In this week’s breach roundup, read about the latest security incidents reported by organizations in the higher education, healthcare, and government industries.
Hackers Access College Application Records
According to DataBreach Today, “Hackers using an international IP address recently unlawfully accessed an online database containing student admissions records for Kirkwood Community College in Cedar Rapids, Iowa.
The hackers accessed archived admissions records for individuals who applied to take Kirkwood college-credit classes, the college reports. The information spanned from February 2005 to March 13, 2013.
Although the college hasn’t disclosed the number of individuals affected by the March incident, local ABC television affiliate KCRG is reporting 125,000 personal records were compromised in the hacker attack.
Information stored in the records may have included applicant names, birthdates, race, contact information, and Social Security numbers, according to an FAQ on the college’s website. No financial data or academic records, including grades and financial aid information, were stored in the system.
The college is offering affected applicants free identity protection services.”
Hospice Breach Affects More Than 5,000 Patients
Healthcare Informatics reported that “Hospice of Alamance Caswell and LifePath Home Health have notified approximately 5,370 current and past patients, or their next of kin, about a breach of unsecured personal patient protected health information after an incident occurred at their office.”
On Feb. 24th there was a break-in at their main office building in Burlington, N.C., officials said. During the break-in, three laptops were stolen that are used in connection with the provision of care to patients in their own homes. Although the patient database stored on the laptops was fully encrypted to conform to industry standards, the laptops also contained unencrypted e-mails that contained limited patient health information about a small percentage of patients. The laptops have not been recovered at this time.
According to officials, the perpetrators also had access to rooms that contain paper medical and billing records. The police investigation did not reveal any evidence that any record was touched or viewed, and no records were taken. These paper medical records contained personal information, including name, address, phone number, date of birth, Medicare or other health insurance number, prescribed medications, and full or partial Social Security numbers.
Although it does not appear that the files were viewed, Hospice has said there is no way of knowing whether the files were actually viewed. As of this date Hospice has not received any indication that the information has been accessed or used by an unauthorized individual.
“Hospice of Alamance Caswell understands the importance of safeguarding our patients’ personal information and takes that responsibility very seriously,” Peter Barcus, executive director, said in a statement. “We will do all we can to work with our patients or their loved ones whose personal information may have been compromised and help them work through the process. We sincerely regret that this incident has occurred, and we are committed to prevent future such occurrences. We appreciate our patients’ and families’ support during this time.”
Medical Records of 2k Patients Left Unprotected on Contractor’s Server
SC Magazine disclosed that “thousands of patients of a New York state hospital had their medical records exposed when they were left unprotected on a third-party server for several months.”
How many victims? More than 2,300.
What type of personal information? Medical records, including handwritten doctors’ notes that typically include diagnoses, test results, and emergency department records.
What happened? On Thursday, Glens Falls Hospital announced that an outside contractor, which stores medical records for the hospital, left the data of patients on an unprotected server between November and mid-March. A forensic audit led hospital officials to learn of the breach.
What was the response? Notifications were sent to victims. In addition, the hospital set up a call center for patients with inquiries.
Details: Auditors concluded that some patient records may have been accessed or downloaded by intruders. A hospital spokeswoman said Social Security numbers, addresses, and financial information were not on the unsecured server.
On March 14th the server was taken offline and, since discovering the incident, the hospital fired the contractor, Portal Healthcare Solutions.
Quote: “There’s no way to tell how the records were accessed, or even if any actually were,” Darlene Raynsford, a Glens Falls Hospital spokeswoman, said.
Source: www.poststar.com, The Post-Star, “Glens Falls Hospital alerts patients of possible information breach,”
Laptop Stolen From S.C. Medical Center Contains Data on 7k Veterans
According to SC Magazine, “A Department of Veterans Affairs (VA) laptop containing the sensitive data of several thousand patients was stolen in South Carolina.”
How many victims? 7,405.
What type of personal information? Names, birth dates, and partial Social Security numbers.
What happened? The VA sent notification letters to affected patients last week, after discovering the laptop was stolen in February. The theft occurred at the respiratory therapy department of the William Jennings Bryan Dorn VA Medical Center in Columbia, S.C.
What was the response? The VA is offering one year of free credit monitoring to affected patients and has directed individuals with questions to call Lisa Boxton, the Dorn VA privacy officer.
Details: Law enforcement has begun a criminal investigation, though VA officials believe no patient information has been misused. Since the incident, the hospital has secured all laptops that are connected to medical devices.
Quote: “Any time a veteran’s personal information may be compromised, we take the matter very seriously,” said Rebecca Wiley, the medical center director. “We are reaching out to each veteran who may have been impacted.”
Source: www.wistv.com, WIS News 10, “Dorn VA warns patients of possible security breach,”
About Tactical FLEX, Inc.
For nearly a decade, Tactical FLEX, Inc. has taken great pride in providing best-of-breed security solutions to every type of organization around the world. Our wide spectrum of customers demonstrates our sincere commitment to an industry that remains at the forefront of the digital evolution of the world. Information security is our business and our customers are our greatest asset. Tactical FLEX, Inc. is a trusted security vendor protecting more than 6,000 organizations within every industry in more than 100 countries. Our product Aanval® is the industry’s most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Aanval supports both Snort and Suricata, as well as virtually any Syslog data source, and is designed specifically to scale from small single-sensor installations to global enterprise deployments.
We invite you to visit our Industry Focus page at http://www.aanval.com/industry to find out how our products and services can aid in securing your valuable assets and information.
Learn more about Aanval SAS™ by visiting http://www.aanval.com. Aanval® is also available for download as a free Community edition for testing and evaluation at http://www.aanval.com/download.