Update on Adobe Attack: Millions More Victims

Check out the latest from Debra Diener, courtesy of Privacy Made Simple.

Back on October 4th and 7th, I wrote about the hackers who had gotten into the Adobe customer files (see “Top 5 Things to Know About Adobe Hacking” and “Alert! Adobe Hacking Update”).

When the breach was first reported, Brad Arkin, Adobe’s Chief Security Officer, estimated there were around 2.9 million Adobe customers whose Adobe IDs, names, encrypted passwords, encrypted credit and/or debit card numbers (and expiration dates) along with order details had been hacked. That now seems like a vastly underestimated number.

Anna Brading just reported that the final number is 38 million active Adobe customers (see nakedsecurity.sophos.com, “Adobe breach THIRTEEN times worse than thought”). Ms. Brading’s report is based on an announcement by Heather Edell, an Adobe spokesperson. In her announcement, Ms. Edell says that Adobe has finished its investigation during which it identified the 38 million Adobe customers with active accounts who were affected. Ms. Edell says those customers have already been contacted and that Adobe is now investigating whether any inactive Adobe customer accounts were hacked.

This is a “heads up” to Adobe customers — keep an eye on your credit and debit card bills and other financial account statements.  Remember to change passwords and don’t use the same one for multiple accounts.  Do check the Adobe website for further updates.

Biggest Data Security Threats Come From Inside

PCWorld shared details about a new report showing that “insiders” are the top source of breaches over the last 12 months: 36% of breaches result from “inadvertent misuse of data by employees.” The article goes on to say that, “Obviously, the issue here is ignorance” due to lack of proper training on how to remain secure at work. Additionally, businesses must be able to see what’s happening with their networks; they must pay attention to what’s happening within the company and going out, as well as what’s happening outside the company and coming in.

Bottom line: People need guidance, prevention is key, and patients must have a way to see who has accessed their information and when it’s been disclosed. (Read more about PPR’s comments on Accounting of Disclosures here.)

Read the full article here.

Experts name top 7 trends in health information privacy for 2011

A panel of healthcare experts representing privacy, trends, technology, regulatory, data breach and governance have identified the top seven trends in healthcare information privacy for 2011.

The experts suggest that as health information exchanges take form, millions of patient records – soon to be available as digital files – will lead to potential unauthorized access, violation of new data breach laws and exposure to the threat of medical and financial identity theft.

“Endemic failure to keep pace with best practices and advancing technology has resulted in antiquated data security, governance, policy plaguing in the healthcare industry,” said Larry Ponemon, chairman and founder, Ponemon Institute.

“Millions of patients are at risk for medical and financial identity fraud due to inadequate information security,” he said. “Information security in the healthcare industry is at the fulcrum of economic, technological, and regulatory influence and, to date, it has not demonstrated an ability to adapt to meet the resulting challenges – but it must. The reputation and well-being of those organizations upon which we rely to practice the healing arts depends on it,” he said…

Steady Bleed: State of HealthCare Data Breaches — Comments

Comments on Information Week Article: Steady Bleed: State of HealthCare Data Breaches

This is a very ominous story. As every state rushes to connect offices and hospitals with weak security and privacy together to exchange data, the federal government is giving doctors and hospitals tens-to-hundreds of thousands of dollars to install electronic health records that also lack ironclad security and also prevent patients from controlling their records. Hooking systems of ‘weak links’ to thousands of new systems that are also ‘weak links’ is a prescription for disaster.

Like the author, Patient Privacy Rights has been pointing out the abysmal state of health data security for years. What the author does not know is Congress LISTENED TO PATIENTS. Senator Snowe deserves credit for these consumer protections because she refused to allow the meaningful breach protections she crafted to be weakened. Powerful support by the bipartisan Coalition for Patient Privacy (see our letter to Congress) helped convince Congress to put Senator Snowe’s tough breach reporting and tough penalties into the stimulus bill. Perhaps now those who hold our sensitive health data will start to take security seriously.

What is really new in this story is FairWarning’s report about the very high monthly frequency of breaches in doctors’ offices and major hospitals in the US and across the world. The statistics from FairWarning show clearly that the number of breaches officially reported to HHS is just the tip of the iceberg. See quotes:

  • 200-bed hospital with a few small clinics, Rurally based: 24 confirmed incidents [breaches] per month.
  • U.S. based physician practice with 20 clinics metro and rurally dispersed: 29 confirmed incidents [breaches] per month.
  • UK based teaching hospital in major metropolitan area as well as rurally based facilities: 130 confirmed incidents [breaches] per month
  • Top 50 U.S. Health System with multiple affiliated hospitals and clinics – Based in a major metropolitan area: 125 confirmed incidents [breaches] per month.

You can see reported breaches to HHS affecting 500 or more here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Financial System vs. Healthcare System

The financial system is often lauded as being good at protecting Americans’ sensitive financial and demographic data, but the evidence is not so clear. Heartland had a massive breach of credit card data in its system of sponsored banks. In addition to the $12.6 million in costs, it will also have to pay to “implement end-to-end encryption when payment data is sent from the merchant to the processor”.

Will breaches of healthcare data cost any less? That is highly doubtful. The pain and exposure are far worse and there are NO remedies. The privacy of health data can never be recovered or restored. With identity theft you can eventually recover from the damage and restore your credit.

Plus it’s harder to protect electronic health data because there is SO MUCH MORE sensitive personal data than exists in financial systems. Payment and credit card data are just the start; everything is included in electronic health systems, from prescriptions to DNA.

And compared to the financial industry, the healthcare industry has millions more employees—of insurers, hospitals, pharmacies, data management and data warehousing corporations, HIT vendors, and even state and federal government agencies—who all have access to sensitive data.

See article “Heartland breach cost $12.6 million, CEO says”

Equipment losses still plague VA: GAO report — by Joseph Conn

This is a powerful story because the expert quoted points out that most organizations do not bother to account for lost or stolen equipment that costs less than $2,000. That means laptops and PDAs. Worse—these organizations have NO IDEA whose data was even on the mobile devices, so they cannot notify anyone! Makes you feel REALLY safe.

This should be highly relevant to Congress–as it drafts requirements for encrypting data and breach notification.

View Full Article