May 152019
 

Doug Levin kindly alerted me that the Hartford Courant has a story on the Total Registration data security incident. 

… The school officials said that Total Registration, used by the district to register students for certain exams, informed them that certain information provided by students including name, grade level, gender, date of birth, address, email address, and parent/guardian names may have been exposed, but it did not extend to credit card numbers or social security numbers.

So far, that is pretty consistent with what this site observed, although parent email addresses were also in the exposed records. But then there’s this:

The company told West Hartford school officials that they are not aware of any outsiders having access to the information that was exposed.

This site had notified Total Registration that a researcher had found their leak. And this site published some redacted screenshots, indicating that this site had at least some data or proof of leak. Does Total Registration have access logs?

Read more on Hartford Courant.

 

May 132019
 

Condé Nast is notifying about 1,100 WIRED subscribers of a breach involving their payment information.

In a notification letter dated May 9, they write:

The WIRED subscription page is hosted by a third-party vendor. We believe that an unauthorized party accessed our vendor’s systems in an attempt to acquire information about approximately 1,100 WIRED subscription transactions processed between April 14 and April 17, 2019.
An investigation was undertaken and, by April 24, we learned that the information that may have been acquired included names, postal and email addresses, and credit/debit card numbers, security codes, and card
expiration dates.
The unsigned notification does not name the vendor for the WIRED subscription page.
Those affected are being offered Experian’s IdentityWorks credit monitoring and identity protection services for one year.
May 132019
 

OS, Inc. provides revenue management (billing) services to covered entities. I recently reported on a phishing-related breach they experienced in 2018 that was first disclosed this month. As I noted in that post, their notification specifically mentioned a number of their affected clients. Their disclosure did not, however, provide a total number of patients affected, nor name clients who probably wanted to make the disclosure to their patients themselves.

So here’s what we know so far, and there’s likely a lot more to come:

  • Spectrum Health Lakeland: they disclosed the breach to 1,100 St. Joseph’s patients
  • Tahoe Forest Health District – mentioned in OS’s notice, but no release or numbers from them yet.
  • Sparta Community Hospital – mentioned in OS’s notice, but no release or numbers from them yet.
  • Sauk Prairie Healthcare, Inc. – mentioned in OS’s notice, but no release or numbers from them yet.
  • Idaho Department of Health and Welfare – mentioned in OS’ notice. A media report reveals that  2,060 were notified.
  • Fort Healthcare in Wisconsin – mentioned in OS’s notice. A media report reveals that they are  reportedly notifying 19,000 patients.
  • Midwest Medical Center – not mentioned in OS’s notice, but media reports that they are notifying 8,000 patients.

I’ll try to update this post as I find more details. Feel free to let me know of any updates if you find them.

May 102019
 

A data breach involving a medical collection agency affected more than 200,000 patients who had used the firm’s online payment portal between September, 2018 and the beginning of March, 2019.

At the end of February, Gemini Advisory analysts identified a Card Not Present (CNP) database that had been posted for sale in a dark web market. The offering had been described as “USA|DOB|SSN,” and because CNP data is rarely sold with associated date of birth and Social Security numbers, their analysts suspected a compromise in an online portal that would collect these types of data as part of a transaction.

Through further analysis, Gemini analysts identified several top affected banks that primarily focus on Health Savings Accounts (HSAs), Health Reimbursement Accounts (HRAs), Flexible Spending Accounts (FSAs), and Medicare Medical Savings Accounts (MSAs). These various medical accounts are used to pay health insurance deductibles, dental and vision care, and any other qualifying medical expenses.

In a statement to DataBreaches.net, Gemini Advisory’s Director of Research, Stas Alforov, explained:

On February 28, 2019, Gemini Advisory identified a large number of compromised payment cards while monitoring dark web marketplaces. Almost 15% of these records included additional personally identifiable information (PII), such as dates of birth (DOBs), Social Security numbers (SSNs), and physical addresses. A thorough analysis indicated that the information was likely stolen from the online portal of the American Medical Collection Agency (AMCA), one of the largest recovery agencies for patient collections. Several financial institutions also collaboratively confirmed the connection between the compromised payment card data and the breach at AMCA.

Gemini initially identified approximately 8,000 victims and hundreds of banks, but additional research revealed that the exposure window lasted for at least seven months beginning in September, 2018, and had affected more than 200,000 victims.

On March 1, 2019, Gemini Advisory attempted to notify AMCA, but tells this site that they did not get any response to phone messages they left. Not getting any response, Gemini promptly contacted federal law enforcement, who reportedly followed up by contacting AMCA.

Several days ago, DataBreaches.net e-mailed AMCA with questions about the incident, but received no response. Anyone attempting to use their payment portal over the past few weeks would have seen a notice, however:

AMCA’s payment portal was unavailable for weeks following notification by law enforcement that they had a problem.

DataBreaches.net does not know when AMCA first disabled their payment portal, but Google’s cache indicates that it had been disabled by April 8 at the latest. It could have been much sooner.

This week, the payment portal was operational again.

But there is no notice on the site about any breach and there is nothing on HHS’s breach tool from them.

Among the questions that AMCA did not answer was a question about HIPAA. I can find no reference to HIPAA on their site, but medical collection agencies generally have obligations under HIPAA and HITECH in the event of a breach and must have business associate agreements in place with HIPAA-covered entities that they provide billing/payment collection services to.

AMCA’s payment card breach posed greater risks for some of the patients than we usually think about with payment card breaches. Alforov explained why:

In a medical breach, personal debit and credit cards are not the only thing at stake. Health Savings Accounts (HSAs) are often tied to specialized debit cards that are used to make medical-based payments but can also be used for regular purchases at the cost of a severe tax penalty.

Account holders often only periodically use HSAs due to the incentives for accumulating funds that can later be withdrawn without any penalties during retirement, meaning that they are likely not as closely monitored for any daily unauthorized activities. Thus, they make easier targets for criminal actors who attempt to monetize the compromised data from medical breaches such as AMCA’s.

We are often encouraged to — and many of us do — routinely and regularly check our bank statements for unusual activity or check our credit card statements for signs of misuse. But if you have an account linked to a debit or credit card that you do not use except for paying medical bills in an emergency or it is your savings account for your future care, then criminals could be draining your account and you may not find out in time to report the theft to your bank. And without timely reporting, your bank might not restore your funds or cover your losses.

So if you are not doing it already, add “Regularly check ALL accounts — including the ones you are not currently using.” And where possible, put freezes on accounts that you don’t intend to use in the near future.

Regardless of whether AMCA is covered by HIPAA, they might find themselves in the unenviable position of debtors threatening to sue them for the breach. Think of the exchange, “If you keep hounding me for payment of this doctor’s bill, I will sue YOU and the doctor for violating my privacy and exposing me to embarrassment and possible fraud or identity theft.” What would AMCA or another collection agency do? Would they just drop the payment demands to protect themselves and their clients from litigation over the breach? Would they offer debtors a discount to compensate them?

This post will be updated if more details become available from AMCA about its HIPAA status or about the breach itself.

May 092019
 

A school contractor that provides online registration so students can sign up for AP and PSAT exams misconfigured their cloud storage, exposing students’ and parents’ personal information.

A number of school districts or schools contract with a firm in Colorado called Total Registration, who, according to their web site, registered more than 525,000 students from more than 1,220 schools in 2018.

In early April, DataBreaches.net was contacted by a researcher who had discovered that Total Registration had failed to secure their Amazon bucket, leaving student and parent information exposed in plain text, without any password required to access it.

DataBreaches.net reached out to the firm to notify them, and received an acknowledgement that the problem had been taken care of.  But the firm did not respond when this site subsequently sent them an inquiry as to whether they were notifying any students or their client school districts about the exposure.

In the absence of an answer about notification, DataBreaches.net took a closer look at what was in the files provided to this site by the researcher.

One type of file was mail merge spreadsheets.  Cursory analysis of those files showed that they contained students’ last and first names, their student ID number, their email address (which in many cases was a school-issued email address), their parent’s email address, their telephone number, their postal address, the AP exams they were registering to take, as well as when the exam would be and who was proctoring it.

In the mail merge files,  there was data for almost 13,000 students from Chandler School District in Arizona, St. Vrain Valley School District in Colorado, Community High School District 117 in Illinois, Utica Community Schools in Michigan, Edina Public Schools in Minnesota, Wake County Public Schools in North Carolina, Wausau School District in Wisconsin, Fox Chapel Area School District in Pennsylvania, Cherokee County School District in Georgia, Woodland Joint Unified School District in California, Pflugerville Independent School District (ISD) in Texas, Cypress Fairbanks ISD in Texas, Friendswood ISD in Texas, Midway ISD in Texas, RoundRock ISD in Texas, Lewisville ISD in Texas, Duncanville ISD in Texas, and Garland ISD in Texas.

And that was just the mail merge files. There were hundreds of other files that each contained data on hundreds of students. Some of the students with data in the other files were from the districts named above, but there were students from hundreds of other districts throughout the country as well, as the partial list below suggests:

Partial listing of files unsecured bucket.

Some of the files contained students’ date of birth, as well as additional demographic information on students and their parents.  A quick analysis of files in one directory returned approximately 300,000 unique email addresses. If there were two email addresses for each student (one the student’s and one their parent’s), that would suggest that there were approximately 150,000 students’ whose data may have been in the unsecured files.

DataBreaches.net redacted a registration confirmation file for a student from Miller Place School District in New York. As you can see, the form contained information about the student and parents:

AP_exam_registration_confirmation_Redacted

 

Miller Place School District was sent a notification and inquiry on May 7, but did not respond.

DataBreaches.net sent email notifications to a few other school districts as well, inquiring whether they had been notified of any potential leak by the vendor, and providing them with some student data from the exposed files that they could use to verify whether the data was indeed, student data.  DataBreaches.net got no response from the few schools this site emailed, but did get an immediate response to a voicemail left for St. Vrain Valley School District in Colorado.  Kudos to them for their prompt response.

If you are the parent of a student who signed up for an AP test, the PSAT, or an IB examination in April, you may want to inquire whether your child’s school used TotalRegistration.net as their vendor for the sign-ups.  From my brief analysis of the exposed data, it appears to be a time-limited database, i.e.,this is not a cumulative database with past records, but just contained registrations for then-upcoming tests.