HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Massive data breach could affect every federal agency


China-based hackers are suspected once again of breaking into U.S. government computer networks, and the entire federal workforce could be at risk this time.


The Department of Homeland Security said in a statement that data from the Office of Personnel Management — the human resources department for the federal government — and the Interior Department had been compromised.


"The FBI is conducting an investigation to identify how and why this occurred," the statement Thursday said.

The hackers were believed to be based in China, said Sen. Susan Collins, a Maine Republican.


Collins, a member of the Senate Intelligence Committee, said the breach was "yet another indication of a foreign power probing successfully and focusing on what appears to be data that would identify people with security clearances."


A spokesman for the Chinese Embassy in Washington called such accusations "not responsible and counterproductive."


"Cyberattacks conducted across countries are hard to track and therefore the source of attacks is difficult to identify," spokesman Zhu Haiquan said Thursday night. He added that hacking can "only be addressed by international cooperation based on mutual trust and mutual respect."


A U.S. official, who declined to be named because he was not authorized to publicly discuss the data breach, said it could potentially affect every federal agency. One key question is whether intelligence agency employee information was stolen. Former government employees are affected as well.


The Office of Personnel Management conducts more than 90 percent of federal background investigations, according to its website.

The agency said it is offering credit monitoring and identity theft insurance for 18 months to individuals potentially affected. The National Treasury Employees Union, which represents workers in 31 federal agencies, said it is encouraging members to sign up for the monitoring as soon as possible.


In November, a former DHS contractor disclosed another cyberbreach that compromised the private files of more than 25,000 DHS workers and thousands of other federal employees.


Cybersecurity experts also noted that the OPM was targeted a year ago in a cyberattack that was suspected of originating in China. In that case, authorities reported no personal information was stolen.

Chinese groups have persistently attacked U.S. agencies and companies, including insurers and health-care providers, said Adam Meyers, vice president for intelligence at Irvine, California-based CrowdStrike, which has studied Chinese hacking groups extensively.


The Chinese groups may be looking for information that can be used to approach or compromise people who could provide useful intelligence, Meyers said. "If they know someone has a large financial debt, or a relative with a health condition, or any other avenues that make them susceptible to monetary targeting or coercion, that information would be useful."


One expert said hackers could use information from government personnel files for financial gain. In a recent case disclosed by the IRS, hackers appear to have obtained tax return information by posing as taxpayers, using personal information gleaned from previous commercial breaches, said Rick Holland, an information security analyst at Forrester Research.


"Given what OPM does around security clearances, and the level of detail they acquire when doing these investigations, both on the subjects of the investigations and their contacts and references, it would be a vast amount of information," Holland added.


DHS said its intrusion detection system, known as EINSTEIN, which screens federal Internet traffic to identify potential cyberthreats, identified the hack of OPM's systems and the Interior Department's data center, which is shared by other federal agencies.


It was unclear why the EINSTEIN system didn't detect the breach until after so many records had been copied and removed.
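The kind of check a network monitor would need to trip before "so many records had been copied and removed" is an egress-volume baseline. The block below is an added example that is not part of the article and says nothing about how EINSTEIN actually works: it buckets each internal host's outbound bytes by hour and flags any hour that is far above both an absolute floor and that host's own earlier hours. The flow-record format, the hosts, the byte counts and the thresholds are all constructed for illustration.

```python
"""Egress-volume detection over flow records.

Buckets each internal host's outbound bytes by hour and flags any hour that
is far above both an absolute floor and that host's own earlier hours. Bulk
copying of a records database tends to show up exactly this way.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample flow records (not real traffic), one per line:
# timestamp  src_ip  dst_ip  dst_port  bytes_out
SAMPLE_FLOWS = """\
2015-06-04T01:05:00Z 10.1.1.20 198.51.100.7 443 812000
2015-06-04T01:40:00Z 10.1.1.20 198.51.100.7 443 640000
2015-06-04T02:10:00Z 10.1.1.20 198.51.100.7 443 700000
2015-06-04T03:15:00Z 10.1.1.20 198.51.100.7 443 590000
2015-06-04T04:02:00Z 10.1.1.20 203.0.113.9 443 2400000000
2015-06-04T04:30:00Z 10.1.1.20 203.0.113.9 443 1900000000
2015-06-04T01:20:00Z 10.1.1.55 198.51.100.7 443 500000
2015-06-04T02:20:00Z 10.1.1.55 198.51.100.7 443 450000
2015-06-04T03:20:00Z 10.1.1.55 198.51.100.7 443 520000
2015-06-04T04:20:00Z 10.1.1.55 198.51.100.7 443 480000
"""


def parse_flows(text):
    """Parse the whitespace-separated records above into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(dport), int(nbytes)))
    return flows


def hourly_egress(flows):
    """Return {src_ip: {hour_start: total_bytes_out}}."""
    buckets = defaultdict(lambda: defaultdict(int))
    for when, src, _dst, _dport, nbytes in flows:
        hour = when.replace(minute=0, second=0, microsecond=0)
        buckets[src][hour] += nbytes
    return buckets


def find_exfil(flows, abs_floor=1_000_000_000, ratio=20.0, min_history=2):
    """Return (src, hour, bytes, baseline) for every hour whose outbound total
    exceeds both abs_floor and ratio * median of that host's earlier hours.
    Hosts with fewer than min_history earlier hours are never flagged."""
    alerts = []
    for src, hours in hourly_egress(flows).items():
        history = []
        for hour in sorted(hours):
            total = hours[hour]
            if len(history) >= min_history:
                baseline = median(history)
                if total > abs_floor and total > ratio * baseline:
                    alerts.append((src, hour.isoformat(), total, baseline))
            history.append(total)
    return alerts


if __name__ == "__main__":
    for src, hour, total, baseline in find_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {src} {hour}: {total} bytes out (baseline {baseline})")
```

The absolute floor keeps a quiet host's first busy hour from alerting on ratio alone, and the ratio keeps a normally busy host from alerting on the floor alone. What this does not catch is a slow trickle held under the baseline, or data pushed through a channel that is already trusted and high-volume; egress baselining complements content inspection and identity controls rather than replacing them.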


"DHS is continuing to monitor federal networks for any suspicious activity and is working aggressively with the affected agencies to conduct investigative analysis to assess the extent of this alleged intrusion," the statement said.


Cybersecurity expert Morgan Wright of the Center for Digital Government, an advisory institute, said EINSTEIN "certainly appears to be a failure at this point. The government would be better off outsourcing their security to the private sector where there's at least some accountability."


Senate Intelligence Committee Chairman Richard Burr, R-N.C., said the government must overhaul its cybersecurity defenses. "Our response to these attacks can no longer simply be notifying people after their personal information has been stolen," he said. "We must start to prevent these breaches in the first place."


Does Obama privacy push have oomph?

President Barack Obama’s rollout of privacy and data security policies Monday offered big promises to protect consumer information online, but the reality is his legislative ideas are a long shot in Congress and his voluntary industry initiatives lack enforcement teeth.

The package of proposals, including a data-breach notification law and a privacy bill of rights, is mostly a rehash of previous administration proposals. While some lawmakers have expressed interest in data breach and student privacy bills, such legislation has made little progress in the past. Congress has even less enthusiasm for the base-line privacy bill that Obama says he will release in coming weeks.

The president’s announcement comes on the heels of the high-profile Sony hacking case and after a year of major retail hacks that compromised millions of Americans’ credit cards. But the glacial progress of privacy and data security legislation shows just how difficult it has been for Washington to come up with workable new laws in this area.

In a 15-minute speech at the Federal Trade Commission, Obama previewed proposals that will be part of his State of the Union address on Jan. 20. Pressing Congress to take action, the president led his speech with recent headlines from the Sony hack.

“This mission, protecting our information and privacy in the information age, this should not be a partisan issue,” Obama said. “It’s one of those new challenges in our modern society that crosses the old divides — transcends politics, transcends ideology. Liberal, conservative, Democrat, Republican, everybody is online, and everybody understands the risks and vulnerabilities as well as opportunities that are presented by this new world.”

White House press secretary Josh Earnest later put it more bluntly. “I do think that, certainly, in the aftermath of some of the more recent cyberattacks we’ve seen that have been carried out against a number of private companies, including most recently Sony, hopefully that got the attention of people on Capitol Hill,” he said.

Obama’s data-breach proposal would impose a national standard for companies to notify consumers, in the event their information is stolen or compromised, within 30 days of the discovery of an incident. His student privacy bill, modeled on a California measure, would impose new restrictions on companies that collect or store student data while providing products and services to K-12 schools.

The president also announced that JPMorgan Chase and Bank of America are joining a list of firms making credit scores available for free to consumers to combat identity theft, the top consumer complaint for 14 years running at the FTC.

Some privacy advocates, while bullish on laws that would tighten consumer privacy, remain skeptical that Obama's push will have any oomph behind it, seeing it more as a public relations maneuver designed to reassure European privacy officials as they work to complete a trade deal by the end of the year.

“An unannounced but intended audience for the administration’s plan is to remove a serious obstacle to its plans for a U.S.-EU trade deal, known as TTIP,” or the Transatlantic Trade and Investment Partnership, said Jeff Chester, executive director of the Center for Digital Democracy. Consumer privacy has been one of the sticking points with EU officials who worry that the U.S. doesn’t have a comprehensive privacy framework.

There is some support for a data-breach bill in the new Congress, and industry groups and the FTC have long pressed for a federal law to streamline the 49 different state breach rules they have to follow. Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) say they are already working on a data-breach bill.

“There has been consensus and a call from many in the business community several years running for data-breach legislation,” said Stu Ingis, a partner at Venable and counsel to the Digital Advertising Alliance, which represents several marketing and advertising groups.

But such legislation has repeatedly run into fears that a federal standard would weaken stricter rules enacted by states — a theme some privacy advocates hit again Monday.

“The Personal Data Notification and Protection Act would pre-empt stronger state laws and contains no private right of action,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said the president’s student privacy plan “looks promising,” adding the country ultimately needs a more comprehensive approach to online privacy issues.

“The White House announcement is a step in that direction. But more needs to be done,” Rotenberg said.

Obama touted the 75 education tech companies that have voluntarily committed to keeping student data private, including Microsoft. Apple, which did not sign on initially, has now committed to the pledge. But other major players in the ed tech market, including Google and Pearson, are still not listed as signatories.

Concerns over student privacy have grown steadily as the use of online tools has exploded in classrooms. Ed tech companies can scoop up millions of data points on each child by monitoring them as they click through digital textbooks, educational games and online homework assignments. They can build detailed profiles of students’ academic ability — and also of their cognitive skills, including their learning styles.

The prospect of such intimate information being mined for possible commercial gain has mobilized parent privacy activists from across the political spectrum.

The administration has eyed privacy and data security measures since the president’s first term and proposed a national data-breach standard as part of a cybersecurity proposal in 2011. It unveiled a blueprint for a consumer privacy bill of rights in 2012.

Some parts of the tech industry said the president should have broadened his proposal to include surveillance reform, a key issue for Internet companies following Edward Snowden’s leaks about the National Security Agency.

“The president missed an opportunity to address the continued push by law enforcement and intelligence agencies to weaken security for the purpose of surveillance,” said Daniel Castro, senior analyst for the Information Technology and Innovation Foundation. “These actions threaten the competitiveness of the U.S. tech sector and discourage consumer confidence in digital products and services.”

Stolen Patient Information Prompts Data Breach Warning from Shoreview Company


An alert about a data breach involving an orthopedic medical device company in Shoreview affects not only Minnesotans, but others across the country as well.

A contractor for the company DJO Global went inside a coffee shop in Roseville on Nov. 7 and left a laptop containing private patient information in a backpack on the backseat of his car. A thief saw the backpack, smashed the window and stole it.

DJO Global notified patients in a letter that their private information stored on the computer had been stolen. The data included patients' names, phone numbers, diagnosis codes, surgery dates, health insurers, and clinic and doctor names. A handful of Social Security numbers were taken, too.

Worried individuals have contacted police.

"We received hundreds upon hundreds of phone calls from all over the country," Lt. Lorne Rosand with the Roseville Police Department said.

A spokesman for DJO told 5 EYEWITNESS News via email that no credit card information was taken. The data was exposed from Nov. 7 to Nov. 21.

"If someone is able to glean information, name, dates of birth, Social Security information, that's a gold mine," Rosand said.

DJO says the laptop was password-protected but not encrypted. Firewalls, tracking and remote-management software were in place and allowed the data to eventually be erased remotely. DJO says it is doing an internal investigation and security assessment.

A login password by itself does not protect data at rest: with the drive in hand, a thief can boot from other media or move the disk to another machine and read the files directly, and a remote wipe only helps if the device comes back online before that happens. Full-disk encryption is what makes a stolen laptop's contents unreadable, and under HHS guidance only PHI encrypted that way counts as "secured" and falls outside the HIPAA breach notification requirement.
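The configuration in this story, a login password but no disk encryption, is one a fleet audit can catch before a laptop goes missing. The block below is an added example, not code from the article or from DJO: on Linux it reads the device tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and reports every mounted filesystem with no dm-crypt (LUKS) layer beneath it. The embedded JSON is a constructed sample rather than output from a real machine, and the ignored mountpoints are an assumption about a typical LUKS layout in which the boot partition is left in the clear.

```python
"""Report mounted filesystems that are not backed by an encrypted block device.

Walks the JSON device tree from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
(Linux, util-linux) and marks a mountpoint as encrypted only if the device it
lives on, or some ancestor in the tree, is a dm-crypt mapping (type "crypt"),
which is what an unlocked LUKS container appears as.
"""
import json
import subprocess

# Constructed sample of lsblk JSON output (not captured from a real host):
# /boot is a plain partition, / and swap are LVM volumes inside a LUKS
# container, and a second disk holding /data has no encryption at all.
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
                {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None, "children": [
                    {"name": "vg0-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                    {"name": "vg0-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
                ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/data"},
        ]},
    ]
})


def mountpoint_encryption(lsblk_json):
    """Return {mountpoint: True/False} for every mounted filesystem in the tree."""
    status = {}

    def walk(node, under_crypt):
        # Once a "crypt" node is passed, everything below it is encrypted.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            status[mountpoint] = under_crypt
        for child in node.get("children") or []:
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return status


def unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Mountpoints holding data in the clear, minus those a typical LUKS
    layout leaves unencrypted on purpose (assumption: the boot partition)."""
    return sorted(mp for mp, encrypted in mountpoint_encryption(lsblk_json).items()
                  if not encrypted and mp not in ignore)


def audit_live_system():
    """Run lsblk on this machine and return its unencrypted mountpoints."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    print("unencrypted mounts in sample:", unencrypted_mounts(SAMPLE_LSBLK))
```

Run `audit_live_system()` on a real host to get the same list for that machine; macOS and Windows need their own checks (`fdesetup status` and `manage-bde -status`). Two caveats apply to any "encrypted" result: the protection holds only while the passphrase or recovery key is not stored alongside the device, and unencrypted swap or hibernation space can leak the contents of an otherwise encrypted volume, which is why the sample keeps swap inside the LUKS container.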

Roseville police call this situation a reminder for everyone.

"When people leave valuables in vehicles such as laptops, there's only a piece of glass between the bad guy and your property; that glass can be shattered," Rosand said.

If you received a letter from DJO or believe your information might be at risk, you can set up a fraud alert with the three credit reporting agencies as a precaution. 

The thief has not been caught.



Premera data breach affected Oregon's LifeWise members

The cyberattack at Premera Blue Cross in Washington state also affected 60,000 current and former members of LifeWise Health Plan of Oregon.

The two companies are affiliated and share a common IT system for claims, said Eric Earling, vice president of corporate communications at Premera.


The attack began last May and affected data going back to 2002.

"It was a sophisticated cyber attack," Earling said. "They got access, but there's no evidence they removed information from the system."

Altogether, the cyberattack may have exposed medical data and financial information of 11 million customers. It is the largest breach reported to date involving patient medical information, Dave Kennedy, an expert in health care security, told the New York Times.

Medical records can be sold on underground criminal exchanges and can be used to engage in insurance fraud, the Times reported.

It's not the first large breach uncovered this year. On Jan. 29, insurer Anthem disclosed a cyberattack involving records of 79 million customers in Blue Cross Blue Shield plans across the U.S. That attack was unrelated to the one at Premera, Earling said.


He referred Oregon customers to Lifewiseupdate.com for information on the attack and for enrollment in the two years of free credit monitoring and identity protection services offered to anyone affected by the incident.

A message on the site reads in part: "Our investigation determined that the attackers may have gained unauthorized access to applicants' and members' information, which could include member name, date of birth, address, telephone number, email address, Social Security number, member identification number, bank account information, and claims information, including clinical information.

"Individuals who do business with us and provided us with their email address, personal bank account number or social security number are also affected."


The FBI is investigating the attack.


Obama's data-breach initiative has privacy advocates optimistic, cautious


There may finally be a standard set of rules for how US companies protect customers' data in the aftermath of a breach, if the president's newly proposed rules become law.

For years, companies in America have contended with a patchwork of laws regarding how they treat customer information. Some states have strict rules, designed to ensure consumer protection. Others have none.

President Barack Obama wants that to change, and so do consumers. A Pew Research study conducted last year found 18 percent of consumers have seen their credit card, bank account, or Social Security number stolen, up from 11 percent only six months earlier.

They have reason to be concerned. The Identity Theft Resource Center said data breaches in the US were up 27.5 percent in 2014 over the year before. The past couple of years have been filled with headlines about catastrophic data breaches from Target and Home Depot, as well as arts and crafts chain Michaels and restaurant chain P.F. Chang's. In November, Sony Pictures suffered one of the worst hacks in corporate history.

Now, the government may step in, at least to ensure consumers are protected. President Obama on Monday proposed a new law called the Personal Data Notification and Protection Act, which would create a basic set of rules for how companies handle their customer information. It also would criminalize international trade in stolen personal identity information.

Aside from one specific rule that would require companies to notify customers within 30 days of the discovery of a data breach, there aren't many other details available yet about Obama's proposal. The president is expected to outline more specifics in his State of the Union speech next week.

In the meantime, tech industry executives and privacy advocates are excited at the prospect of a renewed effort to create a national standard. They say the bills that succeed are typically aimed at the government and how it handles information, rather than at corporations.

Now that could change.

"This is a huge shot in the arm to a much-needed advancement for our legislative protections," said Scott Talbott, who heads up government relations for the trade group Electronic Transactions Association.

Some, like Alvaro Bedoya, the executive director of the Center on Privacy and Technology at Georgetown University, are cautiously optimistic. "Some states tend to have very strong data breach laws," he said. "We're going to need to put the Obama proposal side-by-side with those states' laws and see how they stack up."

Many questions still remain

While 47 states have laws requiring companies to at least notify consumers of security breaches involving their personal information, according to the National Conference of State Legislatures, the similarities often end there.

The toughest state laws, said Bedoya, have strong provisions for credit monitoring, requiring companies to give affected consumers at least a year of free credit protection. Companies must notify consumers that their information has been compromised within 30 days. California, for example, lets its residents attempt to recover damages, making it one of the most aggressive.

But South Dakota, Alabama and New Mexico have no data breach protections at all for consumers, according to Heidi Shey, a security and risk analyst at research firm Forrester.

The Electronic Privacy Information Center, a research group that tracks privacy and civil liberties issues, said the proposal would greatly impact consumers in those places, while also creating a minimum set of rules that all companies would have to follow.

President Obama isn't the first to propose such nationwide measures. In the previous session of Congress alone, which lasted from 2013 to 2015, there were four similar bills in the House of Representatives and two in the Senate. All of them went nowhere.

But that was before the latest string of privacy breaches. "It's important to have this in place from a consumer perspective," said Forrester's Shey. "If we have 50 separate laws, it makes it so much harder for a company to respond. It gets easy to drop the ball."

