Americhoice, Lost CD, 67000 Affected

Date Reported:

9/11/07

Organization:
State of Tennessee

Contractor/Consultant:
Americhoice Inc.

Victims:
TennCare enrollees*

*TennCare is a State of Tennessee health care program comprised of TennCare Medicaid, which is for persons who are Medicaid eligible, and TennCare Standard, which is for persons who are not Medicaid eligible but who have been determined to meet the state’s criteria as being either uninsured or uninsurable.

Number Affected:
67,000

Types of Data:
Name, Social Security number, birth date, and address

Breach Description:
A compact disc (CD) containing confidential member information was shipped from the Americhoice office in Nashville to another Americhoice office in Knoxville.  The CD was lost in transit and the data on it was not encrypted.

Reference URL:
http://www.wate.com/global/story.asp?s=7054941&ClientType=Printable
http://www.newschannel9.com/articles/americhoice_15412___article.html/says_information.html

Report Credit:
Erica Estep, WATE Channel 6 News (Knoxville, TN)

Response:
From the online references above:

"On September 4, Americhoice Inc., a TennCare provider, sent a letter to all 67,000 enrollees across the state of warning them about what happened."

"Customers in all 18 East Tennessee counties are affected"

"According to AmeriChoice, on July 19 a single CD was sent overnight by UPS from its office in Nashville to Knoxville. But it didn't make it."

"We regret that this occurred, certainly, and we do take the privacy and security of our member's personal information very seriously. And we have taken steps that we believe will prevent this kind of occurrence from happening again," AmeriChoice Vice President of Public Relations Steven Matthews explains."

"Matthews says all AmeriChoice employees have been re-trained and their policies gone over. He admits a new employee did not follow policy."
[Comfyllama] Was the new employee trained?  It is good secure business practice to provide information security training to employees on day one.  Some policies (including many that I have written) specify that NO access is given to systems prior to taking approved information security training and passing an associated examination (quiz).  Today, information security training needs to be part of the HR new-hire process and is at least as important as other HR training.

"The data should not have been put on a CD in an un-encrypted form. It should have been transmitted either in an encrypted form or via a secure email system. That's normally how it was done," Matthews says.
[Comfyllama] Amen to that brother!

"He also says the CD didn't contain any medical or health information."
[Comfyllama] Would have been better if it wouldn't have had Social Security numbers, eh?

Americhoice is offering 12 months of free ID theft protection to victims, call 1-.

A Victim's Response:
Ellen Schellmer's eight-year-old son's information was lost. "I think they are very irresponsible and I wonder how they'd feel if it were them?"

"In a few years, he's eligible for credit cards, all kinds of credit, people could steal his identity, ruin his credit, ruin his life."

"I'm pretty disgusted. I think they need to come up with a better idea than one year of identity theft,"

Commentary:
Was it inadequate training of a new employee that led to this breach, or simply a mistake? If the new employee had not yet been trained, then new-hire training is an area Americhoice needs to improve.

You can sense the frustration of the victim quoted in the article. People are getting fed up with lax security around their personal information, as they should be!

The role of an organization with respect to personal data is "custodian", and the role of the customer is "owner".  As the "owner" of data, customers choose how data is to be protected.  A "custodian" cares for the data at the discretion of the "owner".  Data owners (you and me) need to demand better protection of our data, period.

Past Breaches:
None



 
Comments
  • 9/13/2007 1:17 PM BreachFreak wrote:
    I decided to check out Americhoice's home page for any sign of an announcement and the site has been down for a couple of hours (and is still down). Hmmm.