Stolen hardware, and particularly laptops, is still a very common cause for data breaches, especially when it comes to hospitals and other healthcare companies. Three recent incidents have all involved patient details being exposed to identity theft, fraud and other risks, after being taken together with laptops held in medical offices.

While in some cases the stolen portable computers happened to be password protected, none of them had been encrypted to better prevent access to stolen private records.

Stolen laptop exposes medical data of over 2,000 patients

A laptop computer containing medical data for 2,070 people was stolen on December 2011 from healthcare provider Triumph LLC . The company which provaides psychiatric evaluations, medication monitoring, clinical assessments and outpatient therapy and is based in Raleigh, notified its clients and their families of the breach through letters mailed.

The laptop was stolen from the office of a Triumph manager at its operation at 725 N. Highland Ave. in Winston-Salem. The password-protected laptop, contained patient information such as names, dates of birth, medical record numbers, insurance and Medicaid numbers, billing codes and authorization status.

Laptop stolen from podiatry clinic contained data on 1,500 patients

A laptop, containing unencrypted personal and medical information beloging to over 1,500 people, was stolen from the Walking On Air clinic in Gosport. Podiatrist Natasha Townsend said the laptop did have a password. According to Ms Townsend, the laptop contains notes regarding her patients and their medical records. The laptop was most probably taken by an opportunistic thief.

Laptop stolen in burglary exposes 900 Concentra patients

An unencrypted laptop was stolen from the Concentra Medical Center. The computer contained names and Social Security Numbers and pre-employment work-fitness test results of approximately 900 Concentra patients from the Springfield area.

Concentra representatives believe the information has not been used inappropriately, but they have notified all the patients whose information was on the computer, and will provide them free access to a credit-monitoring service.

A security breach exposing the data of over 1,200 patients has recently been disclosed by the University of Miami. The Miller School of Medicine patient data was stolen back in November 2011, together with a flash drive, when someone broke into a pathologist’s car and took the briefcase where the portable device was stored.

The flash drive contained details such as age, sex, diagnosis and treatment information for patients treated from 2005 to 2011, the University of Miami disclosed in a press release. No financial information or Social Security numbers had been stored on the drive, according to the same press release.

Following federal law, UM is informing the patients involved, according to the press release, but “there is no indication that the information was accessed or misused in any way.”

The university promised to review and revise its physical and digital security policies to make sure patient data is safely stored and privacy is ensured. However, this is not the first incident they have had to deal with. Back in 2008, computer tapes with confidential information on 2.1 million patients was taken by a thief from a van transporting them. So when it comes to patient data kept in cars, the University of Miami has not changed anything in the past three years, but we can hope they will do better than empty promises next time.

Till the next data breach, we can surely hope so!

Security professionals fear cyber-attacks and warn ab0ut them every chance they get. Countries all over the world are trying to put up the best cyber defenses technology advancements can buy, but it does take a well established institution in the field of global economy to actually make us all tremble and finally believe cyber attacks pose a great threat to global stability.

The World Economic Forum’s (WEF) Global Risks for 2012 report places cyber-attacks against governments and businesses among the top five risks in the world to global stability, in terms of likelihood. Cyber-attacks come right after income disparity, fiscal imbalances, and the rising greenhouse gas emissions, shows the report released in WEF’s annual conference held in Davos, Switzerland. 

The report put together by the WEF’s Risk Response Network is based on assessments of the tech industry which pointed out cyber-attacks as the biggest threat of all, as they can lead to devastating malfunctions in power plants, water supplies and other critical systems. The likelihood of such a globally debilitating attack is still up for debate, and other economic threats to global stability, such as income disparity, are far more pressing. WEF however believes we are not even close to understanding the risks posed to and handled by internet security.

Steve Wilson, chief risk officer for general insurance at Zurich and a member of the project, said:  ”We don’t even really understand the risks yet.”

The old-news threat to tech experts is now becoming an issue making its way into all the political agendas that matter. The the report calls “urgently” for new mechanisms to get private investment into exploring system vulnerabilities. It also pointed out how information about cyber-attacks and cybercrime is hard to get to in an objective fashion:

Research into cyber threats against governments and the private sector has largely been funded by those who are in the business of selling internet security solutions – a potential bias that causes scepticism. Academic and policy papers are based largely on anecdotal case studies.

Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organisations to get a clear picture of the true levels of the risk and needs for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market.

The full report is available online here.

Almost two weeks ago, we revealed the major changes that had happened this year in the major data breaches top of all times. 2011 was leading in what the number of high profile of breaches is concerned. The top might change once more, ensuring an even stronger position for the current year as hackers hit Steam, a gaming giant that is home to 35 million user accounts.

What we know so far is that the Steam customer data base has been indeed accessed by hackers.

“We learned that intruders obtained access to a Steam database in addition to the forums,”  said Gabe Newell, co-founder and managing director of Steam parent company Valve. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.”

While the most sensitive account information was encrypted and there is no evidence that the hackers stole any of the details in the database or that they attempted to misuse any credit cards, Valve advises users to keep a close eye on credit card activity for the time being.

“We do not know of any compromised Steam accounts, so we are not planning to force a change of Steam account passwords, which are separate from forum passwords,” Newell’s statement explains. “However, it wouldn’t be a bad idea to change that as well.”

Let’s all keep our fingers crossed and hope only a few forum accounts have been compromised and the 35 million records are safe.

The ICO conducted an investigation on a case of hardware loss in May at the Rochdale Metropolitan Borough Council. The incident consisted in the loss of an unencrypted memory stick by a Council’s finance department employee, stick which contained names, addresses and payment details for 18.000 residents. The missing hardware was not found to the date.

The investigation concluded that the Rochdale Council has breached the Data Protection Act by not providing employees with encrypted memory sticks (although it was a known fact that these devices would be used to transfer private information) and by not training their employees to properly use portable devices for work purposes.

Sally Anne Poole, ICO’s head of enforcement qualifies this mishap as ‘unacceptable’ and says ‘This incident could have been easily avoided if adequate security measures had been in place.’ in a quote by eWeek.

The measures taken by the ICO in this case consist of signing an undertaking of actions to take to implement data protection policies by 31^st March 2012.

Let’s hope that more than one private data handling organization learns from this incident and encrypts their portable devices using proper solutions.

While data breaches are as common as any other daily occurrence in the business and individual worlds, the large security incidents don’t happen as often, especially if you think that one of the breaches in the top ten all time largest data exposures dates back to 1984. 2011 is not yet over and it already is the poster child of this top we all want to see unchanged.

2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed, SK Communications, Nate, Cyworld with 35 million and again Sony Corporation through their Sony Online Entertainment division with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents, Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank which share the number one position in the infamous top with 130 million records exposed and RockYou Inc. with another 32 million. 

Here’s the ultimate data breach top, the place where you never want to see your company’s name or that of any other company that has your data stored:

1. Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank – 130 million records (2009)
2. TJX Companies Inc. – 94 million records (2007)
3. TRW, Sears Roebuck – 90 million records (1984)
4. Sony Corporation – 77 million records (2011)
5. CardSystems, Visa, MasterCard, American Express – 40 million records (2005)
6. SK Communications, Nate, Cyworld – 35 million records (2011)
7. RockYou Inc. – 32 million records (2009)
8. U.S. Department of Veterans Affairs – 26,5 million (2006)
9. HM Revenue and Customs, TNT – 25 million records (2007)
10. Sony Online Entertainment, Sony Corporation – 24,6 million (2011)

Health systems company Spectrum has been the victim of a data breach affecting confidential health information of some of their clients. The breach was the result of an electronic device theft, the perpetrators also taking a hard drive that included the medical details. According to Spectrum representatives, the stolen information was not encrypted, but it was double password protected.

The thieves took three electronic devices when breaking in the offices located at  484 Main St. in Worcester in late August, but only one was used to temporarily store personal and protected health information.

Spectrum, a nonprofit organization that specializes in substance abuse and mental health treatment for individuals suffering from addiction, announced that only those clients who may have received services between 2002 and March 2011 at one of Spectrum’s inpatient and outpatient programs in Westboro, Worcester, Milford, Framingham, Southbridge, Fitchburg and Weymouth have been affected. While no financial information was stolen, the hard drive contained patient information included names, mailing addresses, phone numbers, dates of birth, Social Security numbers, diagnostic codes and medical insurance numbers.

The theft is currently being investigated by the Worcester police.

Nemours, an American organization for children’s health announces through a press release the loss of three unencrypted backup tapes that contained information such as the name, address, date of birth, social security number, insurance and medical treatment information and bank account information of 1.600.000 patients and employees.

The three backup tapes were stored in a cabinet that might have disappeared during a facility modernization project.

So far, there is no evidence that the tapes were stolen, accessed or used for fraudulent purposes.

Nemours offers free credit monitoring, identity theft protection and call center support.

Find their press release here: http://www.nemours.org/mediaroom/news/2011/missingtapes.html

A data breach occurring at the Vacationland Vendors arcade games in Wisconsin Dells effected 40,000 credic and debit cards. The incident was caused by hackers who gained access to the card processing systems of the Wilderness Waterpark Resort in the Dells and Wilderness at the Smokies in Sevierville. The breach only affected the arcade systems, those using their credit cards for other services, such as reservations, eating at the resort restaurants or shopping for gifts have not been affected.

According to Vacationland Vendors, the hack was discovered on March 22, but it is believed that all cards used between December 12, 2008, to May 25, 2011. The good news is that the 40,000 cards exposed, company officials believe only 20 were actually impacted by the breach. 

Once the breach was discovered, Vacationland Vendors shut their card processing system down in both affected arcades and they are currently working with authorities and consultants to secure their system and prevent further intrusions.

The individuals whose credit and debit cards details have been breached are being notified of the incident by the credit card companies.

Photo source

As data storage devices get smaller and easier to carry, the chance of them being stolen or lost goes higher. Thumb drives, laptops, computers, everything shrinks, while storage capacity grows exponentially, great for productivity, awful for unencrypted data. While laptops and USB sticks have always been the easiest to steal or lose, it does not mean that the old fashioned desktop computers cannot share in the same fate.

The result of the following incidents? Exposed data affecting hundreds or thousands, making them perfect targets for identity theft or fraud. Another thing they have in common? You guessed it, they are all part of the healthcare industry! Most of these data breaches can be prevented and it’s a rather simple process. But let’s move on to our list of incidents!

The London Ambulance Service ended up losing the data of close to 3000 patients when a personal laptop storing their names, addresses, dates of birth, NHS numbers and accessibility requirements for transportation was stolen from the house of a staff member.

In the very same, frequently breached field we love to call healthcare, the University Hospital of South Manchester NHS Foundation Trust had a data breach incident. A student lost a thumb drive containing the details of some 90 patients, including name, age, occupation and surgical details.

Treatment Services Northwest had their own security breach to deal with. A computer that belonged to them and ended up stolen exposed the protected health information of 1,200 patients.

The last on today’s list is Indiana University School of Medicine. A researcher’s car was broken into, their laptop was stolen, resulting in a data breach involving 3,192 patients’ records, with details including name, gender, age, diagnosis, and some social security numbers.

A piece of advice to the healthcare industry worldwide: start taking better care of the data entrusted to you.

Have a great weekend everyone!

Photo by Peter Beug