According to a Herald report, the Office gets about fifty breach notifications each month. In all, the Office has received approximately 2,200 data breach notification letters reporting lost or stolen data since the law was enacted.

The settlement reportedly requires the bank to improve its information security practices, including handling and storage practices.

This is all well and good, but I, like many others, have been a patient of South Shore Hospital on several occasions. Substitute notice does not inform me as to whether or not my records have been lost. As I understand it, two of three boxes of backup tapes shipped off site for destruction were lost. These tapes contained records from 1996 through January 6, 2010. The hospital contracted with Iron Mountain to manage the shipping and destruction, but apparently Iron Mountain hired a subcontractor to perform these duties. Which box were my records in? Apparently, anyone who has been a South Shore Hospital patient, volunteer, employee, or vendor between 1996 and 2010 should assume they’ve been affected by this fiasco.

The breach affects approximately 11,440 people in six or seven states, including Massachusetts and New Hampshire. Walsh Pharmacy is offering two years of free credit monitoring to customers whose data has been compromised. Owner Tom Pasternak is quoted as saying, “Personally, I don’t think anyone has anything to worry about, but I just wanted to take this precaution. I’m extremely confident no data got breached.”

The information is reportedly “protected through the use of multiple passwords and can only be opened on a specific operating system.” (In a letter to the New Hampshire Attorney General’s office it is identified as a UNIX operating system.) That, however, does not meet the protection requirements set forth in 201 C.M.R. 17, which mandate that records stored on portable memory devices must be encrypted if they contain personal information such as social security numbers, driver’s license numbers or financial account information. Password protection is not encryption and operating systems such as UNIX, may be less common, but are by no means unique to Walsh Pharmacy.

Attorney Paul Garbarini, who represents the Pharmacy stated, “You’d have to be a computer whiz to get at that language.” This is little assurance given the fact that many kids over 12 are computer whizzes these days and folks dealing with stolen data sold on the black market have more than enough technology and skill to crack passwords and UNIX code.

Garbarini said “information will no longer be sent via mail, and instead sent through a secure e-mail system.” While this is a good start to enhance data security, compliance with 201 C.M.R. 17, HIPPA and HITECH would have prevented this issue altogether. Portable data would have been encrypted, employees would have been properly trained, and there would have been procedures in place to ensure that vendors were taking the proper steps to protect this information as well. Instead, Walsh Pharmacy has made the news, they’re now in the position of having to tell their customers about their lax record-keeping practices, they’re faced with legal and credit-reporting fees they could have avoided, and they may may still incur extensive fines for numerous regulatory violations.

This malware, if activated by a click, forwards the user to the approval menu and requests access to the user’s basic information and Wall at any time. And of course, to make matters worse, in true Facebook viral fashion, if the user authorizes access it will automatically invite all of your friends to get their own “Dislike Button,” making you just a little less popular on Facebook… And then finally, the last step to get the “Dislike Button” requires the unsuspecting user to complete a survey that the scammers can then sell off.

So if by chance you fell for this rouse, immediately remove the app from your Facebook profile. You may also have to remove the original and any other related messages from your status, your News Feed, and your Likes and Interests. In order to do this go to the “Edit my Profile” menu and clean house.

The first, reported by the Herald on August 2nd, involved a stolen laptop belonging to biomedical chemist Galen Loving, who is doing cancer research at Massachusetts General Hospital. The computer contained “reams of priceless data on cancer research.” The researcher forgot to retrieve his computer before departing from a Somerville restaurant. He realized the next morning that the computer and the thumb drive he backed up on were all in the same bag that he “mindlessly” left behind. In addition to many of Loving’s papers and presentations, the computer contained e-mails, failed studies and proposed future projects. No mention was made in the article as to whether the lost data contained information protected under 201 C.M.R 17 or HIPAA. And unfortunately, no mention was made of encryption.

The following day, the Patriot Ledger reported that the Town of Rockland disposed of hundreds of intact canceled paychecks bearing bank account numbers and, in some instances, Social Security numbers of town workers employed between 1992 and 2002. The checks subsequently flew out of a disposal trunk and onto the roadside. The Town Treasurer, responsible for disposal of the canceled checks reportedly “didn’t realize they had Social Security numbers” on them and made no effort to shred the documents. The driver for Mike DelPrete & Sons Trucking “assured the town that he would retrace his route and pick up any checks he saw.” The town, however, acknowledged they have “no way of knowing… how many were lost – blown to the wind, down a gutter, on somebody’s hedge.” Employees whose payroll was directly deposited into accounts are reportedly not affected by this breach.

Then just days later, the Town of Hingham distributed via e-mail 1300 employee names and social security numbers to its management. A town official describes the risk to affected employees as “beyond minimal,” but I suspect the owners of the compromised records might feel differently. Of the thirty or so e-mails originally sent out, eleven were forwarded to managers’ personal e-mails accounts and computers, leaving one to wonder: how appropriate it is to have town business stored on personal computers and smart phones that may by less than secure?

Today I wake up to learn that records from four Massachusetts community hospitals were found at a local dump. The Boston Globe reports that thousands of unshredded medical records containing social security numbers, names and addresses, diagnoses, pathology reports including cancer tests and other medical information ended up in a pile about 20 feet wide by 20 feet long at a public dump. Preliminary reports have been made to the Attorney General’s office. The AG’s office says it is reviewing “whether there has been a data breach.’’ It seems the issue has more to do with the extent of the breach and whether the AG’s office is going to give 201 C.M.R. 17 some teeth and start issuing fines. The Department of Public Health will undoubtedly be involved as well as they examine HIPAA and HITECH data protection issues.

Unfortunately, all of these breaches highlight the fact that data security is not just about keeping hackers out of corporate networks. A business’s data security is only as strong as the weakest link. In each of these incidents the weak link is directly tied to employee error. All of these breaches could have been prevented with better employee training, a comprehensive data security plan and properly enforced policies and procedures.

The hospital reportedly shipped the files out for destruction on Feb. 26, 2010.  Interestingly, these records were sent out just days before the March 1, 2010 compliance deadline for 201 C.M.R. 17.  In its press release, the hospital states “When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.”

The hospital stops short of stating that the records were encrypted utilizing current technology, however it reports that experts have confirmed that it would take specialized software and hardware expertise to open and decipher the files.  The hospital has yet to explain, however, why it took nearly four months to get answers from the data management company or to disclose the data management or shipping companies involved.  The hospital has since ceased off-site destruction of back-up computer files and is reportedly establishing policies to prevent a recurrence.

While the hospital and the undisclosed data management company may not feel the full force and effect of 201 C.M.R. 17, both still are still required to conform to the requirements imposed by HIPAA and HITECH as well as MGL ch. 93I related to the disposal and destruction of records.  The law provides that a third party may be contracted with to dispose of personal information.  The disposal company is required under the law, however, to “implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information.”

Chapter 93I violations may result in potential fines of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal – a far cry from those associated with 201 C.M.R. 17 violations.

June 8, 2010 - The Massachusetts Secretary of Commonwealth’s office has acknowledged that it unintentionally released to a business publication personal information belonging to 139,000 state-registered investment advisers. The information was reportedly provided to IA Week, an investment industry publication, by a new employee when responding to a request for public information. The employee failed to take the necessary steps to remove personal information prior to releasing the records on CD.

Personal information released included: investors’ names, Social Security numbers, dates and places of birth, height, weight, hair color and eye color.

The CD on which the data was contained was returned to the Secretary of  Commonwealth’s office.  The business publication denies that any copies were made. Read More About this Breach

While 201 CMR 17 does not apply to state agencies, Executive Order 504 issued on September 19, 2008, requires all state agencies to ” develop, implement and maintain written information security programs governing their collection, use, dissemination, storage, retention and destruction of personal information…  All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order.  For future employees, such training shall be part of the standardized orientation provided at the time they commence work.  Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.”