06-16-14 | Blog Post
Mom always said to choose your friends wisely. Maybe she was trying to protect you from a data breach.
AT&T learned that lesson the hard way. From a statement released by the company:
“We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.”
This breach was less nefarious than the recent credit card data theft at P.F. Chang's, Target and other retailers. While the employees of the vendor had access to sensitive data (such as Social Security numbers), their intent reportedly was to find codes used to unlock mobile phones in the secondary market.
As Washington Post technology writer Brian Fung noted, the heavy restrictions mobile carriers place on unlocking your phone likely motivated the breach: “It’s clear there are people out there who will compromise our most sensitive information just to make it easier to recycle used devices.”
Regardless of the intent or the result, there’s one key sentence in the letter AT&T sent to affected customers: “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization.”
This isn’t the only breach in the news recently that harkens back to Mom’s advice mentioned above. In May, New York Presbyterian Hospital and Columbia University agreed to pay the Department of Health and Human Services $4.8 million to settle an alleged violation of the HIPAA Privacy and Security Rules. It’s the largest payment in history.
Tatiana Melnik, an attorney who focuses on data privacy and security issues, offered her thoughts on the case involving the affiliated, but separate, entities that operate a shared data network:
This settlement is a good reminder that covered entities, business associates, and subcontractors must choose their partners carefully. As more organizations implement data sharing agreements, form strategic healthcare IT partnerships (e.g., those involving big data, analytics, etc.), and otherwise store their data with vendors, data breach issues are inevitable. Healthcare providers and vendors must carefully review their agreements to ensure that each party bears the appropriate amount of risk. Provisions related to indemnification, limitation of liability, damages caps, and insurance requirements should be reviewed with special attention.
A lack of trust between business associates isn’t unusual when it comes to data breaches. A recent Ponemon Institute study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement.
The good news: An iHT2 report presents data that indicates business associates are paying greater attention to data security. From 2009 to 2012, business associates were involved in 56 percent of large-scale data breaches of 500 records or more. In 2013, that number was reduced to just 10 percent of breaches.
What can you do to make sure your IT friends are an alliance for good in the battle to protect sensitive data?
MelnikLegal: OCR reminds covered entities to choose friends carefully
FierceWireless: AT&T confirms data breach as hackers hunted for codes to unlock phones
Washington Post: Carriers’ tight grip on cellphone unlocking seems to have resulted in a cyberattack
iHT2’s 10 Steps to Maintaining Data Privacy in a Changing Mobile World
Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security