Tag archive for "HIPAA"

Articles

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group | Mintz Levin – Privacy & Security – JDSupra

Comments Off 21 April 2012

Here’s a fantastic summary of the Phoenix Cardiac Surgery Group’s landmark HIPAA Violations penalty & settlement.

The days of small medical practices thinking they were too small for enforcement are (hopefully) over.

From JDSupra.com:

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

via The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group | Mintz Levin – Privacy & Security – JDSupra.

Articles

UTAH Medicaid hacked – over 181,000 records and 25,000 SSNs stolen

Comments Off 09 April 2012

The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) on Monday that the server that houses Medicaid claims was hacked. On Wednesday, the UDOH publicly announced the breach. On Friday, DTS revealed the damage:

181,604 Medicaid and Children’s Health Insurance Plan (CHIP) recipients had their personal information stolen.

Of those, 25,096 appear to have had their Social Security numbers (SSNs) compromised. The agency is cooperating with law enforcement in a criminal investigation. The hackers, who are believed to be located in Eastern Europe, breached the server in question on March 30, 2012.

via Medicaid hacked: over 181,000 records and 25,000 SSNs stolen | ZDNet.

Articles

iPad’s ‘Dictation’ sends info to Apple servers

Comments Off 31 March 2012

“Dictation” is one of the features of the new iPad, and it can be used to dictate notes, emails, text messages. But new iPad owners may want to use it sparingly if they’re worried about privacy: the feature sends what you say to Apple’s servers to process the information.

“What I’ve come to learn about Dictation is that it requires more from me to use than I’m comfortable with Apple requesting,” writes Stephen Chapman on ZDNet.

via iPad’s ‘Dictation’ sends info to Apple servers – Technolog on msnbc.com.

Articles, News

Learn from the Blue Cross Blue Shield of Tennessee HIPAA breach

Comments Off 28 March 2012

In March 2012, BCBS of Tennessee agreed to pay $1.5M to settle HIPAA violations arising from a data breach.

BCBS of Tennessee had failed to encrypt hard drives containing voicemail files.

Is YOUR medical practice encrypting the hard drives and flash drives embedded within

  • Laptops
  • Desktops
  • Servers
  • Copiers
  • Voice Mail systems
  • And other smart systems

The settlement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/resolution_agreement_and_cap.pdf
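As an added check for the question above (example code added here, not part of the original post or of the settlement), the following POSIX shell script answers it for a Linux laptop or server: it reads the key="value" output of `lsblk` and lists every mounted filesystem that has no dm-crypt (LUKS) layer anywhere beneath it, which is exactly the class of drive BCBS of Tennessee was penalised for. The `lsblk` sample embedded below is constructed, the function name `audit_unencrypted_mounts` is my own, and the script knows only about Linux dm-crypt: Windows BitLocker, macOS FileVault, self-encrypting drives, and the storage inside copiers and voicemail appliances need their own checks.

```shell
#!/bin/sh
# Added example for this post, not code from the original page.
# Lists mounted filesystems whose block-device chain contains no dm-crypt
# (LUKS) layer. Input is the key="value" output of
#   lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT
# PKNAME is the parent device, so NAME -> PKNAME -> ... walks from a
# mounted volume down to the physical disk.

audit_unencrypted_mounts() {
    # stdin: lsblk -P output; stdout: "<mountpoint> <device>" per finding
    awk '
    # Return the value of KEY="..." on the current record ("" if absent).
    # A leading space is added so "NAME" cannot match inside "PKNAME".
    function field(key,    s) {
        s = " " $0
        if (!match(s, " " key "=\"[^\"]*\"")) return ""
        return substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        name = field("NAME"); pk = field("PKNAME")
        kind[name] = field("TYPE")
        parent[name] = pk
        mp = field("MOUNTPOINT"); fs = field("FSTYPE")
        # swap holds no files; an empty MOUNTPOINT means not mounted
        if (mp != "" && mp != "[SWAP]" && fs != "swap") mount[name] = mp
    }
    END {
        for (n in mount) {
            enc = 0; d = n; hops = 0
            # walk up the parent chain; any TYPE="crypt" layer counts
            while (d != "" && hops < 32) {
                if (kind[d] == "crypt") { enc = 1; break }
                d = parent[d]; hops++
            }
            if (!enc) print mount[n], n
        }
    }' | sort
}

# Constructed sample (not captured from a real host): / and swap sit on
# LVM over LUKS, while the EFI partition and a second disk holding
# voicemail recordings are plain, unencrypted partitions.
SAMPLE='NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="sda2" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg0-root" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg0-swap" PKNAME="cryptroot" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
NAME="sdb" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/var/voicemail"'

# On a live host, replace the sample with:
#   lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT | audit_unencrypted_mounts
printf '%s\n' "$SAMPLE" | audit_unencrypted_mounts
```

Against the sample the script reports `/boot/efi sda1` and `/var/voicemail sdb1` and stays silent about `/`, because the chain vg0-root -> cryptroot passes through a crypt device. An EFI system partition is expected to be in the clear; a voicemail store is not, and that line is the one an auditor would want explained.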


Articles, News

ANSI Free Report – The Financial Impact of Breached Protected Health Information

Comments Off 28 March 2012

ANSI (the American National Standards Institute) has produced a phenomenal, and free, report on the financial impact of losing healthcare data.

Highly recommended that you download it from http://webstore.ansi.org/phi/

Articles, News

New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy

Comments Off 28 March 2012

Still think HIPAA compliance is strictly for the big guys?

Still think your small medical practice or medical billing business is safe from hackers, criminals and litigators?

From the Wall Street Journal’s Bankruptcy Beat blog:

The New Year’s Eve burglary of a California office building has led to the collapse of a national medical records firm.

Impairment Resources LLC filed for bankruptcy Friday after the break-in at its San Diego headquarters led to the electronic escape of detailed medical information for roughly 14,000 people, according to papers filed in U.S. Bankruptcy Court in Wilmington, Del. That information included patient addresses, social security numbers and medical diagnoses.

Police never caught the criminals, and company executives were required by law to report the breach to state attorneys general and the Department of Labor’s Office of Inspector General. Some of those agencies, including the Department of Labor, are still investigating the matter, the company said in court papers.

via New Year’s Eve Burglary Triggers Medical Records Firm’s Bankruptcy – Bankruptcy Beat – WSJ.

Articles, News

Ambulances turned away as computer virus infects Gwinnett Medical Center computers

Comments Off 12 December 2011

By Misty Williams and Joel Anderson

The Atlanta Journal-Constitution

Gwinnett Medical Center on Friday confirmed it has instructed ambulances to take patients to other area hospitals when possible after discovering a system-wide computer virus that slowed patient registration and other operations at its campuses in Lawrenceville and Duluth.

Staff members discovered the virus Wednesday afternoon and have been working since then with outside I.T. experts to fix the problem, spokeswoman Beth Okun said. In the meantime, the health system has been forced to switch back to paperwork.

The situation is expected to last through the weekend, Okun said.

via Ambulances turned away as computer virus infects Gwinnett Medical Center computers  | ajc.com.

CISSP, Events

ISC2 SecureBoston Oct 19, 2011

Comments Off 28 September 2011

Oct 19, 2011 – Full Day ISC2 Local Event

Oversharing: Managing Risk in the Social Age
Co-presented by Raj Goel and Brandon Dunlap

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this day-long, interactive event, we’ll explore strategies for managing the risks associated with:

  •  Data Loss Prevention
  •  Brand Protection
  •  Privacy Erosion
  •  Malware Protection

We’ll also outline the cultural effects of Social Media on the enterprise as Generation Y, the Millennials, begin entering the workplace with expectations of open sharing. Many of the tools to protect our organizations and users are deployed and in use already. Join us as we share techniques from our peers in making the best use of our past investments to mitigate these risks.

Download the file here:

2011-10-19-RajGoel-ISC2-Secure_Boston_Cloud_Computing_Oversharing_OverCollecting.pdf

Events

AppAssure/SMBNation HIPAA Compliance Webinar

Comments Off 07 September 2011

Thursday, September 8, 2011, 10:00 AM – 11:00 AM PDT

With the recent penalties against UCLA Health System ($865,000), Rite Aid ($1M), CVS ($2.25M), Massachusetts General ($1M) and Cignet ($4.3M), the Office for Civil Rights is finally showing that it means business.

Several key requirements for HIPAA compliance are:
- Backups and records retention
- Disaster recovery
- Business continuity

This webinar, by Raj Goel, a renowned expert on HIPAA/HITECH compliance, will give you an overview of how AppAssure helps health care providers meet HIPAA/HITECH compliance while solving critical business challenges effectively.

Speakers: Harry Brelsford and Raj Goel

Register here!: https://www1.gotomeeting.com/register/516144041

Articles, News

Written Information Security Policy is INSUFFICIENT to comply with Massachusetts Data Privacy Law

Comments Off 29 August 2011

Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations

The Massachusetts Attorney General’s Office and Belmont Savings Bank have agreed to resolve allegations that Belmont Savings Bank has violated the Commonwealth’s stringent data security regulations (see our post about 201 CMR 17.00 here) through an Assurance of Discontinuance, which has been filed in Massachusetts state court (see document here). Belmont Savings Bank has agreed to pay a civil penalty of $7,500 and has also agreed to institute new security and training procedures following a breach in May 2011, when an employee left a computer backup tape on a desk overnight, rather than in a storage vault. A surveillance camera showed that the backup tape was inadvertently discarded by the evening cleaning crew and, according to the Attorney General’s Office, was likely incinerated by the bank’s waste disposal company.

While there is no evidence indicating that any customer’s personal information has been acquired or used by an unauthorized person or used for an unauthorized purpose, the Assurance of Discontinuance states that if actual harm to customers results, the Attorney General’s Office will reopen discussions in order to determine appropriate restitution. This is the first settlement related to a violation of the Commonwealth’s relatively new data security regulations. While the Attorney General’s Office entered into a consent agreement with a restaurant chain in April 2011 for data security failures, that alleged breach occurred before the new data security regulations went into effect on March 1, 2010. (See our post about this consent agreement here.)

via Massachusetts AG Says Having a WISP is Not Enough to Comply With Massachusetts Data Security Regulations : Privacy Law Blog.

News

Little Brother is a snitch – Blackberry Messenger archives open to UK authorities

Comments Off 22 August 2011

The 1st rule of social media and digital communications really should be

“Little Brother is watching…and he’s a snitch”

While George Orwell trained us to distrust government (aka Big Brother), his crystal ball didn’t foresee all the little brothers that would take your money AND betray you for their own profitability.

After the UK riots, BlackBerry maker RIM made the BBMs stored on RIM’s servers available to the UK police.

Add this to all the cases where Google, Microsoft, Facebook, etc. have buckled under National Security Letters and other arm-twisting, and all of a sudden 1984 reads like a UTOPIAN fantasy.

Read more here: http://www.theregister.co.uk/2011/08/09/bbm_riots/

MS says EU data open to Patriot Act seizures: http://www.theregister.co.uk/2011/07/04/eu_customer_cloud_data_may_be_handed_over_by_microsoft/

If you’re concerned about Google retaining your personal data, then you must be doing something you shouldn’t be doing. At least that’s the word from Google CEO Eric Schmidt: http://www.theregister.co.uk/2009/12/07/schmidt_on_privacy/

Aug 23, 2011 – Facebook & Twitter are also meeting with the UK government: http://thenextweb.com/uk/2011/08/22/confirmed-twitter-will-meet-with-the-uk-government-for-riot-talks/

So, my compliance-oriented readers, what is YOUR social media, BBM, SMS and EMAIL communications policy?

Articles, News

CIGNET’s HIPAA Penalty – $946 per record

Comments Off 22 August 2011

Raj Goel, CISSP, CTO

Brainlink International, Inc.

raj@brainlink.com

917-685-7731

Raj’s LinkedIn profile

Since 2005, the Ponemon Institute has released an annual study comparing the costs of data breaches.

According to the latest study, the cost per lost record ranges from $133 to $249, depending on your industry.

In light of that, the Office for Civil Rights’ penalty against Cignet sets a new standard at roughly $946 per record ($4.3 million / 4,541 records).

This should help healthcare CSOs and CPOs get more attention from their CEOs and CFOs.

The OCR isn’t kidding about HIPAA penalties anymore.

About time.

Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in New York and can be reached at raj@brainlink.com.

Articles

Backing Up Documents in the Cloud

Comments Off 22 August 2011

Raj Goel, CISSP, CTO

Brainlink International, Inc.

raj@brainlink.com

917-685-7731

Raj’s LinkedIn profile

This article appeared on LAW.com

John Edwards (no, not THAT John Edwards) did a great job of summarizing various backup tools available for CLOUD backups, and some risks inherent in it.

My opinion is that law firms should NOT be using public or hybrid clouds, as the dangers to client confidentiality and the potential litigation liabilities outweigh any short-term savings.

PRIVACY

Rajesh Goel, chief technology officer at Brainlink International, a New York-based compliance security consulting firm, warns that storing data in the cloud could, under some circumstances, pose a privacy risk to client data. “If a firm is large enough and they have the financial and technical resources to build their own private cloud, then the advantages of cloud computing are compelling,” he says. “For firms lured by the low cost/save money siren song of public and hybrid clouds, there’s danger ahead.”

Goel observes that while the Electronic Communications Privacy Act assures that e-mail has a 180-day right to privacy, information held in databases has zero days of privacy protection. “All online applications … can be classified as databases, under the strict definition of ECPA,” Goel asserts.

Goel says that attorneys also need to be aware of another potential privacy threat. “The Patriot Act allows law enforcement to use National Security Letters to obtain information about individuals and companies from service providers,” he says. “Most NSLs forbid the service provider from notifying their clients that they have released information to law enforcement, based on NSLs.”

Goel adds that lawyers with clients in highly regulated areas, such as health care and financial services, also need to fully investigate their situation and privacy risk potential before sending files into the cloud.

Full article is available at http://www.law.com/jsp/article.jsp?id=1202509461694&Backing_Up_Documents_in_the_Cloud&slreturn=1&hbxlogin=1


Raj Goel, CISSP, is chief technology officer of Brainlink International, an IT services firm. He is located in  New York and can be reached at raj@brainlink.com.

About, Presentations

Presentation Topics

Comments Off 13 July 2011

Each of my talks runs from 45 to 120 minutes.

I present the specific topic in 45 minutes, or really dive into it for 2 hours.

Multiple topics can also be combined into 2-, 3-, 4- or 6-hour sessions for half-day and full-day events.

The agendas/descriptions for each of the topics are:


1) Perils of Social Media – How Facebook, Google, Twitter, Social Media & Cloud Computing are creating Threats to Privacy, Security and Liberty

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.


2) Trends in Financial Crimes

This interactive and lively discussion presents an overview of US laws (HIPAA, Sarbanes Oxley (SOX), Gramm Leach Bliley Act (GLBA), PCI CISP Credit Card Compliance, the growing number of US state data breach notification laws). We trace the history of information security regulations and ID Theft. We examine credit theft and the threat it poses to the American banking industry, as well as the global economy and what governments around the world are doing to combat these crimes.

Special attention is paid to trends and growth in financial crimes, including:

* ID Theft
* Mortgage/Title Fraud
* SPAM /Botnet for Hire
* Credit Fraud
* Case Studies from around the world

Length: 50 minutes


3) Are you Googling your Clients’ privacy away?

This presentation addresses how various services offered by Google can become a threat to your companies’ privacy and confidentiality policies.

It deals with Google’s capabilities to capture and aggregate information with or without user knowledge. Special attention is given to Google’s key offerings such as:

* Google Searches
* GMail
* Orkut
* Google Toolbar
* Google Desktop
* Android
* Chrome Browser
* Case Studies from around the world

Length: 50 Minutes


4) Expanding your practice using LinkedIn

* This seminar will discuss Common myths about LinkedIn
* Proper uses and misuses of LinkedIn
* The power of LinkedIn Groups
* Case Studies examine different LinkedIn profiles, and how to create effective profiles

Length: 50 Minutes


5) Living in a MultiCompliance World – Part I HIPAA, Sarbanes-Oxley, Gramm-Leach-Bliley and PCI-DSS compliance

This presentation provides an overview of the major federal and private information security laws and regulations in the United States.

Case studies examine the real-world impact of non-compliance, analysis of documented cases and guidance on implementing multi-compliance effectively.

Length: 90 minutes


6) Living in a MultiCompliance World – Part II

This presentation provides an overview of the impact the 37+ state privacy breach laws have on the federal regulations and PCI-DSS compliance. We examine the New York State Privacy Breach law in depth.

Length: 90 minutes


7) Lessons Learned From the FTC

The FTC has emerged as the leading investigator of privacy and security breaches, and has sanctioned companies and institutions across industries for breaches.  This presentation reviews the FTC’s track record, examines lessons learned from each sanction, and provides guidance based on current and proposed regulations.

Over the last decade, in the absence of a national Consumer Privacy Watchdog/Czar, the Federal Trade Commission (FTC) has set the standard for what it considers acceptable, and unacceptable behavior for companies and organizations conducting business within the United States.

The FTC doesn’t involve itself in the minutiae of security standards à la HIPAA, PCI, etc., nor does it dictate what protocols or technologies companies need to use. Rather, the FTC uses its Constitutional and Congressional mandate for regulating interstate commerce to hold companies accountable for their breaches.

This presentation will examine the FTC’s track record, put the sanctions in a larger context of privacy and security breaches, and most importantly, we will look at where the FTC is trending with the FTC Health Breach and RED FLAG regulations.

Length: 90 minutes


8) PCI Compliance is an expensive, moving target.

Many firms have chosen to become PCI compliant, others are content to sit by the sidelines and hope they won’t get caught.

Countless other firms have engaged in PCI compliance efforts, only to fall short and have significant breaches while being PCI compliant.

Pay NOW for effective, common-sense based compliance, or pay LATER in FTC fines, PCI fines and lawsuits.
Either way, you’re going to pay.

This presentation looks at a dollars-and-cents approach to PCI compliance.

Length: 45 minutes


9) Privacy and Security Challenges With Cloud Computing for Attorneys, Accountants and Business Owners

Dropbox, Gmail, Facebook, Amazon Web Services — they’ve become part of the IT DNA.  More than that, they have become household verbs.

Individual consumers and complete corporations moving to Social Media and the cloud has had a resounding impact on how our profession manages enterprise security. In this interactive event, we’ll explore strategies for managing the risks associated with:

- Data Loss Prevention
- Brand Protection
- Privacy Erosion
- Malware Protection
- FTC’s regulatory sanctions
- Guidance from the Courts, FTC, HHS and other regulatory bodies on Cloud Computing and Social Media

This has been presented twice at NYCLA (New York County Lawyers’ Association) and makes for a great ETHICS CLE for your law practice or Bar association.

Length:  45-90 minutes


10) Case Studies in Privacy and Security failures from around the globe

We examine large breaches from around the world (US, Canada, Japan, South Korea, Israel, UK, etc), focusing on the historical, cultural and social factors that contributed to the breach.

We also draw out the common threads that tie these breaches together into a comprehensive narrative.

Length: 45-90 minutes

CISSP, Webinars

Streamlining and Ensuring Continuous Compliance

Comments Off 13 July 2011

http://www.brighttalk.com/webcast/5385/22557

Webinars

Trends in Financial Crimes

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/188/3182

CISSP, Webinars

New HIPAA Rules and EHRs: ARRA & Breach Notification

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/586/4565

CISSP, Webinars

Watching the Watchers

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22564

CISSP, Webinars

Regulatory Compliance While Reducing Enterprise Risk

Comments Off 12 July 2011

http://www.brighttalk.com/webcast/5385/22554

CISSP, Webinars

Old Threats, New Vectors: The Evolution of Malware

Comments Off 12 July 2011

http://www.brighttalk.com/community/it-security/webcast/5385/25947

© 2012 Raj Goel, CISSP. Powered by WordPress.