5,000 Health Net employees affected by stolen laptop
Date Reported:
1/4/08
Organization:
Health Net
Contractor/Consultant/Branch:
Unnamed
Victims:
Connecticut Health Net employees and health-care providers
Number Affected:
About 5,000 employees and "an undisclosed number of health-care providers outside the Northeast"
Types of Data:
Names and Social Security numbers
Breach Description:
A laptop computer containing personal information belonging to "about" 5,000 Health Net employees hired before January 1st, 2005 and an undisclosed number of health-care providers was stolen from a Health Net vendor more than a month ago.
Reference URL:
The Hartford Courant Story
Report Credit:
Diane Levick, The Hartford Courant
Response:
From the online source cited above:
Thousands of Health Net employees in Connecticut and other states have been notified that their names and Social Security numbers were on a laptop computer that was stolen more than a month ago from a company vendor.
There have been no reports of identity theft as a result of the incident, said David Olson, a Health Net spokesman. He wouldn't name the vendor or say where the laptop was stolen, other than it wasn't in the Northeast.
[Evan] I wonder why Mr. Olson is unwilling to disclose the vendor or location. I guess it could be due to the police investigation.
The laptop had information on about 5,000 employees companywide and an undisclosed number of health-care providers outside the Northeast.
There was no medical information about them on the computer, Olson said.
[Evan] Oh good, no HIPAA violation then, eh?
Health Net members aren't affected
Health Net retained Kroll Inc. to provide free credit monitoring for one year, and help in restoring good credit in case of identity theft, to employees and providers who sign up for it.
[Evan] Although one year of protection is better than nothing, criminals involved in identity theft are most likely selling the information and/or waiting until one year has passed. If I were a victim of this breach, my concern would become much more serious sometime next year. This is IF the laptop was stolen for the information, which we wouldn't know.
Health Net "works to ensure the safety of our constituents' information and expects the same diligence from our vendors and contract partners," company chief executive Jay Gellert said in the letter. "We are vigorously pursuing this matter to ensure that no further damage has or can be done."
[Evan] Nice to see the CEO stating something about this breach.
Commentary:
There are many comments that I didn't write about concerning this breach because I have written them all before, and I want to give readers a break.
For those of you who are first-time readers, or those of you who may have missed comments in earlier posts:
- Confidential information should not be allowed on mobile devices (laptops, flash drives, CDs, etc.), unless exceptional business circumstances require it.
- If exceptional business circumstances require confidential information be on a mobile device, then additional controls MUST be present such as encryption.
- Vendors, contractors, consultants, etc. MUST be included in the organizational information security program.
- I respect a CEO who speaks about information security matters; it shows that they recognize that the "buck stops" with them.
I am taking bets on how many mobile devices containing personal information will be lost this year that were not encrypted. This is #5 on The Breach Blog in 2008 and we are only five days into the year, and I am sure we can find more. Give me a number.
Past Breaches:
Unknown
I left Health Net in 1998. I would like to know what my social security number was doing on a laptop at a vendor 10 years after I changed employment. Since I moved my 401k 10 years ago, received no pension or other benefits after the employment change, I am at a loss.