Dissent

Dec 14 2018
 

Courtney Godfrey reports:

Taking work home with you sounds like something a hardworking employee would do, unless that work includes private, sensitive data like it did with one employee in Wright County.


The county knew about the data breach for seven months before notifying possible victims.


It wasn’t until FOX 9 filed a public records request that Wright County notified victims of the data breach.

Now it is seven months after the county became aware that more than 1,000 people were potential victims of the breach.

Read more on Fox9.  It seems that the breach was the employee taking PII home on a USB and then transferring the files/data to his home computer. There’s no report of any misuse or sale or other exposure of the data. 

Dec 14 2018
 

Zack Whittaker reports:

Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.


The China-based app developer left the ElasticSearch databases online without passwords — a U.S.-based database for its international customers and a Hong Kong-based database containing mostly Chinese users’ data in an effort to comply with China’s data security laws, which requires Chinese citizens’ data to be located on servers inside the country.


Anyone who knew where to look could access, edit or delete the database using their web browser. And, because the database was listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.

Read more on TechCrunch.  Reportedly, Boomoji did not provide an accurate answer or explanation when TechCrunch reached out to them, leading TechCrunch to practice skills U.S. journalists are getting a lot of practice at — the art of calling someone a liar.

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

Read the rest of Zack’s report to find out how they proved that Boomoji’s assertion wasn’t accurate. 

Dec 14 2018
 

It seems Contra Costa Health Plan discovered that a contractor they had hired, who had access to EHR beginning on December 1, 2014, had used a falsified identity to get the contractor position. The position involved access to EHR as part of the contractor’s functions relating to utilization management.

In a letter to those affected, Frank Lee, J.D., Director of Compliance and Government Relations, writes that CCHP has no indication that the contractor misused the information that she accessed, but under the circumstances, they are notifying everyone whose records she might have accessed.  The number of patients is not indicated in CCHP’s sample notification letter, which is reproduced below. The incident is not yet up on HHS’s breach tool, although I imagine we will see it there eventually.


Dec 14 2018
 

Jasper Lindell reports:

ActewAGL has confirmed 400 electricity, gas and water customers have received bundles of bills addressed to other utility customers in a massive privacy breach affecting 6000 customers in the ACT and NSW.


ActewAGL notified the Privacy Commissioner of the breach after it became aware of the mistake on Wednesday and had set up a taskforce by Friday afternoon to respond to affected customers.

Read more on Canberra Times.

Dec 14 2018
 

Hilary Bird reports:

An N.W.T man says he found hundreds of confidential medical records at the Fort Simpson dump.


The documents contain detailed information about patients’ mental health and history of drug use, including applications to addictions treatment facilities, progress reports from those facilities, and detailed notes from one-on-one counselling sessions.


The documents, many of which were on N.W.T. government letterhead, also included social insurance, treaty and health card numbers.

Read more on CBC.ca.