Breaches
Recent healthcare data breaches writeup in Darkreading…

So, if you don’t read it regularly, check out the recent coverage over at Dark Reading on some of the recent healthcare breaches and the lessons learned. This writer did a really good job, I think, of pulling out the biggest and most-impactful breaches that occurred within the past few months. Lincoln is on here as is South Shore (the one in Mass, not the other one as depicted in the...


Breaches in healthcare vs. finance: unpacking the data

So, if you pay attention to this stuff, you may have noticed that recent studies show that healthcare breaches have outpaced financial services incidents. That’s an interesting piece of data in and of itself (I tweeted about it the other day).  However, I think we have to be careful about how we interpret this data. For example, I think that Art Gross is right in saying that...


Quality care: justifying patients’ trust through responsible stewardship

Your data: missing in action.  It’s just like the classic movie (Chuck Norris FTW!), except nobody comes to the rescue. If you haven’t seen it already, check out the recent loss of 800,000 records over at South Shore hospital.  It’s pretty ugly.  Apparently, the 800k records that went missing included credit card numbers, personally identifiable data, and also PHI.  Yep,...


The difference between compliant and not is how hard you look

The other day, while researching the thing about the PED devices, I came across some chatter about folks making the statement that a PCI-compliant entity has not been successfully hacked.  I recall hearing this particular line in QSA training many years ago (2005 maybe?) and apparently, folks are still saying it today.  From the article I cited in the prior post re: the PED devices: Perhaps...


Hospitals: Pretty please, with sugar on it, encrypt the data

If you didn’t see it already, check out what happened to NY-based Lincoln Medical and Mental Health Center.  If you don’t feel like reading the whole backstory, the deal is that they had to notify their patients – and the world at large – about the fact that they “lost” 130,000 records. It’s sort of a worst-case scenario for everyone involved:  Not only did...


Is Colorado Casualty the Devil?

It’s getting pretty ugly over there in Utah.   What’s that have to do with Colorado Casualty?  Wait for it, we’ll get there.  Anyway, long story short: University of Utah had some backup tapes containing ePHI for about 2 million patients (containing patient medical records from the university hospital) go missing on their way to an offsite storage provider.  The University...


VA and E&Y: Soulmates….

You’d probably think that Ernst and Young’s “misplacement” of the credit card data for 243,000 Hotel.com patrons was a security issue, but you’d be wrong. Someone uninformed about these things might mistakenly believe that when Veterans Affairs lost information on 26.5 million people that there was a problem. But not so! You see, really this missing data is...


Alan on Aetna

I received this via email from Alan Borack (a friend and colleague) about the recent disclosure by Aetna about losing member data, and with his permission am posting his comments here. How long do you think it will take for the 2 companies impacted to notify their employees they are among the 38,000 names on the laptop? I know 2 that have Aetna as their medical insurance carrier — Merrill...


Why I don’t trust E&Y

What is it exactly, do you suppose, that Ernst and Young sells its clients? If you said “auditing services” or “consulting”, you’re right, but I’m asking a more general question than that. To get to the heart of the matter, why would you listen to E&Y more so than you would listen to your neighbor, a cousin, or that dude on the street that talks to...


Sux to be Citi.

I came across this really super-interesting story about how tons of Citi customers are SOL due to mismanaged fraud control via the Identity Woman Blog. It’s just painful. Citibank customer: I’m stranded in a foreign country, I need cash, and I can’t withdraw cash from my account. Citibank drone: d00d omfg we wuz 0wnz0red, it is teh suck!!!1!1 Go home and we’ll re-issue a...


Marriott, you’re killin’ me

Damn, I just signed up for this.


Cardsystems

First, CyberSource to buy CardSystems. Did I not prophesy that it was only a matter of time before CardSystems hit the mat? Well, there it is… In other news, some judge decided to once again make disclosure of credit card data voluntary in California.


Korean banks now eat hacking-related damages

Ouch. If this sets a trend, the world of financial services as we know it will change permanently. If it does not and just impacts Korea, expect things to shake up anyway for anybody doing business internationally.


My Tax Records at ChoicePoint?

In a characteristic move, the IRS has announced their data broker of choice, and shiver me timbers, if it isn’t ChoicePoint. At least someone over there had the sense to take a second look at that doozey of a decision. I’m really, really, really hoping that my tax records stay out of the hands of...


Examples Galore

Remember when I said in my previous post (in reference to ChoicePoint) that there are folks watching? Well, unbeknownst to me, at that exact second, Adam Shostack was authoring his “two minutes of hate”. In short, he lays down enough spicy content to keep the interested ChoicePoint follower in reading material for days. Now that’s...


“I ain’t no …… son of a Baich.”

He’s back! My favorite whipping boy, Richard “Dick” Baich is back with some commentary on the elite SWAT-team that is the ChoicePoint information security organization. Check out some of the choice commentary from everybody’s favorite CISO: (on why it’s not a security breach) “It’s no different than credit card theft and credit card fraud. Those are...


One eye on CardSystems

Wow. Apparently CardSystems is talking a big game about the added security protection from the software installed by eEye. Not that I’m the hugest eEye fan (really, I’m not), but I really think this is an unhealthy setup for eEye; the way this is being spun in the press (and by CardSystems), it sounds like eEye is publicly going on record associating themselves with...


Interesting CardSystems Development

Here’s an interesting new tidbit: apparently, CardSystems had been certified to comply with the Payment Card Industry Data Security Standard (PCI). They were audited, found to be in compliance, but were operating out of compliance in a manner contrary to the regs. According to the PCI, these folks should be fined for non-compliance. So will they be? CardSystems will be an interesting...


CardSystems Fallout Continues

According to CardSystems CEO as reported by Forbes, CardSystems were keeping the recently-stolen credit card information for “research purposes.” Does anybody else see anything wrong with this picture? More wrong beyond the exposed financial data, that is. Think about it – hypothetically speaking, if you were a payment processor, why would you want to keep account data if...


What, Me Worry?

40 million credit card numbers (with associated CVVs apparently) hit the streets via CardSystems; I recommend Adam’s take on the incident for anyone who hasn’t heard. In my opinion, it is the volume of this exposure that makes it significant and not anything intrinsic to the data itself. I don’t know about the rest of the world, but I’m starting to become...


More Pain for BoA

Bank of America has a PR problem right now; there has been a stream of unrelated public data exposures in which BoA was right in the center. For example, the incident where the financial records of those 100,000 people were stolen, or any of the numerous other public theft incidents in the press recently. To see evidence of the “world of hurt” they are in, just do a Google search for...


Lost? Destroyed? Stolen? Ameritrade just knows a tape is gone

and with it, possibly 200,000 users’ account information. According to this NetworkWorld Fusion report, “Ameritrade warns clients about potential breach,” some backup tapes were damaged in transit and one of the tapes is currently unaccounted for. This incident is a good reminder that data security concerns extend beyond the physical boundaries of the enterprise. Or, in other...


ChoicePoint Wins Highly-Prized “Menace” Award

ChoicePoint CEO prepares acceptance speech for this year’s “Big Brother” Awards. “I would like to thank the academy…”


ChoicePoint? BusinessWeek says “sue ‘em”…

Wow… Business Week recommends litigation against companies exposing personal data? Go, Business Week; I didn’t see that coming…


LexisNexis

Of course, the recent data theft incidents are only the tip of the iceberg at LexisNexis and ChoicePoint. I think we pretty much all saw that one coming. What scares me, however, is the fact that a) they didn’t know about it themselves or b) if they did, they weren’t going to tell anybody. Their plan to “improve the security of their passwords and ID administration” is...


Citibank fraud

Given the fact that outsourcing overseas is a politically charged topic, I expect that this will see quite a bit of attention in the media. People are looking for an excuse to throw stones at the practice of FS outsourcing operations overseas; I am of the opinion that fraud can happen anywhere at any time: across the street or across the ocean. My question is how the details of this got leaked...


Alston and Bird Advisory on California Security Breach Notification Statute

A+B is a law firm that specializes in legal issues pertaining to Information Technology. They’ve also got a very useful privacy library that addresses both US and International privacy regulations.
