Cottage Health Pays $2M to CA AG for Data Breach

Cottage Health, a three-hospital health care system located in California, has agreed to pay the California Attorney General’s Office $2 million to settle allegations that it failed to implement data security safeguards to protect patients’ health information that was accessible online and indexed by search engines.

In December 2013, it was discovered that one of Cottage Health’s servers was connected to the Internet without encryption, password protection, firewalls or access controls, which exposed health information of 50,000 patients between 2011 and 2013.

Then on November 8, 2015, while state authorities were investigating the first incident, the hospital’s server was misconfigured and the medical records of 4,596 individuals were publicly available.

According to the California Department of Justice, Cottage Health violated the California Confidentiality of Medical Information Act and Unfair Competition Law by failing to keep the information secure. It stated that “Cottage Health failed to employ basic security safeguards, leaving vulnerable software unpatched or out-of-date, using default or weak passwords, and lacking sufficient perimeter security, among many other problems.” Sounds like a data security roadmap.

In addition to the payment of the $2 million fine, Cottage Health is required by the settlement to hire a data privacy and security officer to develop and maintain appropriate policies and procedures and perform annual privacy risk assessments.

North Carolina DHS Notifies 6,000 of Data Breach of Drug Testing Information

The North Carolina Department of Health and Human Services has notified close to 6,000 individuals that a spreadsheet containing the names, Social Security numbers and test results for routine drug testing for employment, internships and volunteer opportunities was sent via an unencrypted email to a vendor in error.

Misdirected emails are a frequent occurrence and can have dire consequences. Limiting information in spreadsheets is a strategy to reduce the risk of a breach in the event that an email containing information is sent to the wrong recipient. It is unclear why full Social Security numbers were on this particular spreadsheet, or why they were needed by the recipient, but it is a potent reminder that deleting or not including high risk information before sending it to others is an important practice.
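The practice recommended above, stripping high-risk fields such as full Social Security numbers before a spreadsheet leaves the organization, can be made a routine pre-send check rather than something each sender has to remember. The following is an added example, not code from the post or from the North Carolina DHS; it runs over a small constructed CSV, flags any column whose values look like SSNs, and writes a redacted copy in which only the last four digits survive. The column names, sample rows and the 50% detection threshold are assumptions chosen for the illustration.

```python
import csv
import io
import re

# Constructed sample in the shape of the drug-testing spreadsheet described
# in the post: names, full SSNs and test results. Not real data.
SAMPLE_CSV = """name,ssn,test_date,result
Jane Doe,123-45-6789,2017-10-02,negative
John Roe,987654321,2017-10-03,negative
"""

# Matches a dashed SSN (123-45-6789) or a bare 9-digit number.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


def find_ssn_columns(rows, threshold=0.5):
    """Return column names where at least `threshold` of the non-empty
    values match the SSN pattern (threshold is an assumed tuning knob)."""
    if not rows:
        return []
    flagged = []
    for col in rows[0].keys():
        values = [r[col].strip() for r in rows if r.get(col, "").strip()]
        if not values:
            continue
        hits = sum(1 for v in values if SSN_RE.match(v))
        if hits / len(values) >= threshold:
            flagged.append(col)
    return flagged


def redact_columns(rows, columns, keep_last=4):
    """Mask every value in the flagged columns, keeping only the last
    `keep_last` digits so the recipient can still match records."""
    redacted = []
    for r in rows:
        new = dict(r)
        for col in columns:
            digits = re.sub(r"\D", "", new.get(col, ""))
            new[col] = ("***-**-" + digits[-keep_last:]) if digits else ""
        redacted.append(new)
    return redacted


def check_before_sending(csv_text):
    """Parse CSV text, flag SSN-like columns and return
    (flagged_columns, redacted_csv_text)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    flagged = find_ssn_columns(rows)
    redacted = redact_columns(rows, flagged)
    out = io.StringIO()
    fieldnames = list(rows[0].keys()) if rows else []
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(redacted)
    return flagged, out.getvalue()


if __name__ == "__main__":
    flagged, text = check_before_sending(SAMPLE_CSV)
    print("columns flagged as high risk:", flagged)
    print(text)
```

A check like this belongs at the point where the file is attached or uploaded, so that the unredacted spreadsheet never reaches the mail client; it does not replace encrypting the transmission, but it limits the damage when the message still goes to the wrong recipient.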

The Benefits and Hurdles of Using Drones for Conservation Surveillance

Drone technology has a myriad of conservation and environmental-protection applications. Drones offer quick, easy and cost-effective aerial imaging as well as sensor and monitoring capabilities. Unlike traditional surveying techniques, drones do not require substantial manpower, and can overcome common access issues (e.g., impenetrable vegetation, boulders, crevasses). With these benefits, more and more drones are being used for forest health monitoring, forest inventory, wildlife surveys, anti-poaching activities, reforestation, compliance monitoring, and air-quality monitoring.

Specifically, the Indonesian Tax Office uses drones to survey palm-oil plantations and track owners who misrepresent the actual size of their plantation. The World Wildlife Fund uses drones to monitor illicit trade in Africa. Brazil’s Sao Paulo Environmental Police use drones to monitor deforestation and illegal mining operations. Drones are even being used for surveillance of the emerging carbon-trade agreements in the recent Paris accord, where compliance is driven by the carbon value of standing forests.

While these uses will certainly increase, and greatly benefit the environment around us, there are still privacy and regulatory concerns surrounding the use of drones. While the Federal Aviation Administration (FAA) has issued Part 107 rules for drone operation, the rules do not address privacy, nor do they address issues of constitutional concerns and property rights in the area of environmental monitoring. And it is estimated that by 2030, there will be over 30,000 drones hovering in the U.S. skies alone. Certainly regulations will change and evolve as drone technology advances, and drones will become an even more valuable tool for both environmental-compliance issues and environmental conservation.

Privacy Tip #116 – Insider Error or Threat Continue to Cause Data Breaches

You continue to hear that your employees are your biggest risk when it comes to causing a data breach. Recent incidents that we have been involved in that were caused by employee error include:

  • lost or stolen unencrypted laptops, phones or removable media;
  • downloading sensitive information onto thumb drives or USB drives and losing them;
  • clicking on infected links or attachments and introducing malware or ransomware into the system; or
  • misdirecting an unencrypted email containing personal information.

The sad thing about these incidents is that they were all completely preventable. Protecting your company from your employees is an odd concept, but essential in the context of data security.

Some protections include:

  • implement security measures so employees can’t download information onto unencrypted laptops or thumb drives;
  • prohibit thumb drives that are not company-encrypted from being connected to your system;
  • educate employees to detect and report phishing and spear phishing schemes, test them with internal phishing drills and re-train employees when they fail;
  • require the transmission of sensitive data with encryption;
  • implement procedures for employees to use the phone or face to face contact when receiving odd requests via email for financial information, benefit information or wire transfers;
  • implement multi-factor authentication and strong password procedures;
  • educate employees to slow down, take their time and verify the intended recipient before sending an email; and
  • educate, educate, educate and engage your employees on data security so they can become the company’s stewards of data.

These basic data security measures may have protected the companies who suffered the incidents above from mistakes made by their own employees.

Connecticut Cyber Task Force Announced

The U.S. Attorney’s Office of the District of Connecticut has announced the creation of a Connecticut Cyber Task Force (“CCTF”) in partnership with the FBI, DEA, Secret Service, Homeland Security, IRS, Connecticut State Police, and 11 local police departments from throughout Connecticut as well as other federal authorities. The CCTF’s initial focus will be twofold: (1) to “target criminal activity on the dark web, notably the illicit acquisition and distribution of fentanyl and other dangerous drugs that are the cause of tens of thousands of overdose deaths annually” and (2) “to identify and disrupt criminal organizations that use computer intrusions to defraud companies of their money and information.”

Imgur Discloses Breach Affecting Email and Passwords of 1.7 Million Users

On November 24, 2017, image-sharing website Imgur disclosed that email addresses and passwords of 1.7 million users were stolen in a 2014 hack on the company. Imgur became aware of the breach on November 23, 2017 when a security researcher alerted the company about the potential issue. The breach was confirmed on November 24th and Imgur posted a notice of the breach on its blog later that same day. According to the blog post, the breach does not include personally-identifiable information (PII) because Imgur has never asked for users’ real names, addresses, telephone numbers or other PII. Imgur is still investigating the breach but believes that it may have been caused by a security algorithm in use at the time that has since been replaced. Imgur has already begun resetting passwords of affected users, and recommends that individuals use a different combination of email and password for every site and application. Imgur has approximately 150 million monthly users.

Pentagon Web Monitoring Data Exposed

Security researcher Chris Vickery has confirmed that web-monitoring data from the Department of Defense (DOD) was exposed through Amazon Web Services by the way the DOD configured access by authorized users. According to Vickery, anyone with a free AWS account had access to the DOD information, which included 1.8 billion internet posts that had been scraped from publicly available sites, including information about guns, scam alert websites and forums that contained offensive content.

Although none of the information was considered sensitive, it highlights that data is being exposed “haphazardly” according to Vickery, and “is a huge, epidemic sized problem.”
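“Anyone with a free AWS account had access” describes a storage bucket whose access control list grants read permission to the AWS-wide AuthenticatedUsers group rather than to specific accounts; the post does not say which setting the DOD used, so treating it as an ACL grant is an assumption here. The following is an added example, not code from the post or from Vickery, that audits ACLs in the shape returned by boto3’s `get_bucket_acl()` (the two global group URIs are real S3 identifiers; the bucket names, owner ID and grants are constructed):

```python
# Group URIs S3 uses for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

RISKY_GROUPS = {
    ALL_USERS: "anyone on the internet",
    AUTHENTICATED_USERS: "any AWS account holder",
}

# Constructed ACLs in the shape boto3's get_bucket_acl() returns.
# The owner ID is a placeholder, not a real canonical user ID.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}

EXPOSED_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        # This grant is what lets any AWS account list and read the bucket.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

# The corrected form: only the owning account keeps access.
SAFE_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}


def overexposed_grants(acl):
    """Return (audience, permission) pairs for every grant made to one of
    the global groups; an empty list means no world-scope grant exists."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def is_listable_by_outsiders(acl):
    """On a bucket ACL, READ lets the grantee list objects, so READ or
    FULL_CONTROL to a global group means outsiders can enumerate contents."""
    return any(perm in ("READ", "FULL_CONTROL") for _, perm in overexposed_grants(acl))


def audit_buckets(acls):
    """acls: mapping of bucket name -> ACL dict (e.g. gathered with
    boto3.client('s3').get_bucket_acl(Bucket=name)). Returns the sorted
    names of buckets with any global-group grant."""
    return sorted(name for name, acl in acls.items() if overexposed_grants(acl))


if __name__ == "__main__":
    # Constructed inventory; the names are not real buckets.
    inventory = {"scraped-posts-archive": EXPOSED_ACL, "internal-reports": SAFE_ACL}
    for name in audit_buckets(inventory):
        for audience, perm in overexposed_grants(inventory[name]):
            print(f"{name}: {perm} granted to {audience}")
```

The same check belongs in whatever inventory job already enumerates an account’s buckets, and the finding to act on is any grant at all to either global group, not only READ; at the account level, S3’s Block Public Access setting refuses such ACLs outright and is the more durable fix.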

Florida Blue Breach Exposes Information of 939 Individuals

Blue Cross Blue Shield of Florida (Florida Blue) has announced that 475 applications for insurance were backed up to the cloud, on an unsecured cloud server, by an unaffiliated agent of Real Time Health Quotes, and exposed the personal information of 939 individuals.

The data that was backed up to the unsecured cloud server included Florida Blue files and copies of health, dental and life insurance applications from 2009-2014. The applications included the names, addresses, Social Security numbers, medical histories, and some banking and financial information.

Florida Blue is still investigating how the agent obtained the applications and files and why they were stored on an unsecured cloud server. Those affected have been offered two years of credit monitoring at no cost.

Forever 21 Latest Retailer to Suffer Credit Card Breach

Forever 21 has warned customers who used a credit card at any of its stores between March and October 2017 that their credit card may have been compromised.

According to Forever 21, its payment card readers were not encrypting credit card information during that time and it believes there may have been unauthorized access to the credit cards during that time. It has not indicated how many customers’ cards were compromised.

Forever 21 is advising its customers to check their monthly credit card statements and to notify their bank if there are any fraudulent charges.

Law Enforcement Forced to Learn New Skills—Criminals Turn to Drones

We know by now that there is a good chance someone is out there spray painting his drone black and taping over the lights so that he can get away with flying his drone into a prison yard to deliver contraband. But drones are also being used to spy on people, interrupt the work of emergency services, harass wild animals, and menace other aircraft. Because crime and nuisance with drones seem to be a growing trend, law enforcement has been forced to launch new forensic intelligence forces to deal solely with drone-related crimes. But how can a criminal drone pilot be identified when, for example, only a drone is found at the scene of a crime? Or when only fragments from a drone are found? Or when only a controller or mobile phone is found? Or when a likely pilot is suspected but no drone is in sight? Well, that’s why law enforcement is turning to forensic teams.

Tying the digital and physical facets of a drone flight to a human pilot is not easy; that’s why drone forensics are becoming increasingly important as more drones hit the skies. Not only does law enforcement hope to protect the public from nuisance and petty crimes (and stop the infiltration of contraband into prisons through drones), but they hope to learn how to detect and stop weaponized drones, which are also becoming more of a concern. The need for drone-specific law enforcement also extends to civilian safety. And of course, the potential for invasion of privacy by a drone has led (and will likely continue to lead) to people shooting drones down, which poses risks to the public if more firearms are used in this way. The key for law enforcement will be cracking the drone’s complex digital ecosystem. The ‘ecosystem’ includes peripheral devices like mobile phones, controllers and sensors that collect data like GPS position and crash analysis data from accelerometers, compass heading, and video images. And, of course, all of the metadata collected in the video could likely reveal where the images were taken, including the drone’s altitude. So forensics really seems to be the key, with the caveat that due to the diverse marketplace of drones, there may be some ‘digital quirks’ that put a kink in the forensic investigation.

What type of ‘quirks’ are at issue? Each drone could store flight data differently, store the latitude and longitude for different periods of time, store data in a mobile app or directly on the drone itself, plus drones use different operating systems, so law enforcement drone analysts need to be well-versed in each.

Not only can law enforcement use digital forensics in drone investigations, but they are finding that they can also look to physical evidence—a drone’s rotors are often sharp edged and retain trace skin cells, so sometimes law enforcement could retrieve DNA. Same goes for drones with SD video storage cards and batteries—law enforcement can look for fingerprints on these hidden parts of the drone.

While all of this seems promising, that doesn’t mean that criminal drone operators aren’t aware of these tactics, which only means that law enforcement has quite the task ahead of them as drones and their technology get more sophisticated and more widely used.