The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


PHI Whack-a-Mole

Well, the newest Ponemon Study confirms what the news keeps reporting:  health care organizations continue to be plagued by PHI security incidents.  In fact, 90 percent of healthcare organizations surveyed reported experiencing breaches.  And 45 percent agree that they have inadequate policies and procedures in place to effectively detect or prevent PHI security incidents.  

So what’s causing these breaches? According to the Ponemon Institute’s fourth annual Patient Privacy & Data Security Study, patient data security and privacy threats are new and expanding. For health care organizations, it is a bit like playing whack-a-mole. The most common type of actual PHI breach is lost or stolen computing devices (49 percent), followed by employee error (46 percent) and third-party mishap (41 percent). The rate of data breaches caused by a malicious insider or hacker has doubled, from 20 percent of all incidents to 40 percent, since the first Ponemon Institute study four years ago. This last statistic is of special concern to Dr. Ponemon: “The latest trend we are seeing is the uptick in criminal attacks on hospitals…. With millions of new patients entering the U.S. healthcare system under the Affordable Care Act, patient records have become a smorgasbord for criminals.” The problem, of course, is that cybercriminals are becoming ever more sophisticated in their malicious tactics, and countering them is a huge challenge for often financially strapped healthcare organizations.

What’s keeping healthcare executives up at night? 75 percent worry most about employee negligence, in particular BYOD. While 88 percent of the organizations allow employees and medical staff to use their own devices, more than half are not confident that those devices are secure, and 38 percent have no procedures to secure the devices or prevent them from accessing sensitive information.

Business associates (BAs) are worrying these executives as well. As the healthcare environment expands, with more healthcare organizations relying on BAs for services such as IT, claims processing and benefits management, greater risks emerge. Less than one-third of those surveyed expressed confidence that their BAs are protecting patient data in the ways mandated by the HIPAA Final Rule.

So, is there any good news? Are any moles actually getting whacked? Fortunately, more than half of the health care organizations surveyed (55 percent) believe they do have effective policies and procedures in place to prevent or quickly detect unauthorized patient data access, loss or theft. This confidence is not unfounded, as the actual number and cost of data breaches have slightly declined from prior study results. Further, while the 2013 Report noted that 45 percent of healthcare organizations had more than five incidents in the last two years, this year that percentage declined to 38 percent. So, slow but steady progress. The challenge, according to Ponemon, is that organizations need to embed a culture of compliance to stem the security risks. Healthcare organizations must implement tools, processes and software that automate and streamline the practice of protecting PHI—these are the mallets health care organizations need to whack those data security moles.

The Most Popular Flashlight App Kept Consumers in the Dark about Tracking Them.

Have you ever downloaded a flashlight app?

Well, if you have and use it on an Android, you might want to check out which one it is. If it’s “Brightest Flashlight Free,” there’s some big news for you, along with more than 50,000,000 other users!

On December 5, 2013, the Federal Trade Commission (“FTC”) issued a settlement package with the app’s developer – Goldenshores Technologies, LLC – claiming that the company violated Section 5 of the FTC Act with its deceptive practices. The FTC alleges that, not only did the company omit material information about sharing sensitive user data with advertising networks and other third parties, but it also failed to ensure that the privacy disclosures it did make were accurate and sufficiently prominent. So, just think, if you have Brightest Flashlight Free, your precise location data has been shared with third parties without your consent, and they could be using that data to track your whereabouts.

How did Goldenshores Technologies do it? Well, according to the FTC charges, the company deceptively failed to disclose to consumers that the app transmitted users’ precise geolocation and unique device identifier – information the FTC considers sensitive – to third parties. Furthermore, the privacy policy, found only in the End User License Agreement and not in the app’s promotional page on the Google Play store, listed some information that the company might collect, but failed to mention the inclusion of sensitive information. The privacy policy also stated that only Goldenshores would use the information listed, not third parties.

But wait! There’s more! Even if you downloaded Brightest Flashlight Free but never used it, the FTC alleges that you could still have been tracked. According to the proposed settlement, if users downloaded the app, viewed the End User License Agreement but then chose to reject it, the user’s precise geolocation information and Device ID was already being transmitted. So even if you never used the downloaded app, your sensitive data was already on its way. How many of us remember whether we downloaded an app that we never used?

So what’s the big deal? Well, with location data and device IDs, an advertising company can pull together your information across several apps, enabling a marketer to follow you throughout your day. And if you downloaded Brightest Flashlight Free, you weren’t given a choice about it.

The FTC’s proposed settlement package has a number of elements. Even though Brightest Flashlight Free has been accused of improperly collecting and sharing sensitive information, because the app was free, the settlement does not include a fine against the company. It does, however, require Goldenshores to clean up its act and stop misrepresenting how consumer information is collected and shared, and how much control consumers have over the way that their information is used. Goldenshores must also provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used, and shared, as well as obtains their affirmative express consent before doing so. And, fortunately, the company must delete all of the sensitive information Brightest Flashlight Free nefariously collected. So that’s the good news. But what about the sensitive data already sent to third parties? No mention of that being deleted, unfortunately.
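The settlement terms above describe a concrete control: show a just-in-time notice, collect nothing until the user affirmatively agrees, and delete what was collected. The following is an added example of that consent gate, written for this page and not code from Goldenshores, the FTC, or any real app; the `LocationClient`, `Disclosure` and `ConsentRequired` names, the sample coordinates and the "example-ad-network" recipient are all constructed for illustration, and the `sent` list stands in for a real network call.

```python
"""Consent-gated geolocation collection (added, hypothetical example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Consent(Enum):
    UNDECIDED = "undecided"   # notice not yet shown or not yet answered
    GRANTED = "granted"       # affirmative express consent recorded
    REJECTED = "rejected"     # user declined; nothing may be collected or shared


class ConsentRequired(Exception):
    """Raised when code tries to collect or share location without consent."""


@dataclass(frozen=True)
class Disclosure:
    """The just-in-time notice: what is collected, why, and who receives it."""
    data_types: Tuple[str, ...]
    purpose: str
    recipients: Tuple[str, ...]

    def render(self) -> str:
        return (f"This app collects {', '.join(self.data_types)} for {self.purpose}. "
                f"It is shared with: {', '.join(self.recipients)}. Allow?")


@dataclass
class LocationClient:
    """Hypothetical app component; 'sent' stands in for transmissions to third parties."""
    disclosure: Disclosure
    consent: Consent = Consent.UNDECIDED
    stored: List[dict] = field(default_factory=list)   # records kept on the device/server
    sent: List[dict] = field(default_factory=list)     # records already handed to recipients

    def show_notice(self) -> str:
        # Shown before any collection, in the app itself rather than buried in a EULA.
        return self.disclosure.render()

    def record_consent(self, allowed: bool) -> Consent:
        self.consent = Consent.GRANTED if allowed else Consent.REJECTED
        if not allowed:
            self.purge()   # a rejection or withdrawal also deletes anything held locally
        return self.consent

    def report_location(self, lat: float, lon: float, device_id: str) -> dict:
        # The gate: UNDECIDED (EULA not yet answered) is treated exactly like REJECTED.
        if self.consent is not Consent.GRANTED:
            raise ConsentRequired(f"consent state is {self.consent.value}")
        record = {"lat": lat, "lon": lon, "device_id": device_id}
        self.stored.append(record)
        self.sent.append(dict(record, recipients=self.disclosure.recipients))
        return record

    def purge(self) -> int:
        # Delete everything the app itself holds; returns how many records were removed.
        count = len(self.stored)
        self.stored.clear()
        return count


def _demo_client() -> LocationClient:
    # Constructed disclosure text and recipient; not a real ad network.
    return LocationClient(Disclosure(("precise geolocation", "device identifier"),
                                     "ad targeting", ("example-ad-network",)))


def simulate_reject_flow() -> Tuple[int, int]:
    """User sees the notice, declines, and the app later tries to report anyway."""
    client = _demo_client()
    client.show_notice()
    client.record_consent(False)
    try:
        client.report_location(37.77, -122.41, "constructed-device-id")
    except ConsentRequired:
        pass
    return len(client.stored), len(client.sent)   # (0, 0): nothing collected, nothing sent


def simulate_grant_then_withdraw() -> Tuple[int, int, int]:
    """User consents, two fixes are reported, then consent is withdrawn."""
    client = _demo_client()
    client.show_notice()
    client.record_consent(True)
    client.report_location(37.77, -122.41, "constructed-device-id")
    client.report_location(37.78, -122.42, "constructed-device-id")
    client.record_consent(False)   # withdrawal purges the local store
    return len(client.stored), len(client.sent), client.consent is Consent.REJECTED


if __name__ == "__main__":
    print(simulate_reject_flow())            # (0, 0)
    print(simulate_grant_then_withdraw())    # (0, 2, True)
```

The second scenario makes the post's closing point visible: withdrawal empties `stored`, but the two records in `sent` remain with the recipients, which is exactly the data the proposed settlement does not reach.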

The commission is accepting comments on the proposed consent agreement package through January 6, 2014. Maybe someone will ask them what will happen to all the sensitive data those third parties already have.


Online Privacy Is Getting Interestinger and Interestinger!

In case you haven’t heard, online privacy is getting very complicated and Internet users are worried. It’s no wonder, given all the activity in the industry: daily stories about stolen identities and data breaches, companies you’ve never even heard of collecting information about you, and even mobile game applications knowing your physical whereabouts. (Let’s not even get into the recent NSA PRISM disclosures!) This is very different from the 1990s, when online privacy was pretty much an “opt in” or “opt out” proposition, or people didn’t even know to worry about it. Today, things are much more complex. Pew Research Center’s recently published survey, Anonymity, Privacy, and Security Online, confirms that most users not only want control over their online personal information but fear that this is no longer possible.

It isn’t just government surveillance that people are worried about; in fact, users are more intent on masking their personal information–things like email and download content, contacts and their online presence–from hackers and advertisers, and even from friends and family members. How hard are they trying to hide? Well, the study reports that 64 percent of users clear their browser history or disable cookies, while 14 percent have resorted to setting up anonymous browsing capabilities. And 13 percent actively misidentify themselves in their efforts to “hide.” It’s not that individuals want to be completely hidden online; they just want to decide when they are unseen, based on what kind of data is at issue, who might be watching, and what they think might happen if they don’t hide. Not surprisingly, younger and more sophisticated users are more likely to “bounce” back and forth between disclosing who they are and remaining anonymous, depending on what they are doing online.

Personal photos top the list of key pieces of personal information users know are available online.  Next come birthdates, phone numbers (both cell and home), home addresses and group affiliations.  Over one third of online users avoid websites that ask for their name, and 41 percent have deleted or modified a prior posting.

Perhaps users are more aware of what information about them is floating around out there in cyberspace because cybersecurity is having a hard time keeping up with the sophisticated methods of hackers. 21% of online adults report having had an email or social media account hijacked, and 11% having had vital information like Social Security numbers, bank account data, or credit card numbers stolen. With all this complexity and the increasing incidence of identity theft, it is not surprising that 68% of those surveyed do not believe current laws are sufficient to protect individual online privacy. So what’s to be done? Industry groups are racing to pull together self-regulatory measures and codes of conduct in an effort to avert what they fear could be cumbersome and over-reaching legislation and regulations in both the security and privacy spheres—whether or not they succeed in time remains to be seen. And, of course, the government is keeping a careful watch over the whole issue (pun intended)!