Here’s a roundup of this week’s data breach news:
Healthcare.Gov – The drama over the Healthcare.Gov website continues. On Thursday, the Wall Street Journal broke the news that the government healthcare website had been hacked. Federal employees first noticed the breach on August 25, and no personal information was accessed in the breach because it only affected test servers, Medicare spokesperson Aaron Albright told the New York Times. More concerning are the security weaknesses that led to the breach: the manufacturer’s default password on the server had never been changed, the server was not subject to security scans, and the test servers were mistakenly connected to the internet. The attack did not appear to be targeting healthcare.gov specifically—instead, malware was downloaded onto the server as part of a larger DDoS attack. There are always going to be cyber threats that a company cannot anticipate, but at this point, changing passwords and using basic security scans should be common sense, especially for a government website containing healthcare information.
Bartell Hotels – As many as 55,000 guests who stayed at the San Diego hotel chain may have had their credit card data and names compromised. Bartell Hotels’ investigation revealed that an attacker compromised the payment card processing system at five of Bartell’s seven hotel locations between February 16 and May 13, 2014. While the investigation is ongoing, the hotel is urging its customers to check their credit reports and monitor for fraud.
Memorial Hermann Health Systems – For more than six years, an employee at Memorial Hermann Health Systems in Texas improperly accessed health records belonging to 10,604 patients. In a press release on its website, the hospital said it discovered on July 7, 2014, that an employee was accessing electronic medical records—and that this had been going on since December 2007. The information breached included health insurance information and some Social Security numbers. After an investigation, the employee’s access to medical records was suspended. Memorial Hermann says it has privacy training in place for all employees, but the hospital’s privacy policies are now under review.
California State University East Bay – Approximately 6,000 faculty and students at CSU East Bay were notified that their personal information may have been accessed in a website breach a year earlier. On August 11, 2014, the university discovered that faculty and student information had been accessed nearly a year earlier. An investigation revealed that an “unknown third-party broke into a University web server using an overseas IP address and a software tool designed to secretly access information on the server.” Names, addresses, Social Security numbers, and dates of birth were accessed from the server, which contained employment records and course information.