Dec 10, 2018

From the good folks at

In a report released today, the House Committee on Oversight declared that the Equifax breach, which affected 148 million U.S. consumers, was “entirely preventable.” The breach, one of the largest in U.S. history, compromised the authenticating details, including dates of birth and social security numbers, of more than half of American consumers. The House report concluded that Equifax “failed to fully appreciate and mitigate” the cybersecurity risks and placed corporate growth over data security. Despite several agencies, such as the CFPB and the FTC, pledging to take action against Equifax, none have done so. The House Committee recommended that Equifax “provide more transparency to consumers” about data use and security practices and reduce the use of social security numbers as identifiers, longstanding priorities of EPIC. Following the Equifax data breach in 2017, EPIC President Marc Rotenberg testified before the Senate Banking Committee and recommended free credit freezes and other consumer safeguards to mitigate the risk of identity theft.

Dec 10, 2018

Kimberly Bosco reports:

New York-based health insurance provider EmblemHealth, Inc. is paying the state of New Jersey a hefty fine for disclosing confidential personal information of over 6,000 New Jersey customers.

Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced on Dec. 10 that EmblemHealth will pay NJ a $100,000 civil penalty. The terms of the settlement also stipulate that the insurance company must implement a variety of significant internal compliance reforms to better safeguard the personal information of its policy holders, according to the Attorney General’s office.

EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement.

Read more on Jersey Shore Online.  

This is the 2016 breach that had affected more than 80,000 policyholders. New York settled with EmblemHealth in March of this year for $575,000, but NY had many more residents affected than New Jersey. The press release from the NJ Attorney General’s Office appears below. You can access a copy of the consent order here.

TRENTON – Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced today that health insurance provider EmblemHealth, Inc. has agreed to pay the State a $100,000 civil penalty to resolve allegations it improperly disclosed the highly confidential personal information of more than 6,000 New Jersey customers. 

Under terms of the settlement, EmblemHealth, one of the nation’s largest non-profit health insurance plans, also must implement a variety of significant internal compliance reforms designed to better safeguard the personal information of its policy holders. EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement. Both companies are headquartered in New York. 

The agreement announced today resolves the State’s investigation into an October 2016 breach incident in which EmblemHealth improperly displayed the Medicare Health Insurance Claim Numbers (HICN), which mirror individual Social Security numbers, belonging to more than 81,000 policy holders, 6,443 of whom reside in New Jersey. 

“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said Attorney General Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.” 

“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers – the information will be stored securely and utilized discretely,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data.”

The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.

The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)

During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file. 

The Division’s investigation resulted in allegations that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA).

Among other settlement terms, EmblemHealth has agreed to no longer use HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files. Instead, the company will convert to a system that employs unique identifiers to identify its customers.
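The failure described above was a mailing file handed to a print vendor with the HICN column still in it. An added example (not EmblemHealth’s or the vendor’s code) of the kind of pre-send check that would have caught it: scan every cell of the data file for values shaped like a HICN or a bare SSN and refuse the hand-off if any are found. The HICN shape used here (nine SSN digits plus a one- or two-character beneficiary code) and the sample file are assumptions, not details from the press release.

```python
import csv
import io
import re

# Assumed HICN shape (not from the press release): nine SSN digits followed by a
# one- or two-character beneficiary identification code, e.g. 123456789A.
HICN_RE = re.compile(r"^\d{9}[A-Z][A-Z0-9]?$")
# A bare nine-digit run is treated as SSN-like and flagged as well.
SSN_LIKE_RE = re.compile(r"^\d{9}$")


def find_exposed_identifiers(csv_text):
    """Return (row_number, column, value) for every cell that looks like a HICN
    or a bare SSN. A mailing-label file should never carry either."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):  # header is row 1
        for column, value in row.items():
            # Normalise away separators so 123-45-6789 is caught too.
            cell = (value or "").strip().replace(" ", "").replace("-", "")
            if HICN_RE.match(cell) or SSN_LIKE_RE.match(cell):
                findings.append((row_number, column, value))
    return findings


def safe_to_send(csv_text):
    """Gate for the hand-off to the print vendor: True only if nothing is flagged."""
    return not find_exposed_identifiers(csv_text)


# Constructed sample mailing file. The 'package_id' column mimics the label
# field that carried the HICN in the 2016 mailing; 'member_id' holds the kind of
# opaque identifier the settlement requires instead.
SAMPLE_FILE = """name,street,package_id,member_id
Pat Example,1 Main St,123456789A,M-00017
Sam Example,2 Oak Ave,987654321TA,M-00018
Lee Example,3 Elm Rd,M-00019,M-00019
"""

if __name__ == "__main__":
    for row_number, column, value in find_exposed_identifiers(SAMPLE_FILE):
        print(f"row {row_number}, column {column!r}: HICN/SSN-like value {value}")
    print("safe to send:", safe_to_send(SAMPLE_FILE))
```

Run against the sample file the check flags the two HICN-bearing rows and reports the file as not safe to send; a file carrying only the opaque member identifiers passes.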

EmblemHealth also has agreed to require the formal transfer of an outgoing employee’s responsibilities to another qualified employee or third party, and that the transition process will include necessary training. Further, the company has agreed to engage a training vendor and implement new privacy and security training modules for employees upon hiring, and on an annual basis after that. 

In addition, EmblemHealth has agreed to notify not only its customers but, for the next three years, the Division of Consumer Affairs when any breach of security affecting the personal information of New Jersey customers takes place.

Investigator Walter R. Kaminski of the Office of Consumer Protection within the Division of Consumer Affairs conducted this investigation.
Deputy Attorney General Lara J. Fogel, along with former Deputy Attorney General Michelle T. Weiner of the Government & Healthcare Fraud Section within the Division of Law, represented the State in this matter. 


Dec 09, 2018

Stuff reports on a case in New Zealand that was cited in a newly-released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only failed to set a good example for data protection, but also demonstrated a less than admirable response to the incident of insider wrongdoing that harmed a member of the public. Stuff reports:

A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.

He also changed the man’s file to add allegations of “improper conduct”.

When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.


The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.

Read more on Stuff. That the agency didn’t even apologize for the anguish or harm to the individual is concerning.

It is one thing to argue that you had policies and procedures in place that you monitored, but despite that, an employee willfully managed to violate both; but then not to give the affected individual anything, not even a “We agree with you and have terminated the employee’s position with us,” well… there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.

More information on the Privacy Commissioner’s 2018 Report can be found on the Commission’s web site.

To jump directly to the annual report, go here.

Dec 08, 2018

Ionut Arghire reports:

A threat group possibly originating from North Korea has been targeting academic institutions since at least May of this year, NetScout’s security researchers reveal.

The attackers use spear-phishing emails that link to a website where a lure document attempts to trick users into installing a malicious Google Chrome extension. Following initial compromise, off-the-shelf tools are used to ensure persistence. 

The campaign likely hit other targets as well, though NetScout says that only those domains targeting academia were intended to install a malicious Chrome extension. Many of the intended victims, across multiple universities, had expertise in biomedical engineering. 

The actors behind the attack, however, displayed poor OPSEC, which allowed the researchers to find open web browsers in Korean, English-to-Korean translators, and keyboards switched to Korean. 

Read more on SecurityWeek.

Dec 08, 2018

Okay, I tend to laugh at the sextortion emails and have tweeted or posted some of them at times, usually after I check the referenced BTC wallet to see if anyone actually fell for the scam and paid. But Catalin Cimpanu reports on a new – and important – development:

This past week, users in the United States have been bombarded by an email spam campaign that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.


Security researchers at Proofpoint have told ZDNet that they’ve seen a variation of a sextortion scam campaign that included a link at the bottom of the blackmail message [in full here].

The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.

Read more on ZDNet.