Friday, September 25, 2015

Hospital Data Breach Week 4

A data breach happened back in August at a physician’s office in Vermont. This data breach was not through the internet, but from a burglary. In the past weeks I have discussed data breaches over the internet, but not any physical ones. Companies are worried about data being stolen over the internet, but they need to worry about physical break-ins as well.

About two thousand patients’ medical records were exposed. This includes patient names, dates of birth, Social Security numbers and Medicare/Medicaid numbers (Burglary of Vermont Medical Practice Reported). Since the break-in, the physician’s office has installed security cameras, and it is going to encrypt the computers and train employees on data security. They have also given patients one free year of credit monitoring and identity theft repair. The good thing is that the doctor’s office had an identity theft insurance policy!

Why didn’t they have cameras installed and the computers encrypted before the break-in? Every business should have security cameras installed, especially doctors’ offices and businesses that deal with people’s personal information. It shouldn’t take a data breach to make businesses increase their security. After four weeks it’s becoming apparent that companies in both the physical and virtual aspect aren’t prepared for data breaches. I keep asking the same questions every week.

References

Burglary of Vermont Medical Practice Reported: PHI of 2,000 Patients Exposed - HIPAA Journal. (2015, September 16). Retrieved September 25, 2015, from http://www.hipaajournal.com/burglary-of-vermont-medical-practice-reported-phi-of-2000-patients-exposed-8103/

Friday, September 18, 2015

School Breach week 3

A data breach has happened at a Cal State vendor called We End Violence. This is a vendor that is recommended by the White House. Students at eight California State University campuses had information such as their login names, course passwords, campus email addresses, gender, race, ethnicity, relationship status and sexual identity stolen when the Agent of Change website provided by vendor We End Violence was hacked (Derespina, 2015). About 80,000 students were exposed in the hack. Students got lucky because no driver’s license numbers or Social Security numbers were stolen.

Once We End Violence found out about the hack, they shut down their website two days after the incident. Any students who had their information stolen were alerted by the university. Cal State has given the students new usernames or login names and passwords. The vendor has contacted a third-party company about launching a forensic investigation.

This data breach could have been a lot worse than it was. Since the forensic investigation is still ongoing, there are no details as to why the hack happened. It is interesting to see that a third-party vendor was hacked and not the actual college itself. Some data breaches occur this way. The hacker gets into the vendor’s system and pulls data from all their customers. So not only does the company have to be secure, but they have to make sure their vendors are secure as well. The university said, "Protecting student data and personal information is a top priority of the California State University (CSU)" (Eng, 2015). It’s good to see that the university cares about the personal information of their students.


References

Derespina, C. (2015, September 11). Nearly 80,000 college students affected by data breach. Retrieved September 18, 2015, from http://www.foxnews.com/us/2015/09/11/nearly-80000-college-students-affected-by-data-breach/


Eng, J. (2015, September 10). Info on 79K Cal State Students Exposed in Hack of Third-Party Vendor. Retrieved September 18, 2015, from http://www.nbcnews.com/tech/security/info-79k-cal-state-students-exposed-hack-third-party-vendor-n425146

Saturday, September 12, 2015

Health Records Breached Week 2

Earlier this week Excellus BlueCross BlueShield and another partner company had 10 million health records exposed. The breach follows Anthem's in January of this year, which involved 80 million health records. Other health insurance companies are being targeted as well. It's become such a large problem that law enforcement began warning health care industry companies last year that they may face an increased risk of data breach attacks (Hautala, 2015).

It took Excellus over a year and a half to find out they had been breached. The companies said unauthorized computer access was discovered Aug. 5, and further investigation revealed that the initial attack occurred on Dec. 23, 2013 (Hack of Health Insurer Excellus May Have Exposed 10M Personal Records). Excellus is not sure at this time if any of the information stolen has been sold or used.

My question is: if law enforcement warned them about data breach attacks, why didn’t they increase their security? To me it seems the health insurance companies don’t have proper security measures set up for protecting their customers’ data. Would you trust these companies with your personal information? I know I wouldn’t trust them with my personal information if they have no way of keeping it safe. Excellus is doing the right thing by providing free credit monitoring for two years.

I wonder how and when more of these incidents are going to happen. When will companies learn that the less you spend on security, the more it will cost you when there is a data breach? I once heard at a security conference that if a company had spent that extra 100,000 on security equipment, it would have saved them 2.5 million when they got breached.

References

Hautala, L. (2015, September 10). Data breach exposes 10M health records from New York insurer - CNET. Retrieved September 12, 2015.


Hack of Health Insurer Excellus May Have Exposed 10M Personal Records. (2015, September 9). Retrieved September 12, 2015.

Thursday, September 3, 2015

Company Data Breaches

On the news anymore it seems that you keep hearing about data breaches, mostly hacking! Ashley Madison is a more recent one that was high profile and got a lot of attention. Two other high-profile data breaches were Anthem and OPM. Those are just the high-profile ones. Here is a PDF of data breaches so far in 2015: http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf. I bet you didn't know that many companies were breached this year!

In 2014, we heard about Home Depot and the Target breach. The number of data breaches per year has increased from 2014. There seems to be a trend in that the number of data breaches per year keeps growing. The chart at http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html shows how hacking has increased in the past seven years.

The number one reason why businesses are being hacked is a lack of security. Why don't companies spend more money on security? You would think after all the hacks in the news, companies would invest more in their InfoSec division to prevent this loss. I think that companies are starting to realize how important information security is.


I will be keeping this blog updated with data breaches and why they happened as the weeks go on. I look forward to keeping track of data breaches and seeing how the trend develops. We will get to see if companies are hardening their security in the coming weeks.