In more bad IT security news this week (see here and here, for instance), the Oklahoma State Department of Health (OSDH) announced yesterday that a laptop and 50 papers containing medical information on over 133,000 persons was stolen from an employee's car last week.
The press release at the OSDH web site says that:
"A database related to the Oklahoma Birth Defects Registry was on the computer. The Oklahoma Birth Defects Registry provides statewide surveillance of birth defects to reduce the prevalence of birth defects through prevention education, monitoring trends and analyzing data. The laptop was used to record data from hospital medical records."
The OSDH also said that, "We offer our apologies to those who may be affected," and that:
"We are reviewing our administrative policies to strengthen safeguards to better protect the confidentiality of the data we collect. We recognize our obligation to make any changes that will ensure a similar incident cannot happen again."
This article at NewsOK gives a bit more detail about what information was taken, which included "names, addresses, Social Security numbers, medical information on birth defects, birth weight, test results, tribal membership and limited medical diagnoses."
Furthermore, the NewsOK article says OSDH doesn't know what else was on the laptop, and is now trying to figure if any other sensitive information was also compromised.
In addition, the article states that the information on the laptop was not encrypted, which OSDH says is required. The OSDH is now looking into whether the employee involved should be fired.
In other IT security-related news, a hard drive containing 93,500 patient records at the Midstate Medical Center in Meriden, Connecticut was reported last week as being "misplaced" by an employee. The Medical Center's press release states that the drive was discovered as missing on 15 February 2011 and that:
"The information contained on the device consisted of names, addresses, dates of birth, marital status, Social Security numbers and medical record numbers."
It also says that the Center "... is in the process of reviewing their policies and are taking steps to help ensure that this type of incident does not happen in the future."
Midstate Medical Center further regrets "any inconvenience" this incident causes.
There was also news this week that the security firm Barracuda Networks was successfully penetrated by a hacker over the weekend.
According to this CNET news article, the hacker was able to gain access to several Barracuda databases that contained "... the names, phone numbers, and e-mail address of various Barracuda partners," as well as the "... e-mail addresses of different Barracuda employees along with their passwords."
There is more information on the hack at this blog post by Barracuda's Executive Vice President Michael Perone, who apologized "for the inconvenience."
And finally, the huge Epsilon email hack seems to be larger than Epsilon has admitted to. The latest list of companies confirming that they have had their customer emails stolen looks to have reached over 100. Epsilon has been insisting that it was more like 50.
Epsilon has not commented on the apparent discrepancy.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.
