In data leaks and data loss news this week, we saw a government official e-mailing private information in the clear, private information blowing in the wind, a hospital employee fired for violating HIPAA on her own, personal Facebook account, from her own home, on her own time, and more.

Hingham, Mass., to inform 1,300 employees of compromised personal data. A town official inadvertantly sent a document containing names and social security numbers of everyone who worked for the town last year. The town is notifying affected employees by email and First Clas mail. (Office of Inadequate Security.)

Rockland town employees’ old payroll info scattered in street. The town of Rockland, Mass., loaded cancelled employee checks onto recycling truck to be hauled away, and then a wind scattered the checks on the road. The checks contained Social Security and bank account information of an unknown number of current and former employees. (The Patriot Ledger.)

Are data backups unintentionally expanding your PCI scope? To maintain PCI compliance, you don't just need to know where you're storing credit card numbers, you need to know where they're backed up. (StorefrontBacktak.)

Data leak puts Idaho hospital employees in danger. "A backup tape containing the private and sensitive data more than 1,000 current and former employees at Saint Alphonsus Regional Medical Center in Boise, Idaho, was recently lost." (Messaging Architects)

HIPAA Expands: Proposed rules extend scope of healthcare privacy regulations. The proposals would change the definition of business associate, and privacy restrictions. (Nelson Mullins)

Break’s over: after decline in 2009, breach reports appear to rise in 2010. The number of breaches is up, but the number of disclosed records seems to have declined significantly. (Office of Inadequate Security)

HHS quietly withdraws HIPAA breach-notification rule. Opponents said it gave too much discretion to healthcare organization on whether they disclosed privacy breaches. (FierceHealthIT.) Also, see the report on our blog: "HHS Withdrawing Proposed Breach-Alert Rule."

How to fail at Data Loss Prevention. "If you erect barriers to stop employees from sending protected, private information over the Internet, employees will simply work around those barriers. Instead, security managers need to educate users why sending unprotected information is a bad idea." (On our blog.)

Data Breach at Philly Hospital Impacts Thousands. Officials at Thomas Jefferson university Hospital in Philadelphia "said the names, birth dates, social security numbers, insurance information and other internal and administrative coding data, for approximately 21,000 patients was exposed after a laptop was stolen from an office in the hospital." (eSecurity Planet)

Hospital employee fired after posting patient information to Facebook. Cheryl James was sacked from her job at Oakwood Hospital in Michigan after posting a negative remark about an accused cop-killer who was brought in for treatment. She posted, on her own, private Facebook account, in her home, while off-duty, that she hoped he rotted in hell. The hospital said the post was a HIPAA violation, and canned her. (myFOXdetroit.com)

And for all the latest news and links about data breaches and privacy regulation, tune in to @PalisadeDLP on Twitter. We post links to relevant, interesting articles every business day between 9 am and noon CT.

The expression "you catch more flies with honey than vinegar" applies to Data Loss Prevention (DLP). If you erect barriers to stop employees from sending protected, private information over the Internet, employees will simply work around those barriers. Instead, security managers need to educate users why sending unprotected information is a bad idea.

Companies that fail at DLP see the technology as "an enforcement tool and not an awareness tool," writes Andreas M. Antonopoulos. "When DLP is implemented as an enforcement tool, the controls are strict and run the risk of disrupting business."

He adds, "[I]f Iran can't stop leaks with the threat of massive violence, what makes you think you can do it?"

The thing that really made me take notice of this article was something I've observed in my conversations with our customers: When we think about security threats to companies, most of us think of outside attackers. People with more sophistication about security know that insiders are a threat too; these are employees who are dishonest, disgruntled, or just plain dumb.

But your best employees are also a big threat, if they don't know the right way to do things. One of our customers told me about how our PacketSure™ solution helped find a helpful customer service rep in his company who wanted to be sure that customers verified their credit card numbers correctly. The customer service rep sent the credit card numbers back to the customers for confirmation. Over e-mail. Unencrypted. Whoops.

Another customer talked about how PacketSure™ helped reveal that doctors were sending electrocardiogram results back and forth over unencrypted FTP.

These are not bad employees. They might even be your best employees. And they're not stupid. They just don't know better. It's not their job to know better. It's IT's job to teach them.

An accounting manager needs to send the latest quarterly numbers to an external accounting or audit firm. He doesn't have encrypted e-mail, encrypted FTP or PGP. So he sends it by e-mail. Crude DLP only makes this problem worse: you stop the e-mail, they try gmail; you stop gmail, they try IM or facebook or whatever else they know. Whose fault is it if they don't have encrypted e-mail or SFTP or some better way of doing this? Not the user's fault -- IT is to blame.

One of the advantages of PacketSure™ is that it's your choice whether to block violations, route the violations to a third-party encryption solution, or just notify managers about the violation. That way, your users aren't driven to try to defeat PacketSure™; instead, we drive them to you, so you can find a solution to the problem that allows users to get the job done without creating security and regulatory violations.

The U.S. Department of Health and Human Services has withdrawn the proposed final version of a rule that requires organizations that handle medical records to notify patients in the event their personally identifiable health information is exposed in a data breach.

The proposed rule included a controversial proposal that would have allowed organizations to perform a self-audit in case of data breach, and decide for themselves if the breach is serious enough to warrant notifying the people whose records were breached, according to a report on ModernHealthcare.com

"This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur," HHS said in a public notice on its Web site. "We intend to publish a final rule in the Federal Register in the coming months."

Six members of the U.S. House of Representatives, led by Energy and Commerce Committee Chariman Rep. Henry Waxman (D-Calif.) and the committee's ranking member, Rep. Joe Barton (R-Texas), opposed the proposed rule.

The withdrawal doesn't affect the interim final rule on breach notification that went into effect last fall.

The new, proposed rule was part of the Health Insurance Portability and Accountability Act (HIPAA).

The Patient Privacy Rights Foundation was "thrilled" by the decision, according to FierceHealthIT:

Under the interim final rule, healthcare organizations only had to report HIPAA privacy and security breaches to OCR if the covered entity itself determined that the breach caused direct harm to the affected patients. "Put simply, the proposed final rule granted the power to decide whether to report breaches or not to the businesses that failed to protect sensitive health data, and would not want to disclose breaches," Patient Privacy Rights says in a press release. "Talk about letting the fox guard the hen house."

Rite Aid Corp. agreed to pay $1 million to settle potential HIPAA violations that occurrred when the pharmacy chain dumped prescriptions and pill bottles in trash containers. TV news videotaped Rite Aid employees throwing pill bottles with individuals' health information on the labels into dumpsters that were accessible to the public. ("Rite Aid will pay $1M for HIPAA privacy abuses," Government Health IT.)

Hackers are using configuration problems and programming errors rather than software vulnerabilities to steal information from computer users, according to the latest in an annual study from Verizon. Also, organized crime gangs are becoming a major force in data breaches, the study found. ("Verizon: Data breaches often caused by configuration errors," Computerworld.)

That same study found that insider breaches are on the rise. Malicious insiders were involved in 48% of cases, up 26% over last year, and in some cases freely revealed administrative passwords. ("Verizon data breach report 2010: Insider breaches on the rise," SearchSecurity.com.)

A privacy advocate has a legal right to post government officials' Social Security numbers online, as a means of protesting Virginia government computers that post Social Security numbers of private citizens, a court ruled. ("Privacy Advocate Can Post SS Numbers Online," Courthouse News Service.)

The South Shore Hospital in Massachusetts reported personal information for 800,000 people may have been lost when they were shipped to a contractor to be destroyed, and the hospital failed to receive notification that the job was done. The hospital was later informed that only part of the materials had been received and destroyed. There's no actual evidence of abuse, the hospital said. ("Hospital files with data of 800,000 are missing," Boston.com.)

Schools are putting children at risk of identity fraud by getting Social Security numbers when it's not required by law and often unnecessary, says the Social Security Administration's Office of Inspector General. ("Schools risk theft of SS numbers of children," The Washington Times.)

On our blog: The federal Heath Information Technology Policy Committee is considering regulations governing how patient privacy should be protected as when healthcare providers share electronic health records nationally. ("Federal 'Tiger Team' Mulls Patient Privacy Recommendations.")

Want to learn more about how Palisade Systems can help protect you against data leaks? Come to our weekly free Webinar on Thursday. Also, watch our two-minute video explaining what is Data Loss Prevention.

The federal Heath Information Technology Policy Committee is considering regulations governing how patient privacy should be protected as when healthcare providers share electronic health records nationally.

Healthcare providers should be "ultimately responsible for maintaining privacy and security of patient records," but may delegate some decisions to others, including IT partners such as health informaiton exchange organizations and IT vendors, according to recommendations sent to the committee, as reported by ModernHealthcare.com.

The committee also received a recommendation "that 'patient expectations' be considered when developing policies about how personal healthcare information will be used and shared so that patients will 'not be surprised to learn what happens to their data,'" ModernHealthcare.com said.

The committee received its recommendations from its privacy and security "tiger team," formed in June when Office of the National Coordinator of Health Information Technology at the U.S. Department of Health and Human Services furloughed two privacy and security working groups, in favor of one smaller, and hopefully more nimble privacy and security tiger team.

The tiger team was split on whether to adopt an opt-in or opt-out model for patients sharing records with health information exchanges. Under the opt-in model, patient information would be withheld from the exchanges unless patients gave their explicit permission. The reverse would be true under the opt-out model; the exchanges would get patient information by default, but information could be withheld if patients actively opt out, ModernHealthcare.com said.

The issue of opt-in vs. opt-out may not be settled, according to Government Health IT.

Ultimately there may not be a default policy, said Deven McGraw, tiger team chair and director of the Health Privacy Project at the Center for Democracy and Technology. Instead, the committee may consider “endorsing choice in certain circumstances as a requirement and that the choice fulfill certain elements and, from there, there just may be some judgment calls that the agency may have to make given all the rich discussion that we’ve had,” she said.

What the heck is Data Loss Prevention (DLP), and why should you care? Palisade Systems CEO Christian Renaud explains in this two-minute video.

The short version, for those of you too busy to even take 107 seconds to watch a video: Your business is entrusted with private customer information that you need to protect. This information includes Social Security numbers, credit card numbers, Personal Health Information (PHI) and personal financial information belonging to your customers. You also need to protect your company's trade secrets from getting out.

You need to protect that information. That's dictated by laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and privacy laws in California, Massachusetts and other states. Credit card information is protected by the Payment Card Industry Data Security Standard (PCI DSS). If that information gets out, you can be subject to fines, litigation, lost business and customer litigation.

Data loss is what happens when that information gets out. Data loss is also called data leakage. And Data Loss Prevention is ... well, I think you can take it the rest of the way on your own.

Palisade's PacketSure™ solution provides data loss prevention by sitting at the edge of your corporate network, and filtering information as it goes out onto the public Internet, watching for protected information and protecting it without disrupting your business processes. It's available as an appliance that installs in your company server room in less than an hour, or as a service from our Managed Service Provider (MSP) partners. View a video demo, or get a live demo, or get a free Secure Assessment.

Come to our free, weekly Webinar to learn how you can protect your company network against data leaks. We hold them every Thursday -- hope to see you there!

A data leak is what happens when one of your users utilizes the public Internet to send out unprotected customer Social Security numbers, credit card numbers, Patient Health Information (PHI), financial information, proprietary business knowledge, and other data that should be kept confidential. This kind of data is protected by an alphabet soup of federal and state regulations and business rules, including the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), state privacy laws in California, Massachusetts, and elsewhere, as well as the Payment Card Industry Data Security Standard (PCI DSS). Violating these rules can damage your reputation, cost business, and result in massive fines.

Palisade Systems can help. Our PacketSure™ solution stands guard at the perimeter of the network, watching outgoing traffic for protected information. PacketSure™ alerts you when employees are trying to send protected information over the public Internet and can optionally automatically route the data through third-party encryption tools, or block the information outright. PacketSure™ works without disrupting your business processes. It comes in two ways: As a rack-mounted appliance, which installs on your premises in under 45 minutes, or as a service from our Managed Service Provider (MSP) partners.

Find out more about why Data Loss Prevention (DLP) is important, to you, and how PacketSure™ can protect you, at our free Webinar.

WHEN: Thursdays, 4 pm CDT.

To sign up and get instructions for logging in, send an e-mail to p8-webinar@palisadesystems.com.

Can't make it this week? You can catch us next week, and afterward; same time every Thursday.

Are you worried about protecting proprietary information, such as customer Social Security numbers, credit card numbers, private health information and private financial information? Join our free webinar Thursday and find out how Palisade Systems' PacketSure™ solution can help.

PacketSure™ is an easy way for small- and medium-sized enterprises to guard the perimeter of their networks, to prevent data leaks of protected information onto the public Internet. PacketSure™ is available as an easy-to-install appliance that runs in your company data center, or from Managed Service Provider (MSP) partners. Coming soon: Data Loss Prevention (DLP) as a service on the Internet.

DLP is good business. If proprietary customer information gets leaked onto the Internet, it damages your brand and drives away business. It's also the law: Companies are required to protect customer data under an alphabet soup of rules and regulations: The Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and privacy laws in California, Massachusetts, and elsewhere.

Find out more about why DLP is important, data leaks are dangerous, and how Palisade can help.

WHEN: Thursday, July 15, 4 pm CDT.

To sign up and get instructions for logging in, send an e-mail to p8-webinar@palisadesystems.com.

Can't make it this week? You can catch us next week, and afterward; we have them at the same time every Thursday.

Dark Reading looks at the record for database breaches in 2010 to date, and it's not pretty. Institutions have already been hit by six major breaches, and the second half of the year is just starting.

What's interesting to me at Palisade is that half of these breaches involve holes that our PacketSure™ technology helps protect.

One of the breaches involved unencrypted confidential data stored on a laptop. "An Arkansas soldier caused the Arkansas Army National Guard a lot of embarrassment earlier this year when he brought home an external hard drive containing a copy of the Guard's entire personnel database with the personal information of more than 32,000 current and former Guardsmen.," Dark Reading reports. PacketSure™ monitors endpoints to be sure secure data is encrypted.

Two breaches involved confidential data being sent unprotected over the Internet: "A staff doctor who set up a Web application that tapped into a University of Louisville database of dialysis patients put hundreds of patient records at risk by failing to use password protection to prevent unauthorized access to the application." Also, "a business logic flaw in a Web application that was tied to a database of individual insurance customers of health giant WellPoint allowed unauthorized users to potentially access any of 470,000 customer records. The vulnerability was discovered by a WellPoint customer who found that a simple URL manipulation could give her access to other customers' personal data."

PacketSure™ monitors Web traffic leaving your organization's network to watch for patient health data and other confidential information.

We're not going to claim that PacketSure™ is all the protection you need. (What's the old expression? No system is foolproof because fools are so ingenious.) But PacketSure™ from Palisade can be an important part of your organization's data protection regime. To find out more about why DLP is important and how Palisade Systems can help, join us for a free Webinar this afternoon and every Thursday at 3 pm CDT. Or get a live demo, or free Secure Assessment.

Find out why it's important to protect your network against leaks of confidential information, including customer credit cards numbers, Social Security numbers, private health and financial information and more. Sign up for the latest in our series of free Webinars.

We'll show you why Data Loss Protection (DLP) is important, and how PacketSure™ from Palisade Systems is a fast and easy way to help protect your network against harmful data leaks.

You're required to protect your data, under regulations including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI DSS) rules, and state laws in California, Massachusetts and elsewhere. Find out how we can help at our free Webinar.

WHEN: Thursday, July 8, 3 pm CDT.

To sign up and get instructions for logging in, send an e-mail to p8-webinar@palisadesystems.com

Can't make it this week? Don't worry, we have them at the same time every Thursday.