Stolen hardware, and particularly laptops, is still a very common cause for data breaches, especially when it comes to hospitals and other healthcare companies. Three recent incidents have all involved patient details being exposed to identity theft, fraud and other risks, after being taken together with laptops held in medical offices.

While in some cases the stolen portable computers happened to be password protected, none of them had been encrypted to better prevent access to stolen private records.

Stolen laptop exposes medical data of over 2,000 patients

A laptop computer containing medical data for 2,070 people was stolen on December 2011 from healthcare provider Triumph LLC . The company which provaides psychiatric evaluations, medication monitoring, clinical assessments and outpatient therapy and is based in Raleigh, notified its clients and their families of the breach through letters mailed.

The laptop was stolen from the office of a Triumph manager at its operation at 725 N. Highland Ave. in Winston-Salem. The password-protected laptop, contained patient information such as names, dates of birth, medical record numbers, insurance and Medicaid numbers, billing codes and authorization status.

Laptop stolen from podiatry clinic contained data on 1,500 patients

A laptop, containing unencrypted personal and medical information beloging to over 1,500 people, was stolen from the Walking On Air clinic in Gosport. Podiatrist Natasha Townsend said the laptop did have a password. According to Ms Townsend, the laptop contains notes regarding her patients and their medical records. The laptop was most probably taken by an opportunistic thief.

Laptop stolen in burglary exposes 900 Concentra patients

An unencrypted laptop was stolen from the Concentra Medical Center. The computer contained names and Social Security Numbers and pre-employment work-fitness test results of approximately 900 Concentra patients from the Springfield area.

Concentra representatives believe the information has not been used inappropriately, but they have notified all the patients whose information was on the computer, and will provide them free access to a credit-monitoring service.

A security breach exposing the data of over 1,200 patients has recently been disclosed by the University of Miami. The Miller School of Medicine patient data was stolen back in November 2011, together with a flash drive, when someone broke into a pathologist’s car and took the briefcase where the portable device was stored.

The flash drive contained details such as age, sex, diagnosis and treatment information for patients treated from 2005 to 2011, the University of Miami disclosed in a press release. No financial information or Social Security numbers had been stored on the drive, according to the same press release.

Following federal law, UM is informing the patients involved, according to the press release, but “there is no indication that the information was accessed or misused in any way.”

The university promised to review and revise its physical and digital security policies to make sure patient data is safely stored and privacy is ensured. However, this is not the first incident they have had to deal with. Back in 2008, computer tapes with confidential information on 2.1 million patients was taken by a thief from a van transporting them. So when it comes to patient data kept in cars, the University of Miami has not changed anything in the past three years, but we can hope they will do better than empty promises next time.

Till the next data breach, we can surely hope so!

The Kansas Department on Aging has recently reported a hardware theft that caused a data breach affecting about 7,000 of its customers. A laptop, a flash drive and paper files were stolen out of an employee’s vehicle, putting thousands of senior customers at risk.

The stolen files contained personal and protected health information belonging mainly to customers located in Sedgwick, Harvey, and Butler counties. The theft was immediately reported to the Wichita Police Department. The Kansas Department on Aging says it is cooperating with the police, but the stolen hardware has not yet been recovered.

Fortunately, there is no evidence to indicate that the information has been accessed and misused. The stolen data and documents may include full customer names, complete addresses, dates of birth, social security numbers, gender, in home services program participation information, Medicaid identification numbers, case management location and case manager names and telephone numbers.  No banking, credit card, or driver license information was stored on the stolen devices.

The Kansas Department of Aging has confirmed that at least 100 customers have had their Social Security Numbers stolen and trying to inform those affected through phone calls. They will further notify everyone affected by the breach through letters explaining the situation.

“We are immediately reviewing policies and procedures relevant to information security, especially for those employees whose duties require travel off-site to prevent a similar situation from recurring,” stated Secretary Shawn Sullivan of the Department on Aging.

The Department of Aging also advised their customers to contact their banks and credit card companies and let them know they are victims of a data theft, prompting them to keep an eye on any suspicious activity in the following months.

A data breach affecting 1.8 million customers of two New York utilities companies has recently been made public by the  New York State Public Service Commission. The investigation into this data breach was initiated after an employee from a third party IT company contracted by New York State Electric & Gas (NYSEG) and Rochester Gas and Electric (RG&E) was given unauthorized access to the company’s databases.

It is not clear if accessing the customer databases had any malicious intent, both affected companies claiming there was no proof of any data having been misused as a consequence of the breach. But, to stay on the safe side, they have decided to send out notifications regarding the data access, as it exposed Social Security Numbers, dates of birth and financial account information, as shown in the official press release sent out by the NY Commission.

“This investigation will seek a complete understanding of the root causes for this security breach, and the measures in place to protect against such a breach,” said the Commission’s Chairman Garry Brown.

NYSEG and RG&E have  also partnered with credit service group Experian to offer free credit card monitoring to the 1.8 million customers affected by the data breach. They also promised their full cooperation to forensics experts and law enforcement.

When you are the lead artist of a security mishaps that ended up in a data breach affecting some 24 million people, consequences are bound to catch up with you. And they just have caught up with shoe retailer Zappos.com and the bigger online fish behind them, Amazon.com. The two companies are being sued by the customers affected by the data breach, being accused of negligence.

A woman from Texas seems to be the main promoter in this Kentucky lawsuit. She claims that she and millions of other customers were harmed by the exposure of their personal account information. Zappos and Amazon have not commented on the lawsuit as of earlier today. 

The Zappos data breach was made public on Sunday when the company emailed employees and customers to let them know that names, phone numbers and email addresses of customers might have been accessed in a hacker attack.  The same statement reassured them that credit card and payment information had not been stolen. Zappos also advised its customers to reset account passwords on their site and any other sites where similar passwords were being used.

The attorneys of the Texas woman are seeking class-action status on behalf of the 24 million affected customers, claiming the security breach was actually a violation of the federal Fair Credit Reporting Act. The sum the lawsuit seeks has not been specified, but it is in the range of millions of dollars in compensatory and exemplary damages for emotional distress and loss of privacy. It also seeks to have Zappos court-ordered to pay for credit monitoring and identity theft insurance, plus periodic audits, for all those affected by the data breach.

The Ramnit worm, first discovered a year and a half ago, a malware that used to target online banking and FTP credentials, makes victims among UK and French Facebook users.

A new version of the worm managed to steal more than 45000 Facebook usernames and passwords and tried to attack the e-mail accounts and virtual private networks of affected persons. The worm has sent malicious links to victims’ friends, links that downloaded malware to the person’s computer, which helped spread the worm even faster.

It seems like the attackers are adapting to market tendencies, targeting social networks rather than traditional communication means (such as email).

For more details, you can read the techweekeurope.co.uk report.

Based on the many stories about data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and other third-party companies that deal with healthcare data, we could have guessed this is not even close to being a top sector when it comes to data security. A new report released by the Ponemon Institute now brings even further insight into the state of the healthcare industry, showing a spike in data breaches of over 30% and average annual costs of 6.5 billion US dollars.

The “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, idendified employee error to be one of the main cause for data breaches in hospitals and healthcare providers. These types of organizations in the healthcare industry suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft – an over 25 percent increase over 2010.

The jump is not entirely determined by a larger number of breaches happening in the past year compared to the previous one. It’s actually the effect of better detection capabilities by healthcare organizations, according to Larry Ponemon, chairman and founder of the Ponemon Institute.

“It was not too surprising that the rate of data loss increased … [But] we think that finding may not be as negative as it appears, and could be a discovery-rate increase with more control and governance practices and use of enabling technologies.”

The strong increase of mobile device usage in the healthcare segment is also a high-impact factor. About 80% use such devices to gather, transmit and store patient data, and a troubling 50% don’t secure their mobile devices. The help they provide in patient care is overshadowed by the major risks to data security the patients are exposed to.

Nearly half of the healthcare industry breached were caused by stolen or lost computing or data devices and another 46% were caused by errors by third-party providers. Moreover, the healthcare organizations are just unaware of where patient data is stored – 61% don’t really know where all their patient data is kept. If that’s not enough, over half of them aren’t sure they actually can detect incidents where patient data is exposed.

Hospitals don’t lack written policies when it comes to data breach reporting – about 80% have them. Too bad about 60% consider them ineffective.

A full copy of the report is available here for download.

Only 55 of the data loss breaches have actually been reported

If you can’t stop data breaches, at least cover them up! This seems to be the data security code British authorities go by. Too bad for them there is something called Freedom of Information Act requests… A new report issued by privacy campaign group Big Brother Watch showed that councils across the UK experienced over a thousand data loss cases over a three year period – August 2008 to August 2011.

To get the information, the group sent 433 FOIs to local authorities and councils across the Great Britain and showed s shocking discrepancy between the reported 50 something incidents and the harsh reality. Not only did BBW uncover the data mishandling cases, they also requested information on what happened to the employees of said councils – if they had been disciplined, fired or prosecuted over the data breaches -, and inquired about the council’s response to each incident. 

According to the 395 replies received,

“We have uncovered more than 1,000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care,” said BBW in a statement accompanying its report (PDF). ”Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.”

Only 55 of the incidents were subsequently reported to the Information Commissioner’s Office, which handles data loss complaints. In only 9 cases, those involved in the data breach were fired.

“I welcome this research by Big Brother Watch,” local government minister Grant Shapps told the data protection advocates. ”This reinforces the need for steps to protect the privacy of law-abiding local residents. Civil liberties are under threat from the abuse of town hall surveillance powers, municipal nosy parkers rummaging through household bins and town hall officials losing sensitive personal data on children in care.”

For a list of some of the most important data incidents included in the report, read the story published by the Register.

Almost two weeks ago, we revealed the major changes that had happened this year in the major data breaches top of all times. 2011 was leading in what the number of high profile of breaches is concerned. The top might change once more, ensuring an even stronger position for the current year as hackers hit Steam, a gaming giant that is home to 35 million user accounts.

What we know so far is that the Steam customer data base has been indeed accessed by hackers.

“We learned that intruders obtained access to a Steam database in addition to the forums,”  said Gabe Newell, co-founder and managing director of Steam parent company Valve. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

While the most sensitive account information was encrypted and there is no evidence that the hackers stole any of the details in the database or that they attempted to misuse any credit cards, Valve advises users to keep a close eye on credit card activity for the time being.

“We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords, which are separate from forum passwords,” Newell’s statement explains. “However, it wouldn’t be a bad idea to change that as well.”

Let’s all keep our fingers crossed and hope only a few forum accounts have been compromised and the 35 million records are safe.

The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.