Showing posts with label data breach. Show all posts
Showing posts with label data breach. Show all posts
Sunday, 11 August 2019
Alleged data theft by HealthEngine leaves hundreds of thousands of Australians vulnerable
Perhaps now is the time for readers to check who owns the company they might use to make medical appointment online.
ABC News, 8 August 2019:
Australia's biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling patient information to law firms.
The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct.
In June last year, the ABC revealed HealthEngine was passing on users' personal information to law firms seeking clients for personal injury claims.
The details of the deal were contained in secret internal Slater and Gordon documents that revealed HealthEngine was sending the firm a daily list of prospective clients at part of a pilot program in 2017.
The ACCC has also accused the company of passing the personal information of approximately 135,000 patients to insurance brokers in exchange for payments.
"Patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers," ACCC chairman Rod Sims said in a statement.
The information sold included names, phone numbers, dates of birth and email addresses.
The ACCC has not said how much money the company earned form the arrangement.
The ABC revealed last year that HealthEngine had also boasted to advertisers that it could target users based on their symptoms and medical conditions.
HealthEngine has also been accused of misleading consumers by manipulating users' reviews of medical practices.
"We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews," Mr Sims said.
Among a range of examples, the ACCC alleges that one patient review was initially submitted as: "The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online."
But when that review was made public, it was allegedly changed to simply read: "The practice is good."
HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege....
Labels:
ACCC,
data breach,
data theft,
Health Services,
information technology,
Internet,
privacy
Wednesday, 22 May 2019
The Abbott-Turnbull-Morrison Federal Government still hasn't made personal health data secure
Since about 2014 it has been known that the personal details of Medicare
cardholders has been for sale on the dark web.
Despite an April
2014 report by the Australian
National Audit Office that the Consumer
Directory - which contains all Medicare customer records - was not secure
and that cardholder
details were for sale, the federal Liberal-Nationals
Coalition Government does not appear to have comprehensively acted act on
the issue of database security.
It was not
unknown that Medicare cardholder details were being used fraudulently.
When contacted
by the mainstream media in July 2017 the Liberal MP for Aston and then Minister for Human Services Alan Tudge denied
any prior knowledge of cardholder details being offered for sale.
It was not reported that at the time if he was asked about instances of Medicare cardholder details being used to commit fraud or identity theft.
In August 2017 eHealth Privacy Australia was telling
the Senate Finance and Public Administration Committee that:
•
There are fundamental weaknesses in both the HPOS (Medicare card data) and My Health
Records systems, which make them vulnerable to illegal access.
•
Those weaknesses mean that fraudulent users of the systems can assume the
identity of legitimate users to gain illegal access.
•
It is not sufficient to mitigate these weaknesses in the My Health Records system.
By 1 January
2019 IT
News was
reporting that Medicare cardholder details fraudulently obtained had been used to access an individual’s My Health Record:
The number of data
breaches involving the My Health Record system rose from 35 to 42 in the past
financial year, new figures show.
The Australian Digital
Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28
notifications) were reported to the Office of the Australian Information
Commissioner” in 2017-18.
As with previous years,
the agency said that “no purposeful or malicious attacks compromising the
integrity or security of the My Health Record system” were reported in the
period.
Of the 42 breaches, one was the result of “unauthorised
access to a My Health Record as a result of an incorrect Parental Authorised
Representative being assigned to a child”, the agency reported.
A further two breaches were from “suspected fraud against
the Medicare program where the incorrect records appearing in the My Health
Record of the affected individual were also viewed without authority by the
individual undertaking the suspected fraudulent activity”, ADHA said.
In addition, 17 breaches were the result of “data
integrity activity initiated by the Department of Human Services to identify
intertwined Medicare records (that is, where a single Medicare record has been
used interchangeably between two or more individuals)”, the agency said. [my
yellow highlighting]
Despite this
knowledge the Abbott-Turnbull-Morrison
Government has still not grasped the nettle, because on 16 May 2019 The
Guardian reported:
Australians’ Medicare
details are still being illegally offered for sale on the darknet, almost two
years after Guardian Australia revealed the serious privacy breach.
Screenshots of the
Empire Market, provided to Guardian Australia, show the vendor Medicare Machine
has rebranded as Medicare Madness, offering Medicare details for $US21.
Other vendors charge up
to $US340 by offering fake Medicare cards alongside other fake forms of
identification – such as a New South Wales licence.
The Medicare Madness
listing suggests the Medicare details “of any living Australian citizen” have
been available since September 2018.
Guardian Australia first
reported patient details were on sale in July 2017, verifying the listing
by requesting the data of a Guardian staff member and warning that Medicare
card numbers could be used for identity theft and fraud.
The revelation
prompted a
review lead by former secretary of the Department of Prime Minister and Cabinet
Peter Shergold.
The report did not
identify the source of the Medicare data leak but suggested that people could
use publicly available information about healthcare providers – including their
provider number and practice location – to pass security checks and obtain a
Medicare card number through the Department of Human Services provider hotline.
The review panel warned
the “current security check for release of Medicare card information provides a
much lower level of confidence than the security requirements” for Health Professional
Online Services, the portal that allows providers to make rebate claims.
An IT industry source,
who refused to be named, said the re-emergence of the data breach brings into
question government assurances around the privacy of medical data “when those
responsible cannot even manage the security of Medicare cards”.
The source said there is
a “concerted effort at the moment by law enforcement to curtail darknet market
activity”.
“In reality the darknet
markets, while disrupted momentarily when their sites are brought down, easily
relocate and continue business.”
Darknet markets can
simply private message existing clients with a new link to resume business
elsewhere. [my yellow highlighting]
Thus far the federal government has failed to recognise where Medicare cardholder details may be being accessed unlawfully, as this 2 August 2018 ABC online article indicates:
Privacy experts have warned that the system
opens up health records to more people than ever before, thereby increasing the
threat surface — the number of vulnerabilities in a system — dramatically.
Dr Bernard Robertson
Dunn, who chairs the health committee at the foundation, says once the data is
downloaded into the health system, the My Health record system cannot guarantee
privacy.
"Once the data has
been downloaded to, for instance, a hospital system, the protections of the
hospital system apply, and then the audit logs apply to the hospital system —
not to My Health record.
"So there is no way
the Government would know who has accessed that data, and it is untraceable and
untrackable that that access has occurred."
Labels:
big data,
data breach,
information technology,
Medicare,
My Health Record,
privacy,
safety
Thursday, 2 May 2019
Dozens of Centrelink clients have had their names published on Facebook by a Commonwealth-funded work-for-the-dole provider
ABC
News, 26
April 2019:
Dozens of Centrelink
clients have had their names published online in what has been described as a
"shocking" abuse of privacy.
A Commonwealth-funded
work-for-the-dole provider uploaded lists of people who were required to attend
client meetings to a public Facebook page.
"We are at a loss
as to why anyone would post about workers' appointments online," union
official Lara Watson said.
"We were shocked at
the publication of names on a social media platform."
The incidents are the
latest to emerge from the Government's flagship remote employment scheme, the
Community Development Programme (CDP).
Nearly 50 people from
the Northern Territory community of Galiwinku, located 500 kilometres east of
Darwin, were affected.
The job service
provider, the Arnhem Land Progress Association (ALPA), established the social
media page apparently with the intention of uploading such lists.
"Welcome to our
Facebook page where we will be posting appointments, courses and CDP
information," it wrote last month.
The two sheets of names
were posted to the Galiwinku CDP page on March 11 and 12.
Both images were shared
to another local Facebook group titled Elcho Island Notice Board, which has
more than 2,000 members.
One CDP insider
denounced the online uploads, saying they were unprecedented and could have
placed job seekers at risk.
"If a person has a
family violence order in place to protect them, then perhaps the perpetrator
would know where she was," said the source, who requested anonymity.
"It advertised that
a person is accessing welfare services, and unfortunately in Australia there's
discrimination against people accessing welfare services.
"People can be
bullied for being unemployed."
The Galiwinku CDP page
appears to have since been removed from the internet but the organisation
denied any wrongdoing.
"We do not believe
that this is a breach of confidentiality," an ALPA spokeswoman said.....
"All ALPA CDP
participants give … media consent when they commence as a participant."......
Wednesday, 1 May 2019
Facebook spends more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy – but refuses constructive action
“It is
untenable that organizations are allowed to reject my office’s legal findings
as mere opinions. Facebook should not get to decide what Canadian privacy law
does or does not require.” [Canandian Privacy Commissioner Daniel
Therrien, 25 April 2019]
Facbook Inc. professes that it has taken steps to ensure the intregrity of political discourse on its platform, but rather tellingly will not roll out transparency features in Australia that it has already rolled out in the US, UK, Eu, India, Israel and Ukraine.
The only measure it commits to taking during this federal election campaign is to temporarily ban people outside Australiabuying ads that Facebook determines are “political”.
So it should come as no surprise that Canada issued this three page news release…….
Office of the Privacy Commission of
Canada, news
release, 25 April 2019:
Facebook refuses to
address serious privacy deficiencies despite public apologies for “breach of
trust”
Joint investigation
finds major shortcomings in the social media giant’s privacy practices,
highlighting pressing need for legislative reform to adequately protect the
rights of Canadians
OTTAWA, April 25,
2019 – Facebook committed serious contraventions of Canadian privacy laws
and failed to take responsibility for protecting the personal information of
Canadians, an investigation has found.
Despite its public
acknowledgement of a “major breach of trust” in the Cambridge Analytica
scandal, Facebook disputes the investigation findings of the Privacy
Commissioner of Canada and the Information and Privacy Commissioner for British
Columbia. The company also refuses to implement recommendations to address
deficiencies.
“Facebook’s refusal to
act responsibly is deeply troubling given the vast amount of sensitive personal
information users have entrusted to this company,” says Privacy Commissioner of
Canada Daniel Therrien. “Their privacy framework was empty, and their vague
terms were so elastic that they were not meaningful for privacy protection.
“The stark contradiction
between Facebook’s public promises to mend its ways on privacy and its refusal
to address the serious problems we’ve identified – or even acknowledge that it
broke the law – is extremely concerning.”
“Facebook has spent more
than a decade expressing contrition for its actions and avowing its commitment
to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy
says, “but when it comes to taking concrete actions needed to fix transgressions
they demonstrate disregard.”
Commissioner McEvoy says
Facebook’s actions point to the need for giving provincial and federal privacy
regulators stronger sanctioning power in order to protect the public’s
interests. “The ability to levy meaningful fines would be an important starting
point,” he says.
The findings and
Facebook’s rejection of the report’s recommendations highlight critical
weaknesses within the current Canadian privacy protection framework and
underscore an urgent need for stronger privacy laws, according to both
Commissioners.
“It is untenable that
organizations are allowed to reject my office’s legal findings as mere
opinions,” says Commissioner Therrien.
In addition to the power
to levy financial penalties on companies, both Commissioners say they should
also be given broader authority to inspect the practices of organizations to
independently confirm privacy laws are being respected. This measure would be
in alignment with the powers that exist in the U.K. and several other countries.
Giving the federal
Commissioner order-making powers would also ensure that his findings and
remedial measures are binding on organizations that refuse to comply with the
law.
The complaint that
initiated the investigation followed media reports that Facebook had allowed an
organization to use an app to access users’ personal information and that some
of the data was then shared with other organizations, including Cambridge
Analytica, which was involved in U.S. political campaigns.
The app, at one point
called “This is Your Digital Life,” encouraged users to complete a personality
quiz. It collected information about users who installed the app as well as
their Facebook “friends.” Some 300,000 Facebook users worldwide added the app,
leading to the potential disclosure of the personal information of
approximately 87 million others, including more than 600,000 Canadians.
The investigation
revealed Facebook violated federal and B.C. privacy laws in a number of
respects. The specific deficiencies include:
Unauthorized access
Facebook’s superficial
and ineffective safeguards and consent mechanisms resulted in a third-party
app’s unauthorized access to the information of millions of Facebook users.
Some of that information was subsequently used for political purposes.
Lack of meaningful
consent from “friends of friends”
Facebook failed to
obtain meaningful consent from both the users who installed the app as well as
those users’ “friends,” whose personal information Facebook also disclosed.
No proper oversight over
privacy practices of apps
Facebook did not
exercise proper oversight with respect to the privacy practices of apps on its
platform. It relied on contractual terms with apps to protect against
unauthorized access to user information; however, its approach to monitoring
compliance with those terms was wholly inadequate.
Overall lack of
responsibility for personal information
A basic principle of
privacy laws is that organizations are responsible for the personal information
under their control. Instead, Facebook attempted to shift responsibility for
protecting personal information to the apps on its platform, as well as to
users themselves.
The failures identified
in the investigation are particularly concerning given that a 2009
investigation of Facebook by the federal Commissioner’s office also found
contraventions with respect to seeking overly broad, uninformed consent for
disclosures of personal information to third-party apps, as well as inadequate
monitoring to protect against unauthorized access by those apps.
If Facebook had
implemented the 2009 investigation’s recommendations meaningfully, the risk of
unauthorized access and use of Canadians’ personal information by third party
apps could have been avoided or significantly mitigated.
Facebook’s refusal to
accept the Commissioners’ recommendations means there is a high risk that the
personal information of Canadians could be used in ways that they do not know
or suspect, exposing them to potential harms.
Given the extent and
severity of the issues identified, the Commissioners sought to implement
measures to ensure the company respects its accountability and other privacy
obligations in the future. However, Facebook refused to voluntarily submit to
audits of its privacy policies and practices over the next five years.
The Office of the
Privacy Commissioner of Canada plans to take the matter to Federal Court to
seek an order to force the company to correct its privacy practices.
The Office of the
Information and Privacy Commissioner for B.C. reserves its right under
the Personal Information Protection Act to consider future actions
against Facebook.
Related documents:
* Note: my yellow highlighting
Nor should this alleged 'mistake' made by Facebook cause surprise.......
The
New York Times,
25 April 2019:
SAN FRANCISCO — The New
York State attorney general’s office plans to open an investigation into
Facebook’s unauthorized collection of more than 1.5 million users’ email
address books, according to two people briefed on the matter.
The inquiry concerns a practice
unearthed in April in which Facebook harvested the email contact lists of a
portion of new users who signed up for the network after 2016, according to the
two people, who spoke on condition of anonymity because the inquiry had not
been officially announced.
Those lists were then
used to improve Facebook’s ad-targeting algorithms and other friend connections
across the network.
The investigation was
confirmed late Thursday afternoon by the attorney general’s office.
“Facebook has repeatedly
demonstrated a lack of respect for consumers’ information while at the same
time profiting from mining that data,” said Letitia James, the attorney general
of New York, in a statement. “It is time Facebook is held accountable for how
it handles consumers’ personal information.”…
Users were not notified
that their contact lists were being harvested at the time. Facebook shuttered
the contact list collection mechanism shortly after the issue was discovered by
the press…..
Facebook Inc's rapacious business practices has been the death of online privacy and now threatens the democratic process.
Labels:
data breach,
data mining,
Facebook,
information technology,
Internet,
law,
privacy,
safety
Monday, 25 February 2019
Yet another Australian health data base compromised
The
Age, 20
February 2019:
A cyber crime syndicate
has hacked and scrambled the medical files of about 15,000 patients from a
specialist cardiology unit at Cabrini Hospital and demanded a ransom.
The attack is now the
subject of a joint investigation by Commonwealth security agencies.
Melbourne Heart Group,
which is based at the private hospital in Malvern, has been unable to access
some patient files for more than three weeks, after the malware attack crippled
its server and corrupted data.
The malware used to
penetrate the unit's security network is believed to be from North Korea or
Russia, while the origin of the criminals behind the attack has not been
revealed.
The online gang
responsible for the data breach demanded a ransom be paid in cryptocurrency
before a password would be provided to break the encryption.
The Age understands
that a payment was made, but some of the scrambled files have not been
recovered, among them patients' personal details and sensitive medical records
that could be used for identity theft.
Some patients were told
that their files had been lost but were not given any explanation. Others have
turned up for appointments for which the hospital had no record.
The Australian Cyber
Security Centre, which is part of the Australian Signals Directorate – the
government agency responsible for Australia's cyber warfare and information
security – said it was assisting the hospital with cyber security advice.
The Australian Federal
Police has also been briefed.
A Melbourne Heart Group
spokeswoman said it was working with government agencies to resolve the issue.
Labels:
cyberspace wars,
data breach,
Health Services
Wednesday, 19 December 2018
Facebook Inc still getting caught out spreading fake news and breaching users' privacy
The
Guardian, 13
December 2018:
Journalists working as
factcheckers for Facebook have
pushed to end a controversial media partnership with the social network, saying
the company has ignored their concerns and failed to use their expertise to
combat misinformation.
Current and former
Facebook factcheckers told the Guardian that the tech platform’s collaboration
with outside reporters has produced minimal results and that they’ve lost trust
in Facebook, which has repeatedly refused to release meaningful data about the
impacts of their work. Some said Facebook’s hiring of a PR firm that used
an antisemitic
narrative to discredit critics – fueling the same kind of propaganda
factcheckers regularly debunk – should be a deal-breaker.
“They’ve essentially
used us for crisis PR,” said Brooke Binkowski, former managing editor of
Snopes, a factchecking site that has partnered with Facebook for two years. “They’re
not taking anything seriously. They are more interested in making themselves
look good and passing the buck … They clearly don’t care.”….
“Why should we trust
Facebook when it’s pushing the same rumors that its own factcheckers are
calling fake news?” said a current Facebook factchecker who was not authorized
to speak publicly about their news outlet’s partnership….
“Working with Facebook makes us look bad,”
added the journalist, who has advocated for an end to the partnership…..
ABC
News, 15
December 2018:
Facebook said a bug had
exposed private photos of up to 6.8 million users, the latest in a string of
glitches that have caused regulators around the world to investigate the social
media giant's privacy practices.
The bug allowed some
1,500 applications to access private photos for 12 days ending September 25,
Facebook said.
"We're sorry this
happened," it said in a blog targeted at developers who build apps for its
platform.
Facebook said the bug
was now fixed.
The problem is the
latest in a string of security and privacy issues that have caused complaints
from users and led to investigations by regulators and politicians.
The issues include the
massive Cambridge Analytica scandal and a security breach that affected nearly 30 million users.
The company said it
would send an alert through Facebook to notify users whose photos may have been
exposed by the latest issue.
The alert will direct
them to a link where they will be able to see if they have used any apps that
the bug allowed to access private photos.
Facebook shares fell 1.2
per cent early trading, compared to a 0.9 per cent decline in the Nasdaq
composite index......
Labels:
data breach,
ethics,
Facebook,
fake news,
Social media
Monday, 23 July 2018
Clifton Gardens-Mosman residents, you have a data breach......
looks like apple got access to a bunch of Australian business regos and just dumped them into maps without validation. Now everyone’s ‘retirement trusts’ (SMSFs) are showing up... pic.twitter.com/2etZKaTYMA— Maxwell Swadling (@mxswd) July 21, 2018
I spy with my little eye a former "young broker of the year", a number of Self-Managed Superannuation Funds and a slew of private corporations whose registered addresses are not so private anymore.
Labels:
data breach,
information technology,
Internet
Sunday, 15 July 2018
"Bad actor" Facebook Inc given £500,000 maximum fine - any future breach may cost up to £1.4bn
The
Guardian, 11
July 20018:
Facebook is to be fined
£500,000, the maximum amount possible, for its part in the
Cambridge Analytica scandal, the information commissioner has announced.
The fine is for two
breaches of the Data Protection Act. The Information Commissioner’s Office
(ICO) concluded that Facebook failed
to safeguard its users’ information and that it failed to be transparent about
how that data was harvested by others.
“Facebook has failed to provide the kind of
protections they are required to under the Data Protection Act,” said Elizabeth
Denham, the information commissioner. “Fines and prosecutions punish the bad
actors, but my real goal is to effect change and restore trust and confidence
in our democratic system.”
In the first quarter of
2018, Facebook took £500,000 in revenue every five and a half minutes. Because
of the timing of the breaches, the ICO said it was unable to levy the penalties
introduced by the European General Data Protection (GDPR), which caps fines at
the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case,
$1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.
As one of the IT whistleblowers described the situation...
Just to sum up. 1) Facebook broke the law. 2) Cambridge Analytica broke the law. 3) Vote Leave broke the law. 4) LeaveEU broke the law. 5) Brexit and Trump were both won through breaking the law. 6) Facebook let it all happen and covered it up. https://t.co/CAOrP5rKry— Christopher Wylie 🏳️🌈 (@chrisinsilico) July 11, 2018
Labels:
data breach,
Facebook,
law,
privacy,
safety
Sunday, 1 July 2018
Oi! Malcolm Bligh Turnbull and every dumb-witted member of his federal government as well as every premier and member of a state or territory government – when are you all going to wake up to the fact that digital is bloody dangerous?
For literally hundreds of years now, first in colonial, then in dominion and later in federation periods, Australia has relied on a 'paper and ink' processes to decide major political votes by its eligible citizens.
By and large this system has produced reliable results with regards to the people's will.
This is evidence of just the
latest red flag that Australian governments have ignored ……
The Mercury online, 30 June 2018:
The personal information
of about 4000 Tasmanian voters has been leaked after a data breach on a
third-party website linked to express votes, the state’s Electoral Commission
has revealed.
Tasmanian Electoral
Commissioner Andrew Hawkey said hackers had access to the names, dates of
birth, emails and postal addresses of those who applied for an express vote at
the recent state and Legislative Council elections.
“Early today, the
Tasmanian Electoral Commission was informed by the Barcelona-based company
Typeform, that an unknown third party had gained access to one of their servers
and downloaded certain information,” he said.
“Typeform online forms
have been used on the TEC website since 2015 for some of its election services.
The breach involved an unknown attacker downloading a backup file.
“Typeform’s full
investigation of the breach identified that data collected through five forms
on the TEC website had been stolen.”
The breach was
identified by Typeform on June 27 and shut down within half an hour of
detection, Mr Hawkey said.
“The Electoral
Commission will be contacting electors that used these services in the coming
days to inform them of the breach,” Mr Hawkey said.
“The Electoral
Commission apologises for the breach and will re-evaluate its collection
procedures and internal security elements around its storage of electoral
information for future events. The breach has no connection to the national or
state electoral roll.”
Mr Hawkey said some of
the stolen information had previously been made public, such as candidate
statements for local government by-elections.
Typeform said it had
responded immediately and had fixed the source of the breach to prevent further
hacks.
“We have since been
performing a full forensic investigation of the incident to be certain that
this cannot happen again,” a statement on the Typeform website read.
“The results that were
accessed are from a partial backup dated May 3, 2018. Results collected since
May 3 are therefore safe and not compromised.’
Typeform reportedly
provides services for some pretty big names, including Apple, Uber, Airbnb and
Forbes.
The hack comes after up
to 120,000 Tasmanian job seekers may have had their personal information
compromised following a data breach reported by human resources company PageUp
in early June.
That site was linked to
the Tasmanian Government and the University of Tasmania.
The State Government is
still waiting for a further response from PageUp but it is believed the breach
was limited to names, addresses, emails and phone numbers.
Subscribe to:
Posts (Atom)