Data Breach Case Settlement with Feds

Monday, August 8, 2016 @ 05:08 PM gHale

A series of data breaches in which a company failed to properly assess risks, did not reasonably safeguard an unencrypted laptop, and did not adequately limit access to its information systems led to a $5.5 million settlement with the federal government.

While this settlement involves a health care organization, it is an example of how the federal government is moving closer to clamping down on companies that violate basic security principles.

One year ago, an appellate court ruled the Federal Trade Commission (FTC) had the legal right to sue companies that fail to protect their customers’ data with proper cyber security measures.

While the ruling was the result of a legal complaint and lawsuit by the FTC against Wyndham Hotels for failing to protect customer details, the effects could end up being felt in the manufacturing automation sector along with other industries where companies blatantly ignore security safeguards.

This decision from the Third U.S. Circuit Court of Appeals is a legal confirmation of the FTC’s power over cyber security issues, and not “government overreach” as Wyndham claimed.

Wyndham Hotels suffered hacks three times in two years, and the company failed to put security measures in place after each incident.

“I think this will be seen and acted upon by the corporate sector first, but I think it will eventually move into the ICS (Industrial Control System) space,” Graham Speake, now the CSO at Berkana Resources Corp., said at the time. “I am seeing more and more companies actually performing assessments of the ICS environment. While some of this is due to NERC CIP and NRC regulation, I am seeing more and more companies using the NIST framework as a basis for good security practices in this space. As auditors come to grips with the FTC ruling, they will start to want to ensure that all parts of the business are adhering to it.”

The settlement with Advocate Health Care, the company at the center of this case, follows an investigation that began in 2013 when the medical company reported three separate data breaches involving its physician-led medical group subsidiary, Advocate Medical Group.

The breaches involved the electronic health information of 4 million people, including medical information, names, credit card numbers and dates of birth, among other things.

In July 2013, four unencrypted laptops containing personal health information were stolen from an administrative office in Park Ridge, IL. Also that summer, an unauthorized third party accessed the network of an Advocate business associate, potentially compromising the information of more than 2,000 patients. In November, Advocate told the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights that an unencrypted laptop holding the personal information of more than 2,200 individuals had been stolen from the vehicle of an Advocate Medical Group employee.

HHS’ Office for Civil Rights investigated the breaches and found Advocate failed to properly assess the risks to the data. It also found Advocate did not reasonably safeguard an unencrypted laptop left in an unlocked vehicle overnight and did not adequately limit access to its information systems.

Downers Grove, IL-based Advocate, which did not admit any liability, said, “While there continues to be no indication that the information was misused, we deeply regret any inconvenience this incident has caused our patients.

“As all industries deal with the ever-evolving digital landscape and the impact it has on security, we’ve enhanced our data encryption measures to prevent this type of incident from reoccurring.”

Jocelyn Samuels, HHS’ Office for Civil Rights director, said she hopes the settlement “sends a strong message” about the importance of comprehensive risk analysis and management to ensure electronic health information is secure.