The Identity Theft Resource Center (ITRC) has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us to educate consumers and businesses on the need for understanding the value of protecting personal identifying information.
ITRC reports that in the ten-year period from 2005 to December 2015, 5,810 data breaches were reported.
For 2015, ITRC reported an increase in reported breaches over 2014. The Business sector again topped the ITRC 2015 Breach List with nearly 40 percent of the breaches publicly reported in 2015, an increase of 8.1 percent from 2014 figures. In second place was the Health/Medical sector, at 35.5 percent of the total overall breaches.
The number of breaches involving Social Security numbers totaled 338 in 2015, a modest increase of 1.8 percent over the 325 reported in 2014. Those breaches, however, involved more than 164.4 million records.
“With ongoing support from IDT911, the ITRC continually tracks and monitors the ever-growing number of U.S. breaches in an effort to understand the complex issues behind them,” said Eva Velasquez, President and CEO, ITRC.
Business partner IDT911 provides solutions for prevention, protection services and incident remediation for individuals and businesses as part of its complete Identity and Data Breach Defense Services.
“While the overwhelmingly prevalent motive for data breaches remains financial gain for the thieves, we saw a shift in new motives for obtaining sensitive and private personal data this year. This compromised data can now be used to compel behavior changes in breached individuals and groups. This data is also being used for social justice purposes, and even to embarrass our nation. As the motives for obtaining this data shift, so must our mindset about what we need to keep private, protect, and potentially cease capturing or creating,” Velasquez continued.
How long does the impact last once a person’s private information has been part of a breach?
For those who have experienced a breach, like this writer, a minimum of a year. Then hold your breath and hope the person or persons who have your personally identifiable information (PII) have not been arrested and do not have any warrants out against them, especially for violent crimes. Should you be stopped for a traffic violation and your name appears on a police computer screen, you will be explaining, once again, how you have been violated and that you are a victim of identity theft!
On January 29th, I published a blog post on ransomware attacks and compared the TV show The Good Wife with a client’s experience. Both attackers requested a $50,000 ransom for the decryption key.
Officials at the Hollywood Presbyterian Medical Center stated that they paid $17,000 in ransom to gain control of their data.
In a letter posted online, hospital CEO Allen Stefanek wrote, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” He added, “In the best interest of restoring normal operations, we did this.” Stefanek said the hospital on Monday had regained control over its electronic health record systems. The CEO said there is no evidence that any patient data was accessed by the hackers.
The client I referenced had a different outcome. She hired a company to decrypt her data files without paying the ransom. During the discovery process, it was determined that the outsourced IT company had not regularly backed up the data in order to restore the systems.
What happened to Hollywood Presbyterian Medical Center’s data backup? I am sure that there will be an investigation by the Office for Civil Rights. It appears that there were deficiencies in the required Safeguard Principles of the Privacy and Security Framework of HIPAA. These principles emphasize that trust in electronic health information can only be achieved if reasonable administrative, technical, and physical safeguards are in place.
Hollywood Presbyterian is a covered entity and, as such, is required to implement appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI). 45 C.F.R. § 164.530(c).
Judith Lindsay, CHP and CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, successfully assisting organizations to make sense of it all by implementing the correct policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL’s insightful newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult