EHIP

Electronic health information and privacy

Wake Radiology out of UNC-CH Mammography study

Wake Radiology has suspended its relationship with the UNC Chapel Hill medical school study whose computer server was recently hacked, exposing personal data including social security numbers of more than 100,000 patients.

In July, UNC-CH med school officials discovered that a hacker had infiltrated a computer server housing the personal data of about 160,000 patients, including 114,000 social security numbers.

That data should have been secure but was not, officials say. It was sent to the university over time by the dozens of radiology practices who contribute to the Carolina Mammography Registry, a 14-year-old med school study that collects and analyzes mammogram information.

The security breach has caught the eye of the N.C. Attorney General's office and has sparked fears among many women whose personal information was exposed.

Automated summary from: newobserver.com

November 17, 2009 | Permalink

Bill to make P2P file sharing safer passes House Committee

The House Energy and Commerce Committee recently passed the Informed P2P User Act, which is designed to make it safer for consumers to use peer-to-peer, or P2P, file-sharing software.

If passed, the bill would require developers of file-sharing apps to clearly explain to users whether and how their files will be made available for sharing with others on a P2P network.

The bill would make it illegal for P2P developers to make software that causes files from a computer to be inadvertently shared over a P2P network without a user's knowledge.

It would also require the developers to clearly inform users about files that are being made available for searching and sharing, and would mandate that a user agree to the file-sharing first.

The law was proposed in an attempt to address growing concerns about the problem of inadvertent data leaks on P2P networks.

Automated summary from: ComputerWorld

November 17, 2009 | Permalink

Probe Targets Archives’ Handling of Data on 70 Million Vets

The inspector general of the National Archives and Records Administration is investigating a potential data breach affecting tens of millions of records about U.S. military veterans, Wired.com has learned. The issue involves a defective hard drive the agency sent back to its vendor for repair and recycling without first destroying the data.

The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed in November of last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled.

The incident was reported to NARA's inspector general by Hank Bellomy, a NARA IT manager, who charges that the move put 70 million veterans at risk of identity theft, and that NARA's practice of returning hard drives unsanitized was symptomatic of an irresponsible security mindset unbecoming to America's record-keeping agency.

"NARA does not believe that a breach of PII (personally identifiable information) occurred, and therefore does not believe that notification is necessary or appropriate at this time," NARA told Wired.com in an e-mailed background paper. “This view could change if the [inspector general] investigation of this incident later determines that GMRI … or their subcontractors took some illegal or unethical action that may have compromised sensitive data contained on the inoperable November 2008 disk drive.”

Automated summary from: Wired

November 17, 2009 | Permalink

Soldiers' Data Still Being Downloaded Overseas, Firm Says

The personal data of tens of thousands of U.S. soldiers - including those in the Special Forces - continue to be downloaded by unauthorized computer users in countries such as China and Pakistan, despite Army assurances that it would try to fix the problem, according to a private firm that monitors cybersecurity.

Tiversa, which scours the Internet for sensitive data, discovered the data breaches while conducting research for private clients. The company found documents containing Social Security numbers, blood types, cellphone numbers, e-mail addresses, and the names of soldiers' spouses and children.

The availability of such data, security experts say, exacerbates the threat of identity theft and retaliation against troops on sensitive missions. In addition to using the information to drain financial accounts, hackers could pose as soldiers in an effort to ferret out sensitive data, including passwords to government systems.

The company found the sensitive documents by using "peer to peer" file-sharing software.

Automated summary from: The Washington Post

November 17, 2009 | Permalink

E-Medical Data Valuable to Health Industry

More than three-quarters of healthcare executives believe their industry's most valuable asset is going to be information contained in electronic medical records, according to a report issued Thursday by PricewaterhouseCoopers.

The report, based on a survey of more than 700 healthcare executives, noted that the hundreds of billions of gigabytes of health and medical information being compiled will have a secondary use in five years that will make it the industry's most valuable asset.

Even though the main challenges of using the healthcare data remain, PWC found that many organizations have already started to use e-medical records and nearly 60% of those have seen quality improvements resulting in some cost savings, patient/member satisfaction, and revenue gains.

Automated summary from: Information Week

October 30, 2009 | Permalink

Will your privacy be compromised online?

Cybercriminals have gotten craftier, often looking toward popular trends and events -- such as tax season, the mortgage meltdown and the growth of social media -- to scam people into giving them sensitive information.

In addition to criminal scams, corporate data breaches can leave your privacy compromised.

As of September 22, there have been 379 data breaches reported by the Identity Theft Resource Center in 2009, affecting more than 13 million records.

"It's not one or two companies that are acting irresponsibly with consumer data," said Andrea Matwyshyn, a law professor who teaches technology regulation at the Wharton School at the University of Pennsylvania. "It's a large-scale problem where industry norms of care are arguably not adequate to address the challenges of data security optimally."

Exercising caution before you submit sensitive information can save you a lot of aggravation down the line.

"If you don't perceive a symptom and convey it to a physician, nobody's going to be able to help you," Ravi Sandhu, a professor of cyber security at the University of Texas at San Antonio, said. "So here, also, consumers need to be vigilant and watch over their accounts and look out to see if anything strange is happening."

Automated summary from: CNN.com

October 30, 2009 | Permalink

Location tracking on cell phones raises privacy concerns

All new cell phones can track a person's geographic location. Government regulators required the features as a safety measure to help authorities find individuals in the case of an emergency.

Such capabilities have caught the eye of marketers and corporations, many of whom have started to build location-based applications for the iPhone and other devices.

Marketers are particularly excited about being able to target ads at particular consumers based on their geographic location.

Privacy advocates question whether consumers fully understand how their data could be used. The typical iPhone app simply asks users whether it can "use your current location." It doesn't explain in detail how that information will be used.

Many consumers assume the information will be used by that program just to, say, determine the closest Starbucks. But privacy advocates note that there's little to limit a marketer to just that. There are few rules for what marketers can do with location data they collect.

Location data collection has obvious implications for personal security. With access to that kind of information, a stalker could easily track down a potential victim and criminals could know precisely when to break into people's homes.

Automated summary from: Mercury News

October 30, 2009 | Permalink

UNC data breach exposes 163,000 SSNs

The University of North Carolina at Chapel Hill on Friday began notifying about 163,000 women about the potential compromise of their Social Security numbers and other personal information after a hacker breached a system containing the data.

The breached server belonged to the UNC School of Medicine and contained information that was collected as part of a federally funded mammography research project.

Matt Mauro, chairman of the university's Department of Radiology, said the breach was first discovered in July when a researcher reported problems accessing the system.

The sites that were sending the information to UNC have stopped doing so for the moment, while stronger precautions are implemented to prevent a similar breach in future, he said.

Notifications have only just started going out because UNC technology officials and an external forensic team have required time to piece together the extent of the compromise and to figure out exactly who may have been affected by it, Mauro said.

Automated summary from: Computer World

October 30, 2009 | Permalink

Why Social Media Should Welcome Location-Based Services

The announcement that Twitter will soon give users the option to disclose their physical whereabouts kindled debate over the role of location-based services (LBS) in social media and elicited criticism that the tools are an invasion of privacy.

Besides helping us track our location patterns or the nearest Starbucks (SBUX), these apps collect valuable data about our daily routines and the routines of those closest to us. They track personal tastes in food, fashion, and music so we can receive alerts and location-based notifications.

Yet as the space crowds with LBS players, the challenge will be to protect users' privacy, find ways to make marketing pitches relevant, and separate useful sites from also-rans.

Twitter plans to make its location services opt-in, also letting users choose whether to tell others where they are.

A related but more fundamental question: What happens to the data that are being collected about our whereabouts?

"The majority of [existing] apps are very centralized—they remain Internet-based, and the controls are with the company," says MIT researcher Nadav Aharony.

Automated summary from: Business Week

October 29, 2009 | Permalink

Health Data Breach Rules Become Effective

New rules governing consumer notification when the security of their health information is breached go into effect this week. But federal agencies won't enforce the rules for several more months.

A final rule from the Federal Trade Commission, published Aug. 25 and effective Sept. 24, requires vendors of personal health records--and entities that offer third-party PHRs--to notify consumers of data breaches. In the rule, the FTC noted the quick deadlines that were statutorily mandated and imposed a grace period on enforcement.

"Therefore, the Commission will use its enforcement discretion to refrain from bringing an enforcement action for failure to provide the required notifications for breaches that are discovered before Feb. 22, 2010," according to the rule.

"During this initial time period--after this rule has taken effect but before an entity is subject to an enforcement action--the Commission expects regulated entities to come into full compliance with the final rule."

A separate rule for HIPAA-covered entities, the HHS interim final rule, was published on Aug. 24 with a Sept. 23 effective date. The rule requires providers, payers, clearinghouses and other HIPAA-covered entities to promptly notify affected individuals in instances of a data breach. Prompt notification to HHS and the media is required when a breach affects more than 500 individuals. Smaller breaches must be annually reported to HHS. Business associates of HIPAA-covered entities must notify the affected covered entity of breaches.

Automated summary from: Health Data Management

October 13, 2009 | Permalink
