Tag Archives: national data breach notification standard

ALERT! CareFirst Health Insurance Hacked…Last June ALERT!

According to a Wall Street Journal report, Washington, D.C.-based not-for-profit health insurer CareFirst BlueCross BlueShield announced Wednesday it had suffered a major data breach…last June!

The data breach was announced Wednesday, after cyber security firm FireEye completed its review of the attack late last week.

Hackers targeted and gained access to the personal information including birth dates, names, email addresses and subscriber information of over one million of its customers. 

“This breach provides further evidence that cyber security defenses in the healthcare industry are still one step behind sophisticated hackers. The first question to ask is: was the compromised database properly encrypted? Encryption is widely recognized as a best practice and it is vitally important for a company like CareFirst, which is handling sensitive patient information. Healthcare companies are prime targets for hackers,” Greg Kazmierczak, CTO of Wave Systems, told DC Inno.

CareFirst, along with Anthem Insurance and Premera Blue Cross, becomes the third major health insurer this year to report a data breach. CareFirst has hired FireEye to investigate the breach and mitigate the damage.

“The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the health-care industry over the past year,” FireEye said in a statement.

A representative of CareFirst stated that the compromised database “contained no member Social Security numbers, medical claims, employment, credit card or financial information.” The insurer also stated that when they first detected the attempted attack last April, they believed they were successful in deflecting the infiltration.

But criticism of CareFirst has already begun. “Not only should the database have been encrypted, but access to the database should have been protected by 2-factor authentication. By having multiple identifying factors, it is dramatically harder for a hacker to gain entry into this type of database. While CareFirst stated that social security numbers and credit cards were not held in the database, access to names, birth dates, and email addresses can lay the groundwork for future intelligence gathering and cyber intrusions. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked,” Kazmierczak said.

Breaking It Down

This is simply another sign of sloppy data handling by a major company. This should never have happened to CareFirst. But what do you expect when you have absolutely poor data security standards in the health care industry? Another sad fact is that the company experienced this data breach last year but is just announcing it now. That's why we have to have a national data breach standard law and we need it now! CareFirst is trying to make its customers feel better by saying no information such as social security numbers, medical claims, employment, credit card or financial information was in the database. So what! The information that was there is enough for a cyber criminal to use to hijack an email account, launch a phishing campaign, or even steal an identity. With the information they did get they can get the rest. As for black people who ask “what does that mean to me?” I just told you.

Obama: The First Cyber President

President Obama can lay claim to the title of America’s first cyber president. Since his first election victory as our Commander-in-Chief, the president has demonstrated the power of cyber space and using social media to connect with voters, raise money and address issues. As president he has stepped up to address cybersecurity issues facing the nation.

Beginning with his first presidential campaign, the Obama camp seized cyber space high ground by using social media to connect with younger voters and spark grassroots movements.

The Obama campaign had the advantage from the beginning by hiring 24-year-old Chris Hughes, co-founder of Facebook, as a key social media strategist. Hughes’ social media strategy was simply unstoppable, from social networking sites to podcasting and mobile messaging.

Candidate Obama was rarely seen without his BlackBerry throughout the campaign. The Obama campaign leveraged every possible social media platform including Facebook, YouTube, MySpace, Twitter, Flickr, Digg, BlackPlanet, LinkedIn, AsianAve, MiGente, Glee, and many others. In the new era of cyber and social media campaigns McCain never had a chance.

Against Romney the Obama campaign had an established social media machine. The Romney campaign was not as inept as McCain’s but they could not achieve the traction that the Democrats had. The Romney campaign required as many as 22 approvals for a single Twitter message. Contrast that with the Obama campaign that used Twitter quickly and creatively.

In his first administration President Obama stepped up to the plate to recognize the need for cybersecurity and protection of American prosperity. In his May 2009 speech the president showed he was solidly focused on cyber security.  

“America’s economic prosperity in the 21st century will depend on cybersecurity.”

President Obama, 2009

Under the president’s leadership the administration has moved the nation toward enhancing cybersecurity through the following initiatives:

  • 2009, 60-day Cyberspace Policy Review, spearheaded by Melissa Hathaway, who recommended a number of ways to enhance U.S. cybersecurity efforts, one of which was the creation of a Cybersecurity Coordinator position within the White House.
  • 2009, Obama named Howard Schmidt to the position.
  • U.S. Cyber Command was established in June of 2009. U.S. Cyber Command (CYBERCOM) is responsible for America’s defensive and offensive cyberwar capabilities. Under President Obama the unit is expected to see a 500% manpower increase from 2014 through 2016.
  • The FBI has started to embed cyber investigators abroad with foreign police units in the Ukraine, Estonia, and Holland.
  • 2009, President Obama initiated a 60-day interagency cyber security review to develop a strategic framework to ensure the Comprehensive National Cybersecurity Initiative (CNCI) is being appropriately integrated, resourced, and coordinated with Congress and the private sector.
  • 2009, Homeland Security Department released a draft of a government plan to designate the roles and responsibilities of agencies and industry in responding to cyber incidents.
  • 2010 Senator Joe Lieberman (D, CT) introduced the Cyberspace as a National Asset Act. It became known as President Obama’s Internet kill switch. The bill would permit President Obama, at his discretion, to declare a “national cyber-emergency.”  This authority would include limiting or even cutting off connections to the World Wide Web for up to 30 days. The bill is extremely controversial and has not been signed into law even though it has bi-partisan support.
  • 2013 President Obama signs Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
  • 2014 President Obama signs five cyber security bills into law:
    • Federal Information Modernization Act
    • Border Patrol Agent Pay Reform Act
    • Cyber Security Workforce Assessment Act
    • National Cybersecurity Protection Act
    • Cybersecurity Enhancement Act
  • 2015 President Obama establishes the Cyber Threat Intelligence Integration Center to combat cyber attacks. Its mission will be to fuse intelligence from around the government when a crisis occurs.

Just last week President Obama gave the keynote address at the White House Summit on Cybersecurity and Consumer Protection at Stanford University. The president called cybersecurity the most serious economic national security challenge the country faces today.

President Obama presented his basic principles for dealing with threats to cybersecurity and consumer privacy, and emphasized the importance of the government and private sectors working together to eliminate the threat.

The President presented a number of policy proposals and asked Congress to pass legislation, including finally establishing a national data breach notification standard. If passed, Americans will be notified within 30 days if their information has been stolen. He also proposed the Student Digital Privacy Act and a Consumer Privacy Bill of Rights that would give Americans a baseline of protections, like the right to decide what personal data companies collect and the right to know how companies are using that information. Finally, the President signed an Executive Order Promoting Private Sector Cybersecurity Information Sharing.

From his first day on the presidential campaign trail to last week’s cyber summit, President Obama has shown he understands the incredible impact of the Internet as a communications and economic tool. There is no doubt that his campaign strategy will be studied by political strategists far into the future. Historians will also consider his election the turning point of election communications. History will remember him as not only the first African-American president but also the first cybersecurity president.

Now you know

See also: President Obama Launches Cyber Offensive, Part 2 & Part 3