Sunday, November 1, 2015

Breach Notification Laws 2015

We continue to hear about security breaches through the newspapers; however, it's important that consumers understand that each state has instituted policies that define when notification must be made to consumers.  You may have thought you would be notified if and when your data is lost, but depending on where you live and how many records were lost, you may not be notified.

Just this year alone, 32 states have introduced legislation related to improving breach notification, including the protection of student data and health information.  Residents of Virginia benefit from HB 2350, signed into law on March 23, 2015, which requires schools to implement policies and procedures to protect student data and systems.  It also requires that a Chief Data Security Officer be designated to assist the schools.  However, HB 2362, which would have required the Chief Information Officer to develop policies and procedures to ensure prompt breach notification when the responsible party is the state, failed.

Read more about how your state is working to try to protect you at:  http://www.ncsl.org/research/telecommunications-and-information-technology/2015-security-breach-legislation.aspx

Sunday, September 20, 2015

Protecting Your Healthcare Data

Healthcare providers are required to protect your medical information.  The problem is that many people have their hands on your information: some of them are careless (based on other breaches we know about) and some of the controls protecting the information could fail.  So what can you do to be proactive about protecting your medical data (or medical identity)?

  1. Review your insurance statements.  If you get them through the mail, read them.  If you access them online, check regularly to be sure that your records reflect accurate services provided to you and your family.
  2. Many providers allow patients to access healthcare information electronically.  If you use this option, be sure that you safeguard your access information (username/password).  
  3. Be leery of "free" health services or product offers that require you to provide your health plan identification information.   If it's truly free, there is no reason anyone needs your insurance information. 
  4. Never provide your health plan identification information to callers unless you initiated the contact. 
  5. Keep your health care information in a safe place.  Shred old/unnecessary information.
  6. Be mindful that it may be possible to use your medical identity without your insurance information.  If asked to provide your social security number, be sure to ask why it's needed, how it will be safeguarded, whether the information will be shared and, if it is shared, with whom.  Also, read the Privacy Policy if the request is made on a website.

If you discover that your medical identity has been used by someone other than yourself, you must take action.

  1. Request copies of your medical records for treatment, etc.  Federal law gives you the right to know what is in your medical records.  Scrutinize your files for errors.
  2. Contact the healthcare professionals that provided services to the thief (physician, clinic, hospital, pharmacy, laboratories and other providers).  Request that the records and details regarding the service be provided to you in writing by the individual who provided the services.
  3. If the provider refuses to provide you the information in writing, contact the person listed in the Notice of Privacy Practices, the Patient Representative or the ombudsman for the organization.  Contact the U.S. Department of Health and Human Services' Office for assistance.
Image source:  http://oig.hhs.gov/fraud/medical-id-theft/OIG_Medical_Identity_Theft_Brochure.pdf

  1. Contact your health insurance company to notify them that your medical identity has been compromised.  Provide specific details, including the medical records and what information is incorrect.  Provide them information that demonstrates that the information is incorrect.  Direct them to remove the information and notify the providers.  If you do this over the phone, document the conversation (date, time, who you spoke with, what was said).  Back up the phone call with written documentation to the insurance company.  Send all written correspondence by certified mail with a return receipt.
  2. Contact the medical professionals involved in the fraudulent care.  Tell them that the patient was not you.  Direct them to remove the information from your medical records.  Back up everything said on the phone with a written request.  Send it by certified mail.
  3. The insurance company and health care provider MUST respond to your written correspondence within 30 days.
  4. Retain all documentation in a safe place.

Medical identity theft could be a serious issue for you!  If you are in a situation where you are unable to speak for yourself (for example, if you are the victim of an accident), erroneous information in your medical files could cause serious problems with your care.  Protect your health information to the best of your ability, monitor your insurance records, and, if you discover a problem, take steps to remedy your medical identity.

Friday, June 5, 2015

The Newest Federal Breach

It was announced on Thursday, June 4, 2015 that a massive breach at OPM compromised personal information from 4 million current and former federal employees.  CNN reported that this may be the largest breach ever.  Details about how the breach occurred, whose personal information was compromised and what information was retrieved are not known yet.  The only thing we know for sure is that individuals whose personal information was compromised will receive a letter or email message between June 8 and June 19.

As a federal employee, I hope this is your first experience as a potential victim of a cyber-breach.  Based on information shared with me by victims of other breaches (IRS, Home Depot, Target, Blue Cross Blue Shield, etc.), there are a few things you need to know:

  1. If you receive a letter saying that your personal information was compromised take immediate action to request credit monitoring from CSID.  Do not wait!  Complete all steps so that you can take full advantage of all remedies available to you.
  2. Place a fraud alert at the credit bureaus (Experian, TransUnion or Equifax).  An Initial Fraud alert on your credit file lets creditors know that you believe you may have been a victim of fraud or are at risk of being a victim.  The alert is FREE and lasts 90 days.  The fraud alert requires creditors to check with you before opening a credit account in your name, increasing the credit limit on an existing account, or issuing a new card on an existing account.  You only need to contact one credit bureau.  The bureaus automatically transmit a request to the other two bureaus on your behalf. 
  3. Be suspicious of email messages, telephone calls, or other communications requesting account information.  Do not follow links in email messages that ask for a username, password, credit card or social security number.  Call the organization using a trusted phone number.
  4. Check your credit report regularly.   The Fair Credit Reporting Act (FCRA) requires each of the nationwide credit reporting companies — Equifax, Experian, and TransUnion — to provide you with a free copy of your credit report, at your request, once every 12 months.
  5. Consider all the ways someone might use your personal information to access other systems.  Your personal information could be used to file a fraudulent tax return or to get medical treatment.

It is mind-boggling to consider all the ways this breach might have happened, and it's too early to point fingers.  The truth is there are many vectors used in a successful breach, including people, places and things.  Please follow policies and best practices so that you do not contribute to this or future breaches.

Keep your head up and be alert to potential scams. 

The agencies that were impacted by the breach should be talking to their employees to ensure they are following policies and best practices.  This breach won't be the last one, so the smartest thing to do is to use it as an opportunity to emphasize the importance of IT Security.

Tuesday, May 26, 2015

We should have been able to predict this....

The Associated Press revealed that thieves gathered information from 100,000 US taxpayers between February and May of this year.  They used an IRS system called "Get Transcript" where tax returns can be downloaded from the IRS by simply providing a social security number, birth date, tax filing status and street address.  With all the recent breaches I can't help but wonder if the stolen health care data from Premera and BlueCross BlueShield or even the data from the Target or Home Depot breaches was used with the IRS system to get the tax data...

If the thieves already know your name, birth date, social security number and address, the only thing they have to guess is whether a person filed as married, single or head of household.  It's a wonder that this didn't happen sooner.  It's possible that the thieves will use this data to open credit cards or to file a fraudulent tax return in the future.

We're all vulnerable here.  If you haven't done it already, please lock down your credit.  Each of the 50 states has enacted legislation that allows consumers to lock down their credit records at the three credit bureaus: Experian, Equifax and TransUnion.  Please go to these URLs to learn how to lock down your credit:

   Experian:   https://www.experian.com/freeze/center.html
   Equifax:  https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp
   Transunion:   http://www.transunion.com/personal-credit/credit-disputes/credit-freezes.page?

In the theme of thinking about what is logically next based on these breaches, think of medical identity theft.  This is a fairly new type of fraud targeting your medical identity.  In this case, someone other than you uses your identity for their health care.  When someone other than you uses your identity for health services, their information is tied back to you.  I read about a young girl whose medical identity was used for AIDS treatment by someone other than her.  The young girl learned that something was wrong when she tried to donate blood.  Imagine if she had been in an accident or if that incorrect data was provided to an employer, school or some other person or institution that made decisions about her future. 

Insurance companies are also going to be left holding the bag for services and procedures given to someone other than the person paying for the insurance. 

It's time to consider your health identity.  Next time you visit your health care provider, verify that the information in your records is correct and consistent with the services you receive.  I predict that we will see additional steps taken by health care providers to ensure we are who we say we are.  Something like providing picture identification might be required.

Legislation needs to be enacted to mandate that the health care industry protect our sensitive information.  (Currently the health care industry is not as well regulated as the financial industry.)

The bottom line is that we need to think about how these breaches might impact other parts of our lives.  The IRS should have had a system in place that evaluated requests so that the fraud was uncovered sooner and a quicker response could have been made.

What other systems can be used to violate the privacy and security of our data?  These systems need to be identified and evaluated consistently, and breach notification needs to be made sooner so that future issues can be prevented.

Monday, March 30, 2015

Social Media & the Employer

Can a potential employer legally require you to provide your social media username and password?  In a word,

State lawmakers began creating legislation to prevent employers from legally requiring you to provide your social media account information in order to get a job.  The National Conference of State Legislators website provides information about enacted or proposed legislation in the US at http://www.ncsl.org/research/telecommunications-and-information-technology/employer-access-to-social-media-passwords-2013.aspx.  Check out the website to see your state's progress.

Great!  That should solve the problem, right?

Not really.  Your employer might be able to see what you have posted without asking for your password.  Have you configured your social media account to restrict who can see the information you post?  Kim Komando has a great set of guides.  This link will take you to a page full of documents that will help you get started.

With regard to Facebook, locking down your account won't prevent everyone from seeing what you post (people who post on your page will have a copy of what they posted on their own page).  Still, securing your account will go a long way toward preventing someone who doesn't have social media ties to you from accessing your pictures or information.  The best thing you can do is think before you post.  Do not post anything that might embarrass you or tarnish your reputation.  If in doubt, don't post it.

Wednesday, March 18, 2015

Social Security Numbers ... When to Provide and When to Say NO

image of social security cards

Social Security numbers were first issued in 1935 by the Social Security Administration for the purpose of tracking individuals and activity within the Social Security system.  Our social security numbers were not originally designed to be used for identification purposes, but as time has gone on, the numbers are used along with other information to validate a person's identity outside of the social security system.

The recent major health care breaches (Anthem, followed by Premera) are good examples of why we must all be cautious about providing social security numbers.  These breaches involved the loss of social security numbers as well as other personal information.  It makes me wonder why they are asking for this information in the first place.

Are consumers required to provide a social security number when visiting a medical professional?  The answer is no, according to a very old article on NBC News (source:  http://www.nbcnews.com/id/12137393/ns/business-consumer_news/t/who-can-ask-your-social-security-number/#.ToKEfdTa9Bk).  The exception is when your health care provider is Medicare, Medicaid or the Military.

There are conflicting reports that providers might be required to have your SSN on file.  I'm not sure I'm buying it though.  I believe it is prudent that you do NOT provide your SSN to any health provider as long as you have insurance.

Let's face it, there are lots of ways to get another person's social security number.  The easiest way is to pay for it from Internet providers that sell you that information for a fee. Another way is in the trash.  It's amazing how many people throw away sensitive information.  Finally, some people steal sensitive information from the people they work with.

How can you protect yourself?  Every state in the US allows consumers to freeze their credit through the 3 credit bureaus (Experian, Equifax and TransUnion).  Reference this site to review the legislation for your state.  It's important for consumers to know that freezing your credit will definitely cause delays in obtaining new credit.  Another option is to pay for a service (much like we all pay for car insurance) to protect your identity.  This isn't foolproof, as you will only be notified after someone has your information.  The service can't prevent someone from using your information; it simply helps you clean up after the misuse is detected.  Your best bet is to freeze your credit and protect the information you use to temporarily lift the freeze when you need to open new credit.

The bottom line is that we all must be very careful about to whom we provide our social security number.  I'm in the just say "no" camp.

Tuesday, March 3, 2015

EMV Credit Cards

The credit card industry in the United States is starting to adopt the EMV chip technology for credit cards in lieu of the less secure magnetic stripe technology that has been used since the birth of credit cards.  EMV is short for Europay, MasterCard and Visa.  The EMV technology uses a small computer chip in a credit card to securely process transactions at an EMV-enabled credit card register.  The adoption of the EMV technology and processes will be mandatory in October 2015.

What does the EMV do for us?  EMV provides a more secure way to process credit card transactions.  Transactions are processed in a way that protects data and eliminates any potential for the transaction data to be used to create a new transaction.

EMV also prevents counterfeit card fraud, in which the magnetic stripe on a credit card is (covertly) copied and duplicated onto a new card.  The counterfeit card carries your credit card number and magnetic stripe information.  Purchases made with the counterfeit card are billed to you.
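The difference between a copied stripe and a chip transaction is easiest to see in code.  The following is an added example written for this page (not from the original post, and not real EMV software): a simplified model in which the stripe presents static track data while the chip computes a per-transaction MAC over the amount, a transaction counter and a challenge from the terminal.  The PAN, key, nonce sizes and message layout are constructed for illustration; real EMV cryptograms (ARQC) use different formats and key derivation.

```python
"""Toy model, added for illustration, of why copied magnetic-stripe data can be
reused but an EMV-style per-transaction cryptogram cannot.  The message layout,
key handling and counter/nonce checks are simplified stand-ins for EMV's real
ARQC mechanism; every PAN, key and nonce below is constructed."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass

SAMPLE_PAN = "4111111111111111"          # constructed test PAN, not a real account
SAMPLE_EXPIRY = "2512"
SAMPLE_CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


# --- Magnetic stripe: static data -------------------------------------------
def magstripe_track2(pan: str, expiry: str) -> str:
    """The stripe presents the same string at every swipe; a skimmer copies it as-is."""
    return f"{pan}={expiry}"


def magstripe_authorize(cards_on_file: set, track2: str) -> bool:
    """Issuer-side check for a swipe: nothing binds the data to this purchase,
    so a copied stripe is indistinguishable from the genuine card."""
    return track2 in cards_on_file


# --- Chip: per-transaction cryptogram ---------------------------------------
@dataclass
class ChipCard:
    pan: str
    key: bytes       # shared with the issuer, never leaves the chip
    atc: int = 0     # application transaction counter, increments every use

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """MAC over the amount, the counter and the terminal's fresh challenge."""
        self.atc += 1
        msg = f"{self.pan}|{amount_cents}|{self.atc}|".encode() + terminal_nonce
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": mac}


class Issuer:
    def __init__(self):
        self.keys = {}       # pan -> card key
        self.last_atc = {}   # pan -> highest counter value accepted so far

    def enroll(self, pan: str, key: bytes) -> None:
        self.keys[pan] = key
        self.last_atc[pan] = 0

    def authorize_chip(self, auth: dict, terminal_nonce: bytes) -> bool:
        """Recompute the MAC under the nonce this terminal issued and insist the
        counter moved forward; a captured cryptogram fails one check or the other."""
        key = self.keys.get(auth["pan"])
        if key is None or auth["nonce"] != terminal_nonce:
            return False
        if auth["atc"] <= self.last_atc[auth["pan"]]:
            return False
        msg = f"{auth['pan']}|{auth['amount']}|{auth['atc']}|".encode() + terminal_nonce
        expected = hmac.new(key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, auth["cryptogram"]):
            return False
        self.last_atc[auth["pan"]] = auth["atc"]
        return True


def stripe_copy_scenario() -> tuple:
    """Genuine swipe, then a purchase with skimmed track data: both are accepted."""
    on_file = {magstripe_track2(SAMPLE_PAN, SAMPLE_EXPIRY)}
    genuine = magstripe_authorize(on_file, magstripe_track2(SAMPLE_PAN, SAMPLE_EXPIRY))
    skimmed_copy = magstripe_track2(SAMPLE_PAN, SAMPLE_EXPIRY)   # same bytes on a blank card
    counterfeit = magstripe_authorize(on_file, skimmed_copy)
    return genuine, counterfeit


def chip_replay_scenario() -> tuple:
    """Genuine chip purchase, then three attempts to reuse what was captured."""
    issuer = Issuer()
    issuer.enroll(SAMPLE_PAN, SAMPLE_CARD_KEY)
    card = ChipCard(SAMPLE_PAN, SAMPLE_CARD_KEY)

    nonce1 = secrets.token_bytes(4)
    auth1 = card.generate_cryptogram(2500, nonce1)
    genuine = issuer.authorize_chip(auth1, nonce1)

    nonce2 = secrets.token_bytes(4)
    while nonce2 == nonce1:
        nonce2 = secrets.token_bytes(4)
    replay_other_terminal = issuer.authorize_chip(auth1, nonce2)   # nonce mismatch
    replay_same_terminal = issuer.authorize_chip(auth1, nonce1)    # counter already used
    forged = dict(auth1, amount=99900, atc=auth1["atc"] + 1, nonce=nonce2)
    forged_amount = issuer.authorize_chip(forged, nonce2)          # MAC no longer verifies
    return genuine, replay_other_terminal, replay_same_terminal, forged_amount


if __name__ == "__main__":
    print("stripe (genuine, counterfeit):", stripe_copy_scenario())
    print("chip (genuine, replay elsewhere, replay here, forged):", chip_replay_scenario())
```

The model shows the point of the two paragraphs above: the stripe's data is a static credential, so the issuer cannot tell a skimmed copy from the card, while the chip's cryptogram is useless outside the one transaction it was computed for and cannot be recomputed for a different amount without the key that never leaves the card.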

It's important to remember that many of our new credit cards with the EMV chip still have a magnetic stripe.  For that reason it's important to watch the salesperson complete your transaction (especially important in restaurants where transactions are generally done away from your table).  In addition, monitor your credit card transactions regularly.

What the EMV card can't do is prevent all types of credit card fraud.  The fraud it can't eliminate is someone other than you using your credit card online in what is known as a card-not-present (CNP) transaction.  CNP transactions are electronic transactions usually completed online (with an e-tailer, or electronic retailer), but they can also come from a transaction that you (or someone else) authorizes via telephone.  For this reason it is very important that each of us physically protect our credit card(s), credit card statements and any records containing credit card data.

Both credit cards and (modern) passports have electronic chips in them.  These chips are similar but not the same.  The chip on our credit card is only readable by a specific smartcard reader.  This lessens the likelihood that our card data will be captured by a hacker; note, however, that it's not impossible.  In my opinion, it makes sense to add protection to make it impossible to read the data.  Add a small sheet of aluminum foil in your wallet or billfold to shield your EMV chip card from an electronic reading device.

Are you concerned about the protection of your card?  What are you doing to protect your financial privacy?

Monday, January 19, 2015

Do you have Sensitive Information on your Computer?

It is very possible that you have your own personally identifiable information (PII) and/or sensitive information on your computer right now (and other people's too!).  I have come up with a process to find files containing PII or sensitive information on your computer.  (Caveat:  My process will find PII in many programs, including Microsoft products, but it may not find all PII or sensitive data.  Also, my process will not find PII in your email or .PDF files; this is not the holy grail, but it's a good start.)

The process I recommend is a manual one.  (This works on a Windows operating system.)

Step 1:
Search for YOUR sensitive information:
  1. Close all open applications on your Windows 7 computer.
  2. Click Start.
  3. In the search box enter the last 4 digits of your social security number.
  4. A partial list of potential matches will appear in the window.  Don't click the items in the list; instead, click the blue bar with the magnifying glass that says "See more results".  This will open a new window displaying all possible hits, so you can review them without performing the search again.
Review each document or file individually by opening it and looking for your SSN and other sensitive information.  Some files could be unreadable (such as zip files); if a file doesn't open, it may not have been designed to be opened directly.  Once you have reviewed a file, take appropriate action.  Do not delete files you can't open!  If you don't need the file after you have reviewed it, delete it.  If you need the file but don't need the sensitive data listed within it, remove the sensitive information and re-save it.  The list will certainly include false positives, but you will probably discover some 'PII gold'.

Step 2:
You might have other people's PII (or sensitive data) on your computer.  Search for the last 4 digits of your spouse's or children's SSNs.  If you handle other family members' information, check for the last 4 digits of their SSNs too.  Also search for people's names (first or last).
  1. Close any open windows.
  2. Click Start.
  3. In the search box enter the last name (or first name).
  4. A partial list of potential matches will appear in the window.  Don't click the items in the list; instead, click the blue bar with the magnifying glass that says "See more results".  This will open a new window with the possible hits.
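For readers who would rather automate the two searches above than repeat them by hand, here is an added example (written for this page; it is not the author's procedure and needs only the Python standard library) that walks a folder tree and reports lines matching a full SSN pattern, the last four digits you supply, or a list of names.  It goes slightly beyond the manual search: it skips binary files such as zip archives and flags them for manual review rather than trying to open them, it masks the matched SSN in its own report so the report does not become another copy of the data, and it shows the kind of false positive the post warns about.  The folder, file names, file contents and the SSN 123-45-6789 are all constructed sample data.

```python
"""Walk a directory and report lines that look like PII.  Added example for this
post (not the author's manual Windows search); all sample files are constructed."""
import os
import re
import tempfile
import zipfile
from pathlib import Path

SSN_FULL = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")     # 123-45-6789
SKIP_DIRS = {"AppData", "Windows", "Program Files", "node_modules", ".git"}
MAX_BYTES = 5 * 1024 * 1024   # don't slurp huge files into memory


def looks_binary(sample: bytes) -> bool:
    """Cheap heuristic: genuine text files almost never contain NUL bytes."""
    return b"\x00" in sample


def redact(line: str) -> str:
    """Mask any full SSN in the snippet we report, keeping only its last four digits."""
    return SSN_FULL.sub(lambda m: "xxx-xx-" + m.group()[-4:], line)


def scan_file(path: Path, last4: str, names: tuple) -> list:
    """Return (kind, line_number, redacted_snippet) hits for one file."""
    hits = []
    try:
        if path.stat().st_size > MAX_BYTES:
            return hits
        raw = path.read_bytes()
    except OSError:
        return hits
    if looks_binary(raw[:8192]):
        # zip, images, Office containers: not searchable as text, review by hand
        return [("binary-unscanned", 0, "")]
    text = raw.decode("utf-8", errors="replace")
    # last-4 search mimics the manual search: bare "6789" also matches (false positives)
    last4_re = re.compile(r"(?<!\d)(?:\d{3}-?\d{2}-?)?" + re.escape(last4) + r"(?!\d)")
    name_re = None
    if names:
        name_re = re.compile(r"\b(?:" + "|".join(map(re.escape, names)) + r")\b", re.IGNORECASE)
    for n, line in enumerate(text.splitlines(), 1):
        if SSN_FULL.search(line):
            hits.append(("full-ssn", n, redact(line.strip())))
        elif last4_re.search(line):
            hits.append(("last4", n, redact(line.strip())))
        if name_re and name_re.search(line):
            hits.append(("name", n, redact(line.strip())))
    return hits


def scan_tree(root: str, last4: str, names: tuple = ()) -> dict:
    """Map relative file path -> hits, for every file under root that had any."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]   # prune system dirs
        for fn in filenames:
            p = Path(dirpath) / fn
            hits = scan_file(p, last4, names)
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results


def build_sample_tree() -> str:
    """Constructed sample files (fake SSN, fake names) so the scanner runs offline."""
    root = Path(tempfile.mkdtemp(prefix="pii-demo-"))
    (root / "taxes").mkdir()
    (root / "taxes" / "2014_notes.txt").write_text(
        "Filed jointly. SSN: 123-45-6789\nRefund expected in April\n")
    (root / "contacts.csv").write_text("name,phone\nJane Doe,555-0100\nBob Smith,555-0199\n")
    (root / "recipes.txt").write_text("Bake for 45 minutes at 350 degrees.\nOrder #6789 shipped.\n")
    with zipfile.ZipFile(root / "backup.zip", "w") as z:   # archive the scanner must not open
        z.writestr("old.txt", "SSN 123-45-6789")
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel_path, file_hits in scan_tree(demo_root, last4="6789", names=("Doe",)).items():
        for kind, line_no, snippet in file_hits:
            print(f"{rel_path}:{line_no} [{kind}] {snippet}")
```

Run it against your own folders by calling `scan_tree` with your home directory, the last four digits you are looking for and the names you want to check; the `recipes.txt` hit ("Order #6789") is the deliberate false positive, and the zip archive is reported as unscanned rather than silently missed, which matches the post's advice not to delete files you cannot open.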

Saturday, January 3, 2015

Protecting your Privacy at Home

Privacy breaches are becoming more common.  We ended 2013 with major breaches at Target, Neiman Marcus, Michael's and Sally Beauty; a hacker group compromised 250,000 Twitter accounts in 2013; Facebook revealed that a bug had exposed 6 million users' personal data between 2012 and 2013; in 2014 New York announced that millions of its residents' records had been exposed over a period beginning 8 years earlier; and PF Changs revealed a breach that affected customers in 16 states who used credit and debit cards in its stores in 2013 and 2014.  I could go on.  We get it: our information isn't being handled properly by the organizations we patronize.  I hate to be the one to break it to you, but you might be guilty of not protecting your information too.

Your home holds a treasure trove of data (credit card data, banking information, work related information, tax records, etc.) that may not be properly protected.   A savvy intruder might be able to get in and leave with nothing more than his camera full of information or even a handful of statements from your filing cabinet that you might never miss.

We all must protect our information.  A few things to consider:

Keep a shredder near the place where you sort your mail.  If you still receive paper bills, consider purchasing a cross-cut shredder to shred mail that you do not need to keep long term.  I shred envelopes with my name on them.  I usually shred just my name, unless I get a letter from a relative; then the whole envelope goes through.  Shred anything that someone else could use to piece together information about you.

Purchase a home safe.  We all have documents that we must retain (birth certificates, documents related to a major purchase, education information, etc.).  These documents must be safe from unauthorized access and unintentional destruction (water, fire, etc.).  Storing these documents in a locked fire-proof safe that is bolted to the wall or floor will provide you peace of mind.  Store the key someplace that is not obvious and not near the safe.

Create and use a password on your home computer.  Regardless of whether you have a laptop or desktop, create and use a password.  Don't leave the computer on unless you log off.  (You can configure it to lock after X minutes of inactivity if you don't want to remember to press Windows + L.)  Create a good password; don't use "Password", your name or something that could be easily guessed.

Evaluate the information stored on your computer.  Think hard about the information you might have on your home computer.  Do you routinely store your tax information on your computer?  How about password lists?  Do you store any documents that list your social security number?  Evaluate what you have stored on the computer and delete anything you don't want exposed.  It might be a fun exercise to review the documents, spreadsheets and images on your computer.

Secure your Internet access.  Every broadband connection should be protected with a hardware router that is properly configured.  RTFM (read the friendly manual) or even search YouTube.  Many router manufacturers have made the installation simple for anyone who can read.  Don't just plug the device in - read ALL the words.  Write down the admin password you create and put it in a safe place.  Be sure that your WiFi password is complex (with upper and lower case, special characters and numbers) and use WPA2.  I've heard interesting conversations about neighbors who leave their WiFi networks wide open.  Don't do it, even if someone tells you it's fine.  It's NOT!

Know your neighbors.  It's amazing how many people don't know their neighbors.  Get to know them and invite them to get to know you.  Watch out for each other.  Exchange email addresses or phone numbers for a lifeline in an emergency and so you can keep an eye out for unusual activity.

Check your credit report and consider locking down your credit.  Experian, TransUnion and Equifax must each provide you an annual credit report when requested.  Space out your requests so that you get a report every 4 months.  Consider getting a credit monitoring service or locking down your credit.  It's a huge pain to lock down your credit, but it might save you from an expensive and heartbreaking experience.

Consumers cannot protect themselves from the bad business practices of the organizations they patronize, but we can protect the information we store in our homes.