Jun 09 2013

On March 19, Calvert Internal Medicine in Maryland notified current and former employees of a computer compromise that may have exposed their Social Security numbers to misuse. A copy of their notification was sent to the Maryland Attorney General’s Office. From reading their description of the breach, it seems that ADP failed to restore a firewall after attempting to deal with another problem, but it’s not clear whether that simply accounts for the spam run problem or if it also contributed to a malware problem that may have compromised employees’ information. See what you think:

Calvert Internal Medicine Group (CIMG) Sequence of Events Relating to Potential IT Breach March 20, 2013

- During the week of March 10, 2013, CIMG was notified by its domain service that ~9,000 spam emails were identified as originating from CIMG’s mail server’s domain. Spam sources were distributed across the internet using a CIMG finance department employee’s email account, an account which was hosted off-site on an independent network’s service computer. Malware was detected in files in the spam inbox of the suspected computer.

- Several weeks prior to the spam discovery, in an effort to resolve a time clock data transmission problem, the finance department employee using the suspect computer placed a service call to ADP technical support. During the call, ADP technical support took control of the computer and disabled the computer’s firewall. At the end of the service call, ADP technical support failed to reactivate the computer’s firewall.

- During the week of March 10, 2013, the suspect personal computer was removed from CIMG’s server. A new computer was installed.

- The finance department employee’s CIMG domain email account was disabled and replaced with a new, password protected, email address.

- Access passwords were changed for payroll (ADP), accounting (PeachTree) and banking services portals/software which resided on the computer.

- During the week of March 17, 2013, a CIMG employee was notified of irregular personal financial activity by a federal agency.

- Given the proximity of the two events, spam email originating from CIMG’s domain and suspicious activity involving an employee’s personal information/data, CIMG elected to notify all active and terminated employees of a suspected IT breach involving payroll-related information, employees’ names, addresses and social security numbers.

- With counsel’s assistance an employee notification document (attached) was drafted.

Apr 10 2013

Estelle Shirbon of Reuters reports:

A British computer hacker pleaded guilty on Tuesday to cyber attacks on targets including Sony, Nintendo, Rupert Murdoch’s News International and the Arizona State Police.

Ryan Ackroyd’s plea meant his planned jury trial did not go ahead and, as a result, the court did not hear any evidence on the motivation behind the attacks he made using the persona of a 16-year-old girl named Kayla as part of hacking group LulzSec.

[...]

Mustafa Al-Bassam, 18, and Jake Davis, 20, had both pleaded guilty to two counts while Ryan Cleary, 21, had pleaded guilty to six counts including that he attacked Pentagon computers operated by the U.S. Air Force.

[...]

The targets listed in the charge to which Ackroyd pleaded guilty also included Britain’s National Health Service, the U.S. public broadcaster PBS and 20th Century Fox.

Read more on NBCNews.

So how much time will Ackroyd get in exchange for his plea?

Jan 31 2013

Back in June 2012, the Department of Justice announced that Alci Bonannee had been arrested and charged with ID theft in a massive tax refund fraud scheme. At the time, they found evidence that over 1,000 fraudulent returns had been filed by Bonannee and her co-conspirators between January 2011 and June 6, 2012.

This week, Bonannee was convicted. Federal prosecutors claim that the ring that she headed had netted $11 million in federal tax refunds and involved the filing of approximately 2,000 fraudulent tax returns between December 2010 and June 2012.

Bonannee theoretically faces 351 years in prison when she’s sentenced. It would be nice if the DOJ press releases gave us a best guess of what the defendant will likely be sentenced to, as these “potentially faces” numbers are just not realistic.

This time, however, the government’s press release does give us some information about the source of the stolen identity information:

The defendant filed many of these fraudulent returns using compromised personal identification information obtained from a nurse at a local hospital.

So… which hospital breach was this and did we know about it? There have been a number of insider thefts at Florida hospitals, some of which I’ve covered on PHIprivacy.net, but which one involved a nurse and pre-dated December 2010 when the ring started filing fraudulent returns? Neither of Bonannee’s two co-conspirators – Chante Mozley and Sonyini Clay – appears to be the employee who provided the information. Was the employee ever prosecuted?

And when were patients whose information was stolen notified, and by whom?

Nov 14 2012

Another scheme involving insider breaches comes to light in Baltimore. The U.S. Attorney’s Office in Maryland reports:

Ringleader Derrick Hill, age 52, and his girlfriend Renee Cabell, age 51, both of Woodlawn, Maryland, pleaded guilty to conspiring to commit wire fraud and aggravated identity theft.

According to their plea agreements, from August to October, 2009, Hill and Cabell conspired with their co-defendants John Coffey and Tawney King to negotiate counterfeit checks drawn on victim bank accounts.

Hill received checks which had been designated for destruction by banks and stolen before they could be destroyed. He also received personal identity information and personal financial information from King who was employed by Highlandtown Community Health Center. According to King’s plea agreement, King accessed patient files and provided Hill with the patient identifying information either directly or through her friend Cabell. Hill used this information to create counterfeit checks using victim’s financial account information and the identity information of other victims. He also obtained counterfeit identification cards and personally altered genuine Maryland driver’s licenses so that they displayed victim identity information but the photograph of one of several co-conspirators, including Coffey.

Hill recruited Coffey to help him cash the checks at banks and retail establishments. If the counterfeit checks were cashed at a retail store, Hill told his co-conspirators what to buy. Proceeds, whether cash or merchandise, were given to Hill, who paid his co-conspirators a small percentage for each successful transaction.

Additionally, Cabell provided Hill with the names and identity information of doctors who applied for fellowships at Johns Hopkins Hospital where Cabell worked, processing the fellowship applications. Hill used the doctors’ identities to rent apartments, buy merchandise and obtain services. Indeed, shortly before Hill’s arrest, Hill was attempting to rent another apartment in a doctor’s identity because he and Cabell were about to be evicted for non-payment on the apartment they rented in the identity of another doctor.

The defendants obtained cash, merchandise and services worth over $188,000. The identities of over 250 individuals were compromised. All four defendants will be required to pay restitution for the full amount of the victims’ losses, which exceeds $188,000.

Hill and the government have agreed that if the Court accepts the plea agreement, Hill will be sentenced to 11 years in prison. U.S. District Judge Richard D. Bennett scheduled his sentencing for March 18, 2013, at 3:00 p.m.

Coffey and King previously pleaded guilty to the same charges. Cabell, Coffey and King face a maximum sentence of 20 years in prison for the conspiracy and a mandatory consecutive sentence of two years in prison for aggravated identity theft. Judge Bennett scheduled sentencing for Cabell, Coffey and King on March 21, February 13, and February 19, 2013, respectively, all at 3:00 p.m.

Nov 05 2012

On October 29, Kaiser Permanente began notifying employees of a breach that occurred August 24th when their names, Social Security numbers, and other information were mistakenly e-mailed to an individual not authorized to receive such information. From their letter:

[First Name] [Last Name] [Street Address] [City], [State], [ZIP code]

Dear [First Name],

We are writing to let you know of an incident involving the unauthorized transmission of confidential employee information, including some information belonging to you. We take privacy very seriously and we sincerely apologize that this happened. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be used for unlawful purposes. This notification is in compliance with California law, which requires notifying all former and current employees when there is a release of certain confidential information.

On August 24, 2012, an employee in Kaiser Permanente’s Northern California Region Recruitment department mistakenly emailed a list of former Northern California KP employees who left the organization between 1990 and 2006 to a person not authorized to receive the information. Some of these NCAL former employees have since returned to KP in various regions. This list contained, among other information, your name and Social Security number. No personal health information was involved.

The unintended recipient who received the information has been extremely cooperative. Kaiser Permanente’s IT Security conducted a detailed analysis to confirm that the recipient effectively deleted the information and that the information had not been further emailed or printed. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be used for unlawful purposes.

We also wish to reassure you that this incident involved your employment information with Kaiser Permanente only and that none of your personal health information as a member of Kaiser Foundation Health Plan was involved.

This situation was brought to our attention in late August, 2012, and we immediately took steps to investigate and secure the information that was inadvertently transmitted. We have since put in place new controls to secure this type of employee information and prevent this from happening again.

We understand your concerns about the privacy of your personal information. Again, we apologize that this unfortunate incident occurred. We have established the following phone number for you to call if you have questions or concerns: 866-578-5413. Thank you.