Carbonite account email and password breaches

Users of the online backup service Carbonite have been assigned new passwords.

Carbonite sent a notification (below) and posted a statement on its website saying that it is issuing new passwords for all users because of a password-reuse attack, one closely tied to its lack of required two-factor authentication (2FA).

Notification of Carbonite breach

Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop. 

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP’s actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals’ PHI, including images, in circumstances such as these.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.  In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.


For further information on the application of the HIPAA Rules in situations involving media access to protected health information, please see OCR’s new FAQ on this subject:

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at:

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

Follow OCR on Twitter at



3rd Breach at UC Berkeley in 5 years, 80k in Berkeley Financial System

UC Berkeley had recently touted (and been criticized for) its deployment of a network monitoring system from Fidelis CyberSecurity. Nonetheless, in its third breach in the past five years, 80,000 current and former faculty, staff, students and vendors have been alerted, starting Friday, February 26, 2016, about a December 28, 2015 data breach involving Social Security numbers and financial records, including bank account numbers.

The intrusion occurred on the Berkeley Financial System (BFS), software used by UC Berkeley for financial management. The breach affects over 50% of current students and employees.

“We don’t see any evidence that this is the kind of attacker that actually did access the data or did anything to take that data from the system,” said campus Chief Information Security Officer Paul Rivers in a phone press conference Friday.

UC Berkeley doubled its cybersecurity budget in 2013 from $1.5M to $3M after its email system, CalNet, was taken over by hackers and used to host a phishing banking scam.

Obama administration modifies HIPAA to strengthen the firearm background check system

The following e-mail was sent Tuesday, January 5, 2016 from the OCR-Privacy-List listserv, operated by the Office for Civil Rights (OCR) in the US Department of Health and Human Services:

On January 4, 2016, the Department of Health and Human Services (HHS) moved forward on the Administration’s commitment to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm.

This modification better enables the reporting of the identities of prohibited individuals to the background check system and is an important step toward improving the public’s safety while continuing to strongly protect individuals’ privacy interests.

The final rule gives States improved flexibility to ensure accurate but limited information is reported to the NICS.  This rulemaking makes clear that, under the Privacy Rule, certain covered entities are permitted to disclose limited information to the NICS.  The information that can be disclosed is the limited identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs – that is, only about those who are covered under the pre-existing mental health prohibitor. 

The new modification is carefully and narrowly tailored to preserve the patient-provider relationship and ensure that individuals are not discouraged from seeking voluntary treatment. This rule applies only to a small subset of HIPAA covered entities that either make the mental health determinations that disqualify individuals from having a firearm or are designated by their States to report this information to NICS.

The rule does not apply to most treating providers. 

It is important to note that the vast majority of Americans with mental health conditions are not violent and that those with mental illness are in fact more likely to be victims than perpetrators.  An individual who seeks help for mental health problems or receives mental health treatment is not automatically legally prohibited from having a firearm; nothing in this final rule changes that.  HHS continues to support efforts by the Administration to dispel negative attitudes and misconceptions relating to mental illness and to encourage individuals to seek voluntary mental health treatment.  And the Department remains committed to robust enforcement of the civil rights laws that bar discrimination based on disability by entities that receive funding from the Department.  

The Final Rule is available for review at:

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

To learn more about mental health resources and recovery, visit


Information Assurance & Cyber Security Research and Education, a 501(c)(3)