Massive Australian Taxation Office data loss feared after Hewlett Packard Enterprise equipment crash

Fleur Anderson and Paul Smith report: The Australian Taxation Office has restored access to some of its online services, but concerns remain that large amounts of data have been lost after it suffered a “world-first” technical glitch to equipment from Hewlett Packard Enterprise more than 24 hours earlier. Tax officials were reportedly told to work from home for the second successive day, due to inability to access some key internal systems, and citizens were unable to access its website after a failure in the hardware that stores the ATO’s data. The systems went down on Monday after a failure of the HPE storage network, which was upgraded in November 2015 with technology news website ITNews reporting the loss of 1 petabyte of data, which it is still attempting to recover. Read more on AFR.

Lucile Packard Children’s Hospital notifying 12,900 after laptop stolen from secured badge-access area

Lucile Packard Children’s Hospital is no stranger to stolen equipment containing PHI. In January, 2010, they self-reported a breach involving a stolen desktop computer with PHI on 532 patients, and as recently as January, they notified 57,000 patients after a laptop was stolen from a physician’s car. Now the hospital is notifying patients about another breach involving the theft of hardware with unencrypted PHI.

From a statement on their web site:

Lucile Packard Children’s Hospital at Stanford is notifying patients by mail that a password-protected, non-functional laptop computer that could potentially contain limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital sometime between May 2 and May 8, 2013. This incident was reported to Packard Children’s on May 8. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement. To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.

What medical information was on the laptop?

The information that could potentially have been on the stolen computer related to operating room schedules, which the employee accessed as part of her work functions through Packard Children’s secure and encrypted electronic systems. The computer was password protected, but some information could have transferred to the laptop, and the laptop was not encrypted. The computer was outdated and damaged, thus on a schedule for collection by information technologists. The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information.

The information on the operating room schedule that could have transferred to the computer would have been patient names, ages, medical record number, telephone number, scheduled surgical procedure, and name of physicians involved in the procedure over a three-year period beginning in 2009. To date, there is no evidence that any patient data has been accessed by an unauthorized person or otherwise compromised.

How many patients were potentially affected?

Out of an abundance of caution, we are providing outreach to approximately 12,900 patients, and we are assuring they are notified promptly.

When did the notifications begin?

Notifications to federal and state regulators, affected individuals and parents, and the media are under way as of June 11. Due to the law enforcement investigation, such notifications were delayed, as permitted by law, to avoid impeding the investigation.

How are potentially affected individuals being notified?

In addition to the mailed letters, a toll-free phone line has been established to answer questions for those notified. The toll-free number is (855) 683-1168, and is available Monday through Saturday from 6 a.m. to 6 p.m. PST. In addition, potentially affected individuals have been offered the option of free identity protection services.

How is the investigation proceeding?

So far, efforts to recover the computer have been unsuccessful, but the law enforcement investigation is still ongoing. Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data.

News Release

$250,000 penalty issued to Lucile Packard Children's Hospital was an error – CDPH

A breach at Lucile Salter Packard Children’s Hospital in 2010 generated a number of posts on this blog – especially after the hospital was reportedly fined $250,000 by California for a delay in notifying patients of the breach. I recently reported that the hospital had settled its appeal with the state and did not have to pay the $250,000 fine, but I didn’t know why or what we could learn from the settlement. Neither the hospital nor the state would give me any statement before I wrote that post. The state subsequently contacted me and said they would issue a statement, which I just received: The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100. So after all that – and after all the blog entries and discussions with lawyers about the wisdom of such a steep penalty under the conditions of the breach and the possible constitutionality of California’s law, the fine was just a mistake. And thus endeth this story.

Lucile Salter Packard Children's Hospital avoids $250,000 penalty for late breach notification (updated)

UPDATE: In a statement sent to on March 7,  a CDPH spokesperson writes: The original $250,000 penalty posting was an error discovered during the appeal. The correct calculation should have been $100/day times the number of days the facility failed to report the breach to CDPH, for a total penalty of $1100. So after all that, it was just a mistake? Yikes… Original post: A penalty imposed by California on a hospital for failure to notify patients within 5 days was appealed and the case settled, but can we learn anything from the settlement? In March 2010, we first learned of an incident involving a stolen computer with 532 patients’ information at Lucile Salter Packard Children’s Hospital.  As more details emerged, we learned that while the incident occurred on January 11, 2010, the hospital had first reported the breach to the state on February 19, 2010, despite the fact that California law  governing hospitals requires notification to the state and affected patients within 5 days of detection of unlawful or unauthorized access, use, or disclosure. In April 2010, the state imposed a $250,000 penalty on the hospital for failure to timely notify patients. That amount was the maximum allowable under California’s law. The hospital appealed the penalty. Their case raised a number of questions, including whether a hospital had a legal obligation to notify if it was still investigating a report and trying to determine if there had been unauthorized access to patient information.  I uploaded the state’s report and covered some of the resulting controversy over the penalty, including a guest post about the constitutionality of laws and suspected data breaches. And that’s where things stood for quite a while, as whenever I checked back, the appeal was still under consideration. In due course, being well-intentioned but old, I forgot to keep checking. 
This week, a few remaining neurons kicked into gear, and I learned that the hospital and the state had reached a settlement in September 2011, a copy of which I obtained from the state. Under the terms of the settlement, the hospital paid $1,100.00 for late notification to the state and no penalty for late notification to patients. The settlement, which also included an additional $3,000.00 penalty for settlement of an unrelated privacy breach notification complaint, included a statement: Execution of THIS STIPULATION FOR SETTLEMENT does not constitute any acknowledgement or admission of error, fault, liability or wrongdoing by either party. Neither the state nor the hospital would comment on the settlement. So where does that leave us on the possible constitutional issues raised? What have we learned about how the state interprets the notification provisions? What should legal counsel for covered entities in California advise their clients going forward should a similar situation arise again, as it may if an employee with authorized access walks out with (possibly steals) a device containing PHI? Does the entity need to notify all patients even if they haven’t yet determined whether the device might still be under the employee’s control and the data have neither been accessed nor used? Your guess is as good as – or better than – mine. There are probably lessons to be learned here about breach response in California, but damned if I know what they are without some explanation from the state. You can access the settlement here (pdf). See what you think. Interestingly, HHS’s investigation of the incident still remains open.

Lucile Packard Children’s Hospital at Stanford notifying 57,000 patients after laptop stolen from physician's car

From their press release, issued yesterday: Lucile Packard Children’s Hospital at Stanford and the Stanford University School of Medicine are notifying patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician’s car away from campus on the night of January 9, 2013. This incident was reported to Packard Children’s and the School of Medicine on January 10. Immediately following discovery of the theft, Packard Children’s and the School of Medicine launched an aggressive and ongoing investigation with security and law enforcement, and began contacting patients potentially affected. The medical information on the stolen laptop was predominantly from 2009 and related to past care and research. The patient data did not include financial or credit card information, nor did it contain Social Security numbers or any other marketable information. It did include names and dates of birth, basic medical descriptors, and medical record numbers, which are used only by the hospital to identify patients. In some cases, there was limited contact information. There is no indication that any patient information has been accessed or compromised. They also posted an FAQ on their site, which says, in part, that 57,000 patients are being notified. h/t, Mercury News

Did the punishment fit the "crime?" (the Lucile Salter Packard Hospital breach fines)

Jason C. Gavejian writes about a hospital breach that is causing waves because of the exorbitant fine the state imposed. Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law. What makes this fine particularly disconcerting for health care providers is the relatively small number of patient records which were subject to the breach when compared to the considerable fine imposed. For employers generally, this fine could establish a timing and penalty standard which is examined and utilized by other administrative entities. Personally, I think the significant issue/concern is not the number of patients affected (532) but the time issue. The hospital had confirmed that PHI were on the stolen computer by Feb. 1. Under California’s law, the state’s position is that the hospital had five (5) business days from that point to notify both the state and affected patients. The hospital, however, did not notify the state or affected patients until February 19 — after it confirmed that it could not recover the computer. CDPH informed the hospital of the fine due to the reporting of the incident 11 days late on April 23, 2010. It is unclear if the fine was tied to a failure to notify the affected individuals or the CDPH. The hospital is appealing the fine asserting its communication to CDPH was appropriate given that no unauthorized or inappropriate access took place to require it to notify affected individuals.
As much as I empathize with the hospital, the statute does not appear to give them wiggle room on this: A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. Does stealing a computer provide “unlawful access” to the patients’ records? If so, it seems to me that the clock started running on Feb. 1. I understand the hospital’s view and I understand that the stolen computer had software that enabled the hospital to know that it had not been turned on, but there is nothing in the statute that would seemingly toll the deadline for that. CDPH’s report can be found here (pdf). This incident highlights the seriousness of potential data breaches, regardless of size, and the urgency with which these situations must be addressed. It also highlights an often asked question as to whether laptops that go unrecovered would constitute unauthorized access or acqisitiion (sic) of protected information. I think the answer is obvious: if an entity loses control of a device that contains unsecured PHI, it may or may not have been acquired by someone, but if you know it was stolen, then it was acquired. Whether it will ever be accessed or not is another question, but entities need to err on the side of caution and assume the worst and notify promptly. The HIPAA regulations also shed light on this issue, stating, “if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.” Agreed. Whether the fine should be this steep is another matter, though. I personally think it’s quite harsh. Read Jason C. Gavejian’s full commentary without my interspersed remarks on Workplace Privacy Data Management & Security Report.

Lucile Packard Children's Hospital Appeals CDPH Fine (updated)

For Release: September 09, 2010 PALO ALTO, Calif. — Lucile Packard Children’s Hospital at Stanford is appealing a California Department of Public Health (CDPH) penalty. The CDPH on April 23, 2010, after the self-reporting of a security incident by Packard Children’s, alerted the hospital that a fine of $250,000 was being levied as a result of what CDPH believes was a late reporting of the incident. This isolated incident was related to the apparent theft earlier in the year of a password-protected desktop computer that contained information about 532 patients. The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly. As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services. Theft charges have been filed against the former employee. Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer. “We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s. 
“We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.” “This theft was very unfortunate,” said Susan Flanagan, RN, chief operating officer. “We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children’s privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.” CDPH fined the hospital $250,000 for allegedly reporting the incident 11 days late. “We believe our communication to CDPH was appropriate and we are appealing the late fee,” said Flanagan. “Lucile Packard Children’s Hospital is proud to have some of the industry’s strongest policies and controls in place for patient privacy protection,” added Kopetsky. “Even though the investigation revealed that no patient information was compromised and no patients were harmed, we are using this incident to further tighten our security and provide additional education to our staff.” CDPH has yet to set a date for a ruling on the hospital’s appeal. Hat-tip, FierceHealthcare Updated: Jaikumar Vijayan of Computerworld covers the appeal here. Earlier today, I made some comments to a hospital spokesperson who had responded to a previous blog entry on the fine and also attempted to contact the hospital by e-mail to get additional clarification on some points.

Keylogging Spyware Found On Dozens Of HP Laptop Models

Kate Cox reports: Owners and users of nearly 30 different Hewlett-Packard laptop models, beware: It turns out an unknown number of computers shipped with a keylogger embedded in them, tracing and recording your every keystroke. A security research firm based in Switzerland announced its discovery of the keylogger this week. The problem software is part of the audio driver — the little bit of code that makes your laptop able to play sound through your headphones. In several laptop models, the Conexant driver was found to include a keylogger that captured every single keystroke on your machine. Read more on Consumerist.

Navy to notify 134,386 sailors whose PII was on “compromised” laptop

So at 5 pm on Thanksgiving eve, the Navy discloses a data breach? Story Number: NNS161123-13 Release Date: 11/23/2016 5:01:00 PM By Chief of Naval Personnel Public Affairs WASHINGTON (NNS) — Oct. 27, 2016, the Navy was notified by Hewlett Packard Enterprise Services (HPES) that one of the company’s laptops operated by their employee supporting a Navy contract was reported as compromised. After analysis by HPES and a continuing Naval Criminal Investigative Service (NCIS) investigation, it was determined Nov. 22, 2016, that sensitive information, including the names and Social Security Numbers (SSNs) of 134,386 current and former Sailors were accessed by unknown individuals. “The Navy takes this incident extremely seriously- this is a matter of trust for our Sailors,” said Chief of Naval Personnel Vice Adm. Robert Burke. “We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach.” The Navy will notify those affected Sailors in the coming weeks by multiple means including phone, letter and email. For those affected by this incident, the Navy is working to provide further details on what happened, and is reviewing credit monitoring service options for affected Sailors. At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised. Earlier this month, reported an incident involving a stolen HPES laptop bag containing information on Indiana Health Coverage Program members. That incident was based on a printout that was in the laptop bag, but the bag also contained a laptop that HPE reported was “encrypted.” It’s not clear whether this report from the Navy involves that laptop or if this is a totally separate and second incident. has emailed HPE to inquire whether this was part of the same incident, or a second incident, and will update this post when a response is received.

Ukrainian hacker admits hacks of MarketWired, PRN, and Business Wire press releases for securities fraud scheme

A Ukrainian hacker today admitted his role in an international scheme to hack into three business newswires, steal yet-to-be published press releases containing non-public financial information, and use the information to make trades that allegedly generated approximately $30 million in illegal profits, U.S. Attorney Paul J. Fishman announced. Vadym Iermolovych, 28, of Kiev, Ukraine, pleaded guilty before U.S. District Judge Madeline Cox Arleo to a three-count information charging him with conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft. Iermolovych was arrested on Nov. 12, 2014 in connection with other charges related to computer hacking and credit card fraud. Today’s guilty plea marks the first conviction of one of the hackers responsible for breaching the networks of Marketwired L.P. (Marketwired), PR Newswire Association LLC (PRN), and Business Wire (collectively, the “Victim Newswires”), and stealing press releases containing confidential nonpublic financial information relating to hundreds of companies traded on the NASDAQ and NYSE. According to documents filed in this case and statements made in court: At today’s plea hearing, Iermolovych admitted that he was personally involved in the hacks into the Victim Newswires. He admitted to hacking into PRN’s network between January 2013 and March 2013. He also admitted that he obtained a set of user credentials of PRN employees stolen from a computer hack into a social networking website and then used at least one of those credentials to ultimately gain access into PRN’s computer network. Iermolovych also admitted that he sold press releases stolen from the network intrusion into Marketwired, and purchased access into Business Wire’s network, all in furtherance of a larger conspiracy to profit from the stolen draft press releases. 
Five other members of the conspiracy – two computer hackers and three securities traders – were charged by federal indictment brought by the District of New Jersey (DNJ). The related 23-count DNJ indictment charged Ivan Turchynov, 28, Oleksandr Ieremenko, 24, and Pavel Dubovoy, 33, all of Ukraine, Arkadiy Dubovoy, 51, and Igor Dubovoy, 29, of Alpharetta, Georgia. Arkadiy Dubovoy and Igor Dubovoy both pleaded guilty to the wire fraud conspiracy charged in Count One of the DNJ indictment on Feb. 18, 2016 and Jan. 20, 2016, respectively. The Eastern District of New York (EDNY), in a related indictment, charged four securities traders: Vitaly Korchevsky, 50, of Glen Mills, Pennsylvania, Vladislav Khalupsky, 45, of Brooklyn, New York and Odessa, Ukraine, Leonid Momotok, 48, of Suwanee, Georgia, and Alexander Garkusha, 48, of Cummings and Alpharetta, Georgia. Garkusha pleaded guilty to the wire fraud conspiracy charged in Count One of the EDNY indictment on Dec. 21, 2015. As alleged in the indictments, between February 2010 and August 2015, computer hackers based in Ukraine, gained unauthorized access into the computer networks of Marketwired L.P. (Marketwired), PR Newswire Association LLC (PRN), and Business Wire. They used a series of targeted cyber-attacks, including “phishing” attacks and SQL injection attacks, to gain access to the computer networks. The hackers moved through the computer networks and stole press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, and other confidential and material information. The hackers shared the stolen releases with the traders using overseas computer servers that they controlled. In a series of emails, the hackers even shared “instructions” on how to access and use the overseas server where they shared the stolen releases with the traders, and the access credentials and instructions were distributed amongst the traders.  
In an email, which was sent by one of the traders, the instructions for accessing the overseas server suggested that users conceal their Internet Protocol address when accessing the server as a precaution to avoid detection.  The traders created “shopping lists” or “wish lists” for the hackers listing desired upcoming press releases for publicly traded companies from Marketwired and PRN. Trading data obtained over the course of the investigation showed that, after the shopping list was sent, the traders and others traded ahead of several of the press releases listed on it. The traders generally traded ahead of the public distribution of the stolen releases, and their trading activities shadowed the hackers’ capabilities to exfiltrate stolen press releases. In order to execute their trades before the releases were made public, the traders sometimes had to execute trades in extremely short windows of time between when the hackers illegally accessed and shared the releases and when the press releases were disseminated to the public by the newswires, usually shortly after the close of the markets.  Frequently, all of this activity occurred on the same day.  Thus, the trading data often showed a flurry of trading activity around a stolen press release just prior to its public release. The traders traded on stolen press releases containing material nonpublic information about the following publicly traded companies that included, among hundreds of others: Align Technology Inc., Caterpillar Inc., Hewlett Packard, Home Depot, Panera Bread Co., and Verisign Inc. The traders paid the hackers for access to the overseas servers based, in part, on a percentage of the money the traders made from their illegal trading activities. The hackers and traders used foreign shell companies to share in the illegal trading profits. 
The conspiracy to commit wire fraud charge is punishable by a potential penalty of 20 years in prison and a $250,000 fine, or twice the gross gain or loss from the offense. The conspiracy to commit fraud and related activity in connection with computers carries a potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense.  The aggravated identity theft charge carries a mandatory penalty of two years in prison consecutive to any sentence received in connection with the other two counts. Iermolovych’s sentencing is scheduled for Aug. 22, 2016. U.S. Attorney Fishman credited the special agents of the U.S. Secret Service, Criminal Investigations Division, under the direction of Director Joseph P. Clancy, and special agents from the Newark Field Office, under the direction of Acting Special Agent in Charge Jeffrey […]