LifeLock Settles with FTC for $12MM

by Doug Pollack

Federal agencies and regulators announced this week that LifeLock will pay $12 million to settle a complaint that it used false and misleading claims in its advertising. $11 million of the settlement will be paid to the Federal Trade Commission (FTC) and $1 million to 35 state attorneys general, all of whom worked together on this case.

The history of aggressive advertising by Lifelock, as well as Experian with their FreeCreditReport.com singing pirate ads, has been aimed at giving consumers a sense that they can prevent them from falling victim to identity theft.

FTC Chairman Jon Leibowitz said in a statement that:

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”

Illinois Attorney General Lisa Madigan concurred by saying:

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft.”

Posted in Announcements | No Comments »

Equifax has their own data breach

by Doug Pollack

In an interesting twist of fate, Equifax, one of the three major national credit bureau, acknowledged this week that they experienced a data breach last month when they:

“sent out IRS W-2 statements to most if their current employees and some former employees, they discovered that some of the employees’ control ID numbers were partially or completely viewable in teh return address window of the envelope used by the payroll vendor. In an unspecified number of cases for US employees, the control number was the employees’ social security number instead of the intended unique 9-digit number” Source:  Databreaches.net

In a letter addressed to the New Hampshire Attorney General,  they described the incident and noted that they offered a year of Equifax credit monitoring to the affected individuals.

Now it is hard to escape the irony here.  A company that promotes themselves as “the leading provider of data breach services” noting that:

“Data breaches are on the rise. Be prepared. You’ll feel safer with Equifax”

has failed to protect the privacy of their employees and in this situation are offering them a credit monitoring solution as protection from the same company that compromised their identities in the first place, and on a regular basis sells their credit information to other organizations.

Now maybe its just me, but if I had a data breach, I’d probably feel safer working with an organization that isn’t in the business of monetizing my credit history.

Posted in Data Breach News | No Comments »

New healthcare data breach offering

by Doug Pollack

ID Experts today announced a new and unique solution for data breaches that involve protected health information (PHI) and associated risks of medical identity theft.

With the passage of the HITECH Act last year and the clarifying Rules published by Health and Human Services (HHS), healthcare organizations now face greater scrutiny and higher risks when it comes to patient privacy.

Historically, there has been the perception of a somewhat lax environment relative to the enforcement of HIPAA privacy regulations. With HITECH only just recently becoming enforceable, the first lawsuit has already been filed by the Attorney General of Connecticut against Health Net of Connecticut concerning their delayed response to a data breach incident that occurred months ago. If this is any indicator, the enforcement environment for HITECH is likely to be very vigorous.

With this backdrop, ID Experts created a data breach remediation offering that is tailored to meet the needs of healthcare providers and payers, and their business associates.

Until recently, common practice has been for organizations that have a data breach incident to offer victims a year or two of credit monitoring. Unfortunately, credit monitoring alone is woefully inadequate in helping individuals deal with the risks of medical identity theft and health insurance fraud. With that in mind, ID Experts created FraudStop Healthcare Edition.

FraudStop Healthcare Edition combines several components that help individuals affected by a data breach detect and address the identity theft issues that can result from a data breach. These include:

- Credit montoring

- CyberScan, a tool that scours cyberspace for the buying and selling of personal information including for use in insurance fraud

- Healthcare Identity Protection  Toolkit, a new and unique offering from ID Experts that includes a collection of tools, checklists, resources and guides for assisting an individual in monitoring their medical identity and resolving fraud issues

- Identity theft reimbursement insurance

- Fully managed identity theft restoration services

Together, this package provides the most robust offering in the market today for healthcare providers dealing with data breach risks to assist patients in ensuring their privacy.

If your organization is in the healthcare industry and subject to the HITECH Act, you now have a better and more caring answer for your patients when dealing with occasional, but typically recurring, data breach issues.

Posted in data breach | No Comments »

Customer Churn Main Data Breach Cost Driver

by Doug Pollack

The Ponemon Institute released their 5th annual 2009 Annual Study: Cost of Data Breach last month.  This year, the report explored several new areas and came up with some interesting and in some cases surprising conclusions. These include:

- A large proportion (82%) of organizations surveyed experienced at least one data breach of 1,000 or more records containing personal information over the last year. It is beginning to look like the myth of being able to totally eliminate the occurrence of data breaches is starting to disappear.

- Almost half (44%) of organizations outsourced the data breach response effort to an expert third party consultant. When outsourced in this way, the costs per victim declined a huge 26% vs. companies that “go it alone”. The ability to reduce costs by outsourcing the response process is counterintuitive to some, but validates the value of an outside consultant that is knowledgeable and can execute using best practices

-  “Companies that notify too quickly may incur higher costs”. This was surprising to me. The study found that these “quick responders”, organizations that notified within one month of detection of the breach, ended up paying 12% more than their peers. The assumption was that moving too quickly through the process causes inefficiencies that can be avoided.

As always, the study and report is full of valuable and interesting data and perspective for privacy, information security and legal officers.  It is a “must read” for anyone in a relevant role at an organization that is entrusted with PII and PHI.

Posted in Data Breach News | No Comments »

2010: The Year of the Healthcare Data Breach

by Doug Pollack

An article today on iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies despite the financial issues faced by many US healthcare providers currently.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, combined with the noted trends towards the use of open source software and cloud computing, combined with a new privacy legislation with steep penalties for breaches in security, creates a “perfect storm” for healthcare with respect to data breach incidents.

iHealthbeat article further notes the evolution of risks and new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.

Posted in Articles, hitech act | 2 Comments »

North Pole Data Breach

Just in,  data breach incident occurs at the North Pole. Santa has notified over 4MM good boys and girls and is providing one year of free credit monitoring and sleigh rides. While Linda Foley, chair of the Identity Theft Resource Center, was not familiar with this specific incident, she was quoted as having said that “Santa is planning on using data encryption on all north pole workshop laptops starting in 2010″.

Posted in Data Breach News | No Comments »

Identity Theft Myths

Article by Rachel James from ID Experts, reprinted in its entirety.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work on sophisticating their “product”. They are merging, expanding and training to improve their scams. Many of those “work from home” scams you see on craigslist are actually paid positions to edit these scam emails to make sure grammar and spelling are good enough to fool someone into believing the IRS really does have a bailout for you. In addition to emails and phone calls, scammers are moving to text messages and social networks and purchasing uniforms to pose as police, census works, UPS drivers and other “authorities”. Scams and fraud will continue to evolve and become more sophisticated. Remember to regularly look for scam updates from your state Attorney General, the BBB, the FTC and your local news in order to say on your toes.

Myth 2: I do not need to worry about identity theft because: I don’t use my credit and I don’t need credit / My credit is so bad / I’ve placed a alert or freeze on my credit bureau

Fact: Identity theft comes in many forms. Financial identity theft is just one of those- and even if your credit is terrible, it can still occur. There are many accounts (utilities, phones, payday loans) that can still be opened with a frozen credit report or with no credit. Collections and judgments on those accounts can still be issued and your wages could be garnished, your driver’s license revoked or other disruptive consequences can result if you ignore your credit reports. Additionally, other forms of identity theft such as criminal and medical identity theft can still occur and be very dangerous. Criminal identity theft could cause your car to be impounded, and you might find yourself spending a night in jail while the police figure out that you are not the same person they fingerprinted for the warrant. Medical identity theft can literally cost you your life. No matter what your situation is, you need to check your credit reports every 3-4 months by going to www.annualcreditreport.com

Myth 3: I have a Mac and I shred everything so I am safe.

Fact: You still need to run security software such as anti-malware and firewalls while operating your Mac. As Macs become more popular, more malware is being designed to specifically target those operating systems. Don’t believe me? Don’t take my word for it; see this article from MacWorld.com which discusses the call for the FTC to crack down on Apple’s advertising claims in the face of gross security negligence or this article on Mac myths. While data regarding the source of identity theft is limited, there is a bit common sense and a few statistics we should use as consumers. The first is that you are not the sole custodian of your data. Every bank you use, every merchant you make purchases with, every school, hospital and employer you have visited probably has some part or all of your personal information. Even if you do everything right, a breach at any of these places can place you at risk. Further, a recent report by Javelin indicates that those who are victims of a data breach are four times more likely to be a victim of fraud.

Now that you understand these three common identity theft myths, you might be wondering what you should do to protect yourself. The answer is that you should prepare for the worst. Don’t just get insurance to cover the costs of recovering your identity, hire a team of experts to be on your side who will restore your identity for you. Let trained professionals help you take steps to protect yourself and provide you peace of mind that they will advocate for you if you become a victim. If you should become a victim of a data breach, demand that restoration services be provided to you at no cost in the event that you become a victim. More information about these services, as well as tips, tricks and resources, can be found at www.idexpertscorp.com

Rachel James writes on behalf of IDExperts. You can follow their Twitter account here.

Posted in Articles | No Comments »

Government Data Breaches Expose 2500% More Records in 2009

by Doug Pollack

It has been reported that 2009 has been the year of the mega-data breach. Recently reported statistics by the Identity Theft Resource Center (ITRC)  would seem to bear this out as far as our federal government and military is concerned as well.

Government Technology, commenting on the report noted that “the breaches so far in 2009 have compromised more than 79 million records, whereas fewer than 3 million were hacked in 2008. A sobering upswing, to say the least. ” This represents a staggering 2500% growth in number of individuals who’s personal information was exposed via our federal government in 2009 (year to date) vs. 2008.

Linda Foley, founder and chairwoman of the ITRC stated that “it’s the same problem. Records are being exposed, so they’re being hacked into; they’re being lost; they’re being put into laptops and carried around. Again, it comes back to, ‘Why are they carrying information with them that they didn’t need?’”

The data confirmed what has become somewhat obvious to those who follow the data breach situation, that the increasing mobility of data and data access significantly contributes to the risks of loss. While there are technology solutions to this problem, the adoption and use of mobile devices seems to be outpacing organizations’ ability to address the new risks.

Posted in data breach | No Comments »

Reporting of Healthcare Data Breaches?

by Doug Pollack

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).

The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered.  I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high profile healthcare data breaches recently including the Blue Cross Blue Shield Assocation breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals.  View a list of these breaches.”

And surprisingly, there was nothing there. Now, it is very hard to imagine that no data breaches have been detected since September 23rd that affected over 500 individuals and would have had the potential to lead to harm for the affected population. So, I’m perplexed as to why there aren’t any data breaches over 500 individuals yet listed by HHS.

I guess it is possible that some healthcare providers may still be unaware of the reporting mandate, but it would seem unwise of others that are aware of the breach notification provisions and have experienced a sizable data breach to neglect to comply with the mandatory HHS reporting requirement. If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by entities to expose our protected health information (PHI).

Posted in data breach, data breach notification, hhs, hitech act | No Comments »

Protecting Patient Privacy

Healthcare organizations arguably hold the most personal and sensitive information that we possess. While HIPAA has provided for protection of the privacy of this information for a number of years, there appears to have been little in the way of enforcement of HIPAA during this period. With the passage of the HITECH Act, this is likely to change.

With fines now authorized for up to $1.5 million for data breach incidents, there is even more reason for hospitals, clinics, pharmaceutical and life sciences companies, and health insurers to evaluate whether they are using best practices for protecting patient privacy.

A recently published article titled “Staying HITECH-Healthy: How Healthcare Can Protect Patient Privacy” is instructive in terms of how to reduce risks while ensuring effective preparation for data breach incidents. It also outlines how organizations can treat a data breach incident as an “opportunity” to do the right thing and potentially find the silver lining in such situations by providing a caring, helpful hand to their patients.

Most of us have a choice as to where we receive our healthcare. How organizations handle, respond to, communicate with and help us with the loss of our patient data, when it occurs, can significantly effect our desire to continue to receive medical services from that institution.

Posted in Data Breach Resources | No Comments »