Category Archives: Breaches

Breach Notifications

87 weaknesses in 7 FDA systems

The Government Accountability Office (GAO) was asked to examine seven key Food and Drug Administration (FDA) information systems and assess how effectively the FDA had implemented information security controls intended to protect the confidentiality, integrity, and availability of its information.  The assessment reviewed security policies, procedures, reports, and other documents, examined the FDA network infrastructure, and included interviews with FDA personnel.

GAO's findings specifically state that the FDA did not always:

  1. adequately protect the boundaries of its network
  2. consistently identify and authenticate system users
  3. limit users’ access to only what was required to perform their duties
  4. encrypt sensitive data
  5. consistently audit and monitor system activity
  6. conduct physical security reviews of its facilities
Number of GAO-identified weaknesses at FDA

Control Area              Weaknesses   Recommendations
Access Controls                   58               122
Configuration Management          23                37
Contingency Planning               5                 6
Media Protection                   1                 1
Total                             87               166


Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital

Today, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it has reached a $2.2 million settlement with New York Presbyterian Hospital (NYP) for the egregious disclosure of two patients’ protected health information (PHI) to film crews and staff during the filming of “NY Med,” an ABC television series, without first obtaining authorization from the patients. In particular, OCR found that NYP allowed the ABC crew to film someone who was dying and another person in significant distress, even after a medical professional urged the crew to stop. 

“This case sends an important message that OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization,” said Jocelyn Samuels, OCR’s Director.  “We take seriously all complaints filed by individuals, and will seek the necessary remedies to ensure that patients’ privacy is fully protected.”

By allowing individuals receiving urgent medical care to be filmed without their authorization by members of the media, NYP's actions blatantly violate the HIPAA Rules, which were specifically designed to prohibit the disclosure of individuals' PHI, including images, in circumstances such as these.

OCR also found that NYP failed to safeguard protected health information and allowed ABC film crews virtually unfettered access to its health care facility, effectively creating an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.  In addition to the $2.2 million, OCR will monitor NYP for two years as part of this settlement agreement, helping ensure that NYP will remain compliant with its HIPAA obligations while it continues to provide care for patients.

~~~~~

For further information on the application of the HIPAA Rules in situations involving media access to protected health information, please see OCR’s new FAQ on this subject: http://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html.

The Resolution Agreement and Corrective Action Plan can be found on the HHS website at: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/new-york-presbyterian-hospital/index.html.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at www.hhs.gov/ocr.

Follow OCR on Twitter at http://twitter.com/HHSOCR.


###

3rd Breach at UC Berkeley in 5 years, 80k in Berkeley Financial System

Having recently drawn attention, and criticism, over the discovery of a Fidelis CyberSecurity network monitoring system on its network, UC Berkeley has now suffered its third breach in five years: starting Friday, February 26, 2016, some 80,000 current and former faculty, staff, students and vendors were notified of a December 28, 2015 data breach exposing Social Security numbers and financial records, including bank account numbers.

The intrusion occurred on the Berkeley Financial System (BFS), the software UC Berkeley uses for financial management.  The breach affects over 50% of current students and employees.

“We don’t see any evidence that this is the kind of attacker that actually did access the data or did anything to take that data from the system,” said campus Chief Information Security Officer Paul Rivers in a phone press conference Friday.

UC Berkeley doubled its cybersecurity budget in 2013, from $1.5M to $3M, after its CalNet system was taken over by hackers and used to host a banking phishing scam.

Approximately 50k tax filings lost by Youngstown OH tax agency

Approximately 50,000 taxpayers in Youngstown and Girard, Ohio, who filed income tax returns before July 2012 may be affected by a Regional Income Tax Agency (RITA) breach caused by a lost backup DVD.  The disc contained income tax filings, including taxpayer names, addresses, dates of birth, and Social Security numbers.

The DVD was noticed missing when backup DVDs were being destroyed in November 2015.

RITA says it is sending notices to those possibly affected and will offer one year of credit monitoring to those notified.

Improper secret docs stored at HMC Dockyard

Canadian Forces Base Halifax, also known as HMC Dockyard, is Canada's east coast navy base and home port of the Atlantic fleet, Maritime Forces Atlantic.

A website designer, Mr. Zawidski, at HMC Trinity, the intelligence facility at HMC Dockyard, is currently under investigation after a Canadian defence information security officer conducted a routine scan of one of the systems.  The scan found 1,086 secret documents and eleven confidential ("Canada Eyes Only") documents with date stamps between 2004 and 2009.

A military police officer seized at least four hard disk drives, 21 CDs, a 4 GB USB drive, and 19 floppy disks from Mr. Zawidski's cubicle and file cabinet.

The website designer's accounts were then frozen and his physical access to the HMC Dockyard building where he worked was revoked.

The person under investigation is now assigned to work on unclassified documents while the investigation continues.

The Security of Information Act, which was passed after the attacks in the United States on Sept. 11, 2001, may have been violated; it prohibits "endangering the safety of the secret official code word, password, sketch, plan, model, article, note, document or information."  The person in question allegedly improperly stored over 1,000 classified files on personal network storage.