March 15, 2007
WellPoint's missing data shows up
Executives at WellPoint -- the nation's largest managed health care services provider -- are breathing a lot better today, and not just because they're keeping an eye on their diet and maintaining an optimal level of physical fitness.
Last week, the Indianapolis-based firm began notifying some 75,000 of its customers that a CD carrying their unencrypted health records and other personal data had been lost. Now the company says the missing disc has been found.
In a statement released late Wednesday, the firm's New York-based Empire Blue Cross Blue Shield insurance unit said the CD had turned up. The disc had been shipped via UPS to business partner Magellan Behavioral Health Services by Health Data Management Solutions (HDMS), a third-party vendor to Magellan.
The company offered few details of the recovery other than to say that the CD had merely been misplaced in transit. Something tells me that WellPoint might swap overnight carriers from Big Brown to FedEx, or fire some of its mailroom employees.
The incident highlights the challenges corporations face in meeting the increasingly strict terms of emerging data-exposure reporting laws. In its statement on the misplaced -- and, more importantly, unencrypted -- CD, the company couldn't help giving itself a little pat on the back, saying that it "accelerated member notification as our members' security and trust are our highest priority."
Kudos to the firm for not actually losing the information, but it could have avoided the entire situation by encrypting the data before it was shipped: a lost disc whose contents are encrypted, with the key sent separately, exposes nothing useful. Empire Blue Cross said that it did have policies in place to prevent such incidents.
"The information was not transferred in accordance to our contractual terms with Magellan, who did not require HDMS to encrypt or password protect the data," the company said. "We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer were unacceptable."
Magellan will now only transmit personal health information electronically over a secure network, eliminating CDs and the use of a delivery service, WellPoint said.
I'm betting that the employee who failed to follow said rules is somewhere considering their job options right now.
Posted by Matt Hines on March 15, 2007 05:39 PM
December 28, 2006
Often it takes a high-profile disaster to get the wheels of government moving toward preventing a repeat.
Such appears to be the case with this year's infamous data leak, the loss last May of private information on millions of U.S. veterans, which prompted the White House to issue a presidential mandate requiring full-disk encryption on all agency laptops and mobile devices that store sensitive data.
Slowly but surely, the encryption-project ball is rolling, notes the Web site Full Disk Encryption: The government has posted RFPs (requests for proposals), giving vendors a chance to line up and make their case for their respective encryption wares. "As with any other encryption product being used by Federal Government, the selected FDE product must have FIPS 140-2 certification." The rest of the technical requirements are in the posted RFP document.
Interested companies include Seagate, Mobile Armor, Pointsec, SafeNet, and Credant. According to Full Disk Encryption, the evaluation is expected to end in 90 days.
It will be interesting to see how much this encryption ends up costing, as well as just how effective it turns out to be. Hopefully it will help the Feds fare better than a D+ the next time their data security competence is assessed.
Meanwhile, perhaps more companies will follow the government's lead, given the rash of data leaks we've seen at corporations like Chevron, Boeing, Wells Fargo, Starbucks, and others over the past couple of years. If they're not sure where to start, they could check out InfoWorld's encryption special report from earlier this year.
Posted by Ted Samson on December 28, 2006 03:06 PM
September 06, 2006
Wells Fargo leaks personal data
Wells Fargo has joined the unfortunate ranks of Chevron, AT&T, Williams-Sonoma, and the U.S. Department of Veteran Affairs, in suffering a recent leak of private data.
In this case, the financial institution lost personal information about an unspecified number of its employees, according to reports. The company informed workers of the breach on Aug. 28.
The data was on a disk drive and/or a laptop, both of which were swiped from the trunk of a car. Whether they know it or not, the perpetrators got away with names, Social Security numbers, and prescription information.
There's a common thread in all these data-leak cases, one that I've alluded to previously: The data was being handled by third-party companies. Frustratingly, most of these companies won't disclose the name of their data-fumbling partners, which means they don't have to suffer embarrassing publicity and make promises to step up their security measures. Heaven forbid.
Third-party follies aside, maybe organizations aren't taking the problem seriously because courts have already set a precedent that relieves them of liability for negligence if they lose customer data. Last March, U.S. District Judge David Doty in Minnesota ruled that Wells Fargo was not responsible for losing customers' personal data because said data was never misused by miscreants. The judge's general reasoning was that the people suing the company hadn't suffered any actual damages; they were just worried about future damages.
So there you have it. Companies have the luxury of saving money by being lax on security. If they spill your SSN, your address, your phone number, your health records -- info that could be used for identity theft or a targeted phishing scam -- they don't have to fret. That is, unless the data is abused in the aforementioned manner, in which case I expect the victims would then have to demonstrate that the perpetrators were using the data they'd harvested from said company.
It's a fascinating legal precedent, isn't it? Why are there strict government regulations and guidelines in HIPAA that protect patients' medical records, for example, but nothing to better ensure protection of customer data, which could be used just as maliciously?
Granted, I'd rather that companies and organizations take it upon themselves to enact better security measures, such as implementing encryption technology. But for the time being, there's no tangible ROI in that, I guess. It's cheaper to just e-mail out an apology and give victimized customers and employees a year of free credit monitoring.
Posted by Ted Samson on September 6, 2006 10:13 AM
August 16, 2006
Chevron has a messy spill to clean up, but it's not an oil spill; it's a data leak.
The oil behemoth circulated an e-mail to its U.S. employees last Monday, cautioning them that a laptop "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans," according to today's San Francisco Chronicle.
The laptop was swiped on Monday, Aug. 7, according to the report, and contained data such as Social Security numbers and other private data of potentially thousands of employees. The name of the public accounting firm was not disclosed.
According to the report, the e-mail, sent to "U.S. Payroll Employees" by Peter Robertson, Chevron's vice chairman, offered assurances to workers that "we believe it is unlikely that any Chevron benefit plans will be impacted by this theft with the security measures we have in place for those plans."
Nonetheless, the e-mail continues, "in order to mitigate any identity theft issues related to this event, we are offering a comprehensive set of services paid for by Chevron to affected plan participants."
Reports of data leaks are becoming regrettably common these days. In recent months, for example, government agencies such as the U.S. Department of Veteran Affairs have reported thefts of personal data. The VA announced earlier this week plans to invest $3.7 million in encryption technology in an effort to prevent future data leaks.
Posted by Ted Samson on August 16, 2006 09:53 AM