Data Breaches and Compliance Issues in the News



8/20/08: Data Breach included test scores

The test scores and personal information of more than 100,000 students were published on The Princeton Review's Web site and remained there for seven weeks, says a New York Times report. The incident also exposed files on the company's network, including internal communications and test study guides. The company is investigating how many files may have been accessed. The event exposed the standardized test scores and personal information of 34,000 Sarasota, FL public school students, and the names and dates of birth of 74,000 Fairfax County, VA school children. A Princeton Review competitor was the first to discover and report the exposure.


8/19/08: Former state worker accused of stealing

A former Department of Consumer Affairs employee who e-mailed herself a confidential personnel roster containing 5,000 state worker names and Social Security numbers was arrested Friday and charged with five felony counts. Rachael Rivas Dumbrique, 33, of Sacramento was arrested by Consumer Affairs investigators just after 2 p.m., department spokesman Russ Heimerich said. Dumbrique was charged with three counts of stealing confidential documents from three state agencies and two counts of illegally accessing the information using computer systems or networks. No further details were given. Dumbrique was booked into the Sacramento County jail and is scheduled to appear in court Tuesday. Her bail was set at $500,000, court documents show. Workers affected by the security breach were notified of Dumbrique's arrest two hours later in a departmentwide e-mail that vowed to hold staffers who abuse the public trust accountable. Department of Consumer Affairs investigators raided Dumbrique's Sacramento home in June after she e-mailed a personnel roster to her own Yahoo account on her last day at the department, triggering security software alerts. She switched jobs and went to work at the Department of Mental Health. Consumer Affairs officials were particularly worried because Dumbrique was married to Edward Dumbrique, a member of the Mexican Mafia serving a 28-year prison sentence for a gang murder in Southern California. When investigators raided Dumbrique's home, they found confidential California Department of Corrections and Rehabilitation and California Air Resources Board records containing personal information about staffers. Dumbrique said she didn't realize the personnel roster contained Social Security numbers and would not have sent it outside the department if she had known. 
In a message to Consumer Affairs workers Friday, Scott Reid, chief deputy director, said officials so far have no evidence that the personnel roster or Social Security numbers have been misused. But, he said, Dumbrique's actions "were very serious and warrant criminal prosecution."


8/13/08: Former Countrywide Employees Arrested for Selling

Two men were arrested today on charges related to the illegal access of computers containing personal identification information of Countrywide Home Loan customers and the illegal sale of the data, announced Salvador Hernandez, assistant director in charge of the FBI in Los Angeles, and United States Attorney Thomas P. O'Brien. Rene L. Rebollo Jr., 36, of Pasadena, a former employee of Countrywide Home Loan, was recently arrested by special agents with the FBI. Rebollo is scheduled to make his initial court appearance this afternoon in United States District Court in Los Angeles. A second man charged in the case -- Wahid Siddiqi, 25, of Thousand Oaks -- was also recently arrested. Siddiqi allegedly purchased the identification data; he is expected to make his initial court appearance on Monday. According to a criminal complaint, the FBI, as well as investigators with Countrywide Financial, discovered a security breach at the company and initiated a joint investigation. The complaint alleges that Rebollo was employed as a senior financial analyst for Countrywide Home Loan's subprime mortgage division, Full Spectrum Lending in Pasadena. In his position, he had access to Countrywide computer databases, many of which contained sensitive information of Countrywide clients. Countrywide terminated Rebollo's employment in July 2008. According to the complaint, Rebollo was interviewed by FBI agents last month and acknowledged that he was responsible for giving out account information belonging to Countrywide customers to third parties over the course of two years. Rebollo said he obtained the information from Countrywide computers at his workspace and saved the reports to personally owned flash drives, according to the complaint. After Rebollo saved the Countrywide Home Loan data on the flash drives, he left the Countrywide Home Loan premises with the intent to sell the data. 
Rebollo opened a personal bank account specifically for the purpose of depositing and holding the illegal proceeds of the Countrywide data sales, and he estimated that he profited approximately $50,000 to $70,000 from the sale of the Countrywide-owned data, according to the complaint. Rebollo was asked by other individuals to obtain specific types of data from Countrywide, and he was able to provide the information because of his access to many of Countrywide's databases that contained information about clients from around the United States, according to the complaint. Siddiqi was recorded by a confidential witness working for the FBI when he placed an order for personal profiles at a negotiated price, according to the complaint. Siddiqi subsequently met the confidential witness and delivered the data in exchange for cash. Copies of the discs were provided to Countrywide investigators for verification and authentication. Countrywide investigators are currently analyzing evidence to determine if any of their customers' identities may have been compromised so that they can be formally notified and assisted in the immediate future. Rebollo is charged with exceeding authorized access to the computer of a financial institution, a charge that carries a statutory maximum penalty of five years in federal prison. Siddiqi is charged with fraud and related activity in connection with access devices, a crime that carries a statutory maximum penalty of 15 years in prison. This case is a result of an investigation by the FBI. Investigators at Countrywide Financial provided considerable assistance and continue to fully cooperate with the FBI in this investigation.


8/13/08: Identity Theft Case Said to be the Largest

Eleven people allegedly involved in what U.S. Attorney General Michael B. Mukasey termed "the single largest and most complex identity theft case ever charged in this country" have been arrested. The global cast of characters comes from the U.S., Estonia, Ukraine, China and Belarus. The extent of their alleged offenses, while still unknown, includes the theft and sale of at least 40 million credit and debit card numbers from mainstream retail chains such as Barnes and Noble, Sports Authority, Office Max and others. But while the extent appears huge, the techniques allegedly used to gather confidential data are almost laughable in their simplicity. Wardriving -- driving around looking for unsecured wireless networks -- was the entrée, and the lack of common-sense security measures allowed the building of a short-lived empire on fraud and theft. In an indictment returned yesterday by a federal grand jury in Boston, ringleader Albert "Segvec" Gonzalez, of Miami, was charged with multiple offenses. Gonzalez, according to media reports, was arrested in 2003 for access device fraud and later, while working as a confidential informant for the Secret Service, was found to be criminally involved in the very case he was working on. Because of the size and scope of his recent alleged criminal activity, Gonzalez faces a maximum penalty of life in prison if he is convicted on all the charges alleged in the Boston indictment. The indictment alleges that after they collected the data, the conspirators concealed it on encrypted computer servers that they controlled in Eastern Europe and the United States and later sold some of the credit and debit card numbers, via the Internet, to other individuals in an international distribution ring. The stolen numbers were "cashed out" by encoding them onto the magnetic stripes of blank cards. The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs. 
Gonzalez and others were allegedly able to conceal and launder their fraudulent proceeds by using "anonymous Internet-based currencies" both within the United States and abroad, and by channeling funds through bank accounts in Eastern Europe. "The people accused of carrying out this scheme worked out of several different countries, and targeted retail operations without regard to jurisdiction," said Mukasey. "That sort of international conspiracy is increasingly common. With the worldwide reach of the Internet, criminals can now operate from almost anywhere on the globe to steal personal information from our citizens. And when they do, there are international online marketplaces where they can peddle that stolen information." In May 2008, Gonzalez and the other defendants were also charged in a related indictment in the Eastern District of New York. The New York charges allege that they were engaged in a sophisticated scheme to hack into computer networks run by the Dave & Buster's restaurant chain, and stole credit and debit card numbers from at least 11 locations. Specifically, the indictment alleges that the defendants gained unauthorized access to the cash register terminals and installed at each restaurant a "packet sniffer," a computer code designed to capture communications on a computer network. The packet sniffer was configured to capture credit and debit card numbers as this information was processed by the restaurants. At one restaurant location, the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards. "Cases like this send a clear message to those who might be tempted to abuse our computer networks to steal information and harm law-abiding people and businesses: If you do, we will track you down wherever you are in the world, we will arrest you, and we will send you to jail," continued Mukasey. 
"This case highlights the efforts of the Justice Department to fight this pernicious crime and shows that, with the cooperation of our law enforcement partners around the world, we can identify, charge and apprehend even the most sophisticated international computer hackers." "While technology has made our lives much easier," said U.S. Attorney Michael J. Sullivan, "it has also created new vulnerabilities. This case clearly shows how strokes on a keyboard with a criminal purpose can have costly results. Consumers, companies and governments from around the world must further develop ways to protect our sensitive personal and business information and detect those, whether here or abroad, that conspire to exploit technology for criminal gain." "Technology has forever changed the way commerce is conducted, virtually erasing geographic boundaries," said U.S. Secret Service Director Mark Sullivan. "While these advances and the global nature of cyber crime continue to have a profound impact on our financial crimes investigations, this case demonstrates how combining law enforcement resources throughout the world sends a strong message to criminals that they will be pursued and prosecuted no matter where they reside."


8/11/08: Lost/stolen equipment risk patients info

Computers with sensitive medical information are among 5,000 items lost or stolen nationally by the federal Indian Health Service (IHS), The Washington Post reported July 22. The value of the items missing from the agency’s headquarters and 12 regional offices is approximately $15.8 million, according to the article. The investigation began when a whistleblower alleged widespread discrepancies in the agency’s inventory. Investigators found a number of “egregious” errors, including:
- $700,000 worth of IT equipment damaged by bat dung
- A yard sale during which 17 computers were given away for free
- The theft of a laptop computer containing personal details about 849 uranium miners from a New Mexico hospital


8/8/08: Missing Laptop Reappears

The stolen laptop containing unencrypted personal information for 33,000 travelers who applied for the Transportation Security Administration's (TSA) Registered Traveler program has been located, reports The Daily Journal. An official from Verified Identity Pass, the owner of the laptop and operator of the program, said the laptop was found in the same locked airport office from which it went missing. Now, the company is trying to determine whether any data was compromised, says the report. The laptop was reported stolen on July 26 and the TSA suspended Verified Identity Pass from enrolling new applicants for violating security requirements: the TSA requires its service providers to encrypt all files containing participants' sensitive information. The Registered Traveler program lets pre-qualified travelers pass through airport security checkpoints quickly.


8/7/08: Indictments Handed Down in TJX Breach

Eleven people have been charged in connection with the TJX data breach that exposed the card numbers of about 100 million, reports the Associated Press. The indictment alleges that hackers infiltrated the wireless networks of nine U.S. retailers, and then installed programs to capture customers' personal and financial information, which they allegedly sold to others or used themselves. The charges include conspiracy, computer intrusion, fraud and identity theft. The hackers hail from the U.S., Estonia, Ukraine, Belarus and China. Three are in custody; eight remain at large, one of them known only by a pseudonym.


8/6/08: Stolen, Unencrypted Laptop Exposes Thousands

The personal information of travelers who had applied to enroll in the Transportation Security Administration's (TSA) Registered Traveler program may have been exposed when a laptop containing the information was stolen late last month. The Washington Post reports the laptop belonged to Verified Identity Pass, the New York company that pre-screens applicants for the program. It was stolen from a locked office at the San Francisco International Airport. The computer contained unencrypted information about 33,000 applicants, including their names, addresses, driver's license and passport numbers. The Registered Traveler program eases the security checkpoint process for pre-screened customers. The TSA has suspended the company from enrolling travelers.


8/5/08: More Breached Patient Privacy

More UCLA Medical Center staff members than originally estimated inappropriately accessed the medical records of celebrities and other well-known patients between 2004 and 2006, says an Associated Press report. A California Department of Public Health report, released yesterday, revealed that 127 employees viewed the records of "well-known" individuals without permission, which is nearly double the number authorities originally estimated. "It's very disturbing to see this," said Kathleen Billingsley, director of the department's Center for Healthcare Quality. UCLA Health System chief executive David Feinberg said that all employees who violated patients' confidentiality were disciplined or dismissed.


8/4/08: Employee Steals & Sells Data

A senior financial analyst for a Countrywide Financial Corp. division was arrested by the FBI on Friday for conspiring to sell the personal information of about two million mortgage applicants. Authorities also arrested a co-conspirator. The men were allegedly selling the customer information--including Social Security numbers--to other loan agents as "leads." The Los Angeles Times reports that Rene Rebollo Jr. was charged with unauthorized access to a financial institution's computers. He used a computer with reduced security features to transfer customer data to his thumb drive, then created spreadsheets to sell to other mortgage lenders. The scheme had been going on for two years and was detected by Countrywide.


8/4/08: Anheuser-Busch alerts N.H. residents

About 2,250 New Hampshire residents have been notified that their personal information was stored on a laptop computer taken by thieves who burgled an Anheuser-Busch Co. office in Missouri in June. The brewer said the laptop contained unencrypted personal data, including names, addresses, case notes from a company employee assistance program, Social Security numbers, birth dates, ethnicities and marital status, of current and former employees and their dependents. The company confirmed that information on residents of other states was also contained on the laptop, but declined to elaborate. The laptop was password-protected, it said. The company notified New Hampshire employees and dependents of the data breach via mail after the company alerted the New Hampshire state attorney general about the incident, as required by state law. In the July 21 letter to New Hampshire Attorney General Kelly Ayotte, Lisa Joley, vice president and general counsel at Anheuser-Busch, disclosed details of the burglary and told of plans to notify affected employees and dependents who live in the state. Contacted by telephone, Joley declined to comment on the case. Anheuser-Busch said that five Hewlett-Packard laptop machines, including one containing the personal data, were stolen from a company office in Sunset Hills, Mo., during the weekend of June 6 to 8. The theft is being investigated by the Sunset Hills Police Department. Tim Farrell, vice president of corporate human resources at Anheuser-Busch, said in a statement that the company is cooperating in the investigation. "At this time, there is no evidence that the theft has resulted in any unauthorized disclosure, fraudulent credit card applications or other identity theft crimes," Farrell said. "We have taken precautions by notifying all affected individuals and offering free credit monitoring from Equifax Personal Solutions for one year." 
Thomas McQuillan, a technology consultant and principal of Quill Consulting LLC in Grand Rapids, Mich., said that while government agencies typically must fully disclose details of data breaches, private companies may do internal investigations or work with police, so they may have to be more close-mouthed about such incidents. "The majority of breaches are probably happening in the private sector, but they're just not being reported," McQuillan said.


7/22/08: SSNs on Mailing Label

Officials at the University of Maryland have apologized to 23,000 students for mailing a parking brochure with their Social Security numbers printed on the address label. The brochures were sent through U.S. Postal Service third-class mail on July 1. Officials discovered the problem on July 8. "We are initiating immediate action to ensure that this error does not recur," said a university spokesperson in an e-mail to the students. "We strongly recommend that you take appropriate precautions to mask, black out or destroy this document after use." The university is offering free credit reports to those affected.


7/17/08: Metro Posts SSNs to Web Site

The Social Security numbers (SSNs) of thousands of former and current employees of Washington DC's Metro transit system were exposed in a data breach, reports the Associated Press. The SSNs of 4,675 people were accidentally posted to Metro's Web site between June 9 and June 25 when the agency was soliciting bids for workers' compensation and risk management providers. Metro is offering free credit protection services to those affected. An agency spokesperson said Metro is also taking steps to improve Internet security.


7/15/08: Posting of SS #s Results in Suspension

Three Metro employees have been disciplined after the Social Security numbers of nearly 4,700 current and former employees were mistakenly posted on the transit agency's Web site last month, officials said yesterday. The information was posted between June 9 and June 25, when the breach was discovered. The information was part of a solicitation from Metro to companies interested in providing workers' compensation and risk management services. The document mistakenly included the Social Security numbers of 4,675 employees. The names and Social Security numbers of a smaller group of employees also were posted in the lengthy document. Letters warning of the breach dated July 3 were sent to all affected employees, Metro spokeswoman Candace Smith said. Last week, the agency set up a separate Web site where employees can determine whether their numbers were among those posted. The three disciplined employees, including a manager, have been suspended for up to a month without pay, officials said. Although the affected employees were informed through letters and an e-mail sent last week, officials did not make the security breach public until yesterday, in response to a reporter's query. The letter to employees urges them to watch their credit reports for signs of identity theft. Metro is offering the employees one year of free credit report monitoring, $25,000 in identity theft insurance and counseling services. Smith said she was not aware of any cases of reported identity theft as a result of the breach. "We deeply regret this incident, and believe the likelihood of misuse of the information is low," Metro Chief Safety Officer Ronald Keele said in a statement. "However, we have taken additional steps to protect employee information by bolstering Internet security and requiring more checks and balances of materials before they are being released publicly." 
Smith said the Social Security numbers were buried within a document that officials had posted on the Web as part of Metro's effort to hire a company to handle some of its workers' compensation and risk management work. Included in that document, she said, were typical claims that Metro handles. The information about names and Social Security numbers should have been redacted but was not. "Thankfully, somebody in the office spotted it and they pulled it down immediately," she said. Metro sent out letters based on information the agency had on file. Smith said she did not know whether all of the former employees' addresses are current. Security breaches have become a common problem for companies, government agencies and universities nationwide. Metro officials, citing the Identity Theft Resource Center, a nonprofit fraud-prevention group, said such data breaches were up 69 percent in the first half of 2008, compared with a similar period in 2007.
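The Metro item above turns on a document that went out with the Social Security numbers unredacted, and the agency's stated fix is "more checks and balances of materials before they are being released publicly"; the University of Maryland mailing-label item further down the page has the same shape. As an added example, not part of the original reporting and not Metro's own tooling, here is one concrete form such a check can take: a release gate that scans text for SSN patterns before it is posted or mailed. The sample solicitation text, the names and every number in it are constructed for this example. The structural validity rules (area never 000, 666 or 900-999; group never 00; serial never 0000) are the Social Security Administration's published ones and are what keep test records and reference numbers from triggering the gate.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ssnPattern matches delimited SSNs (123-45-6789 or 123 45 6789). Undelimited
// 9-digit runs are deliberately not matched: in a claims or finance document
// they are far more often amounts, account or reference numbers than SSNs.
var ssnPattern = regexp.MustCompile(`\b(\d{3})[- ](\d{2})[- ](\d{4})\b`)

// Finding is one candidate SSN located in the scanned text.
type Finding struct {
	Line   int    // 1-based line number
	Masked string // only the last four digits, so the report is not itself a leak
}

// isPlausibleSSN applies the SSA's structural rules to cut false positives:
// area is never 000, 666 or 900-999; group is never 00; serial is never 0000.
func isPlausibleSSN(area, group, serial string) bool {
	a, _ := strconv.Atoi(area) // digits only, so Atoi cannot fail
	if a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// ScanForSSNs returns every plausible SSN in text, with all but the last four
// digits masked.
func ScanForSSNs(text string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range ssnPattern.FindAllStringSubmatch(line, -1) {
			if isPlausibleSSN(m[1], m[2], m[3]) {
				findings = append(findings, Finding{Line: i + 1, Masked: "***-**-" + m[3]})
			}
		}
	}
	return findings
}

// ReleaseGate returns nil when the document is clear and an error listing the
// findings otherwise, so a publishing step can refuse to post it.
func ReleaseGate(text string) error {
	f := ScanForSSNs(text)
	if len(f) == 0 {
		return nil
	}
	parts := make([]string, 0, len(f))
	for _, x := range f {
		parts = append(parts, fmt.Sprintf("line %d: %s", x.Line, x.Masked))
	}
	return fmt.Errorf("release blocked, %d possible SSN(s): %s", len(f), strings.Join(parts, "; "))
}

// sampleRFP is a constructed stand-in for the solicitation document described
// above; every name, number and claim in it is invented.
const sampleRFP = `Request for proposals: workers' compensation claims administration
Sample claim 1: J. Doe, SSN 219-09-9999, back strain, 2007-03-12
Sample claim 2: A. Roe, SSN 078 05 1120, lost time 14 days
Contact: (202) 555-0147, test record 000-12-3456 (invalid area, must not fire)
Claims paid 2007: 123456789 dollars (undelimited, must not fire)`

func main() {
	if err := ReleaseGate(sampleRFP); err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("document clear for release")
}
```

On the sample text the gate blocks release and reports two findings (lines 2 and 3), while the invalid-area test record and the undelimited amount pass through. The same scan run on outbound e-mail attachments is the kind of control that raised the "security software alerts" in the Consumer Affairs roster item earlier on this page; the trade-off in both settings is the same, and it is why the report masks everything but the last four digits.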


7/14/08: Tennessee School District Breach Affects Thousands

Personally identifiable information (PII) for as many as 17,000 Williamson County, Tennessee students and faculty was posted to a Web site where it may have been freely available for nearly a year before being discovered, the Tennessean reports. The PII, including Social Security numbers, birth dates and names, was posted to the Web site by an assessment specialist for the schools in order to transfer the data to another computer; after the transfer, the unencrypted information remained cached and available online.


7/9/08: Supreme Among Victims of P2P Breach

Supreme Court Justice Stephen Breyer is among the nearly 2,000 victims of a data breach resulting from the use of peer-to-peer file sharing by an employee of an investment firm used by the judge. A reader of the Washington Post's Security Fix blog noticed client information for the McLean, Virginia investment firm Wagner Resource Group, including names and Social Security numbers, on the LimeWire network. It is estimated that the breach went undetected for at least six months. Justice Breyer had no comment on the incident, but at least one other client reported receiving a phone bill with $9,000 in bogus charges since the breach was discovered.


7/8/08: Japanese military loses data again

Japan's Self Defense Force lost sensitive data pertaining to a joint U.S.-Japan military exercise last year, the Ministry of Defense said Tuesday. The loss occurred just before an apparently more serious case in which information regarding the Aegis missile system was found on the home computer of a Self Defense Force member, and could bring further criticism from the U.S. of Japan's military and its data handling. The case detailed Tuesday concerns data on a joint training exercise that was stored on a USB stick. The stick was taken by a captain in the Ground Self-Defense Force who later threw it in the trash, Defense Minister Shigeru Ishiba said at a news conference. The data concerned unit deployment maps, in particular those of U.S. helicopters and tanks, and was categorized as requiring caution in its handling but was not confidential, the Mainichi Shimbun reported in its Tuesday morning edition. Ishiba was speaking at the news conference in response to the newspaper's report. The Aegis data incident, which came to light in March last year, resulted in the arrest of an officer of the Maritime Self Defense Force and embarrassed Japan at a time when it was trying to persuade the U.S. government to give it some access to information regarding the F-22A Raptor aircraft ahead of a possible purchase. The Raptor is one of the most technically advanced aircraft in the U.S. fleet, and the leak dented confidence in Japan's ability to keep the information secret. Japan apologized to the U.S. regarding the Aegis incident last year, but as recently as last month the issue was still in the thoughts of the U.S. government when Thomas Schieffer, U.S. ambassador to Japan, speaking on defense cooperation, told a news conference, "The United States could do more if Japan increased its ability to protect classified material and proprietary information."


7/6/08: Encrypt Personal Data Or Suffer The Consequences

What's on your server? Whatever it is, in this day and age, if your data concerns the public, it had better be encrypted on your server. A recent report noted that nearly a third of consumers terminate their relationship with an organization that has suffered a data breach involving their personal information. So, if you find that someone has raided your customer data files, you might be tempted to keep mum about it, but you can't. By one count, 39 states plus the District of Columbia have data breach notification laws, requiring that if you have a data breach, the people whose personal data was exposed must be notified. If this is not done "without unreasonable delay," you could face civil or criminal penalties. There is no comparable federal law, but you might as well pretend there was: because all the major states have such laws, exempting residents of the other 11 is not practical.

Conforming to these laws is not only humiliating, it's expensive. The average data breach cost $197 per exposed record, according to one study. Sending out the notification letters cost only $15 each, with the bulk of the cost stemming from lost business. But most of the state laws in question include a "get out of jail free card," specifically exempting encrypted data, so that losing it doesn't count. For the other states, the exemption is presumably implied, as a thief could not extract information from the data. The condition that makes the exemption worth anything is that the key must not go out the door with the data: a laptop whose disk is encrypted but unlocks from a cached password, or a database dump copied along with the key file that decrypts it, is not "encrypted" in any sense a regulator or a thief will respect.

Basically, the genie is out of the bottle. Data that escapes into the wild can live there indefinitely, thanks to the Web, where scam artists swap stolen identities as if they were baseball cards (and for comparable prices). One list shows that 227 million personal records have been lost in the U.S. since the start of 2005. Obviously, encrypting sensitive data on your server, with the key held somewhere the data is not, is your best move. 
Your server may be locked up tight, in both the physical and network sense, but tomorrow someone could copy a sensitive file to his laptop, and the day after tomorrow that laptop could be stolen out of his car. And then you'll learn more than you ever wanted to know about data breach notification laws.
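The column above argues for encrypting personal data at rest but does not show what "encrypted" has to mean for the copied-file-on-a-stolen-laptop scenario to be harmless. The following is an added example, not code from the column or from any organization named on this page, of the envelope pattern that satisfies it: each record is encrypted under its own random data key (DEK) with AES-GCM, and the DEK is stored next to the ciphertext only after being wrapped by a key-encryption key (KEK) that lives somewhere else, such as a KMS or HSM. The key identifier "kek-2008-07", the record contents and the KEK generated in main are all constructed for the example; in production the KEK would be fetched, never generated or stored on the data server. The key ID is bound as authenticated data on both layers so that a stored record cannot be quietly re-pointed at a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"io"
)

// EncryptedRecord is all that is stored next to the data: a per-record data
// encryption key (DEK) wrapped by the key-encryption key (KEK), plus the
// AES-GCM ciphertext. The KEK itself is never written to this server.
type EncryptedRecord struct {
	KeyID      string `json:"kid"`   // which KEK wrapped the DEK (lets you rotate KEKs)
	WrappedDEK []byte `json:"wdek"`  // nonce || AES-GCM(KEK, DEK)
	Nonce      []byte `json:"nonce"` // nonce for the record ciphertext
	Ciphertext []byte `json:"ct"`    // AES-GCM(DEK, plaintext) with tag appended
}
const gcmNonceSize = 12 // standard GCM nonce length

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, g.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to key, nonce, ciphertext or aad fails the tag check.
func unseal(key, nonce, ct, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// EncryptRecord draws a random 256-bit DEK for this record, encrypts the
// plaintext under it, then wraps the DEK under the KEK. The key ID is bound as
// AAD on both layers so a stored record cannot be re-pointed at another key.
func EncryptRecord(kek []byte, keyID string, plaintext []byte) (*EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	wnonce, wdek, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{KeyID: keyID, WrappedDEK: append(wnonce, wdek...), Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK: a copy of the stored record alone (the
// stolen-laptop case) yields nothing, and a wrong KEK or tampered record fails closed.
func DecryptRecord(kek []byte, rec *EncryptedRecord) ([]byte, error) {
	if len(rec.WrappedDEK) < gcmNonceSize {
		return nil, fmt.Errorf("malformed wrapped DEK")
	}
	aad := []byte(rec.KeyID)
	dek, err := unseal(kek, rec.WrappedDEK[:gcmNonceSize], rec.WrappedDEK[gcmNonceSize:], aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, rec.Nonce, rec.Ciphertext, aad)
}

func main() {
	// Constructed demo; in production the KEK is fetched from a KMS or HSM, not generated here.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "kek-2008-07", []byte(`{"name":"J. Doe","ssn":"078-05-1120"}`))
	if err != nil {
		panic(err)
	}
	stored, _ := json.Marshal(rec) // this is all a thief who copies the file gets
	fmt.Println(string(stored))
}
```

What main prints is the entire on-disk artifact. Without the KEK it is random bytes plus a key name; with the wrong KEK, a flipped ciphertext byte, or an edited key ID, DecryptRecord returns an error rather than garbage, which is the property a notification-law exemption is actually counting on. Rotating the KEK means re-wrapping the small DEKs, not re-encrypting every record.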


7/7/08: Stolen: Google's employee records

Records kept at Colt Express Outsourcing Services, an external company Google and other companies use to handle human resources functions, were stolen in a burglary on 26 May. An undisclosed number of employees' details, and those of dependents, such as names, addresses and Social Security numbers, were on the stolen computers. It is understood that Colt did not employ encryption to protect the information. It's still unclear how many more of Colt Express' clients were affected by the breach. CNET Networks (publisher of ZDNet.com.au and Builder AU) was another company affected by the burglary, with around 6,500 employees' details stolen. Although there is no evidence of misuse of the data to date, the information obtained could be used by ID thieves to create fake accounts and identities. It has only come to light now that Google was one of the companies affected. Google itself was not burglarised, nor were any of its internal systems compromised. Danny Thorpe, a former chief scientist at Borland and engineer at Google who now works for Microsoft, was informed of the theft on 1 July and wrote: "I've just received a letter from Google that personal data of Google employees hired prior to 31 December, 2005 may have been stolen in the 26 May burglary of Colt Express Outsourcing Services. No credit card numbers were in the stolen data, just names, addresses, SSNs (Social Security Numbers) — all the info needed for a thief to open new accounts using your identity." According to Thorpe, Google has offered to cover the cost of a one-year subscription to a credit report and identity theft monitoring service. Similar benefits were offered to CNET Networks employees last week. ITWorld reported last week that Colt Express Outsourcing Services was in financial difficulty and could not help those affected. The company's CEO, Samuel Colt III, said in a statement: "We do not have the resources, financial and otherwise, to assist you further". 
A Google spokesperson — who confirmed the data leak — confirmed that Google is offering all affected employees and former employees a free one-year credit monitoring service. "We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis. "Google is not currently using Colt's services and had made this decision long before this incident," the spokesperson said.


7/3/08: TX Agreement Helps Protect from Identity Theft

Greg Abbott, the state of Texas’ Attorney General, has reached an agreement with two Austin companies that will protect Texans from identity theft. The settlement resolves the state's May 2007 enforcement action against EZMONEY, L.P. and EZPAWN L.P., which were charged with violating state laws governing the disposal of customer records containing sensitive personal information. Under Texas law, vendors must take specific precautions before discarding documents that include customers' bank account, driver's license and Social Security numbers. The agreement requires that EZMONEY and EZPAWN overhaul their information security program and pay $600,000 to the State of Texas, which will help fund future identity theft investigations. "Today's agreement protects Texans from identity theft and ensures that the defendant will comply with important laws governing the disposal of sensitive customer information," said Abbott. "Recognizing that identity theft is one of the state's fastest growing crimes, the Texas Legislature enacted legislation to ensure that customers' sensitive information is protected from identity thieves. The Office of the Attorney General will continue cracking down on identity theft." Under the agreement with the state, EZMONEY and EZPAWN must implement a new training program to inform their Texas employees about the companies' enhanced information security procedures. The employee training program must provide employees with a review of the companies' privacy procedures and a review of state laws governing the disposal of customer records. Today's agreement requires that the training program explain identity theft, its costs to individual customers, and the importance of abiding by the companies' newly implemented document disposal protocol.


7/2/08: Stolen Laptops Leave Data Vulnerable

A study released yesterday reveals that hundreds of thousands of laptops are stolen from U.S. airports each year, and most contain unprotected confidential company information, says a PCWorld report. The Ponemon Institute survey found that nearly 12,000 laptops are reported stolen each week at large and medium-sized airports, often at security checkpoints. Sixty-five percent of victims report having taken no steps to protect confidential company information contained on their machines. Sixty-nine percent of those laptops stolen are not reclaimed, according to PCWorld.


7/1/08: Breach Reports Up in First Half of 2008

Reports of data breaches are on the increase compared to 2007 figures, reports The Washington Post. The Identity Theft Resource Center (ITRC) analyzed 342 data breach reports between January 1 and June 27 of this year, finding a 69 percent increase in the number of breaches reported compared to the same time frame in 2007. Reports of breaches within businesses, health care providers and banks rose, while reports from educational institutions, the government and military declined. More than 20 percent of the data breach cases studied were attributed to lost or stolen laptops or digital storage media, according to the report. The number of breaches attributed to insider theft increased from six to 16 percent. Forty-four states and Washington, D.C. now have data breach notification laws.


6/30/08: 51,000 Customers Not Notified

A December breach involving the credit card numbers of 51,000 Montgomery Ward customers has just now come to light, says an SC Magazine report. The retailer, now called Wards.com and operating exclusively on the Internet, did not notify customers when it learned of the breach. Forty-four states have passed laws requiring businesses and organizations that house consumer data to notify consumers in the event of a breach of security. Wards.com could be sued for failure to notify.


6/26/08: CNET Employee Data Exposed by Third Party

A burglary at Colt Express Outsourcing Services has left the personal information of 6,500 CNET Networks employees exposed, says a PCWorld report. Burglars stole computer systems from the company, which administers benefit plans for CNET and other clients. The computers contained the names, birth dates, Social Security numbers and beneficiary information for those enrolled in CNET's health insurance plans, according to the report. CNET employees can sign up for one year of free credit monitoring, said Jose Martin, senior vice president of Human Resources at CNET. Colt Express is currently going out of business and said they "do not have the resources, financial or otherwise, to assist" those exposed.


6/23/08: Walter Reed the Latest Target

A security breach at Walter Reed Army Medical Center in Washington, DC, and other military hospitals has exposed sensitive information about approximately 1,000 patients, the Associated Press (AP) reported June 2. This is the latest in a series of security breaches that have plagued the federal government—including HHS, the Veterans Affairs Department, the Agriculture Department, and the National Nuclear Security Administration—in recent years, according to the article. The affected computer file included names, Social Security numbers, and birth dates, but did not include medical records or information pertaining to diagnoses or prognoses, according to the AP. Walter Reed officials said the Army and the hospital were investigating the incident and declined to say how the information was compromised. Walter Reed learned of the breach May 21 from an unidentified outside data mining company that was working for another client, according to the article. Officials said they were notifying people whose information was in the compromised file and offering them free credit protective services. The hospital has established a hotline for patients.


6/20/08: Data Disposal Disturbs Texas AG

Texas Attorney General Greg Abbott levied the charge yesterday on Petroleum Wholesale, L.P., the operator of convenience stores and travel centers in 10 states. The company is under fire for discarding customer records in a publicly-accessible trash bin. Records included customers' names, full credit and debit card numbers with expiration dates, returned checks, bank routing numbers, driver's license numbers and Social Security numbers, says the report. "This defendant is charged with failing to protect its customers' sensitive information," said Texas Attorney General Greg Abbott, who also charged the company for violating the Business and Commerce Code for not having developed retention and disposal procedures for clients' personal information.


6/19/08: Settlement Pending in Ameritrade Case

The Associated Press reports that, in a proposed settlement, Ameritrade Holding Corp. will pay nearly $1.9 million to plaintiffs affected by the company's September 2007 data breach that exposed the personal information of more than six million people. Although it still needs a judge's approval, the agreement covers plaintiffs' legal fees and a year of anti-spam service. According to the company, no identity thefts have occurred as a result of the breach. Ameritrade also agreed to third-party security audits twice annually until December 2009.


6/12/08: Millions of Patient Records Stolen

The billing records of 2.2 million University of Utah Hospital patients have been stolen, says a KUTV report. The records were contained on backup tapes in a gray metal box and were stolen from the vehicle of a courier who failed to deliver the box to a storage center immediately after picking it up from the hospital on June 1. At least 1.3 million records contained patients' Social Security numbers. The hospital is notifying patients by mail, at an estimated cost of $500,000 for postage and envelopes alone. The courier was fired from Perpetual Storage Inc., where he had worked for 18 years.


6/11/08: 11,000 UF students' info put on Web

The personal information of more than 11,000 current and former University of Florida students was compromised after being posted on a school website, officials said Tuesday. The information, which included Social Security numbers, was put on a school tutoring site without a password. In the wrong hands, Social Security numbers can be used to open credit card accounts, get government benefits or apply for a job. Letters were sent out Tuesday to students notifying them of the privacy breach, which was discovered last month during a routine school audit. School officials emphasized that the site would not have been easy to find and they do not believe it was accessed by anyone outside the school. The site contained information from students at the school from 2003 to 2005 who expressed an interest in tutoring through the Office for Academic Support and Institutional Services, said Steve Orlando, a UF spokesman. "The risk of someone outside actually finding this information and using it inappropriately is very low," Orlando said. "We've done computer forensics, and we don't have any evidence that anybody accessed this information," he added. "But because we can't say that with absolute certainty, we're going through with the notification out of an abundance of caution," Orlando said. The site has since been taken down and the information has been removed from the UF system.


Same Story: 6/10/08

Stanford University has notified tens of thousands of current and former employees that their personal information was on the hard drive of a stolen university laptop, says a San Francisco Chronicle report. The names, dates of birth, Social Security numbers, home addresses and telephone numbers of up to 72,000 staffers were made vulnerable in the incident. University officials are hopeful that the thief was not aware of the computer's contents. "We believe that the perpetrator of the crime was not seeking the records on the computer or even aware of them," wrote Stanford Chief Financial Officer Randy Livingston in an e-mail to employees. "Often, such thefts are property crimes in which the laptop's hard drive is erased before the laptop is resold."


6/9/08: Indian outsourcer steals client data, sells to com

The Times of India recently reported a case that will strike fear into the hearts and minds of information security specialists and C-level executives that support and promote the use of outsourcing for company processes and operations. According to the report, the owner of an IT business process outsourcing (BPO) service provider has been accused of stealing information from Florida-based company Noble Ventures, and reselling it to their U.S.-based rivals. When Noble Ventures cancelled their contract for Web site creation and maintenance with Ahmedabad-based Business Bee Solutions, the company's owner closed his BPO shopfront and moved operations to his home. It is not known when he sold the data belonging to Noble Ventures, but he used an American-based accomplice to sell the stolen information to Noble Ventures' U.S. competitors. Spurred by the loss of the contract, and with the unspecified data worth a quarter of a million Australian dollars ($238,200), it is likely the BPO owner saw it as a way to regain some lost earnings from the deal. While the nature of the stolen data was not identified, the operations engaged in by the company suggest it could be the personal and professional details of up to 12.5 million Americans. Some might see the case as justified karma, given that Noble Ventures' operations in selling mailing lists, email lists, and other direct marketing operations facilitate the sending of junk mail and e-mail to vast numbers of unknowing Americans. The breach highlights the risks companies face when sensitive information leaves the corporate perimeter. A solid information security risk assessment should consider the risks associated with a third party selling sensitive company information, and the associated costs of client retention and servicing provider replacement.


6/6/08: College Students' Identities Stolen

A data breach at UnitedHealthcare has resulted in the stolen identities of at least 155 University of California-Irvine students. The thief or thieves accessed the files of 1,132 students and filed fake tax returns for 155 of them, says an Orange County Register report. No arrests have been made at this time. Students became aware of the situation when they tried to file their tax returns and found that someone had already filed in their name and collected their refund. UnitedHealthcare has offered to pay for credit monitoring for all affected students. "We take our obligation to protect our members' information seriously, and continue to work with law enforcement officials in this ongoing investigation," a company spokesperson said.


6/4/08: Walter Reed Medical Center

A computer file containing sensitive information on about 1,000 patients of Walter Reed Army Medical Center and other military hospitals was found on a "non-government, non-secure computer network," says an Associated Press report. The hospital will offer credit protection services at no cost to those patients whose names, Social Security numbers and birth dates were exposed. No medical information is believed to have been breached. Walter Reed learned of the breach on May 21 from an outside data mining company. While the Army investigates, the hospital is working to notify those patients whose data may have been accessed.


6/2/08: Staten Island hospital waits four months to notify

A computer stolen from Staten Island University Hospital (SIUH) during December 2007 contained the names, Social Security numbers, and health insurance numbers of 88,000 patients, but the hospital didn’t notify patients until early May, the Staten Island Advance reported May 11. "In taking a look at this, could it have been done sooner? I believe perhaps it could have been done sooner," Anthony Ferreri, SIUH president and CEO, said during an interview with the newspaper. Ferreri told the newspaper that hospital officials decided to select a credit monitoring program for all 88,000 patients before notifying them. "We wanted to make certain we had the best possible vendor with the experience in the particular area who could protect the credit and the information of those who were affected," he said. That explanation was unsatisfactory to former patient Dawn Bertoldo who read about the computer theft in the newspaper before receiving any notification from the hospital. "Right now, I'm looking at a hospital not doing the right thing,” Bertoldo told the newspaper. “If they're bound by law to protect my identity and keep it private, and they are compromised and can't do that anymore, it's both courtesy and common sense that you inform people."


5/22/08: Data breach at New York bank may affect many

Attorney General Richard Blumenthal today announced that a storage company for a New York bank lost an unencrypted backup tape containing Social Security numbers and bank account information belonging to as many as hundreds of thousands of Connecticut consumers and personal information of millions more nationwide. Among the Connecticut consumers are depositors and investors of People’s United Bank of Bridgeport, which gave Bank of New York Mellon the information so it could offer those consumers an investment opportunity. Blumenthal today wrote Bank of New York Mellon, which lost the information in February, demanding that it provide affected consumers with credit monitoring and other identity theft protections, as well as a full account of how the loss occurred and other information. The banks have cooperated fully thus far with Blumenthal’s office. Consumers seeking information about the breach should call a toll free number set up by Bank of New York Mellon, (877) 278-3451. “I am alarmed and deeply concerned by a recent and serious data breach at The Bank of New York Mellon (‘BNY’) involving the loss of computer backup tapes containing sensitive information of some 4.5 million consumers, including People’s United Bank account holders and shareowners,” Blumenthal said in his letter. “Several hundred thousand Connecticut citizens may be affected, and possibly more, by this loss of highly significant personal information. “This security breach seems highly dangerous, indeed possibly devastating in light of the identity theft threat. You have also informed this office that BNY began notifying the affected customers six weeks ago and is offering one year of credit monitoring through Equifax. Given this extraordinarily serious security breach, this offer of protection is grossly inadequate. 
Connecticut agencies that have experienced data security breaches less serious in magnitude or potential damage have offered consumers two years of credit monitoring, $25,000 identity theft insurance and free credit freezes. BNY should do no less. "I am especially concerned by the delay in informing consumers, possibly heightening the risks of wrongdoing. Neither People's nor its customers were promptly notified. Even now, many may be in the dark. "The loss of this tape -- so far unrecovered and unremedied -- is inexplicable and unacceptable. It must be addressed by protective measures to forestall identity theft immediately." On February 27, Bank of New York Mellon gave the unencrypted backup tape containing information on about 4.5 million consumers -- hundreds of thousands of them People's United Bank customers and investors -- and nine other tapes to a storage firm, Archive Systems, Inc., for transportation to a storage facility. When the storage company vehicle arrived at the storage facility, the tape was missing. The other nine tapes reached the facility safely. People's United Bank informed Blumenthal's office of the breach earlier this week, shortly after Bank of New York Mellon informed it. The banks are working with Blumenthal's office to provide information on exactly how many Connecticut consumers are affected and how many are People's depositors versus investors.


5/22/08: Privacy Wrinkle at College of Medicine

The University of Florida (UF) privacy office this week mailed letters to about 1,900 patients to notify them that their health information may have been breached, says a Jacksonville Business Journal report. An assistant professor of plastic surgery improperly disposed of unsecured patient data--including digital photographs, names, dates of birth, Social Security numbers and other PII-- when he gave his computer to friends earlier this year. The privacy compliance manager at UF's College of Medicine said the doctor violated UF policy, which states that confidential patient information should only be stored on secure university servers, not individual hard drives.


5/16/08: Employee Privacy Vulnerable after Sixth Incident

A laptop and unencrypted flash drive stolen from an employee's vehicle has made vulnerable the personal information of 13,000 Pfizer employees, says a report in The Day. It was the second Pfizer employee laptop theft and the sixth potential data breach the company has reported in less than a year's time. The flash drive contained names, home addresses, home telephone numbers, employee identification numbers, positions and salaries of employees, and was unencrypted despite the company's requirement to encrypt. "The company is now encrypting laptops and desktops worldwide," said a Pfizer spokeswoman. Connecticut Attorney General Richard Blumenthal said: "The time has come for us to have a frank and serious visit with the company to determine what preventive steps are underway to end this series of information releases."


5/15/08: More UCLA Med Employees Linked to Snooping

The Los Angeles Times reports that as many as 14 more employees of the UCLA Medical Center have been implicated in the scandal that saw the health records of some well-known patients compromised by unauthorized access. The number of staff now suspected of snooping into the files of celebrities and political figures such as Britney Spears, Farrah Fawcett and Gov. Arnold Schwarzenegger totals 68, according to the Times. One employee indicted in the case may have accessed the files of as many as 61 patients, including celebrities and co-workers, between July 2006 and May 2007.


5/9/08: Hundreds of Laptops Missing at State Department

Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found. As many as 400 of the unaccounted for laptops belong to the department's Anti-Terrorism Assistance Program, according to officials familiar with the findings. The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces. Ironically, the Anti-Terrorism Assistance Program is administered by the State Department's Bureau of Diplomatic Security (DS), which is responsible for the security of the department's computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here. DS officials have been urgently dispatching vans around the bureau's Washington-area offices to collect and register employee laptops, said department sources who could not speak on the record for fear of being fired. The inventory sometimes strips DS investigators of their laptops for "days, or weeks," they said. The State Department's Inspector General launched an audit of the equipment about three months ago. Only the first stage, or inventory of equipment, has been completed. A State Department official referred all questions regarding laptop losses to the Inspector General. A senior IG official, asking not to be identified, said he could "not comment on ongoing work." Nita M. Lowey, D-N.Y., who heads a House Appropriations subcommittee that oversees State Department operations, said she was concerned about the security revelations. "The importance of safeguarding official laptops and office equipment containing sensitive information is not a new concern," she said through a spokesman. "I intend to review the facts about this situation." "Unaccounted for" does not necessarily mean the laptops have been lost. 
But they are “missing” until they have been found or otherwise accounted for. Auditors found that the department had lost track of $30 million worth of equipment, according to one official, “the vast majority of which . . . perhaps as much as 99 per cent,” was laptops. Calculating that the average State Department laptop costs $3,000, another official said, hundreds, perhaps as many as a thousand, were missing. It could not be learned how many employees have been issued laptops. On Feb. 6, the department’s Senior Assessment Team gathered at the State Department headquarters in Foggy Bottom to discuss the security of “personal identification information.” The department’s official in charge of computer equipment, John Streufert, warned the more than two dozen officials present that the department did not have good records of its inventory. A “significant deficiency” relating to laptops existed, Streufert said, according to a source who attended the meeting. Mark Duda, a representative of the Inspector General’s office at the meeting, warned the managers that they needed to get on top of the equipment issue before it “blows up.” He said a scandal loomed akin to the one that engulfed the Veterans Administration in 2006, when news broke that a VA official had taken home a laptop with the personal records of 26 million veterans, where it was stolen. The official who chaired the meeting, Christopher Flaggs, the department’s deputy chief financial officer, also warned that revelation of the laptop losses could develop into a “material weakness,” an accounting term-of-art that essentially means inventories are out of control. “It’s the worst flaw you can have in management control,” one close observer of the State Department’s problems said. It would have to alert the White House Office of Management and Budget (OMB) and Congress. There could be hearings, headlines, camera crews on the doorstep of State Department officials. 
That's what happened in 1999, when a laptop containing the names of foreign agents working for the U.S. government was stolen from the State Department. The security of laptops has vexed federal officials, as well as private industry, for years. The CIA, FBI and other national security agencies have all lost significant numbers of laptops containing sensitive information. More than a year ago, the administration's Identity Theft Task Force warned of security vulnerabilities within the government's Internet technology systems. In May 2007, OMB had ordered all federal departments and agencies to "develop and implement a breach notification policy within 120 days." Hints of the State Department's laptop losses first surfaced March 31 in an anonymous post at an obscure Web site frequented by employees of the Bureau of Diplomatic Security, called Dead Men Working. "We're not talking about a missing laptop or two," said a poster who identified himself as "Steve." "A Department-wide audit found hundreds of laptops unaccounted for and identified DS, now rushing to close the barn door before the scandal really breaks, as having the laxest control of any bureau in the agency," Steve wrote. John Naland, a retired diplomat who is president of the American Foreign Service Association, said the alleged losses were worrisome, and perplexing. "If the missing ones might have contained classified data, this could be serious," Naland said. "At my last overseas post, we did not have any laptops," Naland continued. "But we sure did an annual serial number physical inventory of computers. Sometimes our initial count came up with discrepancies, but then we remembered that we returned one to Washington or whatever and that cleared up the paperwork discrepancy."


5/7/08: Crime Server Held Personal Data

Customer data of more than 40 major international financial institutions has been compromised in what one official describes as "the tip of the cybercrime iceberg," says a Bank Info Security report. A computer server holding 1.4 gigabytes of business and personal data stolen from Trojan-infected computers was discovered last month in Malaysia. Compromised data found on the crime server includes user names, passwords, account numbers, Social Security numbers, credit card numbers, patient data and e-mail communications. Finjan, the information security vendor that discovered the server, said that two other servers holding similar data have been turned over to law enforcement officials.


4/29/08: Lending Tree Files Suit

Following a privacy breach that exposed the personal information of an undisclosed number of individuals, online mortgage broker LendingTree has filed suit against five home loan lenders and two former company executives, says a Washington Post report. LendingTree charges that the lenders gained access to LendingTree customer information inappropriately by garnering passwords from former LendingTree employees. Ari Schwartz, deputy director of the Center for Democracy and Technology, says the LendingTree business model raises questions about privacy. "You fill out a form for free. They have companies that pay to see your information," Schwartz says. "When you make personal information that much of a commodity...there's a higher risk of mistakes on privacy and security."


4/28/08: Lost Tape Holds Personal Data

A lost tape containing the names, addresses and social insurance numbers of Chrysler auto customers has the Office of the Privacy Commissioner of Canada monitoring the company's lending arm, Chrysler Financial, says a report in the Toronto Star. "We are communicating with [the organization] to determine what took place and what is being done to remedy the situation," said spokesperson Anne-Marie Hayden. An investigation has not been started. The tape disappeared in early March while en route from Farmington Hills, Michigan to Quebec, via UPS.


4/24/08: LendingTree Discloses Insider Breach

Online mortgage lead generation service LendingTree disclosed this week that a number of former employees used their old passwords to give mortgage brokers unauthorized access to subscribers' personal records, according to NetworkWorld. LendingTree said that when it learned of the breaches, which took place between October 2006 and early 2008, it contacted law enforcement authorities, made changes to its security procedures and filed lawsuits against those involved. It is not known at this time how many subscribers to the service were affected, but the information involved likely included names, addresses, telephone numbers, Social Security numbers and employment and income data.


4/22/08: Four Unencrypted Laptops Stolen

So far no fraud has been detected in relation to a Bank of Ireland data breach that left exposed the account numbers, medical backgrounds, life assurance details, and names and addresses of more than 10,000 customers. In an RTE News report, Ireland's Data Protection Commissioner Billy Hawkes said he learned of the incident on Friday, but the four unencrypted laptop computers that caused the breach were stolen last year. The computers belonged to staff working for the bank's life assurance division. Hawkes said he is investigating the incident as "a matter of urgency".


4/21/08: Consumers Leave As A Result Of Breach Notice

George Hulme reports in his recent Security Weblog entry for InformationWeek that, according to a new Ponemon Institute survey, nearly a third of consumers who receive a breach notification letter will terminate their relationship with the offending vendor, while another 57 percent said the letter caused them to lose confidence in the company. Fifty-five percent of those surveyed had received two or more breach notice letters in the previous 24 months according to the study, which was sponsored by ID Experts, and only two percent reported that the disclosure of their personal information had resulted in being victimized by ID theft.


4/20/08: Medical Records Of 2.1 Million Stolen

The personally-identifiable information of 2.1 million University of Miami patients was stolen on March 17, says a Miami Herald report, when thieves made off with a case of computer backup tapes from the van of an off-site storage company. In a press release, the university said "Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes." Patients' names, addresses, Social Security numbers, and health information were stored on the tapes, as well as the credit card or other financial information for some. Two computer security expert firms engaged by the university were unable to extract the data, presumably due to the "complex and proprietary" format in which they were written, said a UM statement.


4/17/08: Secure Removal of Protected Health Information

The new requirements for HIPAA compliance may mean that existing computer systems will require upgrading. But per the standard, before the PC is recycled, donated, or re-sold, all PHI data must be removed. Other options for passing on that old computer include taking it to a PC recycler or toxic waste disposal center. Besides, filling up landfills is not environmentally friendly, especially considering the foul substances that can leach out of old computers. With increasing pressure to reduce costs and the availability of new methods to resell computers, businesses are looking for ways to either internally recycle their aging computer inventory or sell them into a growing used computer market. It is not unusual to find companies reselling their excess equipment on Internet sites such as eBay. However, in all cases there is a requirement to remove all of the PHI data stored on the computer before its disposal.

Data Storage Basics

To understand the challenges of data removal, you must first understand the basics of data storage. There are fundamentally two ways of retaining data in the PC: RAM memory and disk, principally the hard drive. Before a hard drive can be used it has to be conditioned to accept information. This occurs in two steps. Using FDISK establishes the areas on the drive and how they are going to be used. Formatting sets up an environment on the disk so that the operating system can store and access files from the drive. The misconception is that these steps can also be used to remove any existing information.

Myths about Data Removal

Myth #1 – I can just empty my recycle bin

As many users will already know, when a file is deleted with a delete command, it is not really removed; it just goes to the Recycle Bin. Once the recycle bin is emptied, it is gone, right? Unfortunately, no, it isn't. The operating system merely makes the disk space available for future use; new data will eventually overwrite the old. Until it is overwritten, the previous data can easily be recovered. When the drive is reformatted, the utility merely rewrites the information that is used to locate the files on the drive. Essentially, it tells the operating system that there are no files and that all of the space on the disk is free. Until the operating system comes along and writes new data over the old, the original data still exists.

Myth #2 – I can just run FDISK on the drive again

In the case of an FDISK operation, all of the information that the operating system needs to locate the data is removed. But as in the reformatting case, the original data is still there in its rawest form. Tools are readily available that will extract large portions of data even though the disk is presumed clean.

The Bottom Line

None of the standard tools described above will remove the bulk of the data contained on the hard drive. The only way to ensure that the information on the hard drive is removed is to either physically destroy the drive itself, or write over all of the existing data so that it cannot be recovered.

US Department of Defense (DOD) 5220.22-M Standard

There has been a standard in place for some time that addresses the problem of permanent removal of data from a hard drive. The standard was developed by the Defense Security Service (DSS) and is used by many federal and commercial organizations. Under the National Industrial Security Program (NISP), DSS Industrial Security Representatives oversee cleared contractor facilities and assist the organizations' management staff and Facility Security Officers in formulating their security programs. As part of the NISP initiative, DSS has developed the DOD standard 5220.22-M, the National Industrial Security Program Operating Manual. Among other items, the standard outlines the method to be used for removing data from unclassified hard drives: sanitizing.

NISP defines an overwriting technique that will remove any existing data yet leave the hard drive in a state where it can be reused. The process involves the following two steps:

1. Before any sanitization product is acquired, a careful analysis of the overall costs associated with overwrite/sanitization should be made. Depending on the contractor's environment, the size of the drive and the differences in the individual products' time to perform the sanitization, destruction of the media might be the preferred (i.e., economical) sanitization method.

2. Overwrite all addressable locations with a character, then its complement. Verify that the "complement" character was written successfully to all addressable locations, then overwrite all addressable locations with random characters; or verify the third overwrite of random characters. The overwrite utility must write/read to "growth" defect list/sectors, or the disk must be mapped before initial classified use and remapped before sanitization. Differences in the comparison lists must be discussed with the DSS Industrial Security Representative (IS Rep) and/or Information System Security Professional (ISSP) before declassification.

Note: Overwrite utilities must be authorized by DSS before use.

Other Considerations when Choosing a Disk Sanitizing Product

In addition to meeting the process defined by the DOD 5220.22-M standard, there are some other important criteria that should be taken into consideration before selecting a product.

BIOS independence

Part of the PC hardware contains the BIOS (basic input/output system) program. An older BIOS can return an incorrect disk size when it is not compatible with a newer, larger hard drive. This is not noticed during normal operation, as the flaw is automatically corrected by the operating system. However, if the sanitizing product is not independent of the BIOS, it will only remove the data from the part of the hard drive reported by the BIOS. This will result in data being left behind on the disk, which could be PHI data.

Hard drive standard compatibility

There are two predominant standards for hard drive technology used by personal computers today. One is IDE and the other is SCSI. The sanitizing utility should be able to sanitize either drive type.

Size compatibility

As hard drive sizes continue to increase, it is important to verify that the sanitizing product is able to address the larger drives. Hard drive sizes have already exceeded the 100 gigabyte limit. Many products are not yet capable of handling this size of drive.

Reporting

An important part of the HIPAA regulation is accounting. There needs to be a record that all of the software that was on the drive has been removed. This will allow the software to be legally re-used on another computer. By having a record that all company information has been removed, the drive can then be safely resold outside of the company.

Summary

As computer systems become faster and cheaper, the desire to replace them in the workplace will result in the need to dispose of the obsolete equipment. Although this equipment may not meet the needs of the business, there is a thriving market, especially for personal use, for reselling it. However, it is important that no PHI or software is lost in this transaction. If this occurs, the impact can range from inconvenience and public embarrassment to fiscal damage or violations of HIPAA requirements. The DOD standard 5220.22-M provides a good, proven framework for designing a digital data disposal process. This can be augmented by some other considerations that are not currently included in the standard to help select the right sanitizing product.
This will result in meeting the goal of retiring obsolete equipment and recovering any residual value while not compromising digital data security.
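The overwrite-and-verify procedure above, written out as an added Python example (not code from the article, and not a DSS-authorized utility). It performs the character, complement and random passes, reads the complement and random passes back to verify them, and returns a report of the kind the Reporting section asks to keep on file. It also shows the "myth" in practice: a search for a patient name over the raw bytes succeeds before the overwrite and fails after it. Assumptions not in the article: the target is a regular file or a raw block device the process can open read/write; the size the operating system reports is the full addressable size (the BIOS is never consulted); and sectors in a drive's "growth" defect list are unreachable through file I/O, so that part of the standard cannot be met from this code. The sample PHI and the disk image are constructed for the demo.

```python
"""Three-pass overwrite with read-back verification, modelled on the DoD
5220.22-M / DSS sanitization steps quoted in the article. Illustrative only."""
import os
import random
import secrets
import tempfile

CHUNK = 1 << 20      # bytes written/read per step
FIRST_CHAR = 0x55    # arbitrary pass-1 character (assumption); complement is 0xAA

# Constructed sample "PHI" used by demo(); not real data.
PHI_SAMPLE = b"PATIENT: Jane Q. Public  DOB 1970-01-01  SSN 000-00-0000\n"


def _target_size(fh):
    """Size in bytes as the OS reports it; works for files and block devices,
    so an older BIOS's wrong idea of the drive's size never enters into it."""
    fh.seek(0, os.SEEK_END)
    return fh.tell()


def _const(value):
    """Chunk source yielding n copies of one byte value."""
    return lambda n: bytes([value]) * n


def _random_stream(seed):
    """Chunk source of pseudo-random bytes from a per-run secret seed. A second
    stream from the same seed reproduces the data for verification without
    buffering a drive's worth of it. random.Random suffices: the pattern only
    has to differ from the data being destroyed, not resist cryptanalysis."""
    rng = random.Random(seed)
    return lambda n: rng.getrandbits(8 * n).to_bytes(n, "little")


def _fill(fh, size, source):
    """Write `size` bytes from the chunk source, then force them to the device."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(source(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def _verify(fh, size, source):
    """Read the whole target back and compare each chunk to what was written."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if fh.read(n) != source(n):
            return False
        remaining -= n
    return True


def sanitize(path):
    """Character, complement, random. The standard asks for verification of the
    complement pass or the random pass; this verifies both. Growth-defect-list
    sectors are not addressable here (assumption: plain file I/O only)."""
    seed = secrets.token_bytes(32)
    passes = [
        ("character 0x%02X" % FIRST_CHAR, lambda: _const(FIRST_CHAR), False),
        ("complement 0x%02X" % (FIRST_CHAR ^ 0xFF), lambda: _const(FIRST_CHAR ^ 0xFF), True),
        ("random", lambda: _random_stream(seed), True),
    ]
    report = {"target": path, "passes": []}
    with open(path, "r+b") as fh:
        size = _target_size(fh)
        report["bytes"] = size
        for number, (label, make_source, must_verify) in enumerate(passes, 1):
            _fill(fh, size, make_source())                     # fresh source for the write
            verified = _verify(fh, size, make_source()) if must_verify else None
            report["passes"].append({"pass": number, "type": label, "verified": verified})
    report["all_verified"] = all(p["verified"] for p in report["passes"]
                                 if p["verified"] is not None)
    return report


def residue_present(path, needle):
    """Scan the raw bytes for `needle`, as a recovery tool would: a deleted or
    formatted file's contents stay findable until something overwrites them."""
    overlap, tail = len(needle) - 1, b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return False
            if needle in tail + chunk:
                return True
            tail = chunk[-overlap:] if overlap else b""


def demo():
    """Sanitize a small constructed disk image holding PHI_SAMPLE, in place."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "wb") as fh:
            fh.write(os.urandom(4096) + PHI_SAMPLE + os.urandom(4096))
        before = residue_present(path, b"Jane Q. Public")
        report = sanitize(path)
        after = residue_present(path, b"Jane Q. Public")
        return {"before": before, "report": report, "after": after}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Pointing `sanitize()` at a raw device node instead of a temp file is the real use; on a physical drive the returned report (target, byte count, per-pass verification results) is what goes into the disposal record, and a `False` in any `verified` field means the drive should be destroyed rather than resold.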


4/15/08: N&O sues Easley over records law

The News & Observer and nine other North Carolina news organizations sued Gov. Mike Easley on Monday over his administration's deletion of e-mail, which they say violates the state's Public Records Law. The news media coalition accuses Easley's administration of "the systematic deletion, destruction or concealment of e-mail messages sent from or received by the Governor's Office" in violation of the law, according to the lawsuit, which was filed in Wake County Superior Court. The practice was meant to stop North Carolinians from seeing information and records to which they are entitled, the suit alleges. The lawsuit also accuses the state Department of Cultural Resources, which oversees government records, of establishing an illegal policy permitting government workers to delete e-mail messages that they decide are of "short-term value" or "when they no longer have reference value to the sender or receiver." The Public Records Law, which trumps administrative policies, does not allow the destruction of public records for those purposes, the plaintiffs say. The lawsuit accuses Easley and his administration of failing in their legal duty to install adequate electronic storage systems to preserve public-record e-mails. And the lawsuit accuses Easley himself of violating the law last month by discarding a hand-written note from Carmen Hooker Odom, former state secretary of health and human services, concerning her views on the failure of state mental-health reforms her department implemented. In a meeting last week with several newspaper editors, Easley said Hooker Odom's letter was "a personal note" to him that "didn't have any news in it." "If it needed to be saved, I would have saved it -- if it had any kind of value to it at all," he said. Under the Public Records Law, that's not Easley's call, the news organizations argue. Hooker Odom's note concerned public business and therefore was a public record, so destroying it was illegal, they say. 
They say that based on Easley's other public statements, the governor probably has discarded additional public records. The news organizations seek a judge's ruling that Easley and his administration's policies violated the law and will follow it in the future. The media groups also seek reimbursement of their legal expenses in pursuing the lawsuit, as the law allows. "They are taking this step reluctantly after not getting any indication from Governor Easley that he is willing to admit that the law has been violated, or to fix the violations," said the lead attorney in the lawsuit, Hugh Stevens of Raleigh. Asked for comment Monday, Easley spokesman Seth Effron said, "We have not seen the lawsuit." Easley's term ends in January, likely before the case will end. But Stevens said he'll ask the courts to expedite it. And the result should give the next governor useful legal guidance, he said. "The issue of the scope of the governor's authority is never moot," Stevens said. The controversy arose last month as a result of an N&O series reporting on the failure of mental health reforms that the state enacted in 2001, during Easley's first year as governor. Days after the series ran, the Department of Health and Human Services, which implemented the reforms, fired its top spokeswoman, Debbie Crane. Franklin Freeman, Easley's senior assistant for governmental affairs, said he ordered Crane fired in part for dissuading Hooker Odom from giving the N&O an interview on the subject. The day Crane was fired, she told the N&O that Easley's press officials had told subordinates to destroy e-mail messages to the Governor's Office daily as a way to evade the Public Records Law. At first the Governor's Office denied the charge, but the administration later produced notes from two other agency spokespeople that support Crane's assertion. 
Their records from a meeting with other public information officers last May, led by Easley press secretary Renee Hoffman, included notes to delete e-mail messages to and from the governor's office every day. In last week's meeting with newspaper editors, Easley said Hoffman's deletion instruction "never should have happened." But the governor said that everyone involved followed the administration's policy to save important e-mail anyway. Easley defended the policy that allows employees to discard official e-mails and written documents if they decide the communication holds no lasting "administrative value." "Everything doesn't get saved," he said. "We've got two rules: One, if it's of administrative value, save it. Two, if it's of no value, you have the option to delete it or save it, whatever you want to do. But you're not required by law to." The Public Records Law, however, says that, with some exceptions, all government e-mail concerning public business is a public record, and must be retained and provided upon request. Easley said last week that he hopes a commission he appointed to study e-mail retention will develop a clearer policy. "People who work for the state are very honest, and they try to do the right thing," he said. "But they need to know what that is, and the guidelines are going to have to be much more specific."


4/14/08: Parents Weigh Day-Care Options Online

A new mother, Poli Marinova set out to find the best possible day-care provider for her infant son. She had little trouble finding a list of nearby caregivers, but she discovered there was no easy way to check their track records in Maryland. Then a friend sent her a link to an online system in Virginia, where she could view inspections and complaints. "You could look back over a number of years and see if there was anything major," said Marinova, 30, who settled on a day-care center near her Alexandria office. "That was very important to me." At a time when many parents worry about safety in child care, a growing number of states have launched online record systems that bring a new layer of accountability into day-care decision making. Locally, Virginia's online system will be matched soon by similar initiatives in the District and Maryland. Experts laud the improved access to public records for both day-care centers and home day-care operators, which they say is vital for parents, but many suggest that it will also take other changes to make the nation's day-care system safer. Many states need to conduct more inspections and tighten licensing standards, they say. "We totally believe parents should have access and that it should be online and readily available," said Linda K. Smith, executive director of the National Association of Child Care Resource & Referral Agencies. Still, the online system would be improved by better monitoring, Smith said. Otherwise, she said, "what parents see online is not going to be the full picture." A study by researchers at Wellesley College that focused on Broward County, Fla., found that the Internet system alone improved the quality of child care at centers serving low-income children. The study also found that inspectors produced more detailed critiques, in greater number. "I definitely think it's valuable," said sociologist Julia Wrigley of the City University of New York, who has studied child-care fatalities. 
"I think very often inspection reports are buried in state files, and few parents understand they can have access to them." At least 17 states have posted inspection reports, full or in part, online. In Virginia, where child-care inspection records went online in 2005 through the Department of Social Services, many parents say they take note of the infractions: an unlocked medicine cabinet, missing baby gates, lack of soap in a bathroom, caregivers found reading magazines or talking on cellphones. In one case, children were found restrained by snap belts and cords. In another, a child was forgotten in the back of a vehicle. After each violation is a notation about what corrective action is to be taken. "Parents need all the information they can get," said Karen Metivier-Carreiro, 44, a mother of two in Fairfax County. "You can get more information about buying a car than you can about who is caring for your children." The online system, she said, "helps make people more accountable, and it also gives parents some leverage." Parents can better advocate for improvements or changes if they have a sense of history, Metivier-Carreiro said. Tracy Frost, 34, a mother in Alexandria, used the online system when she was first shopping for day care -- and ruled out several possible caregivers after reading about their infractions. "Some of them seemed too serious or very repetitive," she recalled. When she did choose a provider, she discussed with her the kinds of problems the woman had been cited for before signing her child up. Even now, with her daughter happily situated with a new caregiver, "I go back periodically and check it," Frost said. Some parents point out that the online system is especially useful because it allows them to check on safety without making an issue of it. The day-care world is a competitive place, they say, with years-long waiting lists at some places and a premium on spots for infants. 
Julie Bindeman Belgard, 30, of Rockville said that when she was expecting her first child, she found a day-care provider she liked, and they agreed that her baby would get a spot. But Belgard also let her know she wanted to check the provider's record with the state, which took three to four weeks. When she contacted the provider again, her son's spot was gone. "My feeling was that she was a little put off by the background check," Belgard said. Among child-care providers, reaction to the online system has been mixed. Jim Kendzel, executive director of the National Child Care Association, which represents licensed centers, said the group does not oppose online records posting but urges states to also post responses from providers and a weighting factor "so the parent understands what is critical and what isn't." "We totally believe in transparency for the parent, but if they're going to put the information online, let them see the whole picture," Kendzel said. Monica Jackson, president of the Virginia Alliance of Family Child Care Associations, described the online system as "just another opportunity for us to do the best that we can" and noted that providers already post their most recent inspection reports in their day-care homes. "It's tying in very well with the states trying to push programs to support children's development," she said. Child-care experts say that many parents are surprisingly uninformed about how child-care is monitored. Twenty-one states inspect home-based day-care operations less than once a year -- or not at all, Smith said. A majority of states allow home day-care providers to go without a license, and still others allow such businesses to open before an inspector checks the premises, Smith said. Until the online system is working in Maryland -- later this year or early next -- parents must write letters to request information about complaints and violations. 
In Montgomery County, several parents said they were told to file Freedom of Information Act requests. In the District, the system is expected to be in place before Oct. 1, officials said. In the meantime, parents can inquire about inspections and complaints by telephone, letter or in person at the D.C. Health Regulation and Licensing Administration office. Jeanne Woodbridge, 38, of Gaithersburg said the new systems will be a welcome improvement. She recalled that when she searched for child care in 2004, it seemed impractical and cumbersome to write letters for records about potential providers. An online system, she said, "would give you a peace of mind about where you're placing your child and where they're going to be for seven, eight or nine hours a day."


4/13/08: EMRs Raise Medical ID Theft Concerns

Currently, medical identity theft makes up only a small portion of identity theft crimes, but as states, nations, and the marketplace move toward electronic medical records (EMRs), privacy experts worry that instances of medical identity theft will rise considerably, says a Star-Telegram report. And although most states have breach laws that mandate disclosure of financial data loss, it is unclear how medical record breaches would apply under these laws. U.S. News and World Report writer Michelle Andrews unravels the challenges and offers tips for recovering from medical identity theft.


4/12/08: Lost Laptop At Pfizer Puts Employee Data At Risk

Pharmaceutical firm Pfizer disclosed that a password-protected laptop computer stolen from a contractor in February contained personally-identifiable information for about 800 employees, according to TheDay.com. The report adds a new chapter to the company's data breach trouble; in 2007 the company experienced four data breaches that exposed personal data for more than 52,000 people. Commenting on the event, Connecticut Attorney General Richard Blumenthal said "The latest security breach again raises questions as to why any company would leave sensitive information on laptops. We will be discussing very seriously with Pfizer how to avoid incidents in the future."


4/11/08: Health Info Of 71,000 Georgia Families Exposed

The health insurance information of 71,000 Georgia families enrolled in insurance programs for the poor was left exposed on the Internet for a number of days, and may have been viewed by unauthorized parties, the Atlanta Journal Constitution reports. The families involved were enrolled in insurance programs by WellCare Health Plans Inc., a Tampa, Fla.-based firm. A spokesperson for the firm said the information was exposed for an unknown period before being removed on April 2. The state of Georgia was notified of the error on March 31.


4/8/08: Governor says his medical records were accessed

SACRAMENTO -- Gov. Arnold Schwarzenegger said this morning that the snooping into his wife's medical records by an unauthorized UCLA Medical Center employee follows a long history of such intrusions on California's first couple. "I have been a victim of this in my own hospital visits," Schwarzenegger said at a news conference to promote volunteerism, "if it was for heart surgery or hip surgery, shoulder surgery, all of those things." Every time he has left an operating room, the governor said, he has been told there were "people going through your file that had white coats on. Obviously, they snuck into the hospital. They had nothing to do with the hospital staff at all. So those things happen." The Times reported in today's paper that California first lady Maria Shriver and 1970s TV icon Farrah Fawcett were among 32 celebrities, politicians and other high-profile patients at UCLA Medical Center whose files were improperly viewed by an employee. Schwarzenegger reiterated that his administration will push hospitals to implement new safeguards to stop such snooping. "It is not just UCLA," he said. "This kind of thing has been happening all over the state, wherever there are celebrities involved. . . . Everyone's medical history ought to be protected. That is the responsibility of the hospital. So we are going to work with them and find a way."


4/7/08: Social Security numbers found despite purges

AUSTIN — After the Texas Secretary of State's Office spent more than a quarter of a million dollars to remove Social Security numbers from business and financial documents posted online, an anti-fraud businessman said it took him just a few minutes to find documents that still appeared to have such numbers. "My belief is that if there's one or three, in this case, there are more, and probably many more," said SellitSAFE.com president Steven D. Peisner, whose business is to protect companies from fraud related to identity theft and who last year raised an alarm about personal information on the Texas site. "There's no way I just found the only three that they forgot," Peisner said. Scott Haywood, spokesman for Secretary of State Phil Wilson, said the numbers discovered by Peisner were removed after the state learned of them. "We're dealing with millions of files. We knew there would be some that would probably slip through the cracks," Haywood said. "We are going to do everything we can to make sure those are minimized." Documents posted on the state's "SOSDirect" site include corporation filings, federal tax liens, trademarks and limited partnership filings, among others. Peisner found the three documents containing the numbers after being contacted by a reporter concerning the state office's efforts to secure the information. As it happens, the documents appear to be fraudulent filings, Haywood said, but there was still a big enough concern on the state's part to remove the numbers.

A duty to protect

Concern over personal information on documents posted online by the state bubbled up last summer, when Peisner found what appeared to be Troy Aikman's Social Security number on one. That number was quickly removed, but Peisner highlighted his find to illustrate the problem. "It's dangerous because it gives people ... 
the ability to search and find our personally identifiable information that we as consumers believe is secure and that I believe our government has a higher duty to protect," Peisner said. "I could take this information and I could apply for a credit card. I could apply for a loan." Even before Peisner's Aikman discovery last year, the secretary of state's office had started to remove Social Security numbers from posted documents, Haywood said. The project was completed last fall, he said. To help in the effort, the state contracted with Mobilis Technologies LLC of Houston, he said. Of 25 million documents on the site, the state office forwarded to the company 6.3 million that had the potential to include Social Security numbers. The secretary of state's office paid the company $272,000 — money generated by records-usage fees — for the work. Mobilis got the job without a competitive bid because the company already was working on the state's system and was knowledgeable about it, Haywood said. "It's money well spent because we're protecting Texans' private information, and we're making an aggressive effort to make sure that kind of information isn't made publicly available," Haywood said.

Being cost-effective

Jack Hanson, president of Mobilis Technologies, said the company's familiarity with the system meant it could perform the work in a more cost-effective manner. "When you are reviewing millions upon millions of documents, there are going to be numbers that slip through the cracks," he said, noting that the need for precision was weighed against what would have been a cost-prohibitive triple-verification system to improve on the 98 percent accuracy requirement. He said any numbers that are discovered to remain on the documents "can be immediately redacted as soon as they're identified." The three documents found by Peisner were among those sent to Mobilis, Haywood said. 
In addition to the work by Mobilis, the secretary of state's staff in 2005 began removing Social Security numbers from public documents as they were filed with the office. They also allowed people to contact the secretary of state's office to speed up removal of the information from already-posted documents. The numbers aren't required, but some people have included them in filings anyway. As of early February, 531,704 Uniform Commercial Code documents and 248,130 corporate documents had been reviewed and possible Social Security numbers had been removed, including work done by Mobilis and state staff, Haywood said. Although Peisner questioned the thoroughness of the job, he gave the secretary of state credit for mounting the effort and said his greatest concern is for counties, which vary in their efforts to remove such information online. "The state set a great example," Peisner said. "Now the counties should follow." Harris County only has document indexes on its Web site, not actual documents, which people must come to the office to see, said Chief Deputy Kevin Mauzy in Harris County Clerk Beverly Kaufman's office. A primary reason, Mauzy said, is that "Mrs. Kaufman was concerned with putting personal information out there. We've held back on doing that."


3/26/08: NIH Laptop Theft Exposes Data

A laptop containing medical test results for 2,500 patients was stolen from the car trunk of a National Institutes of Health (NIH) employee, exposing the names, birth dates and unencrypted test results of participants in a heart imaging study. The Baltimore Sun reports it is the third federal agency in recent months dealing with the breach of sensitive information due in part to its failure to encrypt laptop computers. The theft occurred February 23. Patients were alerted to the breach last week. Rep. Bart Stupak, chairman of the House Subcommittee on Oversight and Investigations said, "The theft of a government laptop from an NIH employee and subsequent mishandling of the situation raises serious questions about the agency's commitment to data security."


3/14/08: The imposter in the ER

Katrina Brooke felt well prepared for the birth of her son, Andrew, three Aprils ago. The only complication was her Caesarean section; otherwise, everything went smoothly. After three days in the hospital, Brooke returned to her home outside of Seattle to recover and enjoy her baby boy. Three weeks later, as Brooke stood in her kitchen opening mail, she found a curious $94 bill from a local health clinic, a place neither she nor her husband had ever heard of. Stranger still, the notice was addressed to her newborn son: Andrew had apparently visited the clinic and been prescribed the painkiller OxyContin for a work-related back injury. It seemed like a simple clerical error at first — one that might even have been funny, considering the only labor Andrew had been involved in was his own birth. But the more Brooke scrutinized the letter, the more concerned she grew. Andrew’s middle name was on the bill, and no one knew the baby’s full name but a handful of friends and family — as well as the hospital, where she had filed the paperwork for Andrew’s birth certificate, which included their family’s home address and Social Security numbers and Brooke’s maiden name. A call to the clinic confirmed that a mystery man had used their child’s newly minted identity to obtain health care only one week after Andrew was born. The Brookes had become victims of a crime they’d never heard of: medical identity theft. “People aren’t aware of this unless it happens to them,” Brooke says. “When you first get the bill, you’re confused. Then when you delve into it, you think, What other information do they have? What else is going to happen to us now? At that point, it was scary.” Luckily for the Brookes, the clinic agreed to waive its charges. But for many victims, the crime doesn’t surface until unthinkable damage has been done. The worst case: insurance maxed out to its lifetime limit, years spent untangling paper trails, and medical records permanently altered. 
Unlike a stolen credit card or savings account number, this kind of identity theft could be life-threatening. Imagine what could happen if someone else’s medical history was injected into your records: You could arrive at an ER and be given the wrong type of blood or be refused medication because your file says you are allergic. And because mistakes in medical records can be notoriously hard to expunge, you could spend years convincing doctors you weren’t actually diagnosed with the diseases, mental illness or substance-abuse problems appearing in your file. According to a recent survey by the Federal Trade Commission (FTC), 3 percent of U.S. identity-crime victims had someone use their personal information — a Social Security number, an insurance policy ID, even a mere driver’s license — to obtain medical services or to profit from filing false claims in their name. That means nearly 250,000 Americans may be victims each year. For an increasing number of career criminals, health care workers and consumers struggling to keep up with bills, the lure of medical identity theft is too great to resist, notes Chris Dorn, a fraud expert with Ingenix, a health care fraud investigation firm in Eden Prairie, Minnesota. “The overall cost of health care has risen so much that it has become a valuable commodity,” Dorn says. “Any time you have 47 million Americans without adequate health care coverage, you will have people out there willing to steal it.”

The stakes are high

It took one phone call to make Anndorie Sachs, a mother of four in Salt Lake City, aware of how serious medical identity theft has become. She says that in April 2006, a Utah social worker notified her that her newborn had tested positive for methamphetamines — as a result, the state planned to take away all of her children. 
In fact Sachs, then 27, hadn’t been pregnant in more than two years; her stolen driver’s license had ended up in the hands of Dorothy Bell Moran, a meth user who gave birth using Sachs’s name. After a tense few days of phone calls with child services, Sachs was allowed to keep her kids. She then hired a lawyer to sort out the damage to her legal and medical records, and figured her worries were over. Months later, when Sachs suffered a kidney infection, she was careful to avoid the hospital where Moran had used her identity. It didn’t matter: The thief’s records had circulated electronically and intermingled with her own. Moran’s emergency contact number was listed in Sachs’s file, and there may have been other mistakes, such as the thief’s blood type. Sachs — who has a blood-clotting disorder and for whom the wrong medication could be disastrous — was savvy enough to alert the hospital staff, who straightened out her charts before making a critical error. “Had [Moran’s] baby not tested positive for drugs, I wouldn’t have known anything about it,” Sachs says. “I have a hard time believing that everything is back the way it was before. It’s terrifying to think about.” Consider the number of people who see your personal information when you become sick. “There are so many players,” says Robert Gellman, a privacy consultant and attorney in Washington, D.C. “Doctors, hospitals, pharmacies, labs, insurance companies — any single medical treatment can involve a half dozen entities.” To turn your life upside down, it takes only one person at one of those places willing to use her access as an opportunity for exploitation. In Florida, an office coordinator at the Cleveland Clinic in Weston printed out 1,100 patient records, then sold them to her cousin for $5 to $10 per patient, according to an FBI agent involved in the case. 
The World Privacy Forum, a nonprofit research group in San Diego, reports that prosecutors in New York, California and Florida have uncovered a technique that would make Tony Soprano proud: “clinic takeovers,” in which criminals buy a health care center, steal information from it to file false insurance claims, and then shut the whole thing down before anyone catches on. It’s not just professional crooks working the system. In Miami, physicians sold their medical licenses and provider numbers to a clinic that racked up $6.5 million in false claims. A Boston-area psychiatrist altered records of his patients and their families to reflect sessions and diagnoses they didn’t have, then billed insurance companies for treatment he never provided. Then there are victims like Joanne Lomax of Philadelphia, a 32-year-old package handler who was surprised when her insurance rejected her claim for a $189 gynecological visit. She was even more stunned to learn why — only one annual checkup was covered, and another woman had already used Lomax’s name to pay for her own exam. As Lomax learned, your insurance card isn’t just something you dust off for doctor’s appointments — in the hands of a thief, it becomes a credit card, a PIN and a license to spend. FTC numbers suggest that medical identity crimes may cost the U.S. economy $468 million per year. “This crime is so insidious,” warns Pam Dixon, founder and executive director of the World Privacy Forum. “It affects more people than you realize — and the stakes are as high as they can get.”

Regaining control of identity

On Christmas Day in 2003, Jo-Ann Davis pulled out of a gas station near Pittsburgh without realizing she’d left her wallet on the roof of her car. She hoped she could minimize the damage by quickly canceling her credit cards. 
But her insurance card was in the wallet, too. Before her identity thief was caught, she had used Davis’s information nearly 40 times, racking up almost $14,000 in prescription meds and treatment in Pennsylvania and Ohio. For the next four months, regaining control of her identity became a second job for Davis, a 42-year-old veterinary nurse. She exchanged faxes and phone calls with her insurer and fended off bill collectors. She says the police investigated her to make sure she wasn’t a conspirator. And then came the day she stopped by her pharmacy to pick up her migraine medication. When a well-meaning clerk noticed her account was flagged and called the police, Davis was nearly arrested. “I don’t think my insurance company realized the magnitude of this,” says Davis, who eventually convinced the cops she wasn’t her impostor. “You don’t know how long this is going to go on.” The unsettling reality is that it’s far easier to safeguard your financial well-being than records that could affect your physical health. “On the medical side, we’re at the same stage as we were 10 years ago with financial identity theft,” Gellman says. Three credit bureaus serve as centralized gatekeepers to your financial records; it takes mere minutes to download a free annual credit report. It could take years to track down the hundreds of records compiled by every medical provider you’ve ever used. And after you’ve found them, some providers charge hundreds of dollars to copy all the pages. Complicating matters is the federal regulation designed to protect your medical privacy — the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. In theory, the rule provides access to your medical records and the ability to correct mistakes. But in practice, when patients challenge the accuracy of their files, insurance companies and physicians are often loath to delete information, preferring to red-flag the items in question. 
No one is compelled to amend records they didn’t create, so if an M.D. submitted a claim to your insurance based on an identity thief’s scam, the insurer is not required to correct it as long as the doctor is still in business. “There’s a tendency among medical professionals to be suspicious of why you need to make changes,” says Adam Levin, chairman of Identity Theft 911, a crisis-resolution firm in Scottsdale, Arizona. Worse yet, once someone else’s history is entangled with yours, health care providers will sometimes prevent you from seeing that information, for fear of violating the thief’s privacy rights under HIPAA. When Sachs asked to see her records at the hospital where the impostor had given birth under her name, officials refused, saying the records were no longer technically hers. “The hospital said they’re not the police — they’re in the business of trusting people,” she recalls.

‘You have to be persistent’

The costly, time-consuming investigation of these crimes often falls on the victim’s shoulders. “To say there’s little recourse for these folks would be an understatement,” Dixon says. Brooke and her husband had to go to two stations before police agreed to look into the matter; at the time in Washington, some medical ID theft was treated as a property crime, akin to a stolen iPod or car break-in on the police priority scale. On the federal level, the FTC logs complaints but doesn’t have the authority to pursue them. The U.S. Department of Health and Human Services is the agency to contact if you’re denied access to your medical records. Although every insurance company has its own investigators, victims may be made to feel they aren’t a priority, says Byron Hollis, managing director of the Blue Cross and Blue Shield Association’s national antifraud department in Washington, D.C. “There are a lot of different kinds of fraud, and medical ID theft is a small subsection of that.
So the consumer may feel, when they first call, that it’s the most important thing to them, but the person they’re talking to may have 20 to 40 cases of other kinds of fraud they’re working on. You have to be persistent.” Thirty-nine states have laws requiring companies to alert you when a security breach compromises your personal information, but not all of the laws specifically protect medical information. A California law that took effect in January took that step, and other states may follow. But lawmakers have made little headway on fixing federal laws so that they affirm the victim’s right to clear corrupted medical records. Meanwhile, there’s an Orwellian scenario keeping privacy advocates up at night: The government is moving forward with plans to create an online records locator called the Nationwide Health Information Network, designed to help physicians share records. Its upside is that doctors would have nearly instantaneous access to your health history in an emergency, no matter where you are. On the other hand, millions of health care workers — and potential criminals — could be a mouse-click away from those same records. With so little standing between your health information and the con artists who covet it, the future of medical identity theft might get worse before it gets better. But as more victims step forward, more legislators will be pressured to take action. In Washington, the story of the Brookes and their son, who may be the youngest identity-theft victim in the country, helped inspire a measure now making identity theft a priority for law enforcement across the state. Two-year-old Andrew was sitting on the lap of Governor Christine Gregoire as she signed the law. “At least one good thing came out of it,” Brooke says. “When you’re affected by this crime, you want to see things change. I’d like to see other states pass similar laws. This is just the beginning.”


2/29/08: Laptop with Secret Info Sold on eBay

A British computer repair technician says he found highly confidential government data on a disc inside a laptop purchased over eBay. Lee Bevan, managing director of Leapfrog Computers near Bolton, said a customer brought a laptop into the repair shop and "in between the keyboard and the circuit board we found a CD that said, 'Home Office, highly confidential.'" Bevan said he called the police and officers from the Counter Terror Command took the equipment, Sky News reported. The incident follows a number of embarrassing losses of information by government departments in recent months with personal information on millions of Britons missing.


3/3/08: Computer in Dumpster Contains Personal Data

An article by Tom Kenny of WTVQ in Lexington, KY on February 19th describes how a computer pulled from a Dumpster yielded a detailed picture of its previous owner. The machine still held e-mail messages; the name, age and birth date of an individual, presumably the owner; personal letters, including an individual's name and address; and a record of what the user had looked at on the Internet, which ranged from instant messaging to pornography.


2/29/08: 100,000 Docs' IDs At Risk Following Breach

Wisconsin's WEAU television news team reports that more than 100,000 doctors in 10 states have had their Social Security numbers exposed as a result of an erroneous Web posting by California-based Health Net Federal Services, a health insurance firm that works primarily with military families and veterans. The breach occurred in December of 2007 and was disclosed this week. The breach was rectified, and in a statement to the station Health Net in part said, "Unfortunately, in late December 2007, we were notified of potential vulnerability for us that provider data was accessible through our Web site that included Social Security numbers of a limited group of network and non-network providers."


2/22/08: DOT clerk arrested on identity fraud charges

A Georgia Department of Transportation employee was arrested Thursday on charges she stole $20,000 by using the identities of people who bought permits from the agency. Dnez Bracy, 21, of Union City, and five other accomplices are facing identity fraud charges, GBI spokesman John Bankhead said. Bracy was fired Thursday from her job as a clerk in DOT's permits office, where she had worked since April, agency spokeswoman Karlene Barron said. GBI began investigating the case in January and discovered an identity theft ring that involved the five others and $200,000 in fraudulent charges, Bankhead said. The others arrested were: Qwan Boykin, 30; Shuna Hutchins, 27; Jimia Ragin, 28; Verique Johnson, 30; and Robert Smith, 29. All are believed to be metro Atlanta residents. Bracy is accused of taking $20,000 in the names of 55 DOT customers, Barron said. Her job was to take payments for truck permits for oversize or overweight loads, such as mobile homes and large equipment.


2/11/08: 30,000 health plan members' info on stolen laptop

A laptop computer stolen in early January contained personal information about 30,000 members of Fallon Community Health Plan (FCHP), according to an article in the January 25 Worcester Telegram & Gazette. FCHP, the fourth largest HMO in Massachusetts, told the newspaper that the laptop at a vendor office in Boston contained the names, dates of birth, and Social Security numbers of approximately 30% of its members. The data analysis company, which FCHP declined to identify, originally told the HMO that the stolen laptop contained encrypted information about approximately 150 members, the newspaper reported. However, FCHP later concluded, with the assistance of a forensic technologist, that the laptop was not password-protected in accordance with company policy and that it contained personal information about additional members. FCHP told the newspaper that it has mailed letters to 29,800 members affected by the breach in Worcester, Middlesex, Norfolk, Hampden, and Hampshire counties and has offered free credit monitoring service for 12 months. Savvy criminals know the value of stolen financial information, Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, told the newspaper. Data breaches have exposed more than 215 million records since 2005, she said. Givens described credit monitoring services as the standard response from those responsible for data breaches, but she said that these services don't protect consumers when thieves use the stolen data to register a motor vehicle, file a civil lawsuit, or register a firearm.


1/18/08: 230 retailers affected by data breach

A backup tape containing credit-card information from hundreds of U.S. retailers is missing, forcing the company responsible for the data to warn customers that they may become the targets of data fraud. GE Money, which manages in-store credit-card programs for the majority of U.S. retailers, first realized that the tape was missing from an Iron Mountain secure storage facility in October, said Richard Jones, a company spokesman. "We were informed that one of the tapes could not be located. But at the same time there was no record of it ever having been checked out," he said. The tape contained in-store credit-card information on 650,000 retail customers, including those of J.C. Penney, he said. GE Money employees are also affected by the breach. The missing backup tape was unencrypted. Although J.C. Penney was the only company that Jones would confirm as affected by the missing tape, that retailer accounts for just a small percentage of all accounts that were compromised. In total, 230 retailers are affected by the breach. "Clearly that number includes many of the national retail organizations," he said. The tape also contained Social Security numbers of 150,000 customers. When matched with name and address information, Social Security numbers can be used to set up fraudulent credit-card accounts, a common form of identity theft. Jones said that following a GE Money investigation, there is no evidence that the tape in question has been stolen or that the data it contained was misused. After reconstructing the data that was on the missing tape, GE Money began sending out letters to those affected by the breach in December. The company has set up a toll-free number and is offering one year of free credit monitoring services to those affected by the breach. In 2006, retailer TJ Maxx discovered that thieves had broken into its computer networks, stealing an estimated 94 million credit- and debit-card numbers. Costs related to that breach are expected to be in the hundreds of millions of dollars. GE Money is a division of General Electric.


12/31/07: Stolen laptop has data for hundreds of Minnesotans

Names, Social Security numbers and other personal information for 219 Minnesotans licensed by the state Department of Commerce are on a laptop computer reported stolen more than three weeks ago. Commerce Department officials said Friday that the computer belonging to a vendor went missing Dec. 6 in Philadelphia. The vendor, Promissor Corp., notified police of the apparent theft but waited until Dec. 21 to tell the Minnesota agency, a state spokesman said. The department uses the company to manage licensing data for the real estate, mortgage and debt collection industries in Minnesota. According to the Minnesota department, the data was stored on an employee's computer hard drive, which was protected by a password but lacked more sophisticated encryption. Commerce Department spokesman Bill Walsh said the agency didn't know the full extent of the missing data on Minnesotans until Friday. "We're very concerned about the delay, and we're looking into whether they followed our state laws disclosing the information," Walsh said. The agency is working to notify people whose sensitive data could be compromised. The company is offering to pay for a credit-watch monitoring service for the affected people. State officials were told the computer contains information for a total of 257 people, including some living in Alabama, Arizona, Georgia, Illinois, Iowa, Kansas, Missouri, North Dakota, Ohio, South Dakota and Wisconsin.


12/27/07: Dumpster-diving for e-data

Dumpster-diving -- going through trash bins in hopes of finding paper records with valuable information like customer names or future product plans -- is alive and well in the age of USB flash drives and portable music players. Every user who throws away (or loses) a keychain-size flash drive could be unintentionally leaking critical information to a competitor. Any of the tens of millions of desktop and notebook computers disposed of each year in landfills, junkyards and yard sales could be a rich trove of corporate data left on a hard drive by lazy users or IT departments. Dumpster-diving remains "an extremely effective way of gathering a lot of information quickly," says Dennis Szerszen, senior vice president at patch management and security software vendor PatchLink Corp. "It's become even more of a threat with the added dynamic that removable media brings to the table." But any IT manager who lets sensitive data get out the door into the trash can -- or anywhere else PCs or mobile devices are disposed of -- has only himself to blame. Tools ranging from low-cost or free disk-wiping software to low-cost encryption and more-expensive "disintegration" machines for disk drives are available for any IT manager with the will and awareness to use them.

Risk Factors

"Dumpster-diving" originally referred to going through the trash looking for paper records that might hold valuable information such as customer names, product plans or budget projections. Paper records still pose a challenge, of course. As an estimated 50 million or more PCs, notebooks and servers are disposed of each year, the information they hold also poses a new and growing risk for their former owners. New portable storage devices, such as USB flash drives and portable music players, can store gigabytes of data and make it easier for a disgruntled insider to download and walk out the door with sensitive information.
Moreover, handheld computing and communications devices such as BlackBerries and PDAs can, via e-mail, funnel sensitive data out of the organization -- or let viruses or other malware in. Converge Global Trading Exchange in Peabody, Mass., offers an IT asset disposal service called NextPhase. Chris Adam, director of NextPhase, says "the hot topic now is portable devices, BlackBerries and other PDAs, cell phones and even USB drives. We get requests all the time [asking] 'How do we secure those?'"

Lines of defense

The easiest, least expensive technology for protecting digital information is encryption. Observers say modern encryption software is inexpensive and easy to use and is capable of protecting virtually any organization against the theft of data on devices after they are disposed of -- or if they are lost or stolen. Among the vendors offering free or low-cost encryption are TrueCrypt Foundation, PGP Corp. and Voltage Security Inc., according to Paul Kocher, president and lead scientist at Cryptography Research Inc., a security consulting and technology licensing firm in San Francisco. "In a lot of cases organizations already have the software they need," he says, citing the BitLocker encryption included in some versions of Microsoft's Windows Vista operating system. "It's just a question of getting the configuration right and the policies right and training users." "Encryption," says Szerszen, "is far too available not to be making use of it." Kocher notes that modern notebooks and desktops are powerful enough that encryption won't significantly slow down other applications. The larger obstacle, he says, is that encryption creates "one more password for somebody to remember," and that the IT staff must create processes to recover encrypted data "if somebody loses their password or leaves" the organization.
Encryption is so widely available and easy to use that the loss of unprotected data "speaks loud words" about the IT policies of the company involved, says Neel Mehta, team leader of X-Force Advanced Research & Development at IBM Internet Security Systems. His group strongly recommends that its customers encrypt sensitive data wherever it resides, whether it's at rest on a hard drive or being transmitted over a private or public network. To prevent, or at least detect, insider data theft, many vendors offer software that can restrict the use of physical ports on a computer or even dictate what types of files they can download to which types of devices. USB-Defender from TriGeo Network Security Inc., for example, detects the insertion of devices such as flash drives into USB ports, captures details about the device and logs every file copied to or from the device, according to a company spokesman. Jeff Fuhler, information security officer at the Nevada Office of Veterans Services, uses Sanctuary device control software from PatchLink Corp. (formerly SecureWave) to protect sensitive information. Because Windows will automatically configure portable storage devices such as USB drives, allowing them to upload or download data, he has configured Sanctuary to deny access to such mobile storage devices except for users to whom he has specifically granted access. Credant Technologies Inc.'s Mobile Guardian provides server-based control over portable devices, enforcing policies covering areas such as what data can be transferred to or from the devices and the strength of the encryption and the passwords used on them. Mobile phones and PDAs such as BlackBerries also pose a risk because of their ability to receive and store e-mail. But observers say most of them support encryption and note that administration tools allow administrators to automatically deny access or even wipe the data from them if anyone repeatedly enters an incorrect user name or password.
End of life protection

After a device is disposed of, the Dumpster becomes the greatest risk. Depending on the sensitivity of the data on the drive, IT managers can rely on anything from low-cost manual processes and commercial software to physical destruction to be sure no data can be taken from a disposed-of device. As most IT managers know, simply reformatting a hard drive just erases the directory information that indicates where data is stored, but doesn't erase the data itself, says Kocher. A wide variety of tools, ranging from freeware and shareware to commercial software, do an effective job wiping data from hard drives. Just completely filling a drive with meaningless data does "a reasonably good job of erasing the content," says Kocher. Some organizations expose a disk drive (or magnetic tapes) to a strong magnetic field to scramble the magnetic orientation of the bits that store the actual data on the media, a process known as degaussing; this takes a purpose-built degausser rather than a hand-held magnet, and a degaussed hard drive cannot be reused. For data whose loss would be catastrophic, the ultimate step is to physically destroy the drive, including the magnetic platters that hold the data. NextPhase can reduce hard drive platters to fragments of a quarter inch or less
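The point Kocher makes above, that a reformat only clears the directory while a full overwrite clears the data, is easy to see on a simulated device. The following is an added example written for this page; it is not code from the article or from any vendor named in it. The "disk" is a bytearray of 512-byte sectors whose first four sectors act as a toy directory, the roster file is constructed sample data, and `carve()` plays the role of a recovery tool (or `strings | grep`) that ignores the directory and scans every byte.

```python
"""Simulated block device: a quick format clears the directory, not the data.

Added example (not from the article or any vendor it names). The "disk" is a
bytearray of 512-byte sectors whose first sectors act as a toy directory of
"name:start:length" lines; the roster in demo() is constructed sample data.
"""
import re
import secrets

SECTOR = 512
DIR_SECTORS = 4      # sectors 0-3: toy directory region
IMAGE_SECTORS = 64   # 32 KiB device, enough for the demonstration

# What a carving tool looks for when it ignores the filesystem: SSN-shaped strings.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


class DiskImage:
    """Minimal model of a raw block device."""

    def __init__(self, sectors: int = IMAGE_SECTORS) -> None:
        self.buf = bytearray(sectors * SECTOR)

    def write_file(self, name: str, data: bytes, start_sector: int) -> None:
        """Put the bytes in the data region and add a directory entry for them."""
        if start_sector < DIR_SECTORS:
            raise ValueError("data must not overlap the directory region")
        off = start_sector * SECTOR
        self.buf[off:off + len(data)] = data
        entry = f"{name}:{start_sector}:{len(data)}\n".encode()
        dir_end = DIR_SECTORS * SECTOR
        free = self.buf.find(b"\x00", 0, dir_end)   # first unused directory byte
        if free < 0 or free + len(entry) > dir_end:
            raise OSError("directory region full")
        self.buf[free:free + len(entry)] = entry

    def list_files(self) -> list:
        """What a filesystem driver reports: only what the directory says exists."""
        raw = bytes(self.buf[:DIR_SECTORS * SECTOR]).split(b"\x00", 1)[0]
        return [line.split(":")[0] for line in raw.decode().splitlines() if line]

    def quick_format(self) -> None:
        """Zero the directory region only; every data sector is left intact."""
        self.buf[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)

    def overwrite(self, random_passes: int = 1) -> None:
        """Fill every sector with random data, then zero it so the wipe can be verified."""
        n = len(self.buf)
        for _ in range(random_passes):
            self.buf[:] = secrets.token_bytes(n)
        self.buf[:] = bytes(n)

    def verify_wiped(self) -> bool:
        """Read the whole device back; an unverified wipe is a hope, not a control."""
        return not any(self.buf)


def carve(image: DiskImage) -> list:
    """Ignore the directory and scan every byte, as a recovery tool does."""
    return [m.decode() for m in SSN_RE.findall(bytes(image.buf))]


def demo():
    """Return (files, carved SSNs) after each step so the difference is visible."""
    img = DiskImage()
    roster = b"name,ssn\nJ. Doe,123-45-6789\nA. Roe,987-65-4321\n"  # constructed
    img.write_file("roster.csv", roster, start_sector=8)
    before = (img.list_files(), carve(img))
    img.quick_format()
    after_format = (img.list_files(), carve(img))   # directory empty, SSNs still there
    img.overwrite()
    after_wipe = (img.list_files(), carve(img), img.verify_wiped())
    return before, after_format, after_wipe


if __name__ == "__main__":
    for label, state in zip(("fresh", "quick format", "overwrite"), demo()):
        print(f"{label:13s} files={state[0]} carved={state[1]}")
```

On a real magnetic drive the overwrite step is `dd`/`shred` against the whole block device followed by reading it back, which is the check the `verify_wiped()` call stands in for. Two caveats a practitioner should add to the article's advice: a host-side overwrite does not reach blocks that a flash drive or SSD has remapped, so for flash media use the drive's own sanitize command or, better, encrypt it from the first day and destroy the key; and a directory-only "quick format" is exactly what a typical OS format does by default, so it must never be the disposal step.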