No Excuse For Sloppy Security

11 03 2008

Data goes missing as laptop vanishes
HealthNow members may be at risk
By Jonathan Epstein
Updated: 03/11/08 6:53 AM

HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.

The Buffalo-based parent of BlueCross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.

Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers. However, there was no health or medical claims information involved, spokeswoman Karen Merkel-Liberatore said late Monday.

HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft. But the company has no plans to re-assign new health insurance identification numbers en masse, though it will do so at the request of any individual members, Merkel-Liberatore said.

“At this point, I don’t believe we’ve had any requests to do that,” she said. “If they feel more comfortable changing their identification number, we could certainly do that.”

She stressed, however, that it’s unlikely anyone could or would use the information to find out about a member’s health status or obtain healthcare in their name, since most doctors and hospitals ask for the membership card before providing care.

The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity. Also, the company shut down the laptop’s access to the corporate network, and has not detected any activity from the laptop since the disappearance.

The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact. “We definitely have taken this matter very seriously,” Merkel-Liberatore said.

This is the latest example nationwide of a computer security breach involving confidential personal information that could be used to commit identity theft, although that doesn’t necessarily happen. Lost laptops and computer backup tapes or disks in transit have been a particular source of problems, as companies increasingly use such “mobile devices” and storage that often is not as secure as the primary in-house computer servers.

Tens of millions of U.S. consumers have been affected in recent years by breaches involving more than 100 million accounts at banks, merchants, health insurers, hospitals and government agencies in recent years. The biggest, involving retailer T.J. Maxx parent TJX Cos., hit 45.7 million people in late 2006.

In HealthNow’s case, the company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in the building or at home. The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.

Instead, officials first “spent an exorbitant amount of time” to try and locate the laptop, which they still believe is in the company’s building, Merkel-Liberatore said. Only “when it was apparent we couldn’t find it” did officials try to narrow down what information might have been lost, she added.

Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.

“We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with,” she said. “With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable.”

The company has also tightened its policies and procedures about use of laptops and other mobile devices “to ensure that the policies are more strict,” she said. She added that officials are also encrypting all information on laptops “to prevent this situation from recurring.”

I find it ridiculous that in this day, when there are so many ways to lock down computers with encryption, it’s not being used. Hello, whole drive encryption!!! What scares me is that I don’t think the government has a good handle on computer security either. It’s not that we don’t have the proper people to do the job; it is that we plug the wrong people into those jobs. We need the hard-core nerds that guzzle Mountain Dew and love writing code (code monkeys). Not some slobs that barely have a handle on this stuff and probably went to a day course on computer security. Pay the money for people that are the hard-core computer enthusiasts and you will have a force to be reckoned with.







3 responses

12 03 2008
Michael Veni

I came across your article and couldn’t help but notice that we could have prevented any potential harm arising from the theft of the laptop mentioned above.
Once a laptop is stolen or lost, SONAR, uniquely, does four things that are absolutely vital:
1. SONAR allows you to remotely retrieve a directory listing of all files and folders on the stolen or lost laptop, and then retrieve all critical lost files.
2. SONAR allows you to delete safely any or all files, or wipe the entire hard drive of all its contents.
3. SONAR creates a record of all activity on the computer after it’s been lost or stolen.
4. SONAR’s recovery team has been extremely successful in being able to return the physical property to the rightful owner.
Please feel free to contact me directly should you like to learn more about our products.
Michael Veni
Awareness Technologies
888-224-1288 x 404

12 03 2008

Thanks for the post. I will look into your product. Your post goes to prove my point that there are many solutions to prevent the theft of critical data.

12 03 2008

There may be no excuse for it, but people and companies are just lazy. There usually has to be a loss for anyone to take the issue seriously.
