A security breach exposing the data of over 1,200 patients has recently been disclosed by the University of Miami. The Miller School of Medicine patient data was stolen back in November 2011, together with a flash drive, when someone broke into a pathologist’s car and took the briefcase where the portable device was stored.

The flash drive contained details such as age, sex, diagnosis and treatment information for patients treated from 2005 to 2011, the University of Miami disclosed in a press release. No financial information or Social Security numbers had been stored on the drive, according to the same press release.

Following federal law, UM is informing the patients involved, according to the press release, but “there is no indication that the information was accessed or misused in any way.”

The university promised to review and revise its physical and digital security policies to make sure patient data is safely stored and privacy is ensured. However, this is not the first incident they have had to deal with. Back in 2008, computer tapes with confidential information on 2.1 million patients was taken by a thief from a van transporting them. So when it comes to patient data kept in cars, the University of Miami has not changed anything in the past three years, but we can hope they will do better than empty promises next time.

Till the next data breach, we can surely hope so!

The Kansas Department on Aging has recently reported a hardware theft that caused a data breach affecting about 7,000 of its customers. A laptop, a flash drive and paper files were stolen out of an employee’s vehicle, putting thousands of senior customers at risk.

The stolen files contained personal and protected health information belonging mainly to customers located in Sedgwick, Harvey, and Butler counties. The theft was immediately reported to the Wichita Police Department. The Kansas Department on Aging says it is cooperating with the police, but the stolen hardware has not yet been recovered.

Fortunately, there is no evidence to indicate that the information has been accessed and misused. The stolen data and documents may include full customer names, complete addresses, dates of birth, social security numbers, gender, in home services program participation information, Medicaid identification numbers, case management location and case manager names and telephone numbers.  No banking, credit card, or driver license information was stored on the stolen devices.

The Kansas Department of Aging has confirmed that at least 100 customers have had their Social Security Numbers stolen and trying to inform those affected through phone calls. They will further notify everyone affected by the breach through letters explaining the situation.

“We are immediately reviewing policies and procedures relevant to information security, especially for those employees whose duties require travel off-site to prevent a similar situation from recurring,” stated Secretary Shawn Sullivan of the Department on Aging.

The Department of Aging also advised their customers to contact their banks and credit card companies and let them know they are victims of a data theft, prompting them to keep an eye on any suspicious activity in the following months.

The Ramnit worm, first discovered a year and a half ago, a malware that used to target online banking and FTP credentials, makes victims among UK and French Facebook users.

A new version of the worm managed to steal more than 45000 Facebook usernames and passwords and tried to attack the e-mail accounts and virtual private networks of affected persons. The worm has sent malicious links to victims’ friends, links that downloaded malware to the person’s computer, which helped spread the worm even faster.

It seems like the attackers are adapting to market tendencies, targeting social networks rather than traditional communication means (such as email).

For more details, you can read the techweekeurope.co.uk report.

A whole lot was written on loss/theft of hardware (laptops, USB sticks, external hard drives, etc.) and we had thought that organizations would learn their lesson and encrypt sensitive data on such supports. Apparently, things aren’t quite like that and two recent incidents come to prove it.

A resident student at Vancouver Coastal Health lost a laptop and a USB stick (there is a high probability that the hardware was stolen) at the Toronto Airport. The information stored on the drives was password protected but it wasn’t encrypted.

A Vancouver Coastal Health official calls the incident ‘unfortunate’ and says that ‘This is the way physicians and other health care workers need to do their job. They need to use these devices.’ He admits that many professionals use laptops and that the agency has some issues handling mobile technologies.

Another mishap took place in the United Kingdom and the theft of a laptop that stored personal information of 100 young people who participated in inclusion programs. This laptop was in the house of a contractor of the Newcastle Youth Offending Team organization. The ICO (Information Commissioner’s Office) has established a fine for this organization for not encrypting the data. According to Sally-Anne Poole ‘Encryption is a basic procedure and an inexpensive way to ensure that information is kept secure.’ She underlines the fact that organizations working with contractors must make sure that the latter ones align to their security policies.

It’s so simple and cheap to track the use of portable devices and encrypt sensitive data stored on them, that we really ask ourselves why don’t organizations do it?

Let’s hope that at least legal constraints will force private data handlers to implement solutions and politics to maintain their data safe and secure.

While data breaches are as common as any other daily occurrence in the business and individual worlds, the large security incidents don’t happen as often, especially if you think that one of the breaches in the top ten all time largest data exposures dates back to 1984. 2011 is not yet over and it already is the poster child of this top we all want to see unchanged.

2011 is the only year with three major data loss incidents in the top ten: Sony Corporation with 77 million records exposed, SK Communications, Nate, Cyworld with 35 million and again Sony Corporation through their Sony Online Entertainment division with close to 25 million records exposed. Luckily for us, although it featured large incidents, 2011 did not create as many victims as 2009 with its two incidents, Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank which share the number one position in the infamous top with 130 million records exposed and RockYou Inc. with another 32 million. 

Here’s the ultimate data breach top, the place where you never want to see your company’s name or that of any other company that has your data stored:

1. Heartland Payment Systems, Tower Federal Credit Union, Beverly National Bank – 130 million records (2009)
2. TJX Companies Inc. – 94 million records (2007)
3. TRW, Sears Roebuck – 90 million records (1984)
4. Sony Corporation – 77 million records (2011)
5. CardSystems, Visa, MasterCard, American Express – 40 million records (2005)
6. SK Communications, Nate, Cyworld – 35 million records (2011)
7. RockYou Inc. – 32 million records (2009)
8. U.S. Department of Veterans Affairs – 26,5 million (2006)
9. HM Revenue and Customs, TNT – 25 million records (2007)
10. Sony Online Entertainment, Sony Corporation – 24,6 million (2011)

Endpoint security developer CoSoSys has released a new version of their data loss prevention, device control and endpoint security solution for Windows and Mac OS, Endpoint Protector. Offering enhanced protection, increased effectiveness and the fastest implementation time in its segment, the out-of-the-box Hardware and Virtual Appliance is now available for small, medium and large companies and organizations.

Coming with a long list of new features targeting better security, reliability, ease of use and better adapting to company structures and organization charts, Endpoint Protector 4 is designed to protect networks ranging from 20 computers (endpoints) to more than 5.000 endpoints.

Some of the top benefits of this latest Endpoint Protector solution are:

• Seamless integration in business processes
• Saving time and money when the solution is installed
• Increased security through enhanced protection
• Reducing allotted resources of the security staff
• Optimum security through enhanced stability
• Enhanced protection through complex, adaptable end efficient security
• Reliable security through enhanced monitoring and policy control

No one is safe from inside threats, not even state departments and ministry, as a very recent incident at Israel’s Ministry of Labor and Welfare. A contract worker has stolen personal information of over 9 million Israelis from the country’s Population Registry. The Jerusalem Post quoted by Dark Reading states that the perpetrator copied the ID numbers, full names, addresses, dates of birth, information on family connection as well as other details and used it to create a searchable database which was going to be sold to a private buyer.

As the contract worker lacked the tech skills needed to create the database, he shared the 9 million stolen records to another individual who did the actual design of the software program that exploited the existing database of Israeli citizens and called his creation “Agron 2006″. 

And to make it easier for those who wanted to steal the identities of the affected Israeli, a copy of the software made its way to the internet, and as it happens with everything online, a website dedicated to explaining how to use the program soon followed.

The authorities are currently investigating the breach.

While the piece of news affects only the Israeli Ministry and those charged with data theft, a lesson needs to be learned. Internal threats are real and they should be managed just as carefully as outside ones when it comes to endpoint and data security. From the inside, confidential records, undisclosed projects and other restricted files are much easier to steal than from the outside, especially when the trust is implicit and the security policies are loos.

Health systems company Spectrum has been the victim of a data breach affecting confidential health information of some of their clients. The breach was the result of an electronic device theft, the perpetrators also taking a hard drive that included the medical details. According to Spectrum representatives, the stolen information was not encrypted, but it was double password protected.

The thieves took three electronic devices when breaking in the offices located at  484 Main St. in Worcester in late August, but only one was used to temporarily store personal and protected health information.

Spectrum, a nonprofit organization that specializes in substance abuse and mental health treatment for individuals suffering from addiction, announced that only those clients who may have received services between 2002 and March 2011 at one of Spectrum’s inpatient and outpatient programs in Westboro, Worcester, Milford, Framingham, Southbridge, Fitchburg and Weymouth have been affected. While no financial information was stolen, the hard drive contained patient information included names, mailing addresses, phone numbers, dates of birth, Social Security numbers, diagnostic codes and medical insurance numbers.

The theft is currently being investigated by the Worcester police.

The Alaska Department of Education and Early Development issued a warning for school districts across the state announcing that a computer hard drive containing information on 90,000 students was stolen from Juneau.The Juneau Police Department is currently investigating the theft.

“Alaska law requires government agencies that collect personal information to notify you if your information is lost or stolen,” Commissioner Mike Hanley wrote in a news release. “This theft has unfortunately resulted in the release of some of your personal information to an unauthorized third party.”

Personal information such as names, birth dates, id numbers and more could have been accessed with the help of the stolen equipment.

The information on the stolen hard drive referred to 12,099 students from all 54 districts, who participated in the state Standards Based Assessments in April 2010 and another almost 77,000 students in grades from 3 through 10 that have participated in High School Graduation Qualifying Examination.

Also, 279 students with disabilities from the Northwest Arctic Borough School District and 269 students with disabilities from the Fairbanks North Star Borough School District may have been affected by this theft.

According to the department’s news release, “the key piece of personal information required for identity theft,” – the social security numbers, were not disclosed.

As the information was not available in a universal format, nor easily recognized by file names, the actual threat is deemed minor, but the department is willing to change the Alaska Student Identification Numbers if asked.

The Department of Education and Early Development can be contacted at 465-8727. So far only 6 calls have been made regarding this issue. Also, the Fairbanks school district will be sending letters to the parents of the potentially affected students.

Printed, stored on computers or on flash drives, your data is just not safe. Your personal details that you entrust to companies you work with, doctors and other third parties will just end up exposed. If you are lucky enough, they might get in the hands of someone who won’t use your address, social security number or card details to harm you on their quest to get fast and easy money. If you’re unlucky, your accounts will just turn empty one day, your identity will be used to commit felonies or crimes and you will have years of paperwork and bad credit records in front of you.

Let’s check the recent data breach news. We have a stolen computer that contained names, ages, addresses and medical conditions of 700 children. Next come rushing in: backup tapes and other media containing cord blood bank customer information stolen from car, which ended up exposing about 300,000 records; and 113 patients’ names and Medicare numbers on a document stolen from a vehicle…

Of course, not all private details are stolen! Some of them are merely lost! You can read all about a lost flash drive with 2777 names, medical record number and test results or another lost flash drive with 59 patients’ name, age, diagnosis, admission date and brief treatment notes as well as some ID card numbers on it!

Data breaches cost. First customers, then companies. You need to pay for your deed and there are fines, law suits and the big elephant in the room – loosing all your customers! Sounds like fun!

It actually does not. Data breaches are dead serious and you should try to prevent them. It’s always cheaper than dealing with the consequences. So take your time to find out about and then invest in an effective data loss protection and endpoint security solution. And try to do that soon!