West Virginia PEIA lost backup affects 200,000

Date Reported:
10/22/07

Organization:
State of West Virginia

Contractor/Consultant/Branch:
Public Employees Insurance Agency (PEIA)

Victims:
Current and former members of PEIA, the Children's Health Insurance Program and AccessWV.

Number Affected:
200,000

Types of Data:
Name, maiden name, address, Social Security number, telephone number, and marital status.

Breach Description:
On October 16th, a backup tape containing sensitive personal information about certain West Virginia residents was lost while in transit to an unnamed third-party data analyst in Pennsylvania.  The unnamed mail carrier conducted an "exhaustive search" for the tape and has yet to locate it.

Reference URL:
State of West Virginia Press Release
Charleston Daily Mail

Report Credit:
State of West Virginia Department of Administration

Response:
From the official West Virginia press release and the other online resources cited above:

"West Virginia Public Employees Insurance Agency (PEIA) officials today announced that a specialized computer tape containing an eligibility data file was reported missing on October 16, 2007, by a third party mail carrier used to transport the tape to PEIA's data analyst in Pennsylvania"
[Comfyllama] I wonder if the victims were ever aware that their personal information was being sent (daily, weekly, or monthly) to another third party in Pennsylvania.  I also wonder how many organizations my data is shared with or transferred to.  It seems simple enough to write my SSN on a health insurance application (you don't have a choice, by the way, if you want insurance), not really thinking of all the places it may go afterwards.  Worse yet, do the organizations know all of the other organizations that they share our data with?

"Officials believe the package came unglued in transit, and do not suspect theft, Department of Administration Spokeswoman Diane Holley said."

"The tape was in a format that cannot be read by standard computer equipment.  It would require specialized data processing equipment loaded with appropriate software and highly knowledgeable individuals to view the data."
[Comfyllama] This statement would be a good joke if there weren't real people affected.  This is a minimizing statement meant to detract from the fact that PEIA did not do the right thing by encrypting data backups and other confidential data at rest.  The "specialized data processing equipment" would be what, a tape drive?  The "appropriate software" would be what, Backup Exec, Commvault, or ARCserve?  Let's not forget about the "highly knowledgeable individuals" requirement!

"The tape does not contain medical or prescription claims information."

"However, it does include names and maiden names, addresses, Social Security numbers, telephone numbers, and marital status of the program participants and their covered dependents."
[Comfyllama] Ugh! As long as Social Security numbers continue to be used for identification and verification purposes, these victims could continue to be candidates for fraud for years.

"The State's Privacy and Security Offices were notified and are fully investigating this matter"
[Comfyllama] IF the State's Privacy and Security Offices knew about the practice of sending unencrypted backup tapes containing sensitive personal information through a "mail carrier", then shame on them to begin with.

"Officials advise enrollees to check their credit reports and request fraud alerts. Both are free services from any of the three main credit reporting agencies."

"A call center has been established and will be operational, beginning at 8 a.m. on Wednesday, October 24th, 2007, to address questions relating to this incident.  The call center's telephone number is toll-free 1-."

Commentary:
This breach raises two main points.  One, do organizations do a good enough job of informing people what they do with personal information and who they share it with?  It is important to note that when an organization shares information with another, the security domain expands to include the other organization.  Weaknesses (vulnerabilities) in one defeat the strengths of the other.  I don't think many of us are well informed on this front.

The second point has been reiterated on The Breach Blog over and over.  Confidential and personal information MUST be encrypted at rest (on disk, on laptops, on flash drives, on backup tapes, etc.).

Of course, we could solve many of these problems if organizations didn't use Social Security numbers for identification/authentication and instead used more creative solutions.

Past Breaches:
Unknown
