Donald's Information Security

An electronic storage device stolen from an employee’s car in Sacramento last month contained health information from 15,500 patients, including about 800 in the Fresno area, Kaiser Permanente Northern California said Tuesday.

There is no evidence the information has been used inappropriately, a Kaiser official said. The risk for fraud and identity theft is considered low.

No Social Security numbers or financial information of patients were on the device, Kaiser said. Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.

Without Social Security numbers or credit card numbers, there should be very low risk of financial identity theft, said Linda Foley, founder of the nonprofit Identity Theft Resource Center in San Diego.

The device, known as an external drive, was stolen Dec. 1 from the employee’s car at her home in Sacramento, Kaiser said. The employee notified Kaiser of the theft on Dec. 8.

Connecticut Attorney General (AG) Richard Blumenthal announced Wednesday that he is suing Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and promptly notify consumers exposed by the security breach.

Blumenthal also is seeking a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted.

This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health (HITECH) Act, which authorized state attorneys general to enforce HIPAA.

“Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months—most likely by thieves—before Health Net notified appropriate authorities and consumers,” said Blumenthal. “The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers.” Read the rest of this entry »

An electronic storage device stolen from an employee’s car in Sacramento last month contained health information from 15,500 patients, including about 800 in the Fresno area, Kaiser Permanente Northern California said Tuesday.

There is no evidence the information has been used inappropriately, a Kaiser official said. The risk for fraud and identity theft is considered low.

No Social Security numbers or financial information of patients were on the device, Kaiser said. Information included patient names, medical-record numbers and, for some individuals, ages, dates of birth, gender, phone numbers and other information related to their care and treatment.

Without Social Security numbers or credit card numbers, there should be very low risk of financial identity theft, said Linda Foley, founder of the nonprofit Identity Theft Resource Center in San Diego.

The device, known as an external drive, was stolen Dec. 1 from the employee’s car at her home in Sacramento, Kaiser said. The employee notified Kaiser of the theft on Dec. 8.

Heartland Payment Systems Inc., a New Jersey-based payments processor, has agreed to pay up to roughly $60 million to cover losses caused to Visa Inc. credit and debit cardholders as a result of a huge 2008 security breach, the companies have announced.

The settlement agreement is contingent upon acceptance by financial institutions representing 80 percent of the eligible issuers’ U.S. accounts that Visa says were put at risk during the Heartland intrusion, which Heartland disclosed in January 2009 had exposed more than 130 million credit and debit card numbers.

Heartland last month settled with American Express Co. for nearly $3.6 million, and settlements with other card issuers are expected.

Albert Gonzalez, a hacker federal prosecutors say was behind the Heartland and other big card breaches in recent years, has pleaded guilty in the case and is awaiting sentencing.

Data being crunched by Cobit-authors ISACA will reveal that although enterprises believe they are realising value from their IT investments they cannot be sure, because most of them fail to fully measure it.

When details of its findings are published later this week, Isaca’s report will show how in a nine-country survey of 1,217 IT professionals two-thirds accepted they were failing to measure IT in ways that provide a full account of its benefits.

The IT governance, security and assurance body carried out its Value of IT Investments survey to assess if any progress is being made in the area of IT benefits realisation.

It found that half of the respondents believe they are realising between 50% and 74% of the value they expected from their IT investments. Nearly 20% believe they are realising between 75% and 100%. Yet, half measure the actual value only ‘to some extent’ while 10% of sites apparently do not measure value returns at all. 

Fewer than half of respondents believe their organisations have a shared understanding of value across the enterprise. A similar number reported that accountability for such value measurements is delegated to the IT function itself, instead of remaining with the business, where it belongs. Read the rest of this entry »