Dec 14 2018

Hilary Bird reports:

An N.W.T man says he found hundreds of confidential medical records at the Fort Simpson dump.


The documents contain detailed information about patients’ mental health and history of drug use, including applications to addictions treatment facilities, progress reports from those facilities, and detailed notes from one-on-one counselling sessions.


The documents, many of which were on N.W.T. government letterhead, also included social insurance, treaty and health card numbers.

Read more on CBC.ca.

Dec 13 2018

Laura Hautala reports:

The US doesn’t have a single data privacy law that applies to all fifty states. On Wednesday, a group of 15 US senators indicated it wanted to change the status quo, introducing the Data Care Act.


The bill (PDF) would require companies that collect personal data from users to take reasonable steps to safeguard the information. The act also has provisions to prevent them from using the data in ways that could harm consumers. 


If the bill becomes law, the US Federal Trade Commission would be in charge of implementing it.


“People have a basic expectation that the personal information they provide to websites and apps is well-protected and won’t be used against them,” Sen. Brian Schatz, a Democrat from Hawaii who is sponsoring the bill, said in a press release.

Read more on CNET.

Dec 12 2018

Catalin Cimpanu reports:

Ships suffer from the same types of cyber-security issues as other IT systems, a recent document released by the international shipping industry reveals.


The document is the third edition of the “Guidelines on Cyber Security onboard Ships,” an industry-approved guide put together by a conglomerate of 21 international shipping associations and industry groups.


While the document contains what you’d expect it to contain – rules and guidance for securing IT systems onboard vessels – it also comes with examples of what happens when proper procedure isn’t followed.


These examples are past cyber-security incidents that have happened on ships and in ports, and which had not surfaced in the public eye until now.

Read more on ZDNet, where Catalin provides some chilling examples from the report. The guideline can be accessed from here, here, here, or here.

Dec 11 2018

Another enforcement action by HHS/OCR was announced today. This settlement involving Upper San Juan Health Service District (d/b/a Pagosa Springs Medical Center) is not an incident that I have been able to locate on HHS’s public breach tool or in this site’s records. According to the resolution agreement, the HHS investigation was opened in 2013. No, that’s not a typo. 2013. It’s a pity this wasn’t settled and announced years ago, as there are still situations in which employees may retain remote access after termination.

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. PSMC is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.


The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place. 

Under the two-year corrective action plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino.  “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pagosasprings.

Source: HHS

Read the Resolution Agreement – PDF
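The control at issue here is the one OCR describes: revoking application access when someone leaves, and knowing afterwards whether that actually happened. The script below is an added example written for this post; it is not HHS material and not anything PSMC or its calendar vendor used. It reconciles a constructed HR separations feed against a constructed user export and access log from a hypothetical web-based scheduling application and flags three things a reviewer would want to see: accounts still enabled after the holder’s separation date, successful logins after that date, and accounts with no HR owner at all (the shape a vendor or shared account takes when nobody is tracking it). All names, dates and log lines are made up.

```python
"""Offboarding reconciliation: find accounts that stayed enabled, or were used,
after the account holder's separation date.

Added example for this post. The HR feed, account export and log lines below are
constructed; they do not come from the PSMC case.
"""
from datetime import date, datetime

# Constructed HR feed: employee id -> separation date (None = still employed).
HR_SEPARATIONS = {
    "e101": None,
    "e102": date(2013, 3, 15),
    "e103": date(2013, 5, 1),
}

# Constructed user export from a hypothetical web-based scheduling application.
APP_ACCOUNTS = [
    {"user": "alice", "employee_id": "e101", "enabled": True},
    {"user": "bob", "employee_id": "e102", "enabled": True},      # never disabled
    {"user": "carol", "employee_id": "e103", "enabled": False},   # disabled correctly
    {"user": "svc-vendor", "employee_id": None, "enabled": True}, # no HR record
]

# Constructed access log, one event per line: "<ISO timestamp> <user> <event>".
ACCESS_LOG = """\
2013-03-10T09:01:00 bob login
2013-03-20T18:42:10 bob login
2013-05-02T08:00:00 carol login_failed
2013-06-01T07:30:00 alice login
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def find_orphaned_access(hr, accounts, log_text):
    """Return findings as (user, reason, detail) tuples, in account order.

    reasons:
      no_hr_owner              - account maps to no HR record (vendor/shared account)
      enabled_after_separation - holder separated but account still enabled
      login_after_separation   - successful login(s) dated after the separation date
    """
    events = parse_log(log_text)
    findings = []
    for acct in accounts:
        emp = acct["employee_id"]
        if emp is None or emp not in hr:
            findings.append((acct["user"], "no_hr_owner",
                             "account has no matching HR record"))
            continue
        sep = hr[emp]
        if sep is None:
            continue  # still employed; nothing to reconcile
        if acct["enabled"]:
            findings.append((acct["user"], "enabled_after_separation",
                             f"separated {sep.isoformat()}"))
        # Only successful logins count; failed attempts against a disabled
        # account are the control working, not a finding.
        post = [ts for ts, u, ev in events
                if u == acct["user"] and ev == "login" and ts.date() > sep]
        if post:
            findings.append((acct["user"], "login_after_separation",
                             f"{len(post)} successful login(s), first {post[0].isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, reason, detail in find_orphaned_access(HR_SEPARATIONS, APP_ACCOUNTS, ACCESS_LOG):
        print(f"{user:12} {reason:26} {detail}")
```

Running this against the constructed data reports bob twice (still enabled, and one login five days after separation) and the vendor account once for having no HR owner; alice and carol produce nothing. In practice the HR feed and the account export come from different systems and the join key is the weak point, so the no_hr_owner class is worth reviewing as carefully as the others: those are exactly the accounts a termination procedure keyed on employee id will never touch.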

Dec 11 2018

Catalin Cimpanu reports:

A Russian cyber-security firm says it discovered login credentials for more than 40,000 accounts on government portals in more than 30 countries. The data includes usernames and cleartext passwords, and the company believes they might be up for sale on underground hacker forums.

Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB), says these account details have been collected over time by cyber-criminals with the help of off-the-shelf malware strains such as the Pony and AZORult infostealers, but also the Qbot (Qakbot) multi-purpose trojan.

Read more on ZDNet.