The laptop was in an employee’s car and may have contained patient names, dates of birth, physicians’ names, medical record numbers, diagnoses and dates of service. But Arnett’s press release indicates that Social Security numbers, financial information or patients’ medical records were not included on the device.

Arnett said in a statement that the month-long delay was caused by an investigation of who was included in the breach and the data involved as part of cooperation with the White County Sheriff’s Office. As is the case with most of these types of breaches, Arnett claims that it doesn’t believe any data has been misused or accessed with malicious intent, but the laptop still hasn’t been found.

We apologize for any inconvenience this may cause you. Arnett takes very seriously its obligation to keep the information it maintains secure and we appreciate the trust that you place in us. Arnett is reviewing its policies and procedures to minimize the chance of such an incident occurring in the future. In addition, Arnett has mandatory privacy and security training for all of its workforce members.

While it’s still unclear as to why it took a month for Arnett to tell patients of the breach, once again it would be helpful if the organization explained how exactly it will improve its privacy training practices. Does that involve a PowerPoint (hopefully) not or more extensive, hands-on training that encompasses all types of patient privacy risk? It seems as though the breach could have been avoided by simply encrypting the device so that even when human error is involved, no data is compromised. Answers to questions such as whether staff will know what has and hasn’t been encrypted going forward would give insight to what Arnett is doing to progress training.

Source: Health IT Security

Imagine, then, how surprised Name.com customers must have felt to discover that such an email from the domain-name registrar and Web-hosting provider was not only real, but carried with it news of credit card theft.

A number of users took to Internet forums to describe the suspicious email they received: “Name.com recently discovered a security breach where customer account information including usernames, e-mail addresses, and encrypted passwords and encrypted credit card account information may have been accessed by unauthorized individuals.”

The administrators believe that the hackers had no real interest in most customers’ information, targeting only one high-profile client by raking in as much data as they could and sorting through it later. At present, there is no evidence that anyone’s data — financial or website-related — has been used maliciously, even the data of the targeted commercial account.

Source: Tech News Daily

It was a familiar storyline, as a resident physician lost an unencrypted USB computer flash drive that was used to evaluate surgical results at a URMC outpatient orthopaedicfacility. The flash drive belonged to the resident and the copied PHI included patient names, gender, age, date of birth, weight, telephone number, medical record number (a number internal to URMC), orthopaedic physician’s name, date of service, diagnosis, diagnostic study, procedure and any complications. There were no Social Security numbers on the drive, however, which is a good thing for patients who may have identity theft concerns.

The medical center seems to believe the drive was destroyed after going through the laundry, but it’s still missing at the moment. PHIPrivacy.net also notes that URMC has reinforced mobile device security training and education and alert staff of new rules around BYOD usage while trying to guide staff to use its virtual private network (VPN).

Source: Health IT Security

Convenience store operator MAPCO Express Inc. has experienced a security breach by third-party hackers that may have compromised the credit/debit card information of certain MAPCO customers.

MAPCO operates convenience stores in Tennessee, northern and central Alabama, northern Georgia, Arkansas, Virginia, southern Kentucky and northern Mississippi under the MAPCO Express, MAPCO Mart, East Coast, Discount Food Mart, Fast Food and Fuel, Delta Express, and Favorite Markets brand names.

“Our first concern is our customers,” said Tony Miller, vice president of operations for MAPCO. “We regret any inconvenience this criminal act by hackers may have caused and are enhancing our information security efforts to combat future information security threats. Through our internal investigation and collaboration with forensics security firms, we have disabled the malware that was used in this incident while establishing additional safeguards designed to prevent this from happening in the future.”

The incident involves credit/debit card payments for transactions at MAPCO locations between March 19-25, April 14-15 and April 20-21. MAPCO is notifying potentially affected customers because information may have been stolen that can be used to initiate fraudulent credit and debit card transactions. Upon discovering the issue, MAPCO took immediate steps to investigate the incident and further strengthened the security of its payment card processing systems to block future information security attacks.

MAPCO is working with nationally recognized computer forensics investigation firms and the payment card associations to determine what happened and the extent of the information that may have been compromised. MAPCO is also working with law enforcement, including the FBI’s Joint Cyber Crime Task Force, to identify the perpetrator.

MAPCO customers who suspect that their card information may have been compromised are advised to immediately contact their bank, credit union, or credit/debit card company and diligently monitor account activity and credit reports. Customers may also visit www.mapcoexpress.com/security-alert-notification for more information on important steps to take if they believe they were impacted.

Customers with questions may call a special help line that has been set up by MAPCO for additional customer support at 877-297-2081 Monday through Friday 7 a.m. to 10 p.m. Central Time and on Saturday and Sunday from 8 a.m. to 4 p.m. Central Time.

Source: CS Decisions

LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyberattack on its computer systems, according to officials at the company.

The breach has impacted 50 million customers of the Washington, D.C.-based company, who will now be required to reset their passwords. All of LivingSocial’s countries across the world appear to have been affected, except in Thailand, Korea, Indonesia and the Philippines.

The firm began sending emails to customers Friday afternoon telling them they would have to change their site passwords.

“We recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue,” LivingSocial CEO Tim O’Shaughnessy said in an email.

The memo said that customer credit card information was not stolen — it was stored in a separate database. And while the hacker stole customer passwords, they were encrypted and “salted,” or scrambled.

“Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one,” O’Shaughnessy said.

The company advised consumers who used their LivingSocial password at other sites to change their password at those sits, also.

The firm expects its customer service phone lines to be deluged, so O’Shaughnessy warned that he may decide to temporarily suspend telephone customer service relations.

“Because we anticipate a high call volume and may not be able to answer or return all calls in a responsible fashion, we are likely to temporarily suspend consumer phone-based servicing. We will be devoting all available resources to our Web-based servicing,” he said.

Source: USA Today

Forces in Bedfordshire, Cambridgeshire and Hertfordshire oversaw an operation in which G4S managed to acquire confidential information belonging to employees.

Police believe the data was lost during a period in which it was negotiating to outsource some of its operations to G4S, but that deal has since collapsed.

David Craig from the union Unison said: “Many of the members of staff affected are understandably angry and will be reviewing their individual position following any determination by the Information Commissioner’s Office.”

G4S has now confirmed that all of the files it received by mistake have now been deleted from its systems.

It could serve as a reminder to organisations that they must carry out more stringent protective measures of the data they hold.

Source: BCS

The non-profit agency learned of the breach on March 19, but has been unable to determine who the thief was from video surveillance. The patient notification letter, which can be readhere, says that while there were no Social Security numbers or financial data, names, addresses, dates of birth, Medicaid numbers, and certain health information and notes from home visits were included in the compromised files.

CFS has no information to suggest that any client’s Medicaid number has been fraudulently used. Given the challenges associated with an individual attempting to obtain services using only a Medicaid number, it is unlikely an CFS client who’s file was stolen will experience financial harm. Nevertheless, out of an abundance of caution, CFS advised the impacted clients to consider taking precautionary measures to protect the integrity of their Medicaid number. CFS provided the affected New Hampshire residents with an Access to Records Request from the New Hampshire Department of Health and Human Services (HHS) and recommended the client use this form to request records of their Medicaid usage to determine if there is any activity dissociated with their Medicaid number.

It looks as though CFS has a pretty good handle on making the breach transparent to both patients as well as the New Hampshire HHS. Physical data breaches can at times be avoidable, but we don’t know which physical safeguards were in place when the theft occurred. CFS’s proactive nature in this case would benefit the agency if there were ever an issue with a patient’s identity.

Source: Health IT Security

The Information Commissioner’s Office (ICO) has stepped up its enforcement activities, by issuing double the number of data breach fines in 2012-2013 as it did in the previous 12 months.

This is according to data obtained via a Freedom of Information (FoI) request by digital comms vendor ViaSat.

The ICO issued 20 monetary penalties in 2012-2013 totalling £2.6 million, according to the figures. During the previous year, the organisation fined just nine organisations generating £791,000 in the process.

During the past 12 months the ICO issued a record fine of £325,000 against a NHS Trust in Brighton for a data protection failure that allowed hard drives containing patient details to be sold on an internet auction site.

The apparent rise in the number of fines issued should go some way to appeasing data protection campaigners that have previously hit out at the ICO for being too soft on people that breach the Data Protection Act.

The figures also revealed a year-on-year uptick in the number of self-reported breaches made to the ICO, which may partly explain why the organisation has issued more fines this year.

Between March 2012 and March 2013, there were 1,150 self-reported breaches made to the ICO, despite only 730 being made between 22 March 2011 and 17 February 2012.

Chris McIntosh, chief executive of ViaSat UK, said it’s pleasing to see the ICO make good on its promise to use both the “carrot and the stick” when enforcing the Data Protection Act.

“Not only has the number of monetary penalties increased year-on-year, but they have grown in size and been implemented across both the public and private sectors,” he added.

ViaSat submitted a similar FoI request last year, prompting the firm to hit out at the ICO for being too lenient on private sector firms, after it emerged that nearly every fine handed out between March 2011 and February 2012 was levied against a public sector organisation.

However, this year’s results revealed that four out of the 20 fines the ICO dolled out in 2012-2013 involved data protection lapses in the private sector, while the remainder were handed to local councils (eight fines) and NHS organisations (six fines).

Even so, McIntosh said the response to his firm’s FoI request suggests more work needs to be done to educate users about data protection best practice.

“What is clear from these findings is that the human factor is still the primary cause behind data breaches…while the ICO can keep issuing undertakings and penalties, it is only widespread change in public awareness and expectations that will truly drive organisations to change,” he added.

In a statement to IT Pro, the ICO said penalties and enforcement action are not all it does to safeguard the data of UK citizens.

“The guidance and support we offer, including the free audits and advisory visits we provide to organisations of all sectors and sizes, is designed to make sure that organisations avoid problems further down the line,” the organisation said.

“This is why it is important that organisations don’t bury their head in the sand but visit our website, read our guidance and ask for our help where required, to make sure they are on the right side of the law.”

Source: ITPro

The data breach involving personal information about more than 1,000 ‘backroom’ staff at Cambridgeshire, Bedfordshire and Hertfordshire police happened amid negotiations to privatise services.

That deal was scrapped after the private firm was caught up in the fiasco over providing security for the London Olympic Games.

Campaigners have now urged police to put extra measures in place to ensure a similar breach does not happen again fearing details could get into the wrong hands, after the News uncovered the blunder.

Cambridge MP Julian Huppert said: “This is a very worrying issue and serves to highlight, once again, the danger of storing personal and confidential data. A simple mistake can lead to serious consequences.

“Fortunately, on this occasion the force acted swiftly taking all measures to make sure that staff were informed and the data contained and deleted.

“I hope the investigation will result in tighter procedures being put in place so nothing like this can happen again in the future.”

Nick Pickles, director of privacy and civil liberties campaign group Big Brother Watch, fears any data could be “dangerous”.

He said: “This kind of error goes to the heart of the public’s confidence that the police can keep information secure.

“Given the information wasn’t needed as part of the negotiations, it was clearly a significant error for such a large number of staff’s details to be sent to G4S. The important question is to get to the bottom of how this error was allowed to happen and ensure those responsible are held to account.

“The risk is that today the data was sent to a responsible person, but tomorrow the same error could see confidential details end up somewhere far more dangerous.”

The three forces notified the Information Commissioner’s Office in February of the breach under the Data Protection Act 1998.

The gaffe occurred as the three forces were developing a deal with G4S, which was scrapped.

Five files were sent electronically about staff from the three forces to G4S breaching the Data Protection Act 1998, police admitted.

Deputy Chief Constable John Feavyour from Cambridgeshire Constabulary said: “The three forces acknowledged, in their letter to the Information Commissioner, that the sharing of the information was not fair and proportionate, however the non-disclosure agreement in place between the three police forces and G4S ensured that no data left the four organisations involved.

“I wrote to the members of staff affected by this data security breach in February explaining what occurred and apologised to them.

“G4S responded extremely promptly and professionally when this matter was raised with them, ensuring that all personal data was deleted from their hard drives and records.”

Source: Cambridge News