News Column

Data Breaches: A Year in Review

Page 2 of 2



Compromised email addresses and names may seem innocuous, but they give an attacker exactly what spear phishing needs. Spear phishing is a targeted email that looks and sounds as if it came from a company the recipient has an account with; addressing the recipient by name and referring to a real event makes it far more convincing than generic spam. A spear-phishing message might say, "Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website (URL provided) and update your security settings." The email tries to get trusting readers to "bite" on the bait, visit that website, and divulge further information such as Social Security numbers and credit card numbers. The result can be as serious as identity theft.
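The practical defence against the message quoted above is to check where its links actually go, not how they read. The following is an added example, not code from the column or from Privacy Rights Clearinghouse: it pulls the links out of a constructed HTML message modelled on the Acme text, flags any link whose visible text names one host while the href points at another, and flags any target outside the company's own domains. The domain "acme.example" and its subdomains are assumed for the fictional Acme.

```python
"""Flag links in an email that do not point at the sender's own domain.

Added example; the message and the Acme domains are constructed/assumed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the fictional company really hosts pages on (assumption for the example).
TRUSTED_DOMAINS = {"acme.example"}

_URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed phishing message mirroring the article's Acme example.
SAMPLE_MESSAGE = """<p>Hello Mr. Anderson,</p>
<p>Because of the recent hacking incident affecting some Acme customers, we are
asking you to visit <a href="http://acme.example-security.example/update">
https://www.acme.example/security</a> and update your security settings.</p>
<p>Our privacy policy: <a href="https://www.acme.example/privacy">privacy policy</a></p>
<p>Questions? <a href="http://acme.example.attacker.example/help">help desk</a></p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host):
    """True only for the trusted domain itself or a real subdomain of it.

    Lookalikes such as acme.example-security.example or
    acme.example.attacker.example do not end with ".acme.example" and fail.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html_body):
    """Return a list of (href, reason) for links a reader should not click."""
    parser = _LinkParser()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = _URL_RE.search(text)
        if shown:
            # Visible text that looks like a URL must agree with the real target.
            shown_host = (urlsplit(shown.group(0)).hostname or "").lower()
            if shown_host != host:
                findings.append((href, f"link text shows {shown_host!r} but target is {host!r}"))
                continue
        if not is_trusted(host):
            findings.append((href, f"target host {host!r} is not an Acme domain"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run on the sample, the first link is reported because its text claims www.acme.example while the href goes to acme.example-security.example, and the "help desk" link is reported because acme.example.attacker.example is not a subdomain of acme.example; the genuine privacy-policy link passes. A production mail filter would add a public-suffix lookup and sender-domain checks, but the two tests shown are what catches the message in the article.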

The Epsilon breach is also significant because it highlights the risk of cloud-based computing systems, in which a single provider holds data on behalf of many client companies, and the need for stronger cloud security measures.

3. Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) (Nov. 16) -- A company-issued desktop computer was stolen from SMF's administrative offices in Sacramento, California, during the weekend of Oct. 15. Although the computer was password protected, the data on it was not encrypted. Approximately 3.3 million patients whose health care provider is supported by SPS had their names, addresses, dates of birth, phone numbers, email addresses, medical record numbers and health insurance plan names exposed. For an additional 934,000 SMF patients, the records also included dates of service and descriptions of medical diagnoses and/or procedures used for business operations, bringing the total to 4.2 million patients. At least two lawsuits have been filed against Sutter Health. One class-action suit alleges that Sutter Health was negligent in safeguarding its computers and data, and then failed to notify the millions of patients whose data went missing within the time required by state law.

The security lapse occurred on two levels: the data itself was unencrypted, and the computer was kept in an unsecured location. A login password only gates the operating system's interface; once the machine or its drive is in a thief's hands, the disk can be read in another computer, so only encryption of the data at rest would have protected it. Although no Social Security numbers or financial information appears to have been exposed, the stolen records contained every data element needed for medical identity theft.

4. Texas Comptroller's Office (April 11) -- Information from three Texas agencies was discovered to be accessible on a public server. Sometime between January and May 2010, unencrypted data was transferred from the Teacher Retirement System of Texas, the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas. It ended up on a state-controlled public server as early as April 2010 and was not discovered until March 31, 2011. Sensitive information such as names, Social Security numbers, addresses, dates of birth and driver's license numbers could have been exposed.

A spokesperson from the Texas Comptroller's Office said that the breach occurred because numerous procedures were not followed. Some employees were fired for their roles in the incident. Approximately two million of the 3.5 million individuals possibly affected were unemployment insurance claimants who may have had their names, Social Security numbers and mailing addresses exposed; the birth dates and driver's license numbers of some of these people were also exposed. Two class-action lawsuits have been filed on behalf of the 3.5 million Texans affected by the breach. One such lawsuit seeks a $1,000 statutory penalty for each individual.

Although all breaches of sensitive personal information are serious, the Texas Comptroller breach is particularly significant because individuals generally have no choice about providing personal information to a government agency. It is therefore vitally important that government agencies act as responsible stewards of personal data.
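The Texas data sat on a public server for almost a year before anyone noticed. The routine check that would have caught it is to scan whatever is being served for records that look like Social Security numbers. Below is an added example of such a scan, not code from the column or from any Texas agency: it walks a directory, matches nine-digit numbers in the SSN shapes (with dashes, spaces or none), and discards values the Social Security Administration never issues (area 000, 666 or 900 and above, group 00, serial 0000) to cut false positives. The directory tree and the file contents are constructed inside the example to stand in for a web root.

```python
"""Scan files under a directory for records that look like Social Security numbers.

Added example; the sample tree and its contents are constructed here.
"""
import os
import re
import tempfile

# Nine digits in 3-2-4 groups, optionally separated, not glued to other digits.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan_text(text):
    """Return the plausible SSN-shaped strings found in text."""
    return [m.group(0) for m in _SSN_RE.finditer(text) if plausible_ssn(*m.groups())]


def scan_tree(root, max_bytes=10_000_000):
    """Map relative path -> number of plausible SSNs, for files under root that contain any."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read(max_bytes)   # cap reads so one huge file cannot stall the scan
            except OSError:
                continue
            hits = scan_text(data.decode("utf-8", errors="replace"))
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = len(hits)
    return findings


def build_demo_tree(root):
    """Write a constructed sample web root: one clean page, one leaked export."""
    os.makedirs(os.path.join(root, "reports"), exist_ok=True)
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        # 12-digit order number and an unissued area (666) must not count as SSNs.
        f.write("<html><body>Agency portal. Order 123456789012 shipped. Ref 666-12-3456.</body></html>\n")
    with open(os.path.join(root, "reports", "claimants.csv"), "w", encoding="utf-8") as f:
        f.write("name,ssn,phone\n")
        f.write("A. Claimant,123-45-6789,512 555 0100\n")
        f.write("B. Claimant,219 09 9999,512-555-0199\n")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, count in sorted(demo().items()):
        print(f"{path}: {count} possible SSN(s)")
```

On the constructed tree the scan reports only reports/claimants.csv with two hits; the order number, the 666 reference and the phone numbers are not counted. Run the same scan on a real document root (or an export of it) as a scheduled job and alert on any non-empty result; that is the control that turns an eleven-month exposure into an eleven-minute one.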

5. Health Net (March 15) -- Nine data servers containing sensitive health information went missing from Health Net's data center in Rancho Cordova, Calif. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.

Health Net was not only the first large medical breach of the year; the company also waited three months before notifying affected individuals. The servers were discovered missing in January, but policyholders were not notified until March. The breach highlights the importance of timely notification.

6. Tricare Management Activity, Science Applications International Corporation (SAIC) (Sept. 30) -- Backup tapes were stolen from a car, exposing protected health information on patients of military hospitals and clinics. Uniformed service members, retirees and their families were affected. Patient data from the military health system dating from 1992 to September 2011 could have been compromised. It included Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions and other medical information. Four people have filed a $4.9 billion lawsuit over the improper disclosure of data on active and retired military personnel and their families; the suit seeks $1,000 for each affected individual. SAIC reported that 5,117,799 people were affected by the breach.



Source: (c) 2011 Privacy Rights Clearinghouse

