SSN printed on mailing labels at Univ of Maryland

This is the kind of breach that makes you go “huh?” The Breach Blog tells a sad tale of mailing labels gone awry:

On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

I hope the regulators fine the DoT for every label. Everyone knows the DoT loves to hand out violations, so fair is fair. On the other hand, they might absorb the fine by raising parking violation fees…

First HIPAA fine enforced

The news release speaks for itself:

The U.S. Department of Health & Human Services (HHS) has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

Ouch. This follows a recent warning by the Department of Justice that HIPAA is now being taken seriously and will be enforced.

The incidents giving rise to the agreement involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

It is vital to note the role breach notification played in the text above: HHS learned of the incidents through complaints that patients filed only after Providence notified them under state breach notification laws.

American Shoppers Easily Duped

Blame the victim? Unfair market? Legitimate fraud? But seriously, studies continue to show that American shoppers are highly susceptible to simple tricks:

Shoppers do crazy things. And retailers bank on it.

Several studies reveal how Americans shop in irrational ways, and increasingly scientists are figuring out how easily we can be duped. Retailers in turn use these tricks to get inside our heads, encouraging window shoppers to become real shoppers, driving purchases of sales items regardless of real value, and helping buyers feel good about the things they walk out with … often for no good reason.

I find the “retailers bank on it” phrase a bit cold-hearted. Now that we have motive out of the way, tell me the difference between a retailer and an underground economy site.

Compliance and nine-sixteenths of one second

I am constantly asked how to interpret rules and regulations related to information security. Hopefully someone will bring up the “wardrobe malfunction” example in discussion soon, so I can point to the recent court ruling. This seems like a fair interpretation to me:

“The Commission’s determination that CBS’s broadcast of a nine-sixteenths of one second glimpse of a bare female breast was actionably indecent evidenced the agency’s departure from its prior policy,” the court found. “Its orders constituted the announcement of a policy change — that fleeting images would no longer be excluded from the scope of actionable indecency.”

And people think it is hard to figure out what constitutes virtual system security compliance…