CBR maintains that while the lost data did contain personally identifiable information (PII), medical details were not included. Said CBR’s director of corporate communications, Kathy Engle, “The tapes may have contained personal client data of adults (credit card numbers, driver’s license numbers or social security numbers); nothing on children and no health information at all.”

It costs a lot of money to mail 300,000 letters. As the new Ponemon Cost of a Data Breach Study confirms yet again, the costs may be only beginning.

But there is good news. According to officials at the Salvation Army, “We’re password protected and then we have two more layers of protection… Their information, I feel very confident that it’s secure. It’s very difficult to break into our systems that we’ve been using.”

Of course, the “password protection” part doesn’t inspire confidence, as usual. But multi-layered security? That’s a very good sign. Let’s hope it holds, indeed.

A key element of the attack is the fact that in many cases a bank or financial institution will ALLOW a red-flagged transaction to proceed, even in the midst of fraud suspicion, if the institution cannot get ahold of the account owner. It may seem odd, but in many cases the default posture is to hold, check, then allow if not denied.

The ring of thieves used a malware program called “Zeus Trojan” to hijack bank account info. They embedded the malware in emails and attachments. Once in possession of the necessary account access, the crooks were ready to strike. But what to do about the alert responses that the institutions would make–the calls to account owners to verify suspicious transactions?

Just ask good old Joe Jones: “You Talk Too Much.” The thieves used automated calling programs to bombard the victims’ telephone lines with bogus calls. While the lines were tied up with this bogus traffic (essentially a telephone DDOS), the financial institutions couldn’t get through to verify transactions. And because of the “proceed if not denied” policy in play in many cases, the transactions succeeded, with funds shuttled off to standard “mule” accomplices who could transfer it overseas.

Read the full article for details. You just never know what creativity these criminals will show.

An Indiana adoption lawyer whose client files were scattered in the wind after his adult children left boxes of them beside a recycling bin has received a public reprimand.

The Indiana Supreme Court on Sept. 30 issued the reprimand against Steven Litz, whose Monrovia, Ind., practice focuses on adoption and criminal law. The court noted that it was the third time Litz had received a public reprimand.

Litz directed his two children to take about 14 boxes of client files he wanted to discard to a local recycling bin, according to the decision. Finding that the bins were full, they left the boxes on the ground beside the bins and did not tell Litz. The wind later blew the tops off the boxes and sent some of the papers flying into public view. After someone notified Litz of the situation, he and his children retrieved the documents.

Wow. This immediately brought Kansas to mind. Not the state. The band.

This data breach gets a theme song–a true classic:

Verse 1: Car thieves get personal data on Portland psychology patients, unemployed Oregonians (thanks to Jake K and lyger on DataLoss DB)
4,000 psychology patients and 2,900 jobless residents breached by stolen laptop and stolen data storage device in Oregon.

Verse 2: Stolen laptop puts data at risk: Information on Texas Children’s Hospital patients was compromised (thanks to lyger on DataLoss DB)
Doctor’s laptop containing clinical and demographic information of about 1,600 patients stolen.

Verse 3: Fort Worth medical clinic spends $15,000 notifying patients of theft (thanks to security curmudgeon on DataLoss DB)
Employees at a Fort Worth allergy clinic found the office door kicked in and four computers gone, containing PII and SSNs for 25,000 patients.

Verse 4: Aultman Health Foundation Laptop Computer Stolen (thanks to Redemtech)
13,800 home health care patients breached by a stolen laptop.

Verse 5: Boise Employee Information on Lost Tape (thanks to Redemtech)
About 300 employees breached by a missing backup tape.

It’s difficult to decide where to stop once this river gets flowing. We’ll call it good at five.

Regardless, an additional 860,000 current and former members of AvMed are being notified that their personal information is at risk due to the apparent theft of two laptops, which went missing from a locked conference room at AvMed Health Plans’ Gainsville office back on December 11.

AvMed once again mentions that there is no evidence of any malicious use of the data, which is normal, and that they are “strengthening data security and procedures.” Thanks to Redemtech for the heads up on the article.

GovInfo Security reports that the data was unencrypted, and the theft actually involved a government contractor.

Most of the details of the case are quite standard: a third party with access to data, security controls lacking or completely non-existent, crime of opportunity, and now 207,000 more potential ID theft cases. And, as is common, policies and procedures are under review in response to the breach. Hopefully, good security technology will be one prong in the resulting PnP’s.

For now, however, 207,000 more victims are added to the stack. Thanks to kirniki for the tip.

The report was based on a biannual survey of 250 healthcare professionals nationwide and was commissioned by Kroll Fraud Solutions. The overall flavor of the report seems to suggest a bit of an “overconfidence” by healthcare IT professionals regarding the actual security of their data–they perceive it to be much more secure than it is. And, as we see in breach after breach, that often turns out to be true.

Kroll’s summary of key findings states:

• New regulatory activity, including the implementation of the Red Flags Rule and HITECH Act, has created a false sense of security among healthcare organizations that their facilities are secure and prepared should a breach occur.
• Healthcare organizations continue to underestimate the high costs of a data breach, despite new industry data which puts the average cost per industry data breach at $6.75 million.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.

A more extensive list of highlights is found in the Healthcare IT News article:

• Despite new regulatory activity, including the implementation of Red Flags Rule and HITECH Act, and increased compliance among healthcare providers, the reporting of healthcare breaches is on the rise.
• The majority of survey participants indicated that they were compliant with existing laws and regulations.
• Average responses were above a 6.0 (on a scale of 1-7, with 7 being the highest level of compliance) for almost all laws and regulations, including CMS Regulations, HIPAA, State Security Laws and Red Flags Rule. Only HITECH scored lower (5.75), most likely due to the fact that HITECH was still not fully implemented at the time of the survey.
• The number of healthcare organizations that reported a breach increased by six percent in 2010 to 19 percent of total respondents – up from 13 percent in 2008.
• When asked to rate their level of “preparedness” for a future security breach, respondents from organizations having experienced a breach cited a preparedness level of 6.06 (on a scale of 1-7, with 7 being most prepared).
• Healthcare organizations continue to underestimate the high costs of a data breach, despite the fact that penalties for HITECH violations can reach as high as $1.5 million dollars.
• Patient satisfaction was most frequently cited as the primary impact of a data breach on their organization (38 percent), while only 15 percent cited the financial costs —  down from 18 percent in 2008.
• Healthcare organizations continue to think of data security in specific silos (IT, employees, etc.) and not as an organization-wide responsibility, which creates unwanted gaps in policies and procedures.
• Eighty-seven percent of respondents indicated that they have policies in place to monitor access and sharing of electronic health information, yet research shows that 84 percent of healthcare breaches since 2003 were due to “low tech” incidents such as lost or stolen laptops, improper disposal of documents, stolen backup tapes, etc.
• Sixty percent of respondents said they required third party vendors to provide proof of employee training and only half indicated that they required third party vendors to provide proof of employee background checks. As organizations prepare for the broader sharing of electronic health records across massive networks of providers, payers, state and federal repository systems, third party involvement is only expected to increase in the coming years.

There is indeed a lot to crunch and, as noted in the articles, it’s a “bittersweet” set of results. On the positive side, data security is getting much more attention and many healthcare organizations are taking action. But on the negative side, there’s still a very serious gap between “theory and practice,” so to speak. In theory, organizations think they’re secure and are shooting entirely for “compliance.” In practice, not so.

This elicits thoughts of the old cliche: In theory, there’s no difference between theory and practice. In practice, there is.

Download the full report here. Thanks to security curmudgeon on DataLossDB for the heads up.

Apparently, the stolen hard drive contained patient names, dates of birth, medical record numbers, addresses, and physician names, and in some cases Social Security numbers, all of mammography suite patients who underwent bone density testing from 1997 to 2009. According to hospital officials, there were no test results, images or clinical information.

An interesting note is that, since the theft, the hospital has taken many actions to increase security, such as “linking to a secure network eliminating the need for computer hard drives.”