Posts Tagged ‘data breach notification law’

Identity Theft at Mercy Medical Center in Baltimore

Saturday, November 14th, 2009

Police are still investigating a security breach at Mercy Medical Center in Baltimore. According to the state attorney general’s office, the breach has left an unknown number of victims open to identity theft.

The hospital has already sent letters to the affected former patients. The letters state that a former employee accessed patient records in order to apply for credit cards and loans in the patients’ names.

A spokesman for the attorney general did not know how many people had been sent letters. However, Hugh Williams, coordinator of the identity theft unit in the state attorney general’s office, said the number of people who could have been affected could be significant. He is also not sure when the breach was discovered, but encouraged anyone who receives a letter to take it seriously.

The data breach is still under investigation. The case falls under the state law passed last year, under which businesses are required to promptly inform people of any data breach that could affect them.

Laws like the one passed last year in Maryland are getting passed all over the US and I think it’s a very good idea. Businesses handle data breaches very differently. Some tend to try and cover it up until the last minute while others do the right thing and inform people early. Laws that force businesses to inform people of data breaches promptly are a step in the right direction.

Consumers not connecting data breach and ID theft, study shows

Monday, November 2nd, 2009

Consumers aren’t making the connection between receiving a data breach notification and later becoming an identity theft victim, according to a new study. The study found that people whose information has been compromised in a data breach are four times more likely to become victims of identity theft or credit fraud within the following 12 months.

Yet, when asked later about having become identity theft victims, few of the survey respondents attributed their fraud to the data breach they’d been involved in.

The objective behind sending the data breach notification letters is to let consumers know their personal or financial information has been compromised. The notices should spur credit card and bankcard holders to place fraud alerts or credit freezes on their credit reports, or to enroll in identity theft protection services or credit monitoring services.

Unfortunately, it seems few recipients of the data breach notifications are taking heed.

JP Morgan Chase Bank data breach: Congress demands answers

Friday, October 9th, 2009

JP Morgan Chase Bank admits to having lost a computer data tape containing customer information earlier this year. Bank officials have so far refused to reveal how many customers are affected, how many customers have been notified, or even when the loss occurred. But it appears they will have to answer those questions soon.

This week two Republican members of the House Committee on Energy and Commerce, Rep. Joe Barton and Rep. George Radanovich, sent a letter to James L. Dimon, Chairman and CEO of JPMorgan Chase & Co., asking these questions and more.

In notifying the undisclosed number of affected customers, the bank offered them one year of free enrollment in Chase Identity Protection. The congressmen asked whether affected customers will be automatically charged for continued participation in the program once the free year ends, or whether the program will be automatically discontinued unless customers opt to continue.

The committee members sent the letter October 7, and set a deadline of October 31 for a written response from the bank.

In July 2006 Chase Card Services (a division of JP Morgan Chase) notified 2.6 million current and former Circuit City credit card account holders that five computer tapes containing their personal information had been accidentally thrown out with the trash. The bank said it believed the tapes were safely “buried in a landfill.”

In August 2005 JP Morgan Chase admitted that a laptop containing customers’ personal and financial information was stolen. The bank said then that the number of customers affected was unknown.

New Data Breach Rules For Health Care Providers

Tuesday, October 6th, 2009

A new breach notification rule issued by the U.S. Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act has gone into effect. Under the rule, covered health care entities, including insurers, that do not protect data with the HHS-approved encryption or destruction methods must notify affected individuals within 60 days of discovering a breach. If the breach affects 500 or more people, it must also be reported to HHS and to the media.

The rule goes on to say that health care companies must publicly disclose a breach only if it “threatens significant financial or reputational harm to the individuals affected.” According to the post, HHS decides whether the threat is significant enough to require informing the press and making the breach public.

I feel this law will aid in forcing companies to protect their data better and in making them release information about their data breaches. I only hope that the HHS policies on data encryption and security are tight enough to keep people out. If they are not, then the law will help protect companies from having to release information about their data breaches. After all, the HHS gets to decide what to disclose and what to keep from the public. I feel it could be a step in the right direction toward keeping insurance information just a little bit safer.

Sept. 23 deadline for health-care data breach, ID theft risk notification rules

Monday, September 21st, 2009

Health care related businesses have only two more days to prepare a data breach notification plan. A new rule requiring health care providers, insurers and clearinghouses to notify individuals whose information has been inappropriately accessed goes into effect September 23.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

Notification is to be made “as soon as reasonably possible,” and in any case within 60 days of discovery. An exception is made if law enforcement requests a delay, which is common while an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, the Department of Health and Human Services (HHS) could determine that the covered entity failed to meet the provision if notification could have been made sooner. The 60 days are an outer limit, not a grace period.

If the breach involves 500 or more people, HHS and the media must be notified as well. Smaller breaches must be logged and reported to HHS annually.

Another exception to the rule covers information that was encrypted or destroyed. If an attacker breaks into a server or database but the protected health information there was encrypted according to the HHS guidance (and the decryption key was not also compromised), or the data had been destroyed so that it is unusable and unreadable, the entity is not required to make any notification. General server hardening does not qualify; the safe harbor applies to the state of the data itself.

A breach is defined as “the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information,” meaning that it poses a “significant risk of financial, reputational or other harm to the individual.”

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

ITRC 2009 data breach study full of bad news

Thursday, June 25th, 2009

The Identity Theft Resource Center released the results this week of their most recent data breach study, an analysis of data breaches publicly reported so far this year. Little of the news is good, but two of the ITRC’s findings are especially alarming.

Perhaps the most disturbing discovery is that of the roughly 250 entities reporting breaches, only one could say the stolen information was encrypted.

Almost every state has a law compelling entities to report data breaches, but apparently even the fear of public disclosure and bad publicity still isn’t enough to make businesses and other organizations protect the data they hold.

“It’s a dual problem here undeterred by law or common sense,” said Linda Foley, co-founder of the ITRC. “You’d think if all these organizations have to notify, that they would take some steps to make sure their data doesn’t get exposed in the first place.”

Another surprising finding is that insider theft by employees is occurring at the same rate as hacking. Together, the two types of attack account for 36.4% of the roughly 250 data breaches reported publicly this year as of June 12.

The only good news to be found in the study is that the total number of data breaches is down by roughly 30% from the same time last year when 342 breaches had already been reported.

Unfortunately, even that slight ray of sunshine is dimmed by the fact that at least 12 million businesses and consumers are affected by this year’s data breaches, and the total is probably far greater than that: fewer than half of the entities that reported breaches revealed the number of victims affected.

Few companies notify customers of data breach

Thursday, October 9th, 2008

By now just about everyone you know has gotten the dreaded data breach letter: “Dear Customer, we regret to inform you we have become aware…” If you haven’t gotten this letter yet, that doesn’t mean your information hasn’t been exposed.

A recent survey of 300 companies by Logica, an information technology security firm, revealed that only 40% of the companies that experienced data breaches notified their customers. Only 50% notified police or other authorities. Only 30% gave their employees training on how to prevent or respond to data breaches.