AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Cost Of A Data Breach: HealthNet Settles With Vermont AG, Files Were in TIFF Format

It looks like HealthNet's troubles weren't over when they settled with the Connecticut Attorney General back in July 2010. According to databreaches.net, HealthNet has now settled with Vermont's Attorney General's office, adding an extra $55,000 on top of their previous fines. It looks like, contrary to what I had reflected before, the use of hard drive encryption like AlertBoot would perhaps have been warranted.

Files were in Image Format

This latest settlement has revealed an additional detail of HealthNet's data breach. To recap the situation so far: a portable drive (not protected with encryption software) that contained sensitive information such as SSNs was lost in May 2009. Affected people were not alerted until 6 months later, prompting various state Attorneys General to look into the situation. In July 2010, HealthNet settled with Connecticut's AG.

HealthNet had reassured people that the risk of harm was low.  Databreaches.net has the following quote:

When it did notify Vermont residents, Health Net told them that it believed their risk of harm was "low" because "the files on the missing drive were not saved in a format that can be easily accessible."

It turns out that this "not easily accessible" format is actually a TIFF file, a common image format.  In fact, this is what Wikipedia has to say on the matter:

... the TIFF format is widely supported by image-manipulation applications, by publishing and page layout applications, by scanning, faxing, word processing, optical character recognition and other applications. [my emphasis]

Let me put it this way: I can open TIFF files just fine in my web browser. How's this not easily accessible? It's about as accessible as it gets! Furthermore, free image viewing software applications like Google's Picasa will show TIFFs in slideshow format; you don't even have to open the files one by one.

While I'm not going to go so far as to accuse HealthNet (or, rather, its lawyers or PR department or both) of lying, it seems to me that they should have paid more attention to what they were writing. I mean, if I showed TIFF files opening up in a web browser to a jury, would it pass muster that it's low risk? I'd think not.
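As an added illustration (not part of the original post), the following Python recognises a TIFF from its first eight bytes and walks its first image directory, which is all any of the viewers, scanners and OCR packages in the Wikipedia passage need to do; the same routine gets nothing from ciphertext, which is the only sense of "not easily accessible" that holds up. The sample TIFF and the ciphertext-like bytes are constructed inline.

```python
import struct

# Tag numbers from the TIFF 6.0 specification for the fields reported below.
TAG_NAMES = {256: "ImageWidth", 257: "ImageLength", 258: "BitsPerSample",
             259: "Compression", 262: "PhotometricInterpretation",
             273: "StripOffsets", 278: "RowsPerStrip", 279: "StripByteCounts"}

# Constructed stand-in for the first bytes of an encrypted volume: no header,
# no byte-order mark, nothing a viewer or forensic tool could latch on to.
CIPHERTEXT_SAMPLE = bytes.fromhex("9c3b7e0af1d284c6e05ab73f1c92d6e4" * 4)

def parse_tiff_header(data: bytes):
    """Return (byte_order, {tag: value}) for the first image directory of a
    TIFF blob, or None when the bytes do not begin with a valid TIFF header."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if data[:2] == b"II" else ">"      # "Intel" vs "Motorola" order
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd_offset + 2 > len(data):  # every TIFF carries 42 here
        return None
    (count,) = struct.unpack(endian + "H", data[ifd_offset:ifd_offset + 2])
    tags, pos = {}, ifd_offset + 2
    for _ in range(count):                          # 12-byte directory entries
        if pos + 12 > len(data):
            return None
        tag, typ, cnt, value = struct.unpack(endian + "HHII", data[pos:pos + 12])
        if typ == 3 and cnt == 1:                   # SHORT sits in the first 2 bytes
            (value,) = struct.unpack(endian + "H", data[pos + 8:pos + 10])
        tags[TAG_NAMES.get(tag, tag)] = value
        pos += 12
    return ("little" if endian == "<" else "big", tags)

def build_minimal_tiff() -> bytes:
    """Constructed sample: a 1x1 uncompressed bilevel little-endian TIFF."""
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 1), (259, 3, 1, 1),
               (262, 3, 1, 0), (273, 4, 1, 110), (278, 3, 1, 1), (279, 4, 1, 1)]
    ifd = struct.pack("<H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack("<HHIH2x" if typ == 3 else "<HHII", tag, typ, cnt, val)
    ifd += struct.pack("<I", 0)                     # no further directories
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x00"  # pixel byte at 110

def describe(data: bytes) -> str:
    """One-line verdict of the kind an investigator would record for a file."""
    parsed = parse_tiff_header(data)
    if parsed is None:
        return "no recognisable image header (opaque bytes)"
    order, tags = parsed
    return "TIFF image, %s-endian, %sx%s pixels" % (
        order, tags.get("ImageWidth", "?"), tags.get("ImageLength", "?"))
```

Running `describe()` over the two samples gives a readable image for the TIFF and nothing at all for the ciphertext; the file format was never the obstacle, the missing encryption was.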

Vermont's First Enforcement of the Security Breach Notice Act

This is Vermont's first case when it comes to the enforcement of their Security Breach Notice Act. A cursory glance at the law shows that "personal information" is defined as names and other data elements that are not encrypted. Had HealthNet used a cryptographic solution like portable disk encryption, the loss of their hard disk would not, under the legal definition, have been a data breach at all.

A total of 535 Vermont residents were affected.

I had covered HealthNet's data breach earlier, here and here. When I guesstimated HealthNet's potential costs due to the breach, I noted that it would perhaps make sense, from a financial perspective only, to risk a data breach when taking into account the costs associated with encrypting all computers for its employees.

However, considering that Vermont is also extracting monetary penalties, plus the fact that the breach also affected residents of Arizona, New Jersey, and New York, perhaps I might have to reconsider that conclusion. Breach notification laws for New York and New Jersey do not specify monetary penalty amounts, but neither did Vermont's. Arizona's legislation limits civil penalty amounts to no more than ten thousand dollars.


Related Articles and Sites:
http://www.databreaches.net/?p=16441


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.