Dec 142018

Courtney Godfrey reports:

Taking work home with you sounds like something a hardworking employee would do, unless that work includes private, sensitive data like it did with one employee in Wright County.

The county knew about the data breach for seven months before notifying possible victims.

It wasn’t until FOX 9 filed a public records request that Wright County notified victims of the data breach.

Now it is seven months after the county became aware that more than 1,000 people were potential victims of the breach.

Read more on Fox9.  It seems that the breach was the employee taking PII home on a USB and then transferring the files/data to his home computer. There’s no report of any misuse or sale or other exposure of the data. 

Dec 142018

It seems Contra Costa Health Plan discovered that a contractor that they had hired and who had access to EHR beginning on December 1, 2014 had used a falsified identity to get the contractor position. The position involved access to EHR as part of the contractor’s functions relating to utilization management.

In a letter to those affected, Frank Lee, J.D., Director of Compliance and Government Relations, writes that CCHP has no indication that the contractor misused the information that she accessed, but under the circumstances, they are notifying everyone whose records she might have accessed.  The number of patients is not indicated in CCHP’s sample notification letter, which is reproduced below. The incident is not yet up on HHS’s breach tool, although I imagine we will see it there eventually.


Dec 142018

Todd Wallack reports:

Save the Children Federation, one of the country’s best-known charities said it was the victim of a $1 million cyberscam last year.

The Connecticut-based nonprofit said hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan. The con artists claimed the money was needed to purchase solar panels for health centers in Pakistan, where Save the Children has worked for more than 30 years.

Read more on Boston Globe.

Dec 132018

One of the newer incidents appearing on HHS’s public breach tool this week is a report from Mind & Motion, LLC in Georgia.  Mind & Motion offers various types of therapeutic modalities. 

On September 30th, 2018,  they discovered that their server had been attacked with ransomware.

In a notification to patients, they write:

We have learned that your personal information potentially including: name, address, birthday, gender, medical history, social security number, medical diagnosis, insurance information, and medical records may have been compromised.

Ouch. It’s a great notification letter in terms of transparency, though, as it also details findings by the external consultants they brought in to assist and the steps they are taking to prevent a similar incident in the future. I’m sure some readers will pick up on all the past detritus from attacks and wonder why nothing got detected or prevented sooner, but it is what it is and it sounds like they have taken serious steps to improve their data security. I wish them well.

According to their report to HHS, 16,000 patients have been notified.

You can read their entire web site notice, below:


Dec 132018

Errors involving spread sheets continue to contribute to breaches.  Consider this description in a notification from San Bernardino Community College District – Crafton Hills College Campus. The breach occurred on October 25:

What Happened
We recently learned that a District employee inadvertently sent a spreadsheet containing certain individuals’ information to a community college distribution list. Although the spreadsheet was sent to a known group of individuals and related to certain program information, there was additional information contained in the spreadsheet that was not intended for broader distribution.

What Information Was Involved
The information stored in the spreadsheet varies by individual, but may include first and last name, address, date of birth, Social Security number, and certain course-related information.


This incident does not involve any unauthorized access to or use of any of San Bernardino Community College District’s internal computer systems or network and, as outlined above, this information was sent to a community college distribution list. Please note that we are not aware of any fraud or misuse of your information as a result of this incident.

It’s not clear from the sample notice whether this was a case of hidden fields in the spread sheet or if the employee just didn’t really pay attention to all the fields with additional information.  Either way, it’s yet another breach that might have been easily avoided but will now cost the college to investigate and mitigate.