Henry Ford Health System Notifies 18,000+ Patients of Health Data Breach

On December 6, 2017, Henry Ford Health System (HFHS) disclosed that health information of 18,470 patients may have been viewed or stolen. HFHS became aware of the incident on October 3, 2017 after employee credentials were accessed or stolen. According to a statement published on HFHS’ website, Social Security numbers and credit card information were not revealed. Affected information may include a patient’s name, date of birth, date of service, medical record number, provider name, department name, location, and health insurer. HFHS has stated that it will issue new medical record numbers to patients upon request.

CFPB Stops Collecting Personal Information in Light of Cybersecurity Concerns

The Consumer Financial Protection Bureau, one of the watchdogs of the financial services industry, has announced through Acting Director Mick Mulvaney that it will no longer collect personal information of consumers, citing cybersecurity concerns and an effort to improve the CFPB’s cybersecurity program.

According to Mulvaney, the Inspector General’s report this year about the agency’s data security methods “scares me to death.” Therefore, he has halted the collection of personal information of consumers until the CFPB’s data security program is bolstered. He added that the agency’s previous leadership was also taking the report seriously.

This move should be comforting to consumers. More agencies and companies should evaluate whether they should halt collection of consumers’ personal information until their data security efforts are appropriate for the collection, maintenance, use and storage of personal information. If more entities did this, we wouldn’t need Have I Been Pwned?

Automated External Defibrillator Drones—Saving Lives One Flight at a Time

Drones have infiltrated almost all aspects of our lives. They have even infiltrated the medical world. One of the most useful ways drones have emerged in the medical world is as a vehicle for delivering automated external defibrillators (AEDs) to bystanders, who use them to save an individual who is experiencing cardiac arrest. Research published by the Journal of the American Medical Association (JAMA) has shown that a drone can deliver an AED approximately 16 minutes faster than an ambulance during out-of-hospital incidents of cardiac arrest. While this research did not examine real-life circumstances, it simulated past incidents to compare speeds.

The Swedish Transportation Agency built the drone used in this research study, equipping it with an AED, GPS and a high-definition camera with an autopilot software system. JAMA conducted the testing in Sweden, using the Swedish Registry for Cardiopulmonary Resuscitation times to examine the difference between the simulation and ambulance times.

Out-of-hospital cardiac arrest survival rates are just 8-10 percent, with time to defibrillation being the key component in boosting an individual’s chance of survival. If you are shocked with an AED within a minute, you have a 90 percent chance of living. Dr. Clyde Yancy, a former president of the American Heart Association, said, “Ninety percent of people who collapse outside of a hospital don’t make it. This is a crisis and it’s time we do something different to address it.”

While this research certainly points us toward greater use of drones in the medical context, especially when it comes to cardiac arrest, the research study was limited as it was conducted in mostly good, clear weather during only a few mile trips. According to one of the researchers, “Saving 16 minutes is likely to be clinically important. Nonetheless, further test flights, technological development, and evaluation of integration with dispatch centers and aviation administrators are needed. The outcomes of [out-of-hospital cardiac arrest] using the drone-delivered AED by bystanders vs. resuscitation by [emergency medical services] should be studied.”

Privacy Tip #117 – How to Check to See if Your Personal Information is Being Sold On the Dark Web

People always ask me what hackers do when they are able to obtain our personal information, including our Social Security numbers. There are many things hackers use our information for, some of which include filing false tax returns in our name to obtain fraudulent tax refunds, opening up new credit card accounts and other credit accounts to buy merchandise, opening new bank accounts or trying to get into our bank accounts and steal our money, using a stolen credit card account or using stolen passwords to get into online accounts. Or they just sell it on the dark web to others who will use it for similar fraudulent purposes.

Just because we have been the victim of a data breach doesn’t mean we will become a victim of fraud, although it is prudent to protect yourself if you have received notice that your personal information has been compromised.

So how do you find out if your information is for sale on the dark web?

A security researcher from Australia named Troy Hunt has searched the dark web and other sources to assemble and develop a repository that contains the identities of billions of individuals whose personal information has been stolen and is being sold. He lets people search his website without charge to determine whether their information is being sold on the dark web. The website is Have I Been Pwned? He has collected information on 4.8 billion people.

The term Pwned is a gaming term that means “utterly defeated,” which is how we all feel after a data breach. Anyone can use his site to search whether their information has been exposed by entering their email address, and can also subscribe to his alerts for when records do appear on the dark web.

In this day and age of massive data breaches, although many of us believe our information “is out there,” this is one tool for identifying whether personal information is being sold on the dark web.

Compliance With New York’s Cybersecurity Regulation 23 NYCRR Part 500

On March 1, 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500)[1] became effective. The regulation is the first of its kind in the nation and requires certain companies, including banks, insurance companies and other financial services institutions regulated by the Department of Financial Services (“Covered Entities”), to have:

  • a cybersecurity program designed to protect consumers’ private data;
  • a written policy or policies that are approved by the Board of Directors or a senior officer;
  • a Chief Information Security Officer to help protect data and systems; and
  • controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.[2]

In addition, pursuant to the regulation, Covered Entities must report a cybersecurity event if (a) the event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. Details regarding what constitutes such an event are set out on the New York Department of Financial Services website.[3]

US Supreme Court Evaluates Privacy of Cell Phone Data

Last Thursday, the United States Supreme Court heard arguments in Carpenter v. United States. At issue was whether the FBI violated the Fourth Amendment when it obtained the cellphone location records of Timothy Carpenter. The FBI used these records to establish Mr. Carpenter’s whereabouts during time periods in which certain armed robberies occurred. The government argued that Mr. Carpenter did not have an expectation of privacy in these records and, thus, no warrant was required. Mr. Carpenter argued that “carrying a smartphone, checking for new emails from one’s boss, updating the weather forecast, and downloading directions ought not license total surveillance of a person’s entire life.”

The Reversal of Net Neutrality on Privacy 101

The Federal Communications Commission’s (FCC) potential reversal of the Obama Administration’s ‘Net Neutrality’ rules has been a constant headline lately. Most media coverage goes to the core principles of net neutrality, including blocking, throttling and paid prioritization of internet content; however, privacy is also a factor.

Notably, the FCC issued broadband privacy rules in 2016, after its 2015 net neutrality rules. The broadband privacy rules, among other things, required websites and internet service providers (ISPs) to use an opt-in system before sharing or selling customers’ personal information such as web history data and app usage data. The FCC’s ability to enforce such rules hinged on a major component of the net neutrality rules, which designated ISPs as common carriers and allowed the FCC to apply Title II of the Communications Act to ISPs.

Intel Bug Affects Millions of Devices

Intel has confirmed a bug in its remote server management tool, known as the Management Engine, which allows IT administrators to remotely access devices to apply updates or troubleshoot problems for users. The bug allows unverified code to be run on Intel chipsets, enabling an intruder to gain control of affected devices.

The Management Engine bug affects most Intel chips, which are embedded in most servers, personal computers and IoT devices, which means millions of devices may be impacted.

Intel has advised that firmware updates are available, and “businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible.” Intel has published a list of available firmware updates on its website—called Intel® Management Engine Critical Firmware Update (Intel-SA-00086).

The list will be updated, and should be checked frequently to minimize the risk of this vulnerability to systems.

Hacker Steals $31 Million of Tether Cryptocurrency

Virtual currency exchanges are popping up at breakneck speed. Tether, which operates USDT, a cryptocurrency that is backed by the U.S. dollar, announced that almost $31 million of its USDT was stolen from its core treasury wallet “through malicious action by an external attacker.”

In response to the heist, Tether has flagged and is tracking the tokens so no one can exchange them or circulate them through the system. This means that the hacker has the tokens in his/her wallet, but can’t exchange them or profit from them.

Commentators say this is another case that shows how risky investment in virtual currency still is. Although virtual currencies are based on blockchain technology, they can still be stolen and are not backed by the Federal Deposit Insurance Corporation.

Healthcare Data Breaches Continue but Fell in October

The news about data breaches always seems to be dire lately. Some good news: data breaches in the healthcare industry were lower in October than in September, based upon reportable data breaches to the Office for Civil Rights (OCR). Note that only breaches involving more than 500 records have to be disclosed to the OCR at the time of the breach, so these are not the final numbers.

Healthcare providers reported 19 breaches, Health Plans reported six breaches and business associates reported two breaches in the month of October. The total number of records breached in October in the healthcare industry was 71,377.

Fourteen of the breaches were due to unauthorized access and disclosure, eight were caused by hacking or an IT security incident, four were the result of theft and one was caused by loss.