By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security

  One of my last blogs discussed the risks of third-party contractors and their responsibilities for protecting information.  This blog will address yet another third-party risk – your janitors. A janitor was recently arrested for removing boxes of records from a Southern California health care clinic.  Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40.  This janitor was not interested in identity theft, but the next one might be… In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring thatRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance

  A recent GAO report has revealed that federal agencies utilizing contracted workers are failing to implement contractual assurances with third-parties regarding the protection of sensitive information. GAO auditors examined the contracting practices of three of the largest federal agencies and of those three, only one (DHS) required third-party companies to sign standard contracts requiring the contractors to follow best practices in safeguarding sensitive information. In a recent data breach, a TSA contractor allegedly provided a Boston couple the social security numbers for more than a dozen TSA workers.  Third-parties are increasingly responsible for data breaches, but most often, the hiring agency or company willRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Legal, Regulatory Compliance, Risk Management

  Dissemination vs. Implementation The Veterans Affairs Department recently announced they will be publishing monthly online accounts of data breaches and lost BlackBerrys and laptops in order to improve accountability and increase transparency. What was shocking to me was that from April through July of this year, the VA has lost 72 BlackBerrys and 34 laptops.  Patient information has been sent to the wrong address or mailed incorrectly 441 times.  There were 9,746 breach incidents involving notifications to patients and 2,501 incidents in which credit reporting was required. Almost 10,000 breach incidents in 3 months!  What is wrong with this picture?  Instead of just disseminatingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

We have all heard the wise old saying….’One man’s trash is another man’s treasure’ and potentially we have yet another lesson learned for organizations who are obligated to protect their client’s personal information. In this lesson learned from Ohio, three large storage bins were stolen from outside of three different bank branches in three different cities.  Each of the three large storage bins contained paper that was waiting to be shredded and at least one of the storage bins contained personal documents of bank customers. A few questions this incident brings to mind: Should personal data be stored outside of buildings? Should trash/storage bins beRead More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Incident Reporting, Information Privacy, Information Security, Legal, Risk Management

Did you see the story today involving CalOptima (a Medicaid managed care plan) who has notified 68,000 of their members of a potential loss of past medical claims information?  According to CalOptima, the information includes substantial identifying information, such as member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers and even some Social Security numbers. Do you wonder how many other organizations are sending personally identifiable information (PII) and protected health information (PHI) in packages through parcel carriers? Do you wonder how many organizations are sending YOUR personal information through the mail? This story is one of hundredsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Legal

Will Rep. Edolphus Towns (D-NY) introduce a bill to ban e-mail and phone software next? I was reading an article in the Washington Post that reported that online data-sharing technology has led to the disclosure of sensitive government and personal information.  According to the article some of the sensitive information included: FBI surveillance photos of a Mafia hit man Lists of people with HIV and social security numbers Motorcade routes and safe-house locations for then-first lady Laura Bush Names of people in government’s witness protection program Records with full psychological assessments of patients   In response to the news, the chairman of the House OversightRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security

Step 9 of President Obama’s 10-point action plan is: In collaboration with other Executive Office of the President entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions. I love the sound of Step 9!  It is like a great pre-game speech from a well respected coach talking about game-changing strategies and teamwork and relying and trusting each teammate to do their part in their goal to winRead More →