Billing Error Leads Breach Roundup

Incorrect Information Mailed to Patients
Billing Error Leads Breach Roundup

In this week's breach roundup, a third-party billing error led to a breach at the University of Pennsylvania Health System. Also, a former employee for a cloud-computing services provider pleaded guilty to hacking.

See Also: Why Active Directory (AD) Protection Matters

Patient Info Compromised in Mailing Error

The University of Pennsylvania Health System reports that one of its billing vendors, RevSpring of Wixom, Mich., had a malfunction in its printing operation that resulted in some patients receiving bills containing their correct information on one side and unrelated patient information on the reverse side of the statement.

More than 500 erroneous statements, affecting more than 1,000 patients, were mailed, a spokesperson for the health system told the Philadelphia Inquirer.

Compromised information includes the unrelated patient's name, physician, types of services and tests, and amount owed, the news report says.

The vendor discovered the issue and reported it to the health system on Dec. 5. It's working to investigate the cause and notify patients.

The health system did not reply to a request for comment.

Guilty Plea in Sabotage Case

A former employee for a cloud-computing services provider based in Virginia pleaded guilty to intentionally causing damage to a protected computer.

Jonathan Hartwell Wolberg, 31, of Tucson, Ariz., was indicted on Aug. 22, 2013, by a federal grand jury on charges related to computer hacking, according to a statement from the U.S. Attorney's Office for the Eastern District of Virginia.

Prosecutors withheld the name of the cloud provider. The U.S. Attorney's Office did not reply to a request for further information.

Wolberg continued to enter the network of his former employer after he resigned for the purpose of damaging its servers, reputation and business, the U.S. attorney's office says.

From March 16, 2012, to August 1, 2012, Wolberg secretly logged into the company's servers to issue a shutdown command to a key data server, the statement says. He then shut down the company's customer networks, making key information, including hospitals responsible for surgery and other urgent patient care, unavailable for at least several hours, according to prosecutors.

As a result, Wolberg caused hundreds of thousands of dollars of damage, the statement says. He faces a maximum penalty of 10 years' in prison when he is sentenced on April 11.

Phishing Hits Boston University

Fraudsters gained log-in information to the online accounts of 78 Boston University employees and changed the direct deposit routing information for the paychecks of 10 of them.

The employees most likely fell for a sophisticated phishing message, Quinn Shamblin, BU executive director of information security, told the university's publication, BU Today.

The University alerted the Massachusetts attorney general and the state's Office of Consumer Affairs and Business Regulation, according to the news report.

BU learned of the attack when several employees reported that they hadn't received their direct deposit paychecks for December, the news story says. The Boston University Police Department and technology personnel at the institution are working with federal investigators on the case.

The University is investigating whether the other 68 accounts were compromised.

Ireland Investigating Adobe Breach

Ireland's Data Protection Commissioner is investigating the massive Adobe breach in October 2013 that affected more than 38 million customer accounts.

"The office immediately launched an investigation into the matter, which is still ongoing," a spokesperson for the commissioner told Information Security Media Group.

The Data Protection Commissioner's office has received a number of complaints from individuals regarding the breach.

"The office would advise individuals to be vigilant of any unsolicited e-mails they receive and not click on links contained within or download files from any e-mail where they are not familiar with the sender," the spokesperson says.

According to an Adobe spokesperson, approximately 38 million active users had their IDs and encrypted passwords exposed (see: Adobe Breach Update Leads Roundup). Customer order details, including credit card information, for 2.9 million customers were affected.

Adobe notified the customers that their personal information, including encrypted payment card numbers, were compromised when the company's network was breached by unidentified intruders. Source code for numerous products was also illegally accessed, Adobe confirmed in a blog.

About the Author

Jeffrey Roman

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.