Archive for April, 2010

Stolen Hard Drive Puts Data from 5,418 Patients at Risk

Friday, April 30th, 2010

On April 1st a hard drive was stolen from the mammography suite of The Medical Center at Bowling Green. The missing drive contained information on 5,418 patients who had undergone bone density testing between 1997 and 2009, including names, addresses, birth dates, physician names, medical records, and possibly Social Security numbers.

Of course, the data was neither encrypted nor otherwise protected on the drive itself, leaving it exposed to anyone who happens to examine the drive's contents. The medical center managed the investigation internally for 17 days before notifying authorities and turning the case over as a criminal incident. Only at that point did it begin to notify the affected patients.

Looking at the positive side of the incident: “Since the theft occurred, hospital officials have taken steps to strengthen the security of patient information and that includes linking to a secure network eliminating the need for computer hard drives, such as the one that was stolen.”

Yet again, a case of reacting after the fact. Installing a sprinkler system AFTER the building burns down offers little consolation for the lost building, yet so many companies and IT administrators seem willing to gamble with the personal information they are entrusted with, and they frequently lose.

A small investment in proactively encrypting data to prevent unauthorized access would have protected the data and saved the Medical Center from the bad publicity and damaged reputation. “Fixing” the problem after the fact is almost always a more costly proposition than doing it right in the first place.

UK Police Officer Emails Sensitive Information

Monday, April 19th, 2010

Oops. Have you ever hit SEND just as you realized you were sending an email to the wrong person or group? Well, imagine how one Gwent Police officer felt when he accidentally forwarded an unprotected Excel spreadsheet containing sensitive information on over 10,000 people... to a journalist.

The officer, now facing a gross misconduct investigation and possible termination, sent an Excel file attachment containing names, dates of birth, and detailed results of criminal background investigations on 10,006 individuals dating back to 2001.

It is up to the Gwent Police to determine whether negligence, incompetence, or simple human error led to this data breach. But incidents like this are preventable if you remove the human error factor from the equation. Zecurion Zgate monitors inbound and outbound email for sensitive information, ensures that private and confidential data is handled according to established rules and policies, and ensures that sensitive data is not transmitted unencrypted.

Portable Hard Drive Theft Puts Client Data at Risk

Monday, April 19th, 2010

A portable hard drive containing unencrypted data was stolen from the car of an LPL Financial representative, putting the names, addresses, birth dates, and Social Security numbers of an undisclosed number of clients at risk.

In LPL Financial’s defense, there is an existing branch security policy requiring that all portable hard drives or laptops storing client data must be encrypted and accessible only by use of a passcode or key. Apparently, that policy was not obeyed in this case.

There are forty-five states with some sort of disclosure law requiring that data breaches be reported, but only two states, Massachusetts and Nevada, actually require that personal client data be encrypted.

It is admirable that LPL Financial has an established policy mandating that data be encrypted, but, as this incident illustrates, policies can be broken. LPL Financial, and other companies serious about protecting data, should have a solution in place that doesn’t rely on human intervention to function. Sensitive data should only be allowed to be written to drives that have the appropriate encryption mechanisms in place.

Zecurion Captures Unique Honor in UK

Tuesday, April 13th, 2010

Zecurion has emerged as one of two organizations, chosen from a field of 75 submissions, selected as winners of a competition sponsored by IT recruitment firm Acumin. The Critical Security Solutions initiative was launched to address a perceived lack of innovation among security vendors and security products in the UK. The other winner was Modulo, a specialist in governance, risk and compliance management.

Chris Batten, managing director of Acumin, said: “Both vendors were able to demonstrate that their products had the innovation that our panel was looking for and could add value to the UK information security market.”

The unique honor comes with a unique award. Both Zecurion and Modulo will “be given advice on defining a UK market entry plan, help with sales and marketing and introductions to appropriate resellers. They will also receive free sponsorship of the Risk and Network Threat (Rant) forum, an end user security forum organised by Acumin.”

Zecurion is pleased to have been recognized with this distinctive honor, and is looking forward to capitalizing on the valuable opportunity to extend its market presence in the UK and provide UK customers with innovative and effective solutions to protect data and guard against internal information security threats.

Closing the Barn Door After the Horses Escape

Tuesday, April 6th, 2010

There is an old saying about closing the barn door after the horses have escaped. Obviously, that is too late.

John Muir Health is “closing the barn door after the horses escape” by implementing disk encryption software on its laptops AFTER two laptops with unencrypted data were stolen, leading to the compromise of nearly 5,500 patients’ sensitive and confidential data.

John Muir Health waited two months, the maximum amount of time allowed under the HITECH amendment to the HIPAA compliance mandate that governs data security in the health industry, before notifying patients. Hala Helm, Muir’s vice president and chief compliance and privacy officer, is quoted explaining the delay: “We wanted to make sure we had accurate information and could address questions from our patients.”

The move to encrypt the data on John Muir Health laptops is a good one, but in hindsight it is obviously a security control that should have been in place already. Had the data on the stolen laptops been encrypted, no patient data would have been exposed or compromised as a result of the theft. John Muir Health could have simply written off a few thousand dollars for the lost hardware, replaced the laptops, and carried on with business as usual.

If your organization has laptops, and those laptops ever hold private, sensitive, or confidential data, perhaps you should consider shutting the barn door now, while the horses are still safely inside.