IEEE Incident Leads Breach Roundup
Member Passwords Exposed; Hospital Employee Sentenced
In this week's breach roundup, the Institute of Electrical and Electronics Engineers is notifying affected members that unencrypted log files containing their user IDs and passwords were accessible on its website. Also, a former employee at Howard University Hospital has been sentenced after selling patient information.
IEEE Member Passwords Exposed
The Institute of Electrical and Electronics Engineers is notifying affected members that unencrypted log files containing IEEE account user IDs and passwords were accessible on its website.
"We have conducted a thorough investigation and the issue has been addressed and resolved," a statement posted on the IEEE's site explains.
The institute isn't revealing how many members were affected. But Radu Dragusin, a teaching assistant at the University of Copenhagen in Denmark who says he discovered the exposure, explains on a website set up to describe the incident that about 100,000 user IDs and plaintext passwords were publicly available on the IEEE's FTP server, "for at least one month prior to my discovery." He also claims that affected individuals include employees from Apple, Google, IBM, Oracle and Samsung, as well as NASA researchers.
Former Employee Sentenced for Selling Patient Info
A former employee at Howard University Hospital has been sentenced to six months in a halfway house and ordered to perform 100 hours of community service after selling information about 40 patients, as well as blank prescription forms, to another individual, according to the Department of Justice.
Laurie Napper, a former medical technician in the hospital's general surgery department, pled guilty in June to the wrongful disclosure of individually identifiable health information.
On at least three occasions from August 2010 through December 2011, Napper sold the patient names, addresses, dates of birth and Medicare numbers, along with blank hospital prescription forms, and received a total of about $2,100, prosecutors say.
The person who acquired the information then forged prescriptions for oxycodone, a painkiller, and used Napper's contact information at the hospital for verification.
Insurer Notifies Employees of Record Misuse
Blue Cross Blue Shield of Massachusetts is notifying an undisclosed number of current and former employees after a contracted vendor misused employee information.
No medical information about the employees was involved, nor was any data on members, employers or health providers, the insurer said in a statement.
The health plan did not specify what kind of information was misused. But it acknowledged that it's providing free credit protection services to the affected current and former employees.