Latest News and Upcoming Events
Check here for the latest news and information about upcoming events, corporate activities and data security updates.
We have a new Blog Page! We hope you'll subscribe for updates related to regulatory changes, recent data breaches, enforcement efforts and anything else that catches our attention.
We'll continue to post upcoming events and corporate news on this page, but data security updates will now be found on our blog. Thanks for your understanding as we continue to build our site.
And the Breaches Keep On Coming!
August 13, 2010 - Since my last post I have read of three, and possibly four, data breaches in Massachusetts alone.
The first, reported by the Herald on August 2nd, involved a stolen laptop belonging to biomedical chemist Galen Loving, who is doing cancer research at Massachusetts General Hospital. The computer contained "reams of priceless data on cancer research." The researcher forgot to retrieve his computer before departing from a Somerville restaurant. He realized the next morning that the computer and the thumb drive he backed it up to were in the same bag that he "mindlessly" left behind, so the backup was lost along with the original. In addition to many of Loving's papers and presentations, the computer contained e-mails, failed studies and proposed future projects. No mention was made in the article as to whether the lost data contained information protected under 201 C.M.R. 17 or HIPAA. And unfortunately, no mention was made of whether the laptop or the thumb drive was encrypted.
The following day, the Patriot Ledger reported that the Town of Rockland disposed of hundreds of intact canceled paychecks bearing bank account numbers and, in some instances, Social Security numbers of town workers employed between 1992 and 2002. The checks subsequently flew out of a disposal truck and onto the roadside. The Town Treasurer, who was responsible for disposal of the canceled checks, reportedly "didn't realize they had Social Security numbers" on them and made no effort to shred the documents. The driver for Mike DelPrete & Sons Trucking "assured the town that he would retrace his route and pick up any checks he saw." The town, however, acknowledged it has "no way of knowing... how many were lost - blown to the wind, down a gutter, on somebody's hedge." Employees whose payroll was directly deposited into their accounts are reportedly not affected by this breach.
Then, just days later, the Town of Hingham distributed via e-mail 1,300 employee names and Social Security numbers to its management. A town official describes the risk to affected employees as "beyond minimal," but I suspect the owners of the compromised records might feel differently. Of the thirty or so e-mails originally sent out, eleven were forwarded to managers' personal e-mail accounts and computers, leaving one to wonder how appropriate it is to have town business stored on personal computers and smart phones that may be less than secure.
Today I wake up to learn that records from four Massachusetts community hospitals were found at a local dump. The Boston Globe reports that thousands of unshredded medical records containing Social Security numbers, names and addresses, diagnoses, pathology reports including cancer tests and other medical information ended up in a pile about 20 feet wide by 20 feet long at a public dump. Preliminary reports have been made to the Attorney General's office. The AG's office says it is reviewing "whether there has been a data breach." It seems the issue has more to do with the extent of the breach and whether the AG's office is going to give 201 C.M.R. 17 some teeth and start issuing fines. The Department of Public Health will undoubtedly be involved as well as it examines HIPAA and HITECH data protection issues.
Unfortunately, all of these breaches highlight the fact that data security is not just about keeping hackers out of corporate networks. A business's data security is only as strong as its weakest link, and in each of these incidents the weak link is directly tied to employee error: an unencrypted laptop and its backup carried in the same bag, paper records containing Social Security numbers thrown out intact rather than shredded, and Social Security numbers sent by e-mail and then forwarded to personal accounts. All of these breaches could have been prevented with better employee training, a comprehensive data security plan and properly enforced policies and procedures: encryption of laptops and removable media, documented shredding or destruction of paper and backup records, and a rule that personal information is never transmitted by e-mail or stored on personal devices.
South Shore Hospital Unable to Locate 800,000 Records Containing Personal Information
July 19, 2010 - South Shore Hospital in Weymouth is the latest Massachusetts organization to announce a data security incident. The hospital issued a press release on July 19, 2010, reporting that backup computer files containing approximately 800,000 records have apparently been lost. The files were reportedly sent to a professional data management company for destruction; however, only a portion of the shipped records were actually destroyed, and the remainder are unaccounted for. Personal information involved includes names, birth dates, Social Security numbers, driver's license numbers, medical and health insurance information including diagnoses, and in some instances bank and credit card account information. The records involved belong to patients as well as physicians, employees, volunteers, vendors and business partners.
The hospital reportedly shipped the files out for destruction on Feb. 26, 2010. Interestingly, these records were sent out just days before the March 1, 2010 compliance deadline for 201 C.M.R. 17. In its press release, the hospital states “When certificates of destruction were not provided to the hospital in a timely manner, the hospital pressed the data management company for an explanation. South Shore Hospital was finally informed on June 17, 2010 that only a portion of the shipped back-up computer files had been received and destroyed.”
The hospital stops short of stating that the records were encrypted using current technology; it reports only that experts have confirmed it would take specialized software and hardware expertise to open and decipher the files. That is not the same assurance. A backup format that merely needs particular software and hardware to read is obscure, not protected: anyone who obtains compatible tools can read an unencrypted copy, whereas properly encrypted data remains unreadable without the key. The hospital has also yet to explain why it took nearly four months to get answers from the data management company, or to disclose the data management or shipping companies involved. The hospital has since ceased offsite destruction of backup computer files and is reportedly establishing policies to prevent a recurrence.
While the hospital and the undisclosed data management company may not feel the full force and effect of 201 C.M.R. 17, both are still required to conform to the requirements imposed by HIPAA and HITECH as well as MGL ch. 93I related to the disposal and destruction of records. The law provides that a third party may be contracted with to dispose of personal information. The disposal company is required under the law, however, to "implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation and disposal of personal information."
Chapter 93I violations may result in potential fines of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal – a far cry from those associated with 201 C.M.R. 17 violations.
Massachusetts Data Breach Compromises 139,000 Records
July 8, 2010 - The Massachusetts Secretary of Commonwealth's office has acknowledged that it unintentionally released to a business publication personal information belonging to 139,000 state-registered investment advisers. The information was reportedly provided to IA Week, an investment industry publication, by a new employee when responding to a request for public information. The employee failed to take the necessary steps to remove personal information prior to releasing the records on CD.
Personal information released included the advisers' names, Social Security numbers, dates and places of birth, height, weight, hair color and eye color.
The CD on which the data was contained was returned to the Secretary of Commonwealth's office. The business publication denies that any copies were made.
While 201 CMR 17 does not apply to state agencies, Executive Order 504, issued on September 19, 2008, requires all state agencies to "develop, implement and maintain written information security programs governing their collection, use, dissemination, storage, retention and destruction of personal information... All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training within one year of the effective date of this Order. For future employees, such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information."
Educational Workshop Services
InfoSafe Inc. is available to provide workshops on data security and 201 CMR 17 compliance to help small and medium-sized companies improve their business security practices. For more information please contact us.
InfoSafe Inc. Welcomes You to its New Website!
InfoSafe Inc. is online with a new website. We hope prospective clients will explore the full range of services online, and we invite you to contact us directly via the site or by phone for a free, no-obligation phone consultation to discuss your data security needs.