The U.S. Department of Health and Human Services Office for Civil Rights has submitted its mandated report to Congress on breach reports it has received. The report covers incidents reported between September 23, 2009 (the date the breach notification requirements became effective), and December 31, 2010. Here are some of the highlights of the report:…
Category: Commentaries and Analyses
North Carolina psychologist settles state charges for dumping patients’ records, agrees to pay $40,000
The following press release from North Carolina Attorney General Roy Cooper is a follow-up to a breach previously covered on PHIprivacy.net: Dr. Ervin Batchelor of the Carolina Center for Development and Rehabilitation in Charlotte has paid $40,000 for illegally dumping files containing patients’ financial and medical information, Attorney General Roy Cooper announced Wednesday. “Any business you entrust with your information has a…
(Update and Commentary): Why are states withholding the names of breached entities?
Yet another recent press release – this one from the U.S. Attorney’s Office in Connecticut – shields the name of the breached entity: David B. Fein, United States Attorney for the District of Connecticut, announced that NATASHA SMITH, 25, of Georgia, formerly of Far Rockaway, New York, waived her right to indictment and pleaded guilty yesterday,…
Breach Notification: Time for a Wake Up Call
Mark G. McCreary has an article on CIO Insight, “Breach Notification: Time for a Wake Up Call,” that discusses how the Epsilon breach produced a seismic change in what kinds of breaches now get reported. You can read his article here.
Data Breaches Harder to Understand
Brian Martin of the Open Security Foundation and DataLossDB.org project writes: On the off chance you missed any news outlet the last 30 days, an “anti security” movement has been reborn. Started in 1999, the Antisec Movement focused on encouraging security consultants and hackers not to disclose vulnerabilities to vendors. The recent resurgence of this movement has…
Hiding in Plain Sight: Post-Breach
Gunter Ollmann writes: The majority of network breaches begin and end with the installation of malware upon a vulnerable device. For the rest, once that initial malware beachhead has been achieved, the story is only just beginning. The breach disclosures that make the news are often confusing as they’re frequently compiled from third-hand reports, opinions…