Hacking in the Pharmaceutical Industry

* Eli Lilly Settles FTC Charges Concerning Security Breach
  Company Disclosed E-mail Addresses of 669 Subscribers to its Prozac Reminder Service

* Novartis India Website Hacked
  4/9/2009
  The website of the Indian arm of Swiss drug major Novartis was hacked on Tuesday. When contacted, a company spokesperson confirmed the report to PTI, saying "we will make all efforts to ensure that the website is up and running at the earliest."

* GSK E-mail Database Hacked
  4/11/2011
  On April 4, 2011, we were informed by Epsilon, a company we have used to manage email communications on our product websites, that files containing the email addresses of some of our consumers were accessed by an unauthorized third party. You are receiving this message because you have registered on one of our product websites. For a list of our products, please visit our website, http://us.gsk.com/

* Anonymous hackers hit pharma giant, Bayer's website
  6/27/2011
  Bayer confirms "illegal interference" with Italian website after Anonymous-affiliated hackers make Twitter boast.

* Pfizer Facebook Page Hacked on 7/22/11
  Pfizer has regained control of its corporate Facebook page after hackers temporarily defaced it earlier this week.

* Genentech Patients Suffer a Security Breach
  October 12, 2011
  This includes such information as name; address; phone; date of birth; e-mail address; driver's license number; Social Security number; medical information and health insurance information, according to a September 29 letter that the Roche unit wrote to the New Hampshire Attorney General.

Top 5 U.S. Government Web Sites Hacked in 2011

* The U.S. Senate
  Back in June, LulzSec claimed responsibility for a successful cyberattack on the U.S. Senate Web site.

* The Pentagon
  In July, Deputy U.S. Secretary of Defense William Lynn admitted that a "foreign intelligence service" stole 24,000 sensitive defense department files in a single March operation.

* The CIA
  America's own Central Intelligence Agency saw its worst nightmare come true when www.cia.gov went down on July 15, with the hacker group LulzSec claiming responsibility.

* NASA
  Hackers reportedly compromised a page on NASA's Jet Propulsion Laboratory Web site. The online attack came just days before the final launch of NASA's shuttle Endeavour, which was scheduled for May 16.

* FBI
  The month of June this year witnessed another high profile government agency falling prey to hackers.

Security Breaches in the Health Care Industry

* Aetna named in security-breach lawsuit
  June 2009: Aetna Inc. is being sued for a data breach that allegedly exposed current, former and prospective employees' personal information to the Web. Aetna also suffered a similar data breach in 2006.

* Fears over patient data as NHS computers are hacked
  June 9, 2011
  Computer hackers have penetrated NHS systems, triggering fears that the security of highly sensitive patient records is at risk.

* Patient Data Losses Jump 32%
  The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.

* Military Health Plan Threatens 4.9 Million Data Breach
  October 4, 2011
  A data breach involving nearly 5 million people treated at military healthcare facilities over a 19-year period is raising questions about whether U.S. Federal Trade Commission (FTC) rules supersede Health Insurance Portability and Accountability Act (HIPAA) regulations.

* Massive Healthcare Security Breach in Puerto Rico
  November 29, 2010
  A data breach at a managed care service provider in Puerto Rico may have exposed personal information on over 400,000 customers. "According to the disclosure, one or more employees of Puerto Rico's Medical Card System illegally accessed restricted areas of the organization's website until Sept. 30"

Security Breaches on the Rise

Health care costs on the rise due to increased Security Breaches

* According to a study by the Digital Forensics Association, the medical industry reported 115 percent more data breach incidents in 2010 compared to 2009
* More than 58 percent of healthcare organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft.

* Health Care Data Breaches Increase by 32 Percent: Ponemon Report
  December 1, 2011
  The Ponemon Institute, a research firm that advises organizations on data security and privacy, has released a new survey of the health care industry showing a 32 percent increase in data breaches.

The Cost:

* Data breach incidents cost U.S. companies $204 per compromised customer record in 2009, compared to $202 in 2008
* The average total per-incident costs in 2009 were $6.75 million, compared to an average per-incident cost of $6.65 million in 2008.
* Financial impact of data breach incidents over a two-year period came out to approximately $2 million per organization
* Total economic burden created by data breaches on US hospitals has climbed to almost $12 billion over the past two years
* The most expensive data breach event included in this year's study cost a company nearly $31 million to resolve. The least expensive total cost of data breach for a company included in the study was $750,000

Security Breaches

The top three breaches reported in 2011 include:

* Viruses and malware (46%)
* Laptop or mobile hardware device theft (22%)
* Phishing/Pharming (20%)

* Massive hack hit 760 companies
  October 28, 2011
  A list of 760 organizations that were attacked was presented to Congress recently and published by security analyst Brian Krebs.

Companies Included:

* Abbott Laboratories
* Cisco
* Charles Schwab
* Google
* Freddie Mac
* Facebook
* Wells Fargo
* Yahoo
* Microsoft
* Amazon
* IBM
* Intel
* PriceWaterhouseCoopers

90% of companies say they've been hacked

* In a recent survey by Ponemon Research on behalf of Juniper Networks, of 583 U.S. companies, 90% of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months.
* Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.
* About 32% of the respondents said their primary security focus was on preventing attacks, but about 16% claimed the primary focus of their security efforts was on quick detection of and response to security incidents.
* About one out of four respondents said their focus was on aligning security controls with industry best practices.

* HHS counts 200 data breaches
  October 30, 2010
  The U.S. Department of Health and Human Services counts nearly 200 health information data breaches of records for 500 or more individuals. The breaches often occur at "highly respected and sophisticated healthcare providers," writes Michael Kline of the Fox Rothschild law concern.

* NIH Data Breach Triggers Compliance
  March 25, 2008
  Who Breached: National Institutes of Health
  Number Affected: 2500
  Information breached: clinical trial information
  How: laptop stolen
  A laptop containing medical information for 2500 people enrolled in a National Institutes of Health (NIH) clinical trial has been stolen, putting these patients at risk for medical identity fraud. The laptop was stolen from the trunk of a car on Feb. 23rd. The laptop contained clinical trial data going back 7 years, including names, medical diagnoses, and heart scans. The data was not encrypted, despite government policies that require this precaution. According to the NIH, the first attempt to encrypt the laptop failed, and the laboratory chief named Andrew Arai, who used the laptop, did not follow up with IT.

* In 2011, 170 of 481 publicly disclosed breaches happened in the medical industry

* Cybersecurity Expert Hacked Medtronic Insulin Pump
  August 25, 2011
  A cybersecurity expert and diabetic who recently showed that his insulin pump is vulnerable to hacking has revealed the maker of his device: Fridley-based Medtronic Inc. Jay Radcliffe, a 33-year-old Idaho man who hacked into his own pump at a cybersecurity conference earlier this month, said Thursday that he initially withheld the name of the manufacturer in an effort to work with the medical technology company on security issues.

* Nasdaq Confirms Servers Breached
  February 7, 2011
  The public company that owns the Nasdaq Stock Market confirmed reports that its servers had been breached. "Through our normal security monitoring systems we detected suspicious files on the U.S. servers unrelated to our trading systems and determined that our Web facing application Directors Desk was potentially affected," according to a statement released by Nasdaq OMX Group.

* Hackers Break Into Virginia Health Professions Database, Demand Ransom
  May 4, 2009
  Hackers last week broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. They deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records, according to a posting on Wikileaks.org, an online clearinghouse for leaked documents. "I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."

* Georgia man pleads guilty to hacking into Japanese drug maker's U.S. computer network
  August 16, 2011
  A 37-year-old Georgia man pleaded guilty yesterday in Newark to hacking the computer system of a Japanese pharmaceutical company's U.S. subsidiary and crippling the business for days after his friend and former supervisor lost his job with the drug-maker.

* Hacking into e-health records is too easy, group says
  September 17, 2007
  Hackers can access many e-health records and modify them unbeknownst to the software's legitimate users, according to a new study by an organization concerned about EHR vulnerabilities. It found that a low level of hacking skills would suffice to get into a system, retrieve data and make changes, such as altering medication dosages or deleting records. The good news: The "risk of vulnerability exploitation can be dramatically reduced when vulnerabilities are known and appropriate security controls are in place," the report's executive summary states.

* UKRAINIAN HACKER TO FORFEIT $580,000 AFTER TRADING ON STOLEN INFORMATION
  March 31, 2010
  After hacking into Thomson Financial's computer network to obtain nonpublic financial information about pharmaceutical consultancy IMS Health, a Ukrainian man was ordered by a U.S. judge to pay $580,000 in penalties, according to Reuters News Agency.

What's Causing Security Breaches?

* According to a joint study by Ponemon and Intel Corporation, the healthcare and pharmaceutical industry had the highest rate of laptop thefts
* Most breach occurrences result from unintentional employee action, lost or stolen computing devices and third-party errors
* Forty-six percent of laptops contained confidential data; only 30 percent used encryption
* Most organizations (two-thirds) don't take advantage of security practices like encryption, which would keep data secure if a device the information resided on were stolen

Most data breaches are caused by insiders:

* Insiders were responsible for over 60% of data breaches of protected health information (PHI)
* 35% of the PHI breaches were due to insiders' snooping into medical records of fellow employees
* 27% due to improper access to records of their friends and relatives.

* Insider Threats, Misused Privileges are Leading Causes of Security Breaches
  December 7, 2011
  Last week, Verizon Business released its 2010 Data Breaches and Investigations Report. According to the report, 48% of data breaches are caused by insiders, up from only 22% last year.

Resolving Security Breaches?

Healthcare Security Breaches Can Cause Headaches and Millions in Fines

* It can take three to six months to resolve a data security breach incident

April 19, 2011
HealthNet is a provider of managed health care services, and the hard drives that are missing from an IBM-operated datacenter in Rancho Cordova, California, contain some 1.9 million customer records, including information such as names, social security numbers, addresses, financial information, and, of course, health care records (PHI). Regardless of whether HealthNet and its vendors met DHHS' HITECH requirements, Health Net faces $250 per record in fines, which may reach $1,200 per fine in the near future. At 1.9 million records potentially lost, this could definitely result in the maximum fine (could be as much as $5 million). Other penalties could include roughly $2 per customer notification ($3.8 million), identity theft insurance for customers that could be well in excess of $5 million and countless potential lawsuits in the years to come.

* Many companies had to subscribe customers or employees to free credit monitoring services that ranged from $10 to $25 per month/customer or employee.