concerns were valid, they are simply expanded versions of existing exposures in payor databases: “Will breaches and improper disclosures happen as part of […]

iPhone’s Fingerprint Scanner Raises Privacy and Security Concerns

Apple’s latest iteration of the iPhone (the iPhone 5S) went on sale last Friday.  The phone contains a new feature called Touch ID, which allows iPhone owners to unlock and purchase content from Apple’s online store using a fingerprint reader housed in the iPhone’s home button.  As expected, Apple’s use of biometric authentication has raised […]

U.S. District Court Narrowly Construes Computer Fraud and Abuse Act

In the following article from Massachusetts Lawyers Weekly (reprinted with permission), Brian Bialas comments on the latest Computer Fraud and Abuse Act case, and the resultant split in the District of Massachusett on how to interpret the CFAA:  Ex-employees sued over computer use Judge narrowly construes CFAA By Eric T. Berkman A technology company could not […]

Recent Massachusetts Supreme Judicial Court Case Starts a Wave of Lawsuits Against Retailers for Collecting Customer ZIP Codes

            In a recent decision, the Massachusetts Supreme Judicial Court (SJC) determined that customer ZIP Codes are “personal identification information” that retailers are prohibited from collecting during credit card transactions.  With this decision, the Massachusetts high court may have set off a wave of new class-action lawsuits against retailers that collected customer ZIP Codes.  Especially […]

HIPAA “Omnibus” Regulations Published in Federal Register

The revised HIPAA regulations were formally published today in the Federal Register.  In this form, they only take up 138 pages! Law360 has a brief piece on the revised HIPAA rules, with the perspectives of various attorneys (including me) on the changes.  While I’m not sure I agree with the quote that “This is a […]

Key Elements of the New “Omnibus” HIPAA

On January 18, 2013, nearly four years after the passage of the HITECH Act and its amendments to HIPAA, and nearly three years after it proposed regulatory amendments, the U.S. Department of Health and Human Services (“HHS”) has finally issued major “omnibus” revisions to HIPAA’s privacy and security regulations. In the 563 pages of the regulations and related regulatory comments, […]

Massachusetts Attorney General Secures $140,000 Settlement of Claims that Patient Information Was Left in a Town Dump

The Massachusetts Attorney General announced today that the former owners of a medical billing practice and four pathology groups have agreed to collectively pay $140,000 to settle allegations that medical records and patient billing information for “tens of thousands of Massachusetts patients were improperly disposed of at a public dump.”  Under the settlements, the defendants have agreed to pay a […]

HHS Announces First HIPAA Breach Settlement Involving Less than 500 Patients

The Department of Health and Human Services’ Office for Civil Rights (“HHS OCR“) announced today that it was, for the first time, entering into a monetary HIPAA settlement for a breach involving less than 500 patients: the Hospice of North Idaho (HONI) has agreed to pay HHS OCR $50,000 to settle potential HIPAA security rule violations. HHS OCR began its investigation after HONI reported to […]

Protecting Health Information: Health Data Security Training

It was a pleasure to be on a panel with members of the Massachusetts Office of the Attorney General last week at the Massachusetts Medical Society to talk about how physicians can protect health information in our presentation entitled:  “Protecting Health Information: Health Data Security Training.”   We covered the latest in federal law (HIPAA, […]

Another Massachusetts Health Care Provider Hit with Big HIPAA Settlement: Massachusetts Eye and Ear Infirmary Pays $1.5 Million

Late yesterday, the HHS Office for Civil Rights (“OCR”) announced that it had reached a $1.5 million settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (“MEEI“) to settle potential HIPAA Security violations.  As part of the settlement, MEEI also agreed to a Corrective Action Plan to improve policies and procedures to safeguard the privacy and security […]

FAA Chooses “Security Through Obscurity” For New Air Traffic Control System, Still Gets Hacked

There’s a fascinating, and deeply troubling, report on NPR today about the FAA’s new air traffic control system: The new system is called the Next Generation Air Transportation System, or NextGen. It will be highly automated. It will rely on GPS instead of radar to locate planes, and it is designed to allow air traffic controllers and pilots to pack more planes, helicopters […]

Customers Recover Losses in Bank Security Breaches

A recent story in the Wall Street Journal discusses how small businesses can push back against banks which do not provide sufficient security for their bank accounts. The article focused on the recent First Circuit decision, Patco Construction Co. v. People’s United Bank, involving a bank account that had been drained by multiple fraudulent transactions. […]

Vermont Quietly Updates Its Data Security Law

You may have missed it, because it came without fanfare and does not seem to have made the data security trade press, but in early May, the State of Vermont updated its data security law. In particular, these revisions to 9 V.S.A. chapter 62 do the following: change the information protected to “personally identifiable information” […]

A Few Thoughts from Deputy Undersecretary for Cybersecurity, Mark Weatherford, Department of Homeland Security

On May 16, Deputy Undersecretary for Cybersecurity, Mark Weatherford, spoke to the Advanced Cyber Security Center about DHS’s cyber security priorities: Information Sharing, R&D, and the Advanced Persistent Threat. On Information Sharing:  This is a continuing challenge, in part because of the way the federal government shares information.  At present, the federal government provides cyber […]

Data Breaches Continue To Be A Problem For Health Care Providers: South Shore Hospital (Massachusetts) Pays $750,000 To Settle Data Breach Charges

An aptly-timed article from Mass High Tech Business News noted earlier today that: “Data Breaches [Are] a Growing Problem in Health Care.”  This article focused on a recent breach at Boston Children’s Hospital involving the records of 2,000 patients. The article was prescient, as this afternoon, the Massachusetts Attorney General announced a $750,000 settlement with suburban Boston’s […]

Massachusetts Reports on Data Breaches for 2007-2011

The Massachusetts Office of Consumer Affairs and Business Regulation has issued its first annual report on data breaches. Since Massachusetts has one of the more strict state laws on data security and breach reporting, this report bears close attention for trends across the nation. Some of the highlights in this summary, which covers 2007-2011: Through […]

Good Advice that Bears Repeating: Toughen Up Your Passwords!

In an article that repeats a common theme in this space, this week’s Economist talks about how researchers are trying to help ordinary people toughen up their passwords.  But despite the efforts of these researchers, the article’s conclusion is a gloomy one: The upshot is that there is probably no right answer. All security is […]

$1.5 Million Settlement of First HIPAA Enforcement Action Resulting from HITECH Breach Notification Rule

The trend toward increasingly large health information breach settlements has continued with yesterday’s announcement thatBlue Cross Blue Shield of Tennessee (BCBST) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,500,000 to settle potential violations of HIPAA’s Privacy and Security Rules, HHS’s Office of Civil Rights. BCBST also agreed to a corrective […]

Lessons from the Chinese Hacking of Nortel for IT Security, Due Diligence

Recent press reports of massive Chinese-sponsored hacking at the one-time telecom giant Nortel might cause you to throw up your hands and say, what chance do I have against such forces?  A closer look suggests that there is much that can be done, and should be done, both in IT security and in the sale and acquisition […]

Jail Time for Man Who Accessed Computer of a Competing Medical Practice

An Atlanta, Georgia man was sentenced earlier this month to one year and one month in prison for intentionally accessing a computer of a competing medical practice, and taking personal information of the patients.  The individual made this improper access in order to send marketing materials to patients at the other practice. The individual worked as an information technology […]

“Performing Due Diligence Before Signing a Cloud SLA”

My overview of some of the major issues involved in signing a cloud computing agreement can be found in searchcloudcomputing, "Performing Due Diligence Before Signing a Cloud SLA."                                                                      *  *  * No one is certain of all the legal risks associated with enterprises storing confidential or proprietary information outside the corporate firewall — in […]

“Once More Unto the Breach, Dear Friends, Once More”: The Increasing Recognition of Complexity in Data Breach Response and Reporting

In an article in today’s New York Times, we get some real-life insight into the difficulties in responding to a data breach.  Even simple questions, like whether or not to report the breach and who is responsible for reporting it, take on unforeseen complexity. The particular breach in question happened at the Massachusetts eHealth Collaborative, when an employee’s […]

Consumer Response to Data Breach: Let’s Sue!

Interesting findings in the Unisys Security Index for the United States regarding what Americans say they would do in the event that they learned of a security breach suffered by an organization with which they were dealing: Change passwords on that organization’s website and other sites (87%) Stop dealing with that organization entirely (76%) Publicly expose the issue (65%) Take […]

Most Recent Sony Breach Illustrates the Cascading Effect of Data Breaches

It was revealed recently that Sony’s on-line services were the subject of another significant attack. This incident, however, did not exploit a vulnerability in Sony’s security infrastructure so much as it highlighted the cascading effect of data breaches. Rather than try to scale any fences or jimmy any windows, this attack used account holders’ own keys […]

Advanced Cyber Security Center Launched

As noted in MassHighTech, the Advanced Cyber Security Center was officially launched on September 20.  The program was opened by Massachusetts Governor Deval Patrick and featured a presentation from Attorney General Martha Coakley.  As described by MassHighTech: Touted as a first of its kind collaborative effort that brings together stakeholders in cyber security from the […]

More Consumer Data Security and Privacy Legislation Introduced

The latest legislator to enter into the federal data security and privacy sweepstakes is Senator Richard Blumenthal (D-CT) who introduced legislation, S. 1535, on September 8.  This bill, if passed, would require companies dealing with consumers to strengthen their data security and privacy policies.  In particular, Senator Blumenthal’s bill, “The Personal Data Protection and Breach Accountability Act,” would required businesses […]

Pulling Out Your Hair Over Wrongfully Disclosed Records?

A recent Massachusetts case shows that even prisoners have a right to privacy in their medical records. In this case, Alexander v. Clark, Suffolk Superior Court, Civil Action No. 0905456-H 28 Mass. L. Rptr. No. 14, 291 (May 30, 2011), the court sided with the claim of a prisoner that her health information had been wrongfully disclosed. In particular, […]

New Database Allows Review of Past History of Data Breaches

The Privacy Rights Clearinghouse has created in an interesting tool, a "Chronology of Data Breaches."  It doesn’t promise that it is comprehensive; what it does say is that it is a "useful indication of the types of breaches that occur, the categories of entities that experience breaches, and the size of such breaches."

HIPAA Breaches Reported to OCR Near 300

When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in May 2011, there had been 265.  This was up from September 2010, when there had been 191 such breaches. As of today, there as 292 listed.  Given that the last reported date of breach on the OCR’s list is May […]

Another Big HIPAA Settlement: The UCLA Health System Settles for $865,000

In another sign that OCR is continuing to seek significant penalties for HIPAA violations, it announced on July 7 that the UCLA Health System ("UCLAHS") has agreed to settle potential violations of the HIPAA Privacy and Security Rules for $865,500 and has committed to a corrective action plan aimed at remedying gaps in its compliance with […]

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:   the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel).and […]

2011: The Year of the Breach

We are six months into 2011, and it seems destined to be “The Year of the Breach.”  In just the past few months, major American (and multi-national) corporations and institutions have reported that they have been the victims of some kind of security breach: Epsilon: breach of customer email addresses; RSA: compromise of security tokens (possibly impacting […]

Consumer Class Action Filed Against Sony for Data Breach

On May 5, a consumer class action was filed against Sony, relating to the data breaches in its Sony PlayStation and related services.  The complaint alleges negligence, invasion of privacy and misappropriation of confidential financial information, as well as breach of express and implied contract.  No specific damages were alleged.

EU Chimes in on Sony Data Breach

The EU’s Justice Commissioner has chimed in on the Sony data breach, stating that Sony must "take the relevant technical and organizational measures to guarantee protection against data loss or an unjustified access."

Sony Mega-Breach Spotlights Data “Security” Myths

Sony’s unenviable status as the victim of the record theft of 77,000,000 individuals’ personal information underscores a reality that the on-line business community would like its army of customers to forget: it’s not just that the so-called “hackers” can be very good at what they do, it’s that the appointed guardians of legally protected personal information […]

Big HIPAA Breaches Now Number 265

When we last looked at OCR’s reporting on HIPAA breaches impacting 500 or more individuals, back in September 2010, there had been 191 such breaches. In the intervening 7 months, that number has jumped to 265 such breaches listed on OCR’s website.  It’s safe to expect these figures will continue to climb for the foreseeable future.

“Pressure Point: Online Privacy — Privacy is Potentially a Costly Workplace Issue”

In the April 22, 2011 Boston Business Journal article, entitled, "Pressure Point: Online Privacy – Privacy is Potentially a Costly Workplace Issue," I was interviewed regarding some of the recent developments in privacy and security law for employers:  “Most of the time, data breaches don’t come down to a failure of technology or inadequate technology. […]

TripAdvisor Reports Data Breach

If you are like me, you may have received an email from TripAdvisor, alerting you that "an unauthorized third party had stolen part of TripAdvisor’s member email list."  The text of that email was as follows:  To our travel community: This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor’s member […]

Health Net Announces Second Major Breach in Two Years; Creates Potential for Largest Ever Penalty

On March 14, the California-based managed care organization, Health Net, Inc., announced that it cannot account for "several server drives" that contained protected health information.  According to California regulators, these servers appear to contain the data of 1.9 million people nationwide: The company announced today that nine of its server drives containing personal information for 1.9 million current […]

What Is Inside Mass General’s $1 Million HIPAA Settlement?

As we noted earlier this month, Massachusetts General Hospital recently entered into a $1 million Resolution Agreement  and Corrective Action Plan with the Department of Health and Human Services’ Office of Civil Rights.  This settlement stemmed from an incident on March 9, 2009, when a MGH employee was commuting on the subway, "removed documents containing PHI from her bag and placed […]

Compliance Approaches in the Changing HIT Privacy and Security Landscape: How You Can Nurture a Culture of Health Information Security and Privacy

My slides from this presentation, "Compliance Approaches in the Changing HIT Privacy and Security Landscape:  How You Can Nurture a Culture of Health Information Security and Privacy" cover HIPAA and HITECH developments and compliance, with a focus on breaches and OCR settlements/penalties, including: §Resolution Agreement with Providence Health & Services–July 16, 2008 Settlement:  $100,000 §Resolution Agreement with […]

FTC Publishes Copier Data Security Guide

As we noted back in May, digital copiers have caught the eye of government privacy enforcers.  If you have a digital copier at your business, you should review the FTC’s Copier Data Security: A Guide for Businesses.  In that Guide, the FTC suggests that “your information security plans .  . . should cover the digital copiers your company […]

You Call That a Password? Passwords Used to Protect Personal Health Information in Clinical Trials Are Cracked More Than 90% of the Time

In a recent article in the Journal of Medical Internet Research, the strength of passwords in clinical trials was analyzed. In all cases that were examined, "the recovered passwords were poorly constructed, with names of local locations (e.g., “ottawa”), names of animals (e.g., “cobra”), car brands (e.g., “nissan”), and common number sequences (e.g., “123”)."  This result […]

Apparent HIPAA Violations in Hospital Treating Tucson Shooting Victims

As so often happens following a hospital’s involvement in a high profile event, the Tucson hospital treating the victims of the recent shooting is reported to have fired several staff, presumably for looking at patient records they should not have looked at: Katie Riley, the Director of Media Relations in the Office of Public Affairs […]

Website Privacy Policies – an extensive primer…..

This is a cross-posting of an interesting November 29 entry in Foley Hoag’s Emerging Enterprise Center blog, by Patrick Connolly and Prithvi Tanwar: If your start-up’s website will collect user information…. and chances are it will, you need to start thinking about your website privacy policy. I have often spoken with founders who think that the website […]

Gone Baby Gone: More Massachusetts Medical Records Go Missing

Following on the heels of the discovery of hospital records in a town garbage dump, today’s Boston Globe reported that  "computer files that possibly contained personal information on about 800,000 people connected to South Shore Hospital are ‘unrecoverable.’"  However, the investigation into this breach determined that there was a low of harm risk to those individuals whose records were […]

TJX Settles Investor Lawsuit Related to Data Breach

According to a report in the Boston Globe, TJX has settled a lawsuit brought by the Louisiana Municipal Police Employees’ Retirement System, a TJX stockholder, which had alleged that the TJX board of directors failed to protect customers’ personal data, apparently in connection with Alberto Gonzalez breach.  Bloomberg News has reported the case was settled for $595,000 in […]

Ponemon Study Finds Average Cost of Data Breach Was $3.4 million in 2009

Last week, the Ponemon Institute and PGP Corporation released the results of their Global 2009 Annual Study on Cost of a Data Breach (.pdf) [available directly from EncryptionReports].  The highlights of the survey were announced in PGP’s press release.  Ponemon surveyed companies in the U.S., UK, Germany, Australia and France and found that in 2009, […]

One Million Impacted by Blue Cross Blue Shield of Tennessee Data Breach: How Do You Remediate on that Scale?

Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data.  BCBSTN had previously announced in January that 1.6 million files with unencrypted personal and protected health information of about 500,000 members in 32 states were breached in October 2009, due to a theft of 58 […]

Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft’s “Global Criminal Compliance Handbook” that pulled website Cryptome.org from the Internet, at least temporarily.  The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from […]

HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office of Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals.  OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals (with individual breaches ranging in size from 359,000 […]

Incident(s) of the Week: Recent Updates from Prior Incidents

1.  The FTC Fines Las Vegas Man $35,000 for Dumping Customer Financial Records In Public Dumpster This week, the FTC finalized a $35,000 settlement with Gregory Navone, the real estate broker who left 40 boxes of customer tax returns, bank statements, consumer reports and other financial records in a public dumpster behind an office building in […]

Is Your Password Still “123456″? If So, It’s Time for a Change

If you or your co-workers use any of the passwords listed below, you are asking to be hacked.  According to a report from the consulting firm Imperva, this list reflects an analysis of some 32 million passwords that an unknown hacker stole in December 2009 from RockYou, a company that makes software for users of social networking […]

Connecticut AG Opens New Era in HIPAA Enforcement with Health Net Suit

In the first instance of a state attorney general exercising the new powers granted by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"), Connecticut Attorney General Richard Blumenthal (and recently announced candidate for the U.S. Senate) filed suit today against Health Net of Connecticut, Inc. for failing to secure private patient medical […]

HIPAA Breach Notification Made Simple — Just Fill in the Blanks

The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has tried to make a HIPAA security breach easy to report, with its newly-released online “Notice to the Secretary of HHS of Breach of Unsecured Protected Health Information.”  The online form is straightforward, featuring pull-down options tied to the new HITECH rules:  it […]

Congressional Aide Shares Secret Ethics List With The World

Last week, it was learned that a secret report of the U.S. House of Representatives Ethics Committee was disclosed — apparently inadvertently — by a junior committee staff member.  This staff apparently stored the file on a home computer that also ran a "peer-to-peer" file-sharing service.  Just as peer-to-peer services let you share music and […]

Incident of the Week: ChoicePoint Settles FTC Charges That It Failed To Turn On “Key Monitoring Tool”

This week, ChoicePoint, Inc. finalized its settlement with the Federal Trade Commission (FTC) to resolve charges stemming from a 2008 breach that compromised the personal information of 13,750 consumers. This case is notable, even though the size of the breach and the monetary payment involved are relatively modest, because the underlying breach allegedly resulted from the ineffective implementation of security tools.

Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected. According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com. The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected. The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack. But more information is surfacing that indicates that the breach is much larger than first thought.

Incident(s) of the Week: Double Feature

Incident of the Week: in our first double feature, we report on the recent breach announced at the University of North Carolina and the plea agreement reached with one Massachusetts inmate who hacked the prison computer system while still behind bars.

California Hospital Fined $187,500 For Octuplet Mom Breach

As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman.  When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees.  These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser.  […]

Garbage Dump in Ghana A Gold Mine For Sensitive Information

In June, a team of researchers investigating the disposal of electronics in Ghana for PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana and they contained credit card numbers and resumes.  The highlight of the […]

AMA Adopts Principles on EMR Breach

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient’s electronic medical record were to be breached.  The new AMA guidelines ask physicians to: ensure patients are properly informed […]

Update on Hackers Ransom Demand for Virginia Prescription Database

Last month, an unusual ransom demand was made on the Commonwealth of Virginia.  See Encryption Used By Hackers to Demand Ransom for Virginia Prescription Database, May 5, 2009.  In a posting late last week, the Virgina Department of Health Professions announced that it had sent a letter to affected individuals ("persons whose PMP records contained […]

Interview with M. Eric Johnson, Part 3

In this, the third and final part of Security, Privacy and the Law’s interview with M. Eric Johnson (Part 1 may be found here and Part 2 is here), Dr. Johnson talks about why the fragmented nature of the American healthcare system is so dangerous and why he believes greater consolidation would better protect private information. He also […]

Interview with M. Eric Johnson, Part 2

In this, the second part of Privacy, Security and the Law’s three part interview with M. Eric Johnson (begun here), Dr. Johnson talks about why he thinks the healthcare sector is uniquely vulnerable to security breaches and what special problems that vulnerability poses.

Interview with M. Eric Johnson, author of “Data Hemorrhages in the Health-Care Sector”

Security, Privacy, and The Law recently had the chance to sit down with Dr. M. Eric Johnson to talk about his recent paper “Data Hemorrhages in the Health-Care Sector.” Dr. Johnson’s study has been in the news lately because many were startled by his finding that a great deal of patient healthcare information is available on peer-to-peer (P2P) file sharing networks. We are thrilled that Dr. Johnson agreed to do a interview with Security, Privacy, and The Law and we will be posting the full interview with Dr. Johnson in several parts.

Big Bump in Federal Cybersecurity Spending?

The Wall Street Journal reported on Wednesday, March 18, 2009 that, worried about the dangers of attacks launched against the nation’s computer systems, the federal government is likely to spend between $15 and $30 billion on cybersecurity in the next five years. The intelligence experts interviewed by the Journal estimate that U.S. losses from data breaches to […]

OPSEC, Data Security and A-Rod

The saga of Yankee superstar Alex Rodriguez (“A-Rod”) and the revelation of his past steroid use already exemplifies the far-reaching implications of information security practices. But the story is far from over. While the media firestorm over A-Rod appears to be dying down, the fate of the identities of 103 other Major League Baseball players who tested […]

Man Sentenced to 12 Months of Probation and Community Service for Illegal Access to Obama’s Passport Records

Dwayne F. Cross, the second of three people who have plead guilty to illegally accessing then Presidential Candidate Barack Obama’s passport files was sentenced to 12 months probation and 100 hours of community service on Monday. Mr. Cross admitted to accessing State Department passport records involving over 150 individuals, including celebrities, family members, and personal acquaintances, […]

Departing Employees Are Increasingly Stealing Company Information

As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees who leave their employment are stealing company information, and 67% of those who admitted to stealing company […]

Highlights from the IAPP Privacy Summit – March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

Has the Consumer Privacy Legislative Forum Decided to Abandon Efforts to Draft Federal Privacy Legislation?

In early February, I noted that a group called the Consumer Privacy Legislative Forum (“CPLF”), which includes companies such as eBay, Microsoft, Google and Hewlett Packard, had released a statement calling for comprehensive harmonized federal privacy legislation and would be outlining recommendations for such legislation this month. Apparently, the CPLF’s focus has shifted. According to a BNA […]

$150,000 Penalty for Disclosure of Physician Information

This settlement is particularly interesting, given that it appears to stem from a voluntary disclosure, without any prejudice to any of the physicians whose information was disclosed.  Despite those mitigating factors, the disclosure still resulted in a six-figure penalty. As such, this is another suggestion that the days of soft enforcement of health-related information confidentiality are over. The […]

ALERT: Massachusetts Gives Businesses Until January 1, 2010 to Adopt Information Security Programs To Comply With Recent Identity Theft Regulations

On Thursday, February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) issued a public statement indicating that it is extending the May 1, 2009 deadline to comply with recent Massachusetts identity theft regulations until January 1, 2010.  The Massachusetts identity theft regulations affect entities that own, license, store or maintain personal […]

A bad week for the government – data breaches at federal organizations on the rise

 It has been a bad week for the federal government’s own information security track record. The first story comes from the FAA where hackers broke into the agency’s computer systems and stole personal information on some 45,000 individuals. The second story comes from Los Alamos National Laboratory, which confirmed the theft of 67 computers, 13 in the […]

Trends in Data Breach Incidents, Part 2: Avoiding Accidental Exposure

According to the Identity Theft Resource Center’s (ITRC) recently released report (.pdf) on data breaches in 2008, one of the top five causes of data breaches are what the ITRC labels “accidental exposure.”   [For our earlier coverage on the ITRC’s report see this link.] The ITRC reports that accidental exposure amount to 95 of the 656 […]

Economy Delivers A Perfect Storm In Information Security: Data Crimes Rising As Economy Stumbles

According to a recently-released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: MacAfee requires registration to downloade the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers. The McAfee Report makes […]

Data Privacy and Security Meets Winnie-the-Pooh: Using Honey Pots to Protect Your Data

Most of us remember fondly the Winnie-the-Pooh stories by A.A. Milne from our childhood. One that is memorable for me is “Piglet Meets a Heffalump.” In that story, Winnie-the-Pooh and Piglet plot to catch the new animal they believe is living in the Hundred Acre Wood. They have named this animal the Heffalump. They set a trap for the […]

Trends in Data Breach Incidents, Part 1: Identity Theft Resource Center (ITRC) Reports Breaches Up 47% in 2008, Hackers Only Responsible for 13.9% of All Incidents

On January 2, 2009, the Identity Theft Resource Center (ITRC) released its report(.pdf) on data breaches in the United States in 2008 (you can read the Washington Post’s primer on the ITRC’s findings here). The raw numbers are headline grabbing — 656 data breaches in 2008, a 47% increase from 2007. The sharp increase in numbers from […]

Senator Feinstein Introduces Two New Security/Privacy Bills

On January 6, 2009, Senator Dianne Feinstein (D-Cal.) introduced two bills related to data breaches and protection of social security numbers. Bill S. 139, entitled the "Data Breach Notification Act," would require any federal agency or business entity to notify an individual of a security breach involving personal information “without unreasonable delay.” The proposed bill defines “reasonable delay” […]

FTC Issues Guidance to Businesses on How To Handle Social Security Numbers

Anyone mystified by what practices the FTC wants businesses to improve on or abandon in response to federal “Red Flags” regulations received some specific guidance in December, when the FTC released the report Security in Numbers – SSNs and ID Theft. For anyone subject to new federal and state identity theft regulations, the Report helps identify some specific steps they should consider implementing by May 1, 2009, the deadline for businesses to adopt compliant identity theft prevention programs.

ALERT: Massachusetts Gives Businesses Until May 1, 2009 to Adopt Comprehensive Information Security Programs To Comply With Recent State Identity Theft Regulations

On Friday, November 14, 2008, Massachusetts regulators announced that they will give affected businesses until May 1, 2009 to comply with new identity theft regulations. This move parallels the October announcement by the Federal Trade Commission that it is delaying enforcement of federal identity theft regulations until the same day.

ALERT: FTC Gives Businesses Until May 1, 2009 to Adopt Identity Theft Prevention Plans that Comply With Recent FTC “Red Flags” Regulations

On Wednesday, October 22, 2008, the Federal Trade Commission issued an Enforcement Policy Statement that it will delay some elements of enforcement of recent “Red Flags” regulations until May 1, 2009, instead of the original November 1, 2008 date. Citing uncertainty and confusion within many industries over whether they are covered by the new regulations, the FTC indicated that it will not seek to enforce the regulations on November 1, 2008, when all affected businesses were originally required to come into compliance.