Wednesday, March 14, 2007
|
|
An amendment to the No Child Left Behind (NCLB) Act seeks to keep military recruiters from accessing secondary students' personal data by requiring parents to choose to share that information rather than having to opt out of sharing it.
Rep. Mike Honda (D-Calif.) introduced the legislation March 6. The Student Privacy Protection Act would require local school systems to obtain written consent before releasing information on secondary school students to military recruiters or their agents.
The measure will next be referred to the House Education and Labor Committee sometime during this session, said a spokesperson for Honda. That committee's chairman, Rep. George Miller (D-Calif.), is a co-sponsor of the bill.
Because of a provision in the NCLB, school districts are directed to give information about students to military recruiters unless parents explicitly request that their children's data remains private. Since the enacting of NCLB, secondary schools have been supplying the names, addresses and telephone numbers of students to recruiters sponsored by the military services.
However, schools often failed to make parents aware of the option to keep that information private, Honda said.
3:54:06 PM
|
|
In a rare instance of public dissent, an American Health Information Community (AHIC) workgroup has split over whether to recommend that product certification be available for personal health record software.
AHIC, a high-level advisory committee to the Department of Health and Human Services, sided with the majority on its Consumer Empowerment Workgroup and voted unanimously in favor of the certification recommendation.
A minority -- five members of the 23-person workgroup -- took the position that certification would be premature and the top priority should be privacy and security policies for PHRs. "The risks [of certification now] outweigh any potential benefits," the dissenters said in a letter to AHIC.
The workgroup's task is to foster widespread adoption of PHRs. One of its leaders, Dr. Rose Marie Robertson, told AHIC that the group believes PHRs will be more widely used if consumers do not have to sit at a computer and enter all their health information. Instead, the PHRs could be populated by data from doctors, health plans, drug stores, or elsewhere.
3:51:04 PM
|
|
WellPoint, one of the nation's largest health insurers, has begun
notifying 75,000 members of its Empire Blue Cross and Blue Shield unit
in New York that a CD holding their vital medical and other personal
information has disappeared.
The information was on an unencrypted disc that a subcontractor
recently sent to Magellan Behavioral Services, a company in Avon,
Conn., that specializes in monitoring and coordinating mental health
and substance abuse treatments for insurance companies.
Empire began notifying the affected consumers by mail on Saturday that
their records--including their names, Social Security numbers, health
plan identification numbers and description of medical services back to
2003--had been lost. [...]
Before shipping the information to Magellan, the coding and passwords
that protect the privacy of the information were removed by a Magellan
subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said Tuesday.
Janlori Goldman, the director of the Health Privacy Center, a nonprofit
organization in Washington, said the error was an "egregious breach of
privacy." She said that insurance companies were responsible under a
federal privacy law for ensuring that their contractors use adequate
security procedures.
Greiner said that the subcontractor, Health Data Management Services,
worked for Magellan, not Empire. "If any contract was breached, we are
going to take direct action," she said.
3:45:41 PM
|
|
Tracking the Password Thieves. The Washington Post today ran a story I wrote about an epidemic of data theft being fueled by password-stealing viruses and phishing attacks. In some ways, the story behind the reporting that went into the piece is just as interesting, so I'd like to share a few of those details.
I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.
Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. This so-called "geo-IP" process is far from perfect: Sometimes these automated guesses are disturbingly accurate, and other times they are miles wide or completely wrong.
The approximate location of the 3,221 U.S. residents victimized by this virus (Data gathered by washingtonpost.com; image courtesy Secure Science Corp. and Google).
Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking. If Joe in Georgia starts suddenly withdrawing money or making purchases in Nigeria or Europe when his last transaction was an hour earlier in Atlanta, Joe's bank is going to flag the transactions as fraudulent and in all likelihood cancel the card. [Security Fix]
11:30:56 AM
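The transaction location tracking described in the entry above can be sketched as an "impossible travel" check. This is an added example, not code from the original post or from any bank's system; the speed threshold, the geo-IP slack, the names and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumption: about airliner cruising speed
GEO_IP_SLACK_KM = 100.0     # assumption: tolerance for imprecise geo-IP guesses

@dataclass
class Txn:
    account: str
    when: datetime
    lat: float
    lon: float
    where: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_impossible_travel(txns):
    """Return (account, previous place, current place, km/h) for each implausible hop."""
    last_seen, flagged = {}, []
    for t in sorted(txns, key=lambda t: t.when):
        prev = last_seen.get(t.account)
        if prev is not None:
            # Subtract the slack so a rough location guess alone never trips the rule.
            km = max(0.0, haversine_km(prev.lat, prev.lon, t.lat, t.lon) - GEO_IP_SLACK_KM)
            hours = (t.when - prev.when).total_seconds() / 3600
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                speed = float("inf") if hours <= 0 else round(km / hours)
                flagged.append((t.account, prev.where, t.where, speed))
        last_seen[t.account] = t
    return flagged

# Constructed sample transactions (not data from the article).
SAMPLE = [
    Txn("joe", datetime(2007, 3, 14, 10, 0), 33.749, -84.388, "Atlanta"),
    Txn("joe", datetime(2007, 3, 14, 11, 0), 6.524, 3.379, "Lagos"),
    Txn("ann", datetime(2007, 3, 14, 10, 0), 33.749, -84.388, "Atlanta"),
    Txn("ann", datetime(2007, 3, 14, 10, 20), 33.953, -84.550, "Marietta"),
    Txn("bob", datetime(2007, 3, 13, 9, 0), 33.749, -84.388, "Atlanta"),
    Txn("bob", datetime(2007, 3, 14, 9, 0), 40.713, -74.006, "New York"),
]

if __name__ == "__main__":
    for hit in flag_impossible_travel(SAMPLE):
        print(hit)
```

Only the one-hour Atlanta-to-Lagos hop is flagged. The nearby transaction falls inside the geo-IP slack, and the next-day New York transaction is well under the speed threshold.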
|
|
|
© Copyright 2007 Paul Hardwick.
Last update: 3/18/07; 5:15:50 PM.