Nov 17 2017

Fangzhou Liu, Hannah Knowles and Ada Statler report on a breach that has nightmarish qualities to it: very sensitive information was exposed, but you can’t figure out for how long and you can’t determine who, if anyone, accessed it. Ugh…

Stanford is in the process of notifying some 200 people — a mix of employees and former students — that their privacy may have been breached due to incorrect settings in one of the University’s file-sharing systems.

Until this week, files including sexual violence records based on counseling sessions, confidential University statistics and emails to the Office of Judicial Affairs — some with names and email addresses attached — were left broadly available on an internet server that students, faculty and staff from over 50 institutions regularly use. Any Stanford faculty, student or staff member with a SUNet ID was able to access the sensitive files; The Daily also found that an MIT student username and password were able to grant access.

Read more on the Stanford Daily.

Nov 16 2017

We now know the name of a medical practice that was impacted by the theft of patient records in September. The records had reportedly been sold at the time by the thief. Mike Deak reports:

A medical practice with offices in East Brunswick and Franklin is notifying past patients that 13 boxes of medical records have been taken from an off-site storage facility.

However, Otolaryngology Associates of Central Jersey (OACNJ) said the risk of identity theft or financial fraud resulting from the burglary is low because of the quick involvement of law enforcement and the arrest of a suspect charged with the burglary.


Nov 16 2017

And while we’re talking about insider breaches, here’s a case from the U.K. From the Information Commissioner’s Office:

A nursing auxiliary has been fined for accessing a patient’s medical records without a valid legal reason.

Marian Waddell, 61, was working at the Royal Gwent Hospital in Newport when she unlawfully accessed the records of the patient, who was known to her, on six occasions between July 2015 and February 2016. She did so without a valid business reason and without the knowledge of the data controller, the Aneurin Bevan University Health Board.

Waddell, of Walsall Street, Newport, admitted unlawfully accessing personal data in breach of s55 of the Data Protection Act 1998 when she appeared at Cwmbran Magistrates’ Court. She was fined £232 and was ordered to pay £150 costs as well as a £30 victim surcharge.

Of the eight criminal prosecutions the Information Commissioner’s Office (ICO) has brought in 2017 against NHS employees for breaching patient privacy, three have been in Wales.

Read more on the ICO’s site.