1.5 Million Medical Files At Risk In Health Net Data Breach

November 19, 2009

A hard drive with seven years of personal and medical information on about 1.5 million Health Net customers, including 446,000 in Connecticut, was lost six months ago and was first reported Wednesday, state and company officials said.

The insurance company informed the state attorney general’s office and the Department of Insurance Wednesday of the security breach that puts personal medical records at risk in a historic lapse, the first of its kind to be publicly reported.

A portable, external hard drive with Social Security numbers and medical records “disappeared” and is still missing from the insurer’s Northeast headquarters in Shelton, a Health Net spokeswoman said Wednesday.

The hard drive contains Social Security numbers, medical records and health information dating to 2002 for 1.5 million customers — past and present — in Arizona, Connecticut, New Jersey and New York, the spokeswoman said.

The data were compressed, but not encrypted. The information is formatted as images and requires a special computer program to be read, state and company officials said. Health Net plans to send out letters to its customers notifying them of the breach.

Attorney General Richard Blumenthal and Insurance Commissioner Thomas Sullivan each said he is investigating what happened, and why the company waited six months to report the incident.

The data breach is another in a series of information security lapses involving Connecticut residents in recent months. Most, including a large breach of People’s United Bank customer information, have included bank records or Social Security numbers. The missing hard drive at Health Net is the first publicly reported, widespread release of patients’ medical records, at least in recent state history.

“Health Net’s incomprehensible foot-dragging demonstrates shocking disregard for patients’ financial security, as well as loss of their highly sensitive and confidential personal health information,” Blumenthal said in a prepared statement.

Sullivan said his office is requiring Health Net to offer credit protection monitoring through Debix, a company that provides identity-theft protection services.

“My main concern is protecting the members and participating providers,” Sullivan said. “We are currently working with Health Net to ensure adequate notification and protections for all involved.”

Health Net suggests that customers with questions call the company phone number on the back of their benefits card, said Alice Chaves Ferreira, a spokeswoman for Health Net of the Northeast Inc.

“Health Net will provide credit monitoring for over two years — free of charge — to all impacted members who elect this service, and will provide assistance to any member who has experienced any suspicious activity, identity theft or health care fraud between May 2009 and their date of enrollment with our identity protection service,” Chaves Ferreira said.

The company didn’t know what information was on the hard drive, which is why the information wasn’t reported sooner, Chaves Ferreira said. Health Net conducted a lengthy investigation, including a forensic review by computer experts, she said.

It was only then that the company concluded the lost data included a vast trove of information.

Earlier this month, Anthem Blue Cross and Blue Shield of Connecticut reported that a laptop was stolen this summer in the Chicago area, compromising personal information of nearly 850,000 doctors, therapists and other health care providers in 50 states, including 19,000 in Connecticut.

Last year, Bank of New York Mellon lost computer tapes that jeopardized information on more than 600,000 state residents, including many account holders at People’s United Bank.

By MATTHEW STURDEVANT

Source: The Hartford Courant

Data breach could affect 60,000 GIs, civilians

November 17, 2009

The Corps of Engineers is investigating the recent loss of an external hard drive that could pose identity theft problems for as many as 60,000 soldiers and Army civilians.

Maj. Mark Young, a Corps of Engineers spokesman in Washington, said the security breach occurred in the command’s Southwestern Division, which is headquartered in Dallas, in early November.

“Right now the focus is on investigating [the incident], alerting people who may be affected, and taking measures to make sure it doesn’t happen again,” he said.

Information stored on the missing hard drive includes personal data, such as names and Social Security numbers, on a number of current and former soldiers and some civilian employees, according to information provided by the Southwest Division.

Most of the affected population includes soldiers whose files went before the Fiscal 2008 sergeant first class and 2008 master sergeant promotion boards, and the 2007 colonel promotion board and the 2009 lieutenant colonel command board.

“Those who may be impacted by this incident will be notified electronically through the Army Knowledge Online Web site, or by mail,” according to a statement issued by Southwest Division Nov. 13.

Officials said that as of that date, there were no known cases of identity theft associated with the lists.

This is not the first time that the personal information on the 30,812 soldiers considered by the 2008 sergeant first class board has been compromised.

Just weeks after the board adjourned in February 2008, the Army’s Criminal Investigation Command determined that an advance version of the list made available to commanders and their designated representatives had been improperly posted on the Internet.

Within days of that finding, CID officials also determined that a listing of 20,048 soldiers considered by the 2005 master sergeant board had been compromised.

Those findings were particularly troubling because until last year, commander copies of lists not only included the names of all soldiers selected and not selected by a board, but their Social Security numbers.

The Army continues to allow designated commanders access to select and non-select lists, but does not include any part of a soldier’s Social Security number on the lists.

Database security and the threat of identity theft are major problems in both the government and private sector, according to the Open Security Foundation.

According to data maintained by this nonprofit organization, there have been 363 major incidents this year of data breaches involving personal identifying information.

Included are the compromise of personal data in 6,675 files maintained by the Boston University Army ROTC battalion, and 130,000 soldier files maintained by the Army National Guard.

The Federal Trade Commission identity theft Web site provides helpful information for people who believe their personal information has been compromised.

By Jim Tice - Staff writer

Source: Army Times

Is it time for a national data breach notification law?

November 16, 2009

Federal lawmakers are again considering legislation that would create nationwide rules for notifying potential victims of identity theft when organizations improperly expose their sensitive information.

The Senate Judiciary Committee approved two bills this month that would impose data breach notification requirements on businesses, and a bill with notification requirements is making its way through the House.

It’s not the first time lawmakers have pushed for such federal requirements. However, previous efforts stalled in the legislative process. In the absence of federal requirements, most states have promulgated their own laws, creating a complicated legal patchwork.

Gail Hillebrand, senior attorney at the West Coast Office of Consumers Union, a nonprofit organization that publishes Consumer Reports, said some states have requirements that are more stringent than the ones that Congress is proposing. Hillebrand said consumers are already receiving proper notifications from businesses and that companies tend to follow the requirements of the state with the highest standards when there is a breach that affects people nationwide.

She said it was a positive sign that the bill proposed by Sen. Patrick Leahy (D-Vt.) dealt with data brokers, or businesses that get paid for collecting, transmitting or providing sensitive personal data.

Hillebrand said her group supports both bills that recently made it through the Senate Judiciary Committee and supports the notice of breach approach in the House bill. However, for the House measure, the group has concerns about the scope of the pre-emption of state laws that address data safeguards.

Meanwhile, Enrique Salem, CEO of Symantec, said in an e-mail that the Leahy bill was “a major step forward towards enacting a comprehensive, uniform national framework to better prevent breaches of sensitive consumer information as well as setting a clear standard for effective notification should a breach occur.” Salem said Symantec believes the United States urgently needs to pass a national data breach law.

By Ben Bain

Source: Federal Computer Weekly