Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples include:
A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).
An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned it. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).
A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).
In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).
A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).
No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.
A breach of a person's health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:
A banker who also sat on a county health board gained access to patients' records, identified several people with cancer, and called in their mortgages. See the National Law Journal, May 30, 1994.
A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597.
A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.
A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)
Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. "Who's Reading Your Medical Records," Consumer Reports, October 1994, at 628, paraphrasing Sweeney, Latanya, "Weaving Technology and Policy Together to Maintain Confidentiality," The Journal of Law, Medicine & Ethics (Summer & Fall 1997) Vol. 25, Numbers 2, 3.
Cases on Privacy
A privacy case on Google
Google settles FTC (Federal Trade Commission) privacy case for $22.5 million, agency's largest penalty
Google and the Federal Trade Commission announced the company has agreed to a $22.5 million settlement — the agency’s largest penalty ever — on charges that Google misrepresented its actions to users of Apple’s Safari browser.
The FTC charged that Google had placed tracking cookies on users’ computers, in some cases working around the privacy settings of Apple’s browser. This, the agency said, violated a settlement Google made with the FTC over privacy issues with its Google Buzz social network. In that settlement, Google agreed not to misrepresent its privacy policies to consumers.
In a release, FTC Chairman Jon Leibowitz said that the penalty underscores the agency’s commitment to enforcing its orders on privacy.
“The record setting penalty in this matter sends a clear message to all companies under an FTC privacy order,” Leibowitz said. “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.”
As The Washington Post reported, the settlement had been expected for more than a month, and concludes one of a growing list of legal conflicts Google faces from regulators in the U.S. and in Europe.
In addition to the civil penalty, the FTC ordered Google to disable all tracking cookies deemed to violate the settlement, something Google did shortly after researchers discovered the cookies.
In a statement, Google said, “We set the highest standards of privacy and security for our users. The FTC is focused on a 2009 help center page published more than two years before our consent decree, and a year before Apple changed its cookie-handling policy. We have now changed that page and taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.”
A privacy case on Facebook
Facebook Loses Privacy Case in German Court Over Email
A German court ruled against Facebook Inc. for the way it uses members' email addresses to solicit new users, in an ongoing battle between the Menlo Park, Calif.-based social network and European privacy groups.
The Berlin regional court said on its website that some of Facebook's terms of service are invalid, but didn't provide specifics and couldn't be reached for comment.
It also ruled Facebook can't force users to grant the social network a comprehensive license to their content. The court held that users remain the owners of intellectual-property rights of their Facebook posts, pictures and other content posted on the site, according to Verbraucherzentrale Bundesverband, a government-backed consumer advocacy group that filed an October 2010 complaint that prompted the ruling.
Verbraucherzentrale, which doesn't have the legal authority to fine or stop Facebook, alleged in its lawsuit that the social network didn't adequately explain to users the workings of a feature called "Friend Finder."
Friend Finder imports users' contacts to ask their friends to join Facebook. Verbraucherzentrale alleged in its complaint that Facebook didn't sufficiently explain to users that the social network was obtaining all the contact information in their address books and using that information to solicit others to join Facebook.
Facebook began making changes to its disclosure terms for Friend Finder in early 2011, in part due to growing concerns from European countries over its privacy policies. The Irish Data Protection Commission began an audit into privacy issues stemming from Facebook that resulted in a December 2011 report calling on the social network to make a series of improvements to its privacy settings.
Facebook won't obtain a copy of the court's full ruling for three days. It is unclear if the ruling refers to Facebook's terms for Friend Finder as they were in 2010 when the complaint was filed, or as they currently stand.
The German consumer group, however, said that although Facebook has made slight modifications, they are not sufficient, according to a statement on its website.
A Facebook spokeswoman said, "We will take a close look into the details of today's court decision as soon as they are available and then decide on the next steps." Facebook "is committed to adhering to European data protection principles," she said.
Cases on Security
A security case on KT
Police arrest two in KT data leak case
In Seoul, Korea, police said they have arrested two people for allegedly hacking into the network system of KT Corp., South Korea's No. 2 mobile carrier, and selling the data.
A 40-year-old suspect, identified only by his family name Choi, and another were accused of leaking personal information of about 8.7 million mobile phone subscribers from February until recently, the National Police Agency's cyber terror response team said.
Seven others were booked without physical detention on charges of buying the leaked data for telemarketing purposes.
The number of KT subscribers accounts for nearly half of the total mobile phone users in South Korea, one of the most wired countries in the world.
Police suspect the telemarketers used the data, which contained personal information on the subscribers, their phones and monthly plans, to contact customers whose contracts are close to expiration or considered likely to change phone plans. Officials estimate the suspects earned at least 1 billion won (US$877,000) from the illegal marketing.
"It took nearly seven months to develop the hacking program and (the suspects) had very sophisticated hacking skills," an official at the cyber response team said.
KT apologized over the hacking incident, saying it has restored the leaked personal information and taken necessary steps to prevent further leakage.
"In light of this incident, we will strengthen the internal security system and raise awareness of security among all employees to prevent causing inconvenience to customers," the carrier said in a statement.
Market watchers said that KT will not be able to evade criticism for its lax management of personal data, raising the possibility that some angry subscribers may lodge a class action suit against the company.
The KT case came amid mounting concerns about online security breaches following a spate of hacking attacks on local financial firms and a popular Internet portal since last year.
Hackers struck the consumer finance firm Hyundai Capital Services Inc. and the National Agricultural Cooperative Federation, or Nonghyup, early last year, stealing customers' personal data and crippling online transactions.
The personal information of 35 million users was leaked in August 2011 in hacking attacks on two popular portal websites operated by SK Communications Co., the worst online security breach ever in Korea.
A security case on HPS
A Lesson Learned from Heartland Payment Systems (HPS)
Heartland Payment Systems (HPS) became famous in January 2009 for something it didn't want to be famous for: it was the victim of one of the largest data security breaches in U.S. history, with tens of millions of cardholder records possibly lost - the actual number has never been determined. The malware that surreptitiously stole and stored the account numbers was active for an estimated four months at a time when HPS was processing 100 million transactions per month.
Now, nearly four years later, HPS Chairman and CEO Robert O. Carr is speaking publicly about his company's experience and the lessons learned. It's a fascinating and dramatic story. And it reinforces the adage that being compliant with the Payment Card Industry Data Security Standard (PCI DSS) doesn't mean you're secure.
Facts about the Data Security Breach:
The compromise came through a SQL injection attack on the company's website. Heartland immediately found out about it, and thought they had eradicated the malware.
Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS didn't know that at the time.
Two weeks prior to the date the payment system was compromised, HPS was approved by their Qualified Security Assessor (QSA) as PCI compliant.
In late October 2008, HPS discovered they "might have a problem" based on information provided by one of the major card brands.
Three forensics firms hired by HPS analyzed their IT security network; all three said the HPS system was free of malware. In January 2009, HPS staff members found the malware.
What Happened Next: Disclosure
The company's lawyers recommended a minimal level of disclosure about the breach, but Carr decided against that policy. HPS had a tradition of open communications with employees and customers, and Carr decided that he wanted to maintain that policy and share information as fully as possible. "We did a good job of damage control," he said during his October 16 speech.
The company paid a heavy price. The stock price fell 78% in the weeks after disclosure, and 5,000 of the company's 250,000 merchants left. HPS was delisted by Visa and MasterCard. Four months later, Visa reinstated HPS.
The Full Cost:
The company suffered a $170 million loss. $20 million of that was covered by insurance, leaving a net loss of $150 million.
Lessons Learned, all from Carr:
"You can't just rely on firewalls."
"Knowledge of security threats should not be viewed as a competitive advantage." When it comes to threats, companies should share information with peers and collaborate.
HPS did not have an incident response plan in place at the time of the breach. It does now.
The malware was able to move from HPS's corporate network to its payment processing system because of "human error."
Positive Developments from the Breach:
HPS became very aggressive about data security as well as PCI compliance after the breach. It now pursues a policy of encrypting cardholder data from end to end - from the POS terminal to the end of the payment process.
HPS worked with a Taiwanese firm to develop a more secure POS terminal for its merchants with encrypting hardware built-in. Now HPS believes its data security technology and processes are a competitive advantage.
Carr helped initiate a new group within FS-ISAC to promote information sharing: the FS-ISAC Payment Processors Information Sharing Council.
The leader of the hacking group, Albert Gonzalez, pleaded guilty and is serving a 20-year prison sentence. It was the longest sentence ever given for a cybercrime, according to SC Magazine. (HPS was not the only victim of Gonzalez; others included TJX, Hannaford and 7-Eleven.)
Heartland's stock price and market capitalization have recovered to the levels they held before the breach.