Thursday, July 1, 2010

Data Breaches du Jour

Information regarding the latest reports of data breaches. The common thread: it is taking a startlingly long time for entities (a) to discover that they have been breached, and (b) to then notify affected customers of potential compromises to personal information.

Update on Major Data Breach at California Health Insurer

An update to Monday's blog post: WellPoint, the country's largest health insurer, has now sent notice to 470,000 members and applicants for individual health insurance nationwide, informing them of a breach of a web site used by individuals to apply for insurance and track the status of their applications. The web site system, run by WellPoint subsidiary Anthem Blue Cross of California, was allegedly manipulated by attorneys looking to bolster a class action lawsuit against the insurer. WellPoint indicated that although the breach may have affected 230,000 California customers as previously reported, data for other applicants could have been obtained and accessed by anyone merely by altering the URL, thus prompting the additional notices.

While initially saying that personal information was unsecured for "a relatively short period of time," WellPoint now explains that five months passed before the company learned in March that a failed security update to the Anthem web site left customers' data vulnerable.

Related Link:
http://www.govinfosecurity.com/articles.php?art_id=2690


Unencrypted Patient Information Goes Missing from NY Hospital

A New York hospital is notifying some 130,000 patients that their personal information may have been compromised. Patient information stored on seven CDs belonging to New York's Lincoln Medical and Mental Health Center was lost in transit after a hospital contractor shipped them, Bloomberg reports. The unencrypted data includes Social Security numbers, dates of birth, driver's license numbers and procedure information. In a letter sent to victims earlier this month, the hospital suggested the CDs may have been displaced at a shipping facility and destroyed.

Yet another good example of why all PHI and PI should be encrypted in transit.

Related Link:
http://www.businessweek.com/idg/2010-06-29/new-york-hospital-loses-data-on-130-000-via-fedex.html

Continuing Data Breach Over Eight Year Period Exposes Personal and Medical Records of Students at University of Maine Counseling Center

According to the Auburn-Lewiston Sun Journal, the University of Maine Police Department is investigating a data breach that exposed nearly 5,000 students' personal and medical information. Starting in 2002 and spanning eight years, hackers accessed the UMaine counseling center database, the Sun Journal reports. The database stored information including names, Social Security numbers and clinical information. The university has hired a company to monitor the credit of those potentially affected, though there is no indication the hacked data has been viewed or used. "This is a serious breach and we are profoundly sorry that this has happened," said a university spokesman.

Related Link:
http://www.sunjournal.com/state/story/870870