No Excuse For Sloppy Security

11 03 2008

Data goes missing as laptop vanishes
HealthNow members may be at risk
By Jonathan Epstein
Updated: 03/11/08 6:53 AM

HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.

The Buffalo-based parent of Blue- Cross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.

Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. However, there was no health or medical claims information involved, spokeswoman Karen Merkel-Liberatore said late Monday.

HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft. But the company has no plans to re-assign new health insurance identification numbers en masse, though it will do so at the request of any individual members, Merkel-Liberatore said.

“At this point, I don’t believe we’ve had any requests to do that,” she said. “If they feel more comfortable changing their identification number, we could certainly do that.”

She stressed, however, that it’s unlikely anyone could or would use the information to find out about a member’s health status or obtain healthcare in their name, since most doctors and hospitals ask for the membership card before providing care.

The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity. Also, the company shut down the laptop’s access to the corporate network, and has not detected any activity from the laptop since the disappearance.

The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact. “We definitely have taken this matter very seriously,” Merkel-Liberatore said.

This is the latest example nationwide of a computer security breach involving confidential personal information that could be used to commit identity theft, although that doesn’t necessarily happen. Lost laptops and computer backup tapes or disks in transit have been a particular source of problems, as companies increasingly use such “mobile devices” and storage that often is not as secure as the primary in-house computer servers.

Tens of millions of U.S. consumers have been affected in recent years by breaches involving more than 100 million accounts at banks, merchants, health insurers, hospitals and government agencies in recent years. The biggest, involving retailer T.J. Maxx parent TJX Cos., hit 45.7 million people in late 2006.

In HealthNow’s case, the company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in building or at home. The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.

Instead, officials first “spent an exhorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building, Merkel- Liberatore said. Only “when it was apparent we couldn’t find it” did officials try to narrow down what information might have been lost, she added.

Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.

“We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with,” she said. “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable.”

The company has also tightened its policies and procedures about use of laptops and other mobile devices “to ensure that the policies are more strict,” she said. She added that officials are also encrypting all information on laptops “to prevent this situation from recurring.”

I find this ridiculous that in this day where there are so many ways to lock down computers with encryption that its not being used. Hello whole drive encryption!!! This is what scares me is I don’t think the government has a good handle on computer security either. Its not that we don’t have the proper people to do the job it is that we plug the wrong people in those jobs. We need the hard core nerds that guzzle mountain dew and love writing code(code monkeys). Not some slubs that barely have handle on this stuff and went to probably a day coarse on computer security. Pay the money for people that are the hard core computer enthusiasts and you will have a force to be reckoned with.