Hackers continue to steal data from companies the world over, with a recent victim in Sony. In that case, Sony apparently delayed reporting the loss to the 77 million users whose data was compromised, including dates of birth and possibly credit card numbers.
In late March, Epsilon reported that hackers had stolen the names and email addresses of individuals who receive business newsletters from Epsilon’s clients, which include a number of well known companies such as Best Buy and Robert Half International. Considering that Epsilon delivers over 40 billion emails a year for its clients, the chances have gone up of improved, targeted phishing attacks as a result of this breach, particularly for banking customers of banks that have used Epsilon for email marketing.
There should be no surprise that the regulatory penalties for data breaches continues to escalate. Security breach notification procedures were codified into the 2009 ARRA legislation for health care providers. ARRA Health Tech Initiatives Section 13402 of the ARRA legislation (on page 17 of the linked pdf file) puts the responsibility on a covered entity to notify its customers of a data breach where unauthorized access is gained to “unsecured” protected health information. In laymen’s terms, “unsecured” PHI is data that is not encrypted. So, for example, a typical relational database stores its data in physical files on a computer hard drive or array. Some database systems encrypt these files so that you could not just open up the file in notepad and read its contents. If a hacker were to gain physical access to the server where these files were located, he or she might not be able to read them without further access (for example, with an administrator-level username and password to directly query the database). Notification to patients would not likely be required in this circumstance if you could show the hacker gained physical access but not database-level access.
Does your database encrypt its stored data files? Not all database software, and not all versions of specific database software, provide for native encryption. For example, the data files of your Microsoft Access database are not likely to be encrypted. For performance reasons, data files for MS SQL Server databases may also not be encrypted. But, even if your database file is encrypted, if the administrator password to the database itself is blank or easy to guess (like “admin”), you may still have trouble brewing back at the server room.
Here is a list published by HHS of data breaches reported to it under ARRA’s notification requirements. Do you see your physician on this list? If things continue, you may sooner rather than later!