2016 Breaches Mounting

The total reported breaches captured in the San Diego-based Identity Theft Resource Center 2016 Breach Report hit 500 as of mid-year, about 20% higher than last year’s record pace for the same period.

The sum of reported records exposed, as of June 28, totaled 12,777,337. However, that only tells part of the story. CEO spear phishing breaches continued to represent nearly one-third of the total breaches reported, according to the ITRC.

In April, the FBI warned about a dramatic increase in so-called CEO fraud email scams in which the attacker spoofs a CEO message and dupes someone at the organization into wiring funds to the fraudsters. The FBI estimated these scams cost organizations more than $2.3 billion in losses over the past three years.

Year-over-year, breaches in the education sector were up 70% over 2015 figures, followed by the business sector up 36.7%, and the medical/healthcare field up 18%. The government/military sector continues to show a decline from last year’s figures, down 6.7%, with the banking/financial/credit category down 65%.

The five industry sectors broke down as follows:

  • Business = 46.4%
  • Medical/Healthcare = 33.5%
  • Educational = 11.4%
  • Government/Military = 5.8%
  • Banking/Credit/Financial = 3%

The ITRC defined a data breach as an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record (credit/debit cards included) was potentially put at risk because of exposure.

The ITRC 2016 Breach Report is a compilation of data breaches confirmed by various media sources and/or notification lists from state governmental agencies. Some breaches did not have reported statistics yet or remained unconfirmed.

Following are the biggest 2016 U.S. data breaches, based on confirmed, exposed personally identifiable information records.

1. Office of Child Support Enforcement: 5 Million Records

Hard drives and a personal laptop, possibly containing millions of SSNs, were taken from a federal building in Washington State in February. However, the breach wasn’t reported until late March, prompting Congress to question the breach response actions taken by the U.S. Department of Health and Human Services.

2. 21st Century Oncology: 2.2 Million Records

In October 2015, a hacker gained access to a patient database in Florida containing insurance data and SSNs of patients. While the incident was not of the magnitude of Anthem, Excellus BCBS or Premera Blue Cross, it did rank as one of the largest healthcare data breaches of 2015. On March 4, 2016, a regulatory filing issued to the Securities and Exchange Commission indicated 2.2 million current and former patients potentially had their data copied and stolen.

3. Verizon Enterprise Solutions: 1.4 Million Records

In New Jersey, a B2B unit of the giant telecommunications firm Verizon, which often helps other companies respond to large data breaches, needed to investigate its own data breach involving the theft and resale of customer data. KrebsOnSecurity reported a prominent member of a closely guarded underground cybercrime forum posted a thread advertising the sale of a database containing the contact information on Verizon Enterprise customers.

4. Centene: 950,000 Records

The St. Louis-based payer misplaced six hard drives containing information of individuals who received laboratory services from 2009 to 2015, including names, addresses, birth dates, SSNs, member ID numbers, and health information. There was no financial or payment information stored on the hard drives, according to Centene.

5. Kroger / Equifax: 431,000 Records

Identity thieves stole tax and salary data from credit bureau Equifax Inc., according to a letter that grocery giant Kroger sent to all current and some former employees. The nation’s largest grocery chain by revenue is one of several Equifax customers similarly victimized this year. According to the letter dated May 5, thieves were able to access W-2 data simply by entering Kroger’s employee default PIN at Equifax’s online portal, which was nothing more than the last four digits of the employee’s SSN followed by his or her four-digit birth year.

6. California Correctional Health Care Services: 400,000 Records

On April 25, CCHCS identified a potential breach of PII and protected health information that occurred on Feb. 25 when robbers broke into a workforce member’s automobile and stole an unencrypted laptop. The laptop was password protected in accordance with state protocol.

7. Baileys, Inc.: 250,000 Records

The outdoor equipment retailer notified its customers that an attacker may have stolen payment card information from the company website and that the breach lasted longer than previously suspected, running from Dec. 1, 2011 to Jan. 26, 2016. An examination by its security consultant revealed the theft involved 15,000 credit cards used to pay for purchases: nearly 25% MasterCard, 64% Visa, and less than 5% American Express and 6% Discover.

8. Premier Healthcare: 205,748 Records

The Bloomington, Ind., healthcare provider discovered a laptop stolen from the billing department’s locked and alarmed administrative office on Jan. 4. The laptop was password protected, but not encrypted. Emails stored on the laptop’s hard drive contained some screenshots, spreadsheets and PDF documents used to address billing issues with patients, insurance companies, and other healthcare providers.

9. Southern New Hampshire University: 140,000 Records

This breach was discovered by researcher Chris Vickery shortly before Christmas 2015, but the investigation carried over into 2016. The exposed SNHU database contained student names, email addresses and IDs, as well as other class-related details such as course name, course section, assignment details and assignment score. The database also contained instructor names and email addresses.

10. IRS: 101,000 Records

The January 2016 assault, reported in February, took place after attackers had previously gained access to the SSNs of 464,000 people, according to the IRS. This time hackers cracked an automated system that generated additional e-filing PINs.

No raise for Atlantic Health workers — just a lesson in scamming | Editorial

Congrats! You’re getting a raise. That’s the email Atlantic Health System, which runs five hospitals in New Jersey, sent out to its workers recently.

They were told that to get their next paycheck, all they had to do was click a link, then enter their employee ID number, date of birth, and home ZIP code.

Roughly one quarter of the 5,000 employees opened it, and two thirds of them went on to provide the information.

Joke’s on you, suckers: It turned out to be a computer security test run by Atlantic on its own employees, to see how many got duped.

Now these working stiffs can thank their bosses for a free educational exercise in how easy it is to become the victim of a phishing attack!

Hope there’s no hard feelings. The goal of any good phishing test, after all, is to elicit an emotional response strong enough to override a worker’s caution, a security expert with the Austin-based firm that ran this test for Atlantic Health says.

Kevin Lenahan, Atlantic Health’s chief financial and administrative officer, explained in a follow-up email to all employees that since cybercriminals are getting more slick, Atlantic also had to.

“We took measures to ensure that the fabricated phishing emails looked authentic,” he said.

Let’s send another email to make sure he and other Atlantic Health executives are using best practices, too:

“The U.S. Attorney’s Office for the District of New Jersey, the Department of Justice’s Civil Division and the Office of Inspector General of the Department of Health and Human Services are re-opening an investigation into members of your hospital system for over-billing Medicare. To view the allegations, click on this link.”

Phishing Scam Leaks Employee Information at NJ Facility

Saint Joseph’s Healthcare System in New Jersey recently announced that more than 5,000 employees at some of its facilities may be at the risk of identity theft following a phishing scam that potentially compromised their information.

Facilities in Paterson, Wayne and Cedar Grove were affected, according to St. Joseph’s Vice President of External Affairs Kenneth Morris Jr. Patient data and medical information were not affected, but employees’ names, Social Security numbers and employee earnings for 2015 and 2016 were potentially accessed. Dates of birth, home addresses, and banking information were not affected.

Morris told The Record that there was no indication that the phishing scam was an internal crime, and that it was an “extremely sophisticated” scam. He added that the scam email appeared to come from a named company executive at an internal email address.

“There was no intrusion or breach of our internal IT system,” he explained to the news source. “None of that data was compromised.”

Affected employees will be receiving free credit monitoring. Local and federal authorities have also been notified, as well as the system’s insurance carrier, according to Morris.

“Our primary focus is really protecting our employees and their credit health,” he said. “In addition, we’re putting the proper protocols in place so that this doesn’t happen again.”

Other recent potential data breaches included improperly disposed devices and mis-mailings.

Potential data breach at Iowa pharmacy

A Des Moines, Iowa-based pharmacy is warning some customers of a potential data breach after an external hard drive was “inadvertently” disposed of on November 5, 2015.

The Medicap Pharmacy hard drive reportedly contained personal information that the organization believed to have been encrypted, according to The Des Moines Register. However, Medicap said it learned on December 3 that some of the data may not have been encrypted.

Customers who filled prescriptions at the Des Moines pharmacy between June 2014 and Nov. 3, 2015, may have had some information exposed. This data included names, addresses, dates of birth, telephone numbers, prescriber information, names of medications, costs, insurance information and Social Security numbers.

Medicap told the news source that there is no indication that the information was obtained, accessed, or misused. Even so, the pharmacy urged individuals who suspect they may have been the victim of identity theft to contact local law enforcement or the state attorney general’s office.

According to the OCR data breach reporting tool, the incident affected 2,300 individuals.

Michigan rheumatology facility mis-mailing affects 700 individuals

Borgess Rheumatology in Michigan recently reported that 700 patients may have been contacted by mistake through mailings, potentially exposing a limited amount of information to the wrong individuals.

Letters were reportedly mailed to patients on December 9, 2015, according to a WWMT report, and Borgess learned of the incident on December 10. While Social Security numbers were not included in the information mailed out, patient names and the fact that they visit Borgess were included.

Once Borgess found out what happened, it immediately began to contact patients.

“Borgess takes patient confidentiality very seriously and we deeply regret that this has occurred,” Borgess Corporate Responsibility Officer & HIPAA Privacy Officer Susan McDonald said in a statement. “We are doing everything we can to notify patients who were impacted by this mistake.”

Borgess added that it is taking “aggressive steps” to ensure this type of incident does not happen again. While it was not specified exactly how the mis-mailings took place, the organization said that it was also re-educating and training staff on necessary safeguards. Borgess policies and procedures will also be reviewed.