Category Archives: Data Destruction Services

Maxxum Helps Mitigate Risk When Disposing Medical Equipment

March 27, 2017


How Maxxum Helps You Mitigate Risk When Disposing Medical Equipment

“The dirty little secret is that most (medical) manufacturers did not anticipate the cybersecurity risks when they were designing them a decade ago, so this is just scratching the surface really.”

That statement is a sobering reality for the medical profession. It’s from a CNBC interview with Kevin Fu, who directs the University of Michigan’s Archimedes Center for Medical Device Security. “There is no [impervious] device; pretty much every device that has a computer in it is breakable,” Fu told CNBC’s “On the Money.”

In this day and age almost all medical devices contain some type of information that is susceptible to thieves, not only while the devices are active, but even after they are taken off-network. The truth is, data lingers even after equipment is retired and a hospital or doctor’s office believes it has removed all of the information.

So how can Maxxum help mitigate risk in the medical device industry? Here’s a great example of a recent success story: Maxxum was provided with a pocket-sized, battery-operated device for measuring lung volume (a spirometer). It was thought to be “clean” but Maxxum’s forensic process uncovered 2,200 unique patient records that included patient name, birthdate, sex, test dates, test results and more.

The success of your business is contingent on the integrity of your intellectual property. Maxxum has extensive experience removing all traces of information from technology assets before they go downstream. We protect your sensitive information and ensure compliance with all regulatory requirements, indemnifying you from liability.

Maxxum works with a variety of companies to ensure that their medical devices have had all traces of information and data removed before downstream destruction of equipment is completed.

Maxxum is your partner in risk mitigation. We’re with you through the entire lifecycle of your computers, electronics and all technology, providing valuable support and guidance during acquisition, disposal, and during any custody change.

Learn more on how Maxxum can help you alleviate that risk.

4 Questions to Ask Your Technology Disposal Company

November 3, 2015


When you’re ready to dispose of your old technology assets, do so with the support and guidance of people whose job it is to stay on top of the ever-evolving regulatory and security requirements: a certified compliant and dependable technology disposal company.

4 Things You Need to Know About Your Technology Disposal Company

We’ve outlined a few questions to ask your technology disposal company:

1. Are they certified for data destruction and environmental compliance?

With so many stories about data breaches and information leaks dominating the news over the last few years, most organizations are a little spooked about how they’re disposing of their used technology assets.

You may be vulnerable to legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and your customers. Financial penalties can be quite harsh, and a tarnished reputation can have long-term ramifications.

Environmental compliance laws have become far more strict over the last decade, and getting hit with environmental penalties is a bad “look” for any organization. Now more than ever, it’s important to vet a technology asset disposal company to ensure they have industry certifications for both security and environmental compliance.

2. Do they understand the resale market?

Your technology asset disposal company should know the resale market inside and out in order for your organization to get the best return on the equipment it’s retiring.

PCs, laptops, and servers that are less than three to four years old retain value, even if they’re no longer of use to your company. If you’re ready to dispose of your technology assets, why not recover that value? Remarketing your technology assets is an opportunity to recoup some of the initial investment or cover some or all of the disposal costs.

Your technology asset disposal company should understand price trends on the resale market and help your organization plan ahead and determine when your assets will turn from revenue generators to cost creators. They should help you plan to refresh your technology cycles to ensure that you get the optimum value on your old equipment.

3. How do they document data destruction and disposal?

Find out from any potential provider how they document their full process. Too many things can go wrong during the disposal process that could leave your organization liable for mistakes made by your provider.

Disposing of data can have security, financial, and software asset management implications. Proper documentation can shield your company from financial and legal penalties. You should be provided with a Certificate of Data Destruction and a detailed inventory report, as well as a report to show the environmental impact that your responsible recycling is having.

4. Can they serve all of your locations?

Technology asset disposal can be a pretty complicated matter. From drive sanitization to environmental compliance, there are numerous reasons to rely on a proven and trusted technology disposal company.

Don’t forget to ask about logistics. Your vendor has to have experience that allows them to serve all of your sites and the logistical capability to properly handle all of your assets.

If you have multiple locations, make sure you hire a disposal company that can handle your workload and that understands the different regulations that might be in play in each of your locations.

 

Copiers Could be Putting Sensitive Information at Risk

February 26, 2015

Updated: 02/23/2015 11:33 AM
Created: 02/19/2015 8:46 PM KSTP.com
By: Josh Rosenthal

Copy machines are in nearly every office around the world. Most of us use them without thinking twice, which is exactly what identity thieves are counting on.

Almost every time you make a copy, so does your copier.

Back in October, we got a tip. A computer expert told us nearly every copier has a hard drive, just like a computer, and it stores images of everything. So we responded to a Craigslist ad and got a copier for free. Then we took it to a computer forensics expert at LuciData in downtown Minneapolis.

What he found in less than 15 minutes shocked us all: sensitive information belonging to more than a dozen people, including names, addresses, social security numbers, W2s, credit reports, and thousands of dollars in copied checks.

“With the documents I found, a criminal could easily perpetrate some sort of identity theft against that person,” explained LuciData’s Chris Schulte.

The copier belonged to a financial company, based in Minneapolis. The owner refused to talk to us. He also expressed zero interest in telling his clients about the data breach.

When asked how often something like this happens, Schulte said, “well, how many copiers are in use?”

From there, we reached out to three major copier manufacturers. They said their copiers all have built-in security features. A spokesperson from Konica Minolta told us for some companies the security features started in 2010, when a national media report alerted many customers to the problem.

“After that story broke, customers were asking for hard drive security kits, and companies were scrambling to find (them),” Konica Minolta said.

Five years later, we wanted to see just how many Minnesotans knew about the problem. We got four more copiers off Craigslist, all from local businesses.

“I don’t think anybody even considers it,” said Tony Borner of Tony’s Appliance Inc. We didn’t find any data on Borner’s copier, but we were able to pull sensitive data off of two others, bringing our total to three data breaches from five copiers.

“If an identity thief ended up with these exact same five copiers, they would have literally hundreds and hundreds and hundreds of documents containing personal information,” Schulte said.

The fifth copier led to the largest haul: 662 documents, including 25 social security numbers and more than $130,000 in copied checks. We bought it from another financial company. The owner said he’s just too shocked and too embarrassed to comment.

So, here’s what you can do to protect your information: Schulte says if you’re going to get rid of an old copier, remove the storage device first. It could be a hard drive or a compact flash card. Either way, it’s replaceable so you could sell your copier without one. Also, if you’re in an office setting, talk to whoever services your copier. There’s a good chance it has security features that may just need to be turned on.


$10 Million Fine in Improper Disposal Case

January 15, 2015

Safeway Cited in Handling of Pharmacy Records, Waste

January 14, 2015.

The grocery store chain Safeway has been ordered to pay a $9.87 million penalty as part of a settlement with California prosecutors related to improper disposal of confidential pharmacy records and hazardous waste in dumpsters.

The settlement resolves allegations that Safeway unlawfully disposed of customer pharmacy records containing private medical information in violation of California’s Confidentiality of Medical Information Act.

Prosecutors in California also alleged Safeway unlawfully disposed of various hazardous materials over a period of longer than seven years. Those materials included over-the-counter medications, pharmaceuticals, aerosol products, ignitable liquids, batteries, electronic devices and other toxic, ignitable and corrosive materials, according to a statement from the Alameda County District Attorney’s Office. That office took the lead on the civil enforcement lawsuit filed on Dec. 31 by a coalition of 43 California district attorneys and two city attorneys.

Safeway operates about 500 stores and distribution centers in California under a number of brand names, including Von’s, Pavilions and Pak ‘n Save, and is in the process of merging with another large grocery chain, Albertsons, which operates stores in several states under brands that include ACME, Albertsons, Jewel-Osco, Lucky, Shaws, Star Market and Super Saver.

The case against Safeway by the California district attorneys was based on a series of waste inspections of dumpsters belonging to Safeway facilities conducted by state environmental regulators and other inspectors during 2012 and 2013.

Kenneth Mifsud, Alameda County assistant district attorney, tells Information Security Media Group that the inspections were conducted at dozens of Safeway stores about once a month during an 18-month period. Investigators – who examined retail store waste taken to landfills – found violations in about 40 percent of the stores inspected. In some cases, pharmacy documents, such as store summaries listing medical and personal information on dozens of patients, were found among the waste, he says.

“The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers’ confidential medical information,” says the Alameda County district attorney’s statement. “Upon being notified by prosecutors of the widespread issues, Safeway worked cooperatively to remedy the issue, enhance its environmental compliance program and train its employees to properly handle such waste.”

The case against Safeway spotlights the importance of retail pharmacy chains, hospitals and other healthcare entities properly shredding or “making indecipherable” patient and other consumer personal information before disposing of it, Mifsud says.

“There’s a risk of identity theft committed by dumpster divers, and unfortunately by some employees,” he says.

Settlement Terms

According to settlement documents filed in the Superior Court in Alameda County on Dec. 31 – the same day the suit was filed by the district attorneys against Safeway – the $9.87 million in civil penalties and costs Safeway agreed to pay are mainly related to the environmental and unfair business claims against the company. The unfair business claims encompass the violations of California’s medical confidentiality laws, Mifsud says.


Maxxum Recertified as a NAID® AAA Information Destruction Operations Provider

August 4, 2014


Recertification and new leading-edge service offerings help organizations satisfy rigorous electronic information protection and data destruction requirements

Minneapolis / St. Paul, MN – Maxxum Inc., a leading IT asset disposition solutions provider, has been recertified as a NAID® (National Association for Information Destruction) AAA Certified provider of Asset Disposition services – namely computer hard drive sanitization, as well as mobile and plant-based physical destruction of hard drives. The NAID AAA Certification Program establishes stringent standards for a secure information destruction process, including such areas as operational security, employee hiring and screening, documented processes, responsible disposal and insurance. Working with a NAID AAA certified vendor gives organizations peace of mind knowing that all of their information destruction legal requirements are satisfied.

“Data protection and destruction is an increasingly significant and complex issue for our clients, and with NAID AAA Certified asset disposition services and other leading edge data security services Maxxum is well positioned to help these organizations protect their sensitive information while satisfying rigorous regulatory requirements,” says Rich Woodward, president and owner, Maxxum.

The enforcement of data privacy laws, often accompanied by significant fines, is becoming more prevalent, and over the past two years Maxxum’s client base has grown some 30 to 40 percent as organizations look for help not just with satisfying data destruction requirements, but establishing sound policies and procedures to keep sensitive data secure throughout the IT lifecycle.

“Where two years ago most of our clients were based in the Upper Midwest, today we work with organizations throughout the United States and even into Canada, providing a variety of value-added services to help them efficiently and effectively solve diverse data and IT equipment protection needs,” says Woodward. “We’ve also hired additional personnel to help keep pace with the growing demand for service.”

About NAID

NAID is the non-profit trade organization of the secure destruction industry. Founded in 1994, its mission is to promote proper destruction of all forms of discarded media containing personal and proprietary information. NAID has forged strong relationships internationally with policymakers and regulators, produces an extensive catalog of guidance publications, and enforces security standards for the secure destruction industry around the world.

About Maxxum

With secure, modern facilities located near Minneapolis/St. Paul, Minnesota, Maxxum is an IT lifecycle management consulting firm that works with a strong network of clients, suppliers, and recyclers to provide cost effective IT Asset Disposition solutions throughout North America.

As a NAID AAA Certified entity, Maxxum is committed to providing the best customer service in the industry. As IT lifecycle management consultants, every program Maxxum creates is fully customized to meet the specific needs of each client. Maxxum uses industry best practices to sanitize computers and information-bearing devices, complete with Certifications of Destruction, as outlined by the Department of Defense Data Security Standard and the National Institute of Standards & Technology (NIST) Guidelines. Maxxum has a strict no-landfill policy.

Maxxum Inc., 1350 South Field Avenue, Rush City, MN 55069; 651-674-2715; www.maxxuminc.com.

Laptop Stolen from Hospital

June 1, 2014


The incident was reported to the hospital by an employee on May 8, 2013. A password-protected, non-functional laptop containing limited medical information on pediatric patients was stolen from a secured, badge-access controlled area of the hospital. Immediately following discovery of the theft, Packard Children’s launched an aggressive and ongoing investigation with security and law enforcement.

To date, there is no evidence that any pediatric patient data has been accessed by an unauthorized person or otherwise compromised.

The computer was outdated and damaged, thus on a schedule for collection by information technologists. Despite a law enforcement investigation, in collaboration with the Stanford Department of Public Safety and Hospital Security, the laptop has not been recovered yet.

The information that could potentially have been on the stolen computer relates to some operating room schedules over a three-year period beginning in 2009. Although Packard Children’s is not certain which operating schedules would have been on the computer, out of an abundance of caution, 12,900 potentially affected patients are being notified by mail, though there is no indication any patient information has been accessed or compromised.

The information did not include financial or credit card information, nor did it contain Social Security numbers, insurance numbers or any other marketable information. The information on the operating room schedule that potentially could have transferred to the computer would have been patient name, age, medical record number, telephone number, scheduled surgical procedure, and names of physicians involved in the procedure.

The hospital is offering a year of identity theft protection at no cost to potentially-affected families that wish to have it, and is establishing a call center to answer questions from families. The toll-free number is (855) 683-1168, and is available Monday through Saturday from 6 a.m. to 6 p.m. PST.

Lucile Packard Children’s Hospital strives to be an industry leader in the area of medical information security. As a result of this incident, we are taking additional steps to further strengthen our policies and controls surrounding the protection of patient data to reduce the chance that an incident of this type will happen again.

Avoid Data Privacy Breaches with End-to-End Disposal Services

March 4, 2014

Experience the difference of end-to-end asset disposal services.

Nearly 90 percent of companies do not have a data destruction plan in place or understand how to destroy their data securely, according to a new study released by AERC Recycling Solutions. Here are examples of companies and organizations that failed to select the proper IT Asset Disposal vendor and/or elected to dispose of important assets using their own employees without following the proper practices and procedures.

For anyone who doubts how often data privacy breaches occur, or the dangerous exposure such breaches create, there are several up-to-date resources available for researching organizations that have exposed their clientele and/or employee base through unnecessary data privacy breaches.

Maxxum recommends:

National Association for Information Destruction (NAID) News Room – This resource lists recent data breaches, as well as webinars and other resources available for staying current with regulatory news and changes.

Privacy Rights Clearinghouse – An extremely comprehensive site that includes not only a chronological timeline of data privacy breaches, but also links to other sites with breach information.

Department of Health and Human Services – The DHHS publishes a list of all organizations that have experienced a HIPAA breach.

At Maxxum, we’re committed to smart, strategic partnership with our clients. We stay up-to-date on laws and regulations regarding data privacy and environmental responsibility. We develop and support industry best practices in compliance, remarketing, recycling and reporting.

NASA sold computers with sensitive data, report says

January 1, 2014

(Reuters, 2010) – NASA failed to delete sensitive data on computers and hard drives before selling the equipment as part of its plan to end the Space Shuttle program, an audit released on Tuesday shows.

NASA is getting rid of thousands of surplus items as it prepares to end the space shuttle program next year.

The Office of Inspector General found what it termed “serious” security breaches at NASA centers in Florida, Texas, California and Virginia.

“Our review found serious breaches in NASA’s IT (information technology) security practices that could lead to the improper release of sensitive information related to the Space Shuttle and other NASA programs,” NASA Inspector General Paul Martin said in a statement. “NASA needs to take coordinated and forceful actions to address this problem.”

The report cites 14 computers from the Kennedy Space Center that failed tests to determine if they were sanitized of sensitive information, 10 of which already had been released to the public. It also found that hard drives were missing from Kennedy and from the Langley Research Center in Virginia. Some of the Kennedy hard drives were later found inside a dumpster, where they were being stored before sale, that was accessible to the public, the audit says.

Investigators also found several pallets of computers being prepared for sale that were marked with NASA Internet Protocol addresses, which the report said could help hackers gain access to the NASA internal computer network. (Editing by Greg McCune)

Don’t allow your data to fall into the wrong hands. Demand certified drive sanitization and destruction. Demand Maxxum. We can help you build a comprehensive, cost-effective risk-management program that:

  • Eliminates potential data and environmental breaches, and
  • Offers a secure, documented chain of custody that mitigates liability

Maxxum Receives NAID® AAA Certification for Information Destruction Operations

December 11, 2013

Organizations who work with a NAID AAA Certified vendor have peace of mind knowing that all of their information destruction legal requirements are satisfied

RUSH CITY, MN – Maxxum Inc., a leading Midwest IT asset disposal solutions provider, has received NAID® AAA Certification for the company’s asset disposal operations. The NAID (National Association for Information Destruction, Inc.) AAA Certification Program establishes standards for a secure information destruction process, including such areas as operational security, employee hiring and screening, responsible disposal and insurance.

Most developed nations have information protection laws and regulations that require written information protection procedures – including a written process for selecting a qualified and reputable data destruction vendor. Specifying a NAID AAA Certified information destruction vendor necessarily establishes those criteria, effectively satisfying that legal requirement. Where regulations require ongoing verification of vendor compliance, NAID AAA Certification satisfies that requirement too. Choosing to work with a non-NAID AAA Certified information destruction provider requires the organization to develop some other written and verifiable criteria from scratch.

“It’s not enough to simply obey government regulations – organizations have to prove compliance, which is the Achilles heel of most companies’ data destruction, IT disposal, and recycling plans. Maxxum works with corporations, educational organizations, and governmental entities to provide customized data sanitization and IT asset disposal services in accordance with NAID AAA certification. Maxxum assures clients remain fully compliant with all laws and regulations, and provides them with the information to prove compliance.”

NAID AAA Certified service providers subject themselves to intense scrutiny and system verification because they are committed to their customers’ peace of mind. A single mistake in disposing of PCs and other electronic assets can easily cost an organization millions of dollars in legal fees, penalties, and lost business, as well as severely tarnish its reputation. As a NAID AAA Certified service provider, Maxxum tailors hassle-free IT life-cycle management programs that maximize return on investment and minimize cost, and indemnifies the company’s clients against liability.