Data Breaches

Credit Card Data Breach

The office supply chain Staples is investigating a potential breach of credit card data. According to Mark Cautela, Staples’ senior public relations manager, “Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”

Security specialists believe the hackers are using a variant of Backoff, the same malicious software used in the Target and Home Depot attacks, among others.

The malware, Backoff, made headlines this past summer. According to Crosman (2014), “One of millions of malware mutations out there, Backoff tries to break into point-of-sale networks and steal credit card data; 600 retailers have reportedly been hit.” Crosman adds that the concerns about Backoff surface as cyber-attacks against financial institutions and retailers are growing more frequent, more sophisticated, and more widespread. Many banks have recently fallen victim to “masquerading,” a combination of social engineering and confidence scam that uses high-tech tools and generally results in wire transfer fraud. Backoff-like malware is said to have been behind several recent high-profile retailer breaches, including those at Target, P.F. Chang’s, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.

“Enterprises are now coming to the conclusion that they are either already compromised, or will soon be,” says Aviv Raff, CTO at APT defense firm Seculert. “It’s not a matter of ‘if,’ it’s a matter of ‘when.’ The breach shows the necessity of moving from trying to prevent an attack to try and detect and respond as quickly as possible.”

In August, the U.S. Secret Service warned that 1,000 U.S. businesses may have been infected by Backoff malware, although at that time, only a handful of related breaches had come to light. The same month, the Department of Homeland Security issued a warning to all businesses that use POS systems, urging them to scan their systems for signs that they’d been compromised.

References:

Crosman, P. (2014). How ‘Backoff’ malware works and why banks care. Retrieved from http://www.americanbanker.com/issues/179_149/how-backoff-malware-works-and-why-banks-should-care-1069180-1.html

Schwartz, M.J. (2014). Staples launches breach investigation. Retrieved from http://www.govinfosecurity.com/staples-launches-breach-investigation-a-7459

Weise, E. (2014). Staples in Northeast likely breached with ‘more to come’. Retrieved from http://www.usatoday.com/story/tech/2014/10/21/staples-breach-northeast/17663941/

HIPAA and Data Breaches

This blog will address the many lawsuits that occurred because of HIPAA violations due to data security breaches. It will also take a look at the methods used by those who breach the data.

Under the Breach Notification Rule of August 2009, part of the Health Information Technology for Economic and Clinical Health Act, HIPAA-covered entities and their business associates are required to provide notification following a data breach of protected health information. Breaches that compromise the protected health information of 500 or more individuals must be posted by the Department of Health and Human Services. Since the 2009 rule, 489 HIPAA-covered entities have reported breaches involving 500 individuals or more.

New York Presbyterian Hospital (NYP) and Columbia University (CU) have recently agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information held on their network.  The monetary payments of $4,800,000 include the largest HIPAA settlement to date. It appears that with this judgment, many healthcare organizations are beginning to take patient identity management and security more seriously.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated September 27, 2010, regarding the disclosure of the protected health information of 6,800 individuals, including patient identity, status, vital signs, medications, and laboratory results. 

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP.  The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.”  NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing protected health information.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient protected health information.  Because of a lack of technical safeguards, deactivation of the server resulted in the information being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the information of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of protected health information on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.  Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP health information.  As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of patients’ protected health information.  Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR a monetary settlement of $3,300,000 and CU $1,500,000, with both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

References:

U.S. Department of Health and Human Services. (2014, May 7). Data breach results in $4.8 million HIPAA settlements. Retrieved from http://www.hhs.gov/news/press/2014pres/05/20140507b.html

Patient safety and Identity Management

Identity & Security in Healthcare

This blog will address patient safety issues in healthcare and the importance of ID management. Issues such as the wrong distribution of medications have been a growing concern in healthcare facilities because providers do not properly identify the patient first. This blog will also suggest methods to improve these issues.

According to various studies, over 195,000 deaths in the United States occur annually because of medical errors. Of those medical errors, about 60 percent were attributed to a failure to correctly identify the patient. Accurately identifying patients and linking them with their medical records are significant challenges today for hospitals, healthcare providers and payers, with the government representing one of the largest stakeholders in this industry. Improper patient identification can occur for many different reasons, including common names, misspellings, numeric transpositions, fraud, and patient language barriers. These identity errors result in adverse financial and clinical issues for the hospital, provider, and patients.

In addition to the issue of misidentification, there is also the problem of “incomplete” patient medical records. Studies have shown that a considerable amount of duplicate medical records are created in hospitals. This means that portions of a patient’s complete medical record are spread across multiple records leading to continuity of care issues, potential delays in treatment and/or medical errors. Duplicate records can also lead to redundant or unnecessary testing, medical and billing errors, and bad claims. In smaller institutions (with patient databases of less than one million records), the duplication rate is typically between 5%–10%, and for larger institutions (with patient database greater than four million records), duplication rates can range from 15 to 40%. Correcting patient database records can be a substantial expense; for large hospitals this can add up to millions of dollars per cleanup every few years. Database record cleanup is a flawed approach since it addresses the problem only after it has occurred rather than dealing with the root cause of the problem, which is inadequate patient identification and record matching. Unfortunately, this problem grows exponentially as the number of institutions and medical providers for a single patient increases.
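
The causes listed above (misspellings, transposed digits, accented versus plain characters) are exactly what defeats exact-match record lookups and silently creates duplicates. The following is an added example, not code from the original post or from WCT, showing how normalisation plus fuzzy comparison surfaces such pairs for human review while refusing to merge two different people who merely share a similar name. The patient records, the field layout and the 0.85 similarity threshold are all constructed for illustration.

```python
"""Patient-record matching demo: shows how a misspelled name, a transposed
digit in a date of birth, or an accented character creates a duplicate
record, and how normalisation plus fuzzy comparison surfaces such pairs
for review. Added example, not from the original post; the records,
the 0.85 threshold and the field layout are all constructed."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from itertools import combinations
import re
import unicodedata

NAME_THRESHOLD = 0.85  # constructed tuning value; calibrate on real data


@dataclass(frozen=True)
class Patient:
    mrn: str    # medical record number (constructed)
    first: str
    last: str
    dob: str    # YYYYMMDD
    phone: str  # digits only, may be empty


def norm_name(name: str) -> str:
    """Casefold, strip accents and drop non-letters: 'Álvarez' -> 'alvarez'."""
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.casefold())


def name_similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, norm_name(a), norm_name(b)).ratio()


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one swap of adjacent characters
    (the classic keyed-in '12' vs '21' error)."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def match_reason(p: Patient, q: Patient):
    """Return why p and q look like the same person, or None.
    A similar name alone is never enough: a second identifier must agree,
    otherwise two genuinely different 'Catherine Johnson's would be merged."""
    sim = name_similarity(f"{p.first} {p.last}", f"{q.first} {q.last}")
    if sim < NAME_THRESHOLD:
        return None
    if p.dob == q.dob:
        return "dob"
    if is_transposition(p.dob, q.dob):
        return "dob-transposed"
    if p.phone and p.phone == q.phone:
        return "phone"
    return None


def find_duplicates(records):
    """All candidate duplicate pairs as (mrn, mrn, reason), for human review."""
    out = []
    for p, q in combinations(records, 2):
        reason = match_reason(p, q)
        if reason:
            out.append((p.mrn, q.mrn, reason))
    return out


# Constructed sample: one real patient entered three ways, a distinct person
# with a near-identical name, and an accent-vs-ASCII pair.
RECORDS = [
    Patient("1001", "Katherine", "Johnson", "19800312", "6195550101"),
    Patient("1002", "Kathrine", "Johnson", "19800312", "6195550101"),   # misspelling
    Patient("1003", "Katherine", "Johnson", "19800321", ""),            # day digits swapped
    Patient("1004", "Catherine", "Jonson", "19751105", "6195550199"),   # different person
    Patient("1005", "Miguel", "Álvarez", "19901230", "6195550123"),
    Patient("1006", "Miguel", "Alvarez", "19901230", "6195550123"),     # accent dropped
]

if __name__ == "__main__":
    for a, b, why in find_duplicates(RECORDS):
        print(f"MRN {a} ~ MRN {b}: {why}")
```

The deliberate design point is that `match_reason` only reports a pair when a second identifier corroborates the name: record 1004 scores above the name threshold against 1001 but has a different date of birth and phone, so it is left alone. Flagged pairs are presented for review rather than merged automatically, which is the part of the workflow the cleanup projects described above tend to skip.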

Patient identity management is also a critical function for healthcare-related federal and state government agencies. Federal and state government agencies pay over half of U.S. formal health-care costs as employers and through Medicare, Medicaid and state-level programs. Through policies, regulation, direct involvement and budget allocation, government agencies increasingly shape the U.S. health-care system. Central to all government agency healthcare activities are patients and the requirement to accurately and appropriately identify, handle, treat and track them. To accomplish this, patient identity management is critical to agencies’ ability to link all patient-related information within and across systems and the healthcare network. As the U.S. moves away from paper-based medical records that are controlled by physical access to buildings, rooms, and files, there is a need to have an infrastructure that supports strong identity and security controls. The issues with establishing identity are compounded as electronic medical records are used by many different organizations at the regional, state, and national levels.

A solid patient identity management foundation produces a range of benefits to patients, healthcare providers, payers, regulators and other stakeholders. These benefits include reducing the risk of medical errors, lowering healthcare costs, reducing fraud and limiting healthcare identity theft. For these reasons, a patient identity management infrastructure needs to become a foundational element of every patient-related information system.

WCT is in the business of Compliance, Identity & Security assurance. For more information, you can reach us on (globalsales@wct-inc.com)

References:

AHIMA. (2009, July). Managing the integrity of patient identity in health information exchange. Journal of AHIMA, 80(7), 62-69.

Rand. (2008). Identity crisis: An examination of the costs and benefits of a unique patient identifier for the U.S. healthcare system. Retrieved from http://www.rand.org/pubs/monographs/MG7

Smart Card Alliance. (n.d.). Healthcare identity management: The foundation for a secure and trusted national health information network. Retrieved from http://www.smartcardalliance.org/resources/pdf/Healthcare-Identity_Management_Position_Paper-20090930.pdf

Increasing Amount Of Data Breaches Resulting In Identity Fraud

An increasing number of consumer data breaches are resulting in identity fraud, and federal privacy advocates are looking to California policies for guidance.

The headlines before last Christmas were hard to miss. Retailer Target announced debit and credit card information of about 40 million of its customers had been compromised. A new report from the National Consumers League may give those customers more cause to worry. The report finds that in 2013 nearly 1 in 3 data breaches resulted in fraud, up from 1 in 9 in 2010.

The League’s John Breyault says federal breach notification legislation is needed so all consumers can protect themselves. And he says California’s law should serve as a model.

“Among other things, it requires prompt notification, there’s no cause of harm analysis before notification happens,” he says. “There’s a private right and the types of information that would trigger a notification is very broad.”

Joanne McNabb with the California Attorney General’s Office says the state was the first to create a data breach notification law in 2003. She says it’s been strengthened several times since then. It now requires people be notified if their email or Internet passwords have been breached.

“Both because that can put the information in people’s accounts at risk, but also because it’s unfortunately common that we use the same passwords over and over again,” she says. “So if one password is breached that can put all accounts at risk.”

In California, McNabb says, any data breach that affects more than 500 people must be reported to the state. She says 167 such breaches occurred in 2013, up 20 percent from the year before.

References:
Orr, K. (2014, July 10). Increasing amount of data breaches resulting in identity fraud. Retrieved from http://www.kpbs.org/news/2014/jul/10/increasing-amount-data-breaches-resulting-identity/

What is Identity Management Technology?

In enterprise IT, identity management refers to the process of using emerging technologies to manage information related to identity of users or employers, and control access to the company’s resources. Identity management is employed to enhance security and productivity while keeping a tab of costs that come with managing users and identities. The current business environment demands new approaches to security through trends such as social media, cloud and mobile. An open enterprise has replaced the network perimeter, and users, data, and applications exist almost anywhere. By letting businesses enable and protect the open enterprise, identity management solutions typically serve to securely deliver new online services quickly, protect key assets from external attacks and internal threats, minimize the expenses of security and compliance management, and enable secure collaboration among employees and clients.

The technologies that fall under the identity management category include identity repositories, reporting and monitoring apps, security-policy enforcement applications, provisioning software and password-management tools. More recently, these technologies have been grouped into software suites with added capabilities such as digital-certificate management, automated smart-card administration and enterprise-wide credential administration. Identity management broadly refers to the management of individual identities within a system, such as a network, an organization, or even a country. The main objective of identity management in a corporate setting is to provide one identity per individual. Once this digital identity is established, however, it has to be managed, updated, and administered through what can be called the access lifecycle.

Different Users and Different Types of Identity Data

Many kinds of users access the systems within an organization: employees, customers, vendors, partners, and contractors. Almost every system and application identifies its own users, decides how they sign in, and determines what privileges they are entitled to. Privileges, in simple terms, are what users can see and do. This information about users has to be managed from the time an employee is hired, through their tenure as their identity information or business roles change, and when they leave. Each system is different and comes with its own security management user interface, change request processes and administration rules. This complexity also affects IT operations, since the same user must be managed on different parts of the infrastructure by different staff members. It also affects users, who are forced to memorize multiple login details and sign-on processes. There are also different types of users in an enterprise scenario – insiders, including employees and contractors, and outsiders, including vendors, partners, and customers – and there may be more outsiders than insiders. This is where identity management solutions simplify administration: they equip administrators with the technologies and tools needed to change a user’s role, track a user’s activity, and enforce rules on a continuous basis. The solutions typically provide a means of administering access across a network and ensuring that corporate policies and government regulations are complied with.
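
The hire / role-change / departure sequence described above is the access lifecycle, and the failure that matters is access that outlives its justification: a mover keeping an old role’s grant, a leaver whose account is still live, or an account with no identity behind it. The following is an added example, not code from the article or from any IDM product, modelling a single identity store with role-derived entitlements and a reconciliation pass that compares what each system actually holds against what the store says it should. The roles, systems, users and privileges are constructed.

```python
"""Access-lifecycle demo: one identity per person, entitlements derived
from the person's role, and a reconciliation pass that flags accounts
still holding access the identity store no longer grants. Added example,
not from the original article; roles, systems and users are constructed."""

# Role -> set of (system, privilege). Constructed.
ROLE_ENTITLEMENTS = {
    "analyst":    {("siem", "read"), ("ticketing", "write"), ("vpn", "connect")},
    "finance":    {("erp", "write"), ("vpn", "connect")},
    "contractor": {("ticketing", "read")},
}


class IdentityStore:
    """Single source of truth for who exists, their role and their status."""

    def __init__(self):
        self.users = {}   # username -> {"role": str, "status": str}
        self.audit = []   # (event, username, detail) in order of occurrence

    def _log(self, event, user, detail=""):
        self.audit.append((event, user, detail))

    def join(self, user, role):
        """Joiner: create the identity and grant the role's entitlements."""
        if user in self.users:
            raise ValueError(f"{user} already exists; one identity per person")
        self.users[user] = {"role": role, "status": "active"}
        self._log("join", user, role)

    def move(self, user, new_role):
        """Mover: change role; the old role's grants must go, not just be added to."""
        old = self.users[user]["role"]
        self.users[user]["role"] = new_role
        self._log("move", user, f"{old}->{new_role}")

    def leave(self, user):
        """Leaver: identity stays for audit history, but grants nothing."""
        self.users[user]["status"] = "terminated"
        self._log("leave", user)

    def expected(self, user):
        """What this identity should hold right now."""
        rec = self.users.get(user)
        if rec is None or rec["status"] != "active":
            return set()
        return set(ROLE_ENTITLEMENTS[rec["role"]])


def reconcile(store, actual_accounts):
    """Compare per-system accounts (as observed) with the store's view.
    Findings: 'orphaned' (access with no active identity behind it),
    'excess' (active user holding more than the role grants),
    'missing' (role grants it but no account exists)."""
    findings = []
    for user in sorted(set(store.users) | set(actual_accounts)):
        expected = store.expected(user)
        actual = set(actual_accounts.get(user, set()))
        rec = store.users.get(user)
        active = rec is not None and rec["status"] == "active"
        for ent in sorted(actual - expected):
            findings.append((user, "excess" if active else "orphaned", ent))
        for ent in sorted(expected - actual):
            findings.append((user, "missing", ent))
    return findings


def demo():
    """Constructed scenario: a mover keeps a stale grant, a leaver keeps an
    account, and one account has no identity record at all."""
    store = IdentityStore()
    store.join("alice", "analyst")
    store.join("bob", "contractor")
    store.move("alice", "finance")
    store.leave("bob")

    # Accounts as they actually exist on the target systems (constructed).
    observed = {
        "alice": {("erp", "write"), ("vpn", "connect"), ("ticketing", "write")},
        "bob":   {("ticketing", "read")},
        "carol": {("siem", "read")},   # no identity record behind this account
    }
    return store, reconcile(store, observed)


if __name__ == "__main__":
    store, findings = demo()
    for user, kind, (system, priv) in findings:
        print(f"{kind:9s} {user:6s} {system}:{priv}")
```

Run on a schedule, `reconcile` is the “enforcing rules on a continuous basis” part: every finding is either a revocation to make (excess, orphaned) or a provisioning gap (missing), and the audit list in the store is what an auditor asks for when checking that each grant traces back to a join or move event.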

Author: Henry James

About the Author
Check out Trewidm, which provides IDM implementation services to customers of leading organizations in finance, health care, manufacturing and more.

Forged Passports: Are Biometrics the Future?

In 2013, over one billion people were estimated to have travelled internationally, according to the UN’s World Tourism Organization.  With the massive number of travelers, security challenges are rising for airlines and airport security agencies. 

Malaysia Airlines flight MH370, which disappeared en route from Kuala Lumpur to Beijing on March 8, 2014, has yet to be recovered. Even worse, the revelation that two Iranian passengers on the flight were travelling on passports reported stolen has uncovered a lapse in airport security. Malaysia Airlines and immigration officials have been subjected to intense condemnation over their alleged failure to detect the passengers travelling on false documents (Pearson & Ahmed, 2014). However, forging passports remains a major issue, and Malaysia is just one of many countries that has difficulty in monitoring passport fraud.

After the terrorist attacks on September 11th, the International Civil Aviation Organization (ICAO) commenced a review of airline/airport security with the primary focus being on passports. In 2003, the conditions for biometric passports were established. The ICAO expects all of its members (192 countries) to introduce biometric passports by 2015, but there is currently no international deadline. If biometric passports are implemented in the future, perhaps the incidence of forged passports will virtually disappear.

References:

  1. International Civil Aviation Organization. (2006). Machine readable travel documents (Report No. 9303). Quebec, Canada: International Civil Aviation Organization (ICAO) Printing.
  2. Pearson, M., & Ahmed, S. (2014, March 11). Who were the mystery men on missing Malaysia Airlines flight 370? Retrieved from http://www.cnn.com/2014/03/10/world/asia/malaysia-airlines-mystery-passengers/
  3. World Tourism Organization UNWTO. (2013). International tourism demand exceeds expectations in 2013 (PR No. PR13048). Retrieved from http://media.unwto.org/press-release/2013-08-25/international-tourism-demand-exceeds-expectations-2013

ITAR COMPLIANCE IN EUROPE, 2014

OCR Services Inc. is pleased to announce its participation in and sponsorship of the “ITAR COMPLIANCE IN EUROPE 2014” conference, to be held in Munich, Germany, on 11-12 June 2014.

Come and meet with OCR at this exciting event to learn about our broad range of products and solutions for Global Trade Management and Compliance for governments and private sector enterprises... or just to get answers to any questions you may have.

Who should attend?

  • Export compliance officers
  • Export control managers
  • International contract managers
  • Procurement managers
  • Purchasing directors
  • Sales and Marketing directors
  • Project management officers
  • In-house counsels

World Compliance Technologies sponsors eMerge Americas

World Compliance Technologies was proud to be a Silver sponsor at the eMerge Americas event held in Miami Beach from May 2-6, 2014. Armed with the latest technology in identity and security, WCT showcased SafeHand™, a robust biometric pattern authentication solution based on palm vein recognition.

eMerge Americas is a large-scale technology conference that attracts the world’s leading technology companies and focuses on key trends driving growth in the Latin American IT market. eMerge attracted thousands of attendees from Latin America, North America and Europe with in-depth analysis of the key drivers impacting the IT sector in the Americas.

Over the course of two days, the WCT team met with IT decision makers, executives, and entrepreneurs, and received strong interest in SafeHand™. From healthcare to education, WCT demonstrated unique capabilities in enhancing physical security and managing identity in an array of markets.
