5 Million Mass. Residents Affected by Data Breaches Since 2007

According to Barbara Anthony, head of the Massachusetts Office of Consumer Affairs and Business Regulation, 5,000,000 residents of the Commonwealth have been affected by data breaches since October 2007, when the state’s data breach notification law was enacted.

According to a Herald report, the Office gets about fifty breach notifications each month. In all, the Office has received approximately 2,200 data breach notification letters reporting lost or stolen data since the law was enacted.


Belmont Savings Bank Fined $7500 for Lost Backup Tape

According to a settlement with the Massachusetts Attorney General’s office, Belmont Savings Bank has been fined $7,500 for losing personal information belonging to more than 13,000 customers. In May, an unencrypted backup computer tape containing information from more than 13,000 customers was lost, according to a report by the Boston Herald. The backup tape, which had been left out on a desk, was inadvertently thrown away by the cleaning crew. It is believed that the tape was most likely incinerated by the bank’s waste-disposal company.

The settlement reportedly requires the bank to improve its information security practices, including handling and storage practices.


Red Flags Exemption Bill Signed at Last!

This past Saturday, President Obama signed legislation that exempts many businesses, including lawyers, accountants, physicians’ offices, therapists, and many other types of healthcare providers, from the Red Flags Rule. This legislation narrows the definition of the term “creditor” so as to exclude professionals or businesses that “advance funds on behalf of a person for expenses incidental to a service provided by the [professional or business] to that person.” A creditor that “obtains or uses consumer reports… in connection with a credit transaction,” “furnishes information to consumer reporting agencies,” or advances funds to a person obligated to either repay the funds or pledge property as repayment (including payday loan businesses and pawn shops) will continue to be required to comply with the Red Flags Rule. The bill was introduced by Sens. John Thune, R-S.D., and Mark Begich, D-Alaska, and goes into effect immediately.


Don’t Hold Your Breath

If you’ve been standing by your mailbox waiting for a breach notification letter to arrive from South Shore Hospital, the waiting is over. As things stand now, you will not receive anything via the United States Postal Service. Instead, if the hospital has your e-mail address, you may receive a notice sent through cyberspace. More likely, however, the only notification you’ll receive will be through public notices in newspapers and the press release posted to South Shore Hospital’s website. While the hospital originally pledged to mail notices to each of the affected patients, employees, volunteers, and vendors, hospital management has had a change of heart. The hospital has decided instead to provide “substitute notice,” as allowed under M.G.L. ch. 93, Section 1. Because the number of affected residents exceeds 500,000, the hospital may forgo notification by mail. It may instead send notice to residents via e-mail if their addresses are available, publish its notification and/or broadcast notice throughout Massachusetts, and conspicuously post a notice on the hospital’s homepage.

This is all well and good, but I, like many others, have been a patient of South Shore Hospital on several occasions. Substitute notice does not inform me as to whether or not my records have been lost. As I understand it, two of three boxes of backup tapes shipped off site for destruction were lost. These tapes contained records from 1996 through January 6, 2010. The hospital contracted with Iron Mountain to manage the shipping and destruction, but apparently Iron Mountain hired a subcontractor to perform these duties. Which box were my records in? Apparently, anyone who has been a South Shore Hospital patient, volunteer, employee, or vendor between 1996 and 2010 should assume they’ve been affected by this fiasco.


Pharmacy Records Lost

The health care breaches just keep coming! Customers of Walsh Pharmacy of 202 Rock St., New Bedford, will be receiving notices from the pharmacy that their personal information has been compromised. A legal notice was placed in the Boston Herald earlier this month after a DVD containing prescription information as well as “names, social security, health care numbers, and driver’s license numbers” was lost in the mail.


Disliking the “New” Facebook Button

Facebook friends beware! There is a new button popping up on Facebook that is nothing more than malware. The Better Business Bureau has issued a warning to Facebook members advising users to refrain from hitting the “Dislike Button.”


And the Breaches Keep on Coming!

Since my last post I have read of three, and possibly four, data breaches in Massachusetts alone.

The first, reported by the Herald on August 2nd, involved a stolen laptop belonging to biomedical chemist Galen Loving, who is doing cancer research at Massachusetts General Hospital. The computer contained “reams of priceless data on cancer research.” The researcher forgot to retrieve his computer before departing from a Somerville restaurant. He realized the next morning that the computer and the thumb drive he backed up on were all in the same bag that he “mindlessly” left behind. In addition to many of Loving’s papers and presentations, the computer contained e-mails, failed studies and proposed future projects. No mention was made in the article as to whether the lost data contained information protected under 201 C.M.R. 17 or HIPAA. And unfortunately, no mention was made of encryption.

The following day, the Patriot Ledger reported that the Town of Rockland disposed of hundreds of intact canceled paychecks bearing bank account numbers and, in some instances, Social Security numbers of town workers employed between 1992 and 2002. The checks subsequently flew out of a disposal truck and onto the roadside. The Town Treasurer, responsible for disposal of the canceled checks, reportedly “didn’t realize they had Social Security numbers” on them and made no effort to shred the documents. The driver for Mike DelPrete & Sons Trucking “assured the town that he would retrace his route and pick up any checks he saw.” The town, however, acknowledged they have “no way of knowing… how many were lost – blown to the wind, down a gutter, on somebody’s hedge.” Employees whose payroll was directly deposited into accounts are reportedly not affected by this breach.

Then just days later, the Town of Hingham distributed via e-mail 1300 employee names and social security numbers to its management. A town official describes the risk to affected employees as “beyond minimal,” but I suspect the owners of the compromised records might feel differently. Of the thirty or so e-mails originally sent out, eleven were forwarded to managers’ personal e-mail accounts and computers, leaving one to wonder: how appropriate is it to have town business stored on personal computers and smart phones that may be less than secure?

Today I wake up to learn that records from four Massachusetts community hospitals were found at a local dump. The Boston Globe reports that thousands of unshredded medical records containing social security numbers, names and addresses, diagnoses, pathology reports including cancer tests and other medical information ended up in a pile about 20 feet wide by 20 feet long at a public dump. Preliminary reports have been made to the Attorney General’s office. The AG’s office says it is reviewing “whether there has been a data breach.” It seems the issue has more to do with the extent of the breach and whether the AG’s office is going to give 201 C.M.R. 17 some teeth and start issuing fines. The Department of Public Health will undoubtedly be involved as well, as it examines HIPAA and HITECH data protection issues.

Unfortunately, all of these breaches highlight the fact that data security is not just about keeping hackers out of corporate networks. A business’s data security is only as strong as the weakest link. In each of these incidents the weak link is directly tied to employee error. All of these breaches could have been prevented with better employee training, a comprehensive data security plan and properly enforced policies and procedures.


South Shore Hospital Unable to Locate 800,000 Records Containing Personal Information

South Shore Hospital in Weymouth is the latest Massachusetts organization to announce a data security incident. The hospital issued a press release on July 19, 2010, reporting that backup computer files containing approximately 800,000 records have apparently been lost. The files were reportedly sent to a professional data management company for destruction; however, only a portion of the shipped records were actually destroyed. The remainder of the records are unaccounted for. Personal information involved includes names, birth dates, social security numbers, driver’s license numbers, medical and health insurance information including diagnoses, and in some instances bank and credit card account information. The records involved belong to patients as well as physicians, employees, volunteers, vendors and business partners.


Massachusetts Data Breach Compromises 139,000 Records

June 8, 2010 - The Massachusetts Secretary of the Commonwealth’s office has acknowledged that it unintentionally released to a business publication personal information belonging to 139,000 state-registered investment advisers. The information was reportedly provided to IA Week, an investment industry publication, by a new employee when responding to a request for public information. The employee failed to take the necessary steps to remove personal information prior to releasing the records on CD.
