Monday, December 21, 2009

Email Attachments (FELONY CONVICTION)

http://blog.cleveland.com/metro/2009/12/attempt_to_spy_on_worker_at_ak.html

The FBI was contacted and Graham ultimately pleaded guilty to a felony, intercepting electronic communications, in U.S. District Court. He faces possible prison time when sentenced early next year, although probation is also possible.

Graham's case raises questions. How could a hospital's security be breached with a legal product? And how many other people might be trying something similar?

Early last year, Graham, a cardiac surgical technician at University Hospitals in Cleveland, wanted to sneak a peek at the online activity of a woman he knew.
----- (WHAT HAPPENED)
So he sent an e-mail to her personal Yahoo! account with an attachment that would unleash spyware when opened.
The spyware, legally purchased on the Internet, was designed to capture e-mails and screen shots from the infected computer and forward them to a stealth e-mail account Graham could peruse without anyone knowing.

Graham was soon receiving hospital files, including more than 1,000 screen views, most containing confidential information about medical procedures and diagnostic notes for specific patients. He also received personal e-mail and financial records of four hospital employees.
----- (HOSPITAL SECURITY?)
MIAOULIS NOTE: What should the hospital have done to prevent this? Antivirus software, firewalls, etc. could have prevented this. Could this happen at your organization? Do you allow Gmail, Yahoo mail, etc.? It was through this GMAIL account that this breach occurred.

Internet security breach found at UCSF-PHISHING

SAN FRANCISCO – Over 600 patients at the University of California, San Francisco are being notified of a possible data breach that occurred when a hacker obtained e-mails containing their personal information.

UCSF officials say the breach occurred in late September 2009 when a faculty physician in the School of Medicine fell prey to a phishing scam. According to officials, the physician unknowingly provided the user name and password for his/her e-mail account in response to an e-mail message that appeared to come from the university's internal computer servers.

UCSF Enterprise Information Security officials identified the security breach and disabled the compromised password. After conducting a complete audit of the incident, the university determined that e-mails in the physician's account - including those containing demographic and clinical information (and, in the case of four individuals, Social Security numbers) - may have been exposed.
http://www.healthcareitnews.com/news/ucsf-notifies-600-patients-hacker-attempts
 
MIAOULIS NOTE: Just another example of how security can be breached. Does your training program cover phishing? Could this happen at your facility? What are you doing to prevent it? Learn from these incidents.

Tuesday, December 15, 2009

Federal data breach notification law passes in U.S. House

MIAOULIS NOTE:  We can all hope that this legislation passes as it would pre-empt the jumbled state laws and give everyone a single requirement to follow. 
http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1376407,00.html?track=NL-1166&ad=740484&asrc=EM_NLS_10340767&uid=7932224

The United States House of Representatives took a major step this week toward enacting a national data breach notification law.

H.R. 2221, the Data Accountability and Trust Act (DATA), cleared the House with a voice vote. In its current form, DATA requires businesses to notify customers and the Federal Trade Commission (FTC) if sensitive information has been exposed to a security breach.

If the U.S. Senate can reconcile its own approach to data breach notification legislation with DATA, a new federal standard will emerge. If signed into law by President Barack Obama, a federal data breach law would pre-empt the jumbled mass of dozens of state laws.

Wednesday, December 2, 2009

WDH wasn't required to report patient privacy breach

DOVER — Wentworth-Douglass Hospital may have had to disclose the patient privacy breach had it occurred more recently, but since it did not the hospital wasn't required to do so.

The HIPAA Privacy Rule, however, would have "permitted" the hospital to notify patients or proper authorities of a violation, according to a statement from the U.S. Department of Health and Human Services. The agency's Office for Civil Rights enforces the rule protecting health information.

The breach took place between May 2006 and June 2007, involving a former hospital employee who improperly accessed patients' electronic records more than 1,800 times. http://www.fosters.com/apps/pbcs.dll/article?AID=/20091202/GJNEWS_01/712029961

MIAOULIS NOTE: The Health Information Technology for Economic and Clinical Health (HITECH) Act breach notification requirements went into effect on Sept. 23. Even though the hospital was not legally required to notify the individuals affected, organizations may want to notify the individuals anyway to minimize the risk to the patients whose records have been breached.

Tuesday, December 1, 2009

16 Employees Fired (HOUSTON)

HOUSTON (KTRK) -- Eyewitness News has learned that 16 employees of the Harris County Hospital District - most of whom worked at Ben Taub General Hospital - were fired last week for allegedly looking through patients' confidential medical information.

The fired employees range from supervisors to assistants. A source tells Eyewitness News some of the information accessed is that of a Ben Taub doctor who was robbed and shot late last month.

According to a source, they were all interested in just one patient, Dr. Stephanie Wuest, a first-year medical resident who was shot multiple times late last month during an attempted robbery. She was taken to Ben Taub, where she also works. http://abclocal.go.com/ktrk/story?section=news/local&id=7137559

MIAOULIS NOTE: The hospital took strong action, but all hospitals should review their audit trails, sanction processes and training to determine if they are adequate. Important to note: every time you have a breach, ask yourself, has MY organization done enough to prevent this? What more should we do to prevent this in the future?
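As an added illustration (not from the article or this blog), here is one way an audit-trail review could surface the two patterns in these stories: one employee reading many patients' records (the Wentworth-Douglass case) and many employees reading one patient's record (the Ben Taub case). The log format, user names, patient IDs and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample EHR access-log lines (not real data).
# Format assumed: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2009-11-20T08:01:00,nurse01,P1001,view
2009-11-20T08:05:00,nurse01,P1002,view
2009-11-20T08:07:00,clerk07,P2000,view
2009-11-20T08:09:00,tech03,P2000,view
2009-11-20T08:11:00,rn_sup2,P2000,view
2009-11-20T08:12:00,asst09,P2000,view
2009-11-20T08:20:00,clerk07,P1003,view
2009-11-20T08:21:00,clerk07,P1004,view
2009-11-20T08:22:00,clerk07,P1005,view
2009-11-20T08:23:00,clerk07,P1006,view
2009-11-20T08:24:00,clerk07,P1007,view
2009-11-20T08:25:00,clerk07,P1008,view
"""

def parse_log(text):
    """Parse lines into (timestamp, user, patient, action) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records

def users_with_broad_access(records, max_patients):
    """Users who viewed more distinct patients than max_patients (one employee, many records)."""
    seen = defaultdict(set)
    for _, user, patient, _ in records:
        seen[user].add(patient)
    return {u: len(p) for u, p in seen.items() if len(p) > max_patients}

def patients_with_many_viewers(records, max_users):
    """Patients viewed by more distinct users than max_users (many employees, one patient)."""
    viewers = defaultdict(set)
    for _, user, patient, _ in records:
        viewers[patient].add(user)
    return {p: sorted(u) for p, u in viewers.items() if len(u) > max_users}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("broad access:", users_with_broad_access(recs, max_patients=5))
    print("crowded records:", patients_with_many_viewers(recs, max_users=3))
```

In practice the thresholds would be set per role and per time window, and each flagged access compared against the user's treatment relationship with the patient before sanctions are considered.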

Another Laptop Stolen - CHOP

http://www.philly.com/philly/news/pennsylvania/20091201_Hospital_laptop_stolen__data_may_be_breached.html
A Children's Hospital of Philadelphia laptop computer containing Social Security numbers and other personal information for 943 people was stolen from a car outside an employee's home on Oct. 20. The billing information on the computer was password-protected, but an analysis found it was "possible to decode the security controls on the laptop and gain access to the personal information."
Children's Hospital is providing the affected families access to a service that monitors for signs of identity theft and includes identity-theft consultation and restoration.

MIAOULIS NOTE: ENCRYPT. Notice the article does not mention encryption. HITECH clearly states that password protection does not offer a safe harbour for breaches.

Laptops Stolen

MIAOULIS NOTE: Laptops will be lost or stolen. All healthcare organizations should take steps to encrypt their laptops. Take an inventory, find out what information is on your laptops and encrypt it. One possible open source solution is TrueCrypt. I do not endorse the product, but it is free for those with some level of technical knowledge. http://www.truecrypt.org/

Laptop With Personal Information Stolen From Aurora St. Luke's. Their notification letter can be found here: http://www.wisn.com/download/2009/1125/21726538.pdf

MILWAUKEE -- A Milwaukee hospital is warning thousands of its patients that personal information about them may have been stolen. The theft happened last month at Aurora St. Luke's Medical Center on Milwaukee's south side. More than 6,000 people who were in-patients at St. Luke's will be getting a letter in the mail. It warns them that their name, Social Security number and other information may have landed in the hands of thieves.  
http://www.wisn.com/news/21726827/detail.html