In response to the article on ITnews.com by Brett Winterford: Epsilon breach used four-month-old attack
Epsilon, the world’s largest email marketing service provider, did not act on four-month-old warnings that its systems were vulnerable to hackers trying to access its email deployment systems. Victims reported that not only email addresses but also phone numbers were stolen; some received hundreds of phone calls.
Everyone should now expect very sophisticated “spear-phishing” attacks via email, in which an attacker gets you to open a message (and its links or attachments) by pretending to know you, using details gathered from social media and from breaches like this one.
Some 2,500 global companies, including Citibank, trusted Epsilon with sensitive details about millions of us, their customers.
Hospitals, insurers, pharmacies, and many unknown third parties, corporations, and government agencies also hold databases containing the sensitive financial and health records of millions of Americans. Reports of health data breaches are soaring because securing data is very difficult and expensive.
Shouldn’t we demand that Congress and the federal government require and validate that all businesses holding health data have ironclad data security protections in place, BEFORE REQUIRING ever more data exchange, when we already know that healthcare systems are extremely vulnerable?
Shouldn’t health IT systems have ironclad security and require patient consent first? Shouldn’t the horse go before the cart?
Check out the latest proposed Federal Strategic Health IT Plan:
• It requires vast amounts of data sharing NOW for a myriad of “meaningful use” and other reporting requirements, without patient consent.
• We still can’t see who accessed or used our health data, because we can’t yet get audit trails of all disclosures, even though federal law (HITECH, 2009) requires data holders to give us, on request, an accounting of all disclosures made in the prior three years. This new consumer right and protection has not yet been implemented in regulations by HHS.
• See: ONC Announces open public comment period on the Federal Health IT Strategic Plan: 2011-2015
PPR will circulate comments for the Coalition for Patient Privacy to sign.