Lost Horizon Blue Cross Blue Shield of New Jersey laptop
Date Reported:
1/29/08
Organization:
Horizon Blue Cross Blue Shield of New Jersey (BCBSNJ)*
*Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ), a not-for-profit organization headquartered in Newark, is the state's largest health insurer.
Contractor/Consultant/Branch:
None
Victims:
Horizon BCBSNJ members
Number Affected:
~300,000
Types of Data:
Names, addresses, and Social Security numbers
Breach Description:
On January 5th, 2008, a laptop used by a Horizon Blue Cross Blue Shield of New Jersey employee was stolen in Newark, NJ. The laptop contained sensitive personal information belonging to Horizon Blue Cross Blue Shield of New Jersey members and has not been recovered.
Reference URL:
Horizon BCBSNJ News Alert
New Jersey On-Line story (many comments)
New Jersey Business Journal report
Report Credit:
Horizon Blue Cross Blue Shield of New Jersey, with a special thanks to Attrition.org
Response:
From the online sources cited above:
Horizon Blue Cross Blue Shield of New Jersey is notifying more than 300,000 of its members that their names, social security numbers and other personal information were contained on a laptop computer stolen in Newark.
If you are a Horizon BCBSNJ member and you have not received a letter indicating that your information was on the stolen laptop, you are not affected.
[Evan] This is a stated "fact" on the Horizon BCBSNJ News Alert site.

There was no medical data on the stolen laptop.
On January 5, 2008, a Horizon BCBSNJ employee’s laptop was stolen in the City of Newark.
Horizon BCBSNJ believes that it is highly unlikely that any personal data stored on the stolen computer has been accessed. The computer was password protected.
[Evan] Come on. Password protection (likely operating system level) is NOT adequate protection for confidential data, especially on mobile media. Password protection is certainly not the factor that would make access "highly unlikely".
Those whose names were on the laptop are being offered a free year of credit-monitoring services.
Horizon BCBSNJ has sent letters to all affected members alerting them to the theft.
The laptop, which was stolen on Jan. 5, was being taken home by an employee who regularly works with member data.
[Evan] I wonder how many other employees regularly work with member data on unencrypted laptops.
Thomas Rubino, director of public affairs for Horizon, said the loss of data resulted from a violation of company security practices, and was being investigated.
On January 23, 2008, a security feature was initiated that destroys all of the data on the stolen computer.
[Evan] Why would Horizon BCBSNJ invest in software to remotely destroy data and not add encryption to the mix? The remote data destruction in which "a security feature was initiated" requires network connectivity. Simply disabling the network card(s) or slaving the drive(s) to another computer easily circumvents this security "feature" and does not provide certainty that the data is safe.
Horizon BCBSNJ takes seriously its obligation to protect personal information. We apologize for any inconvenience this theft may have caused those affected.
Commentary:
I don't understand the reluctance of some companies to encrypt data at rest on laptops and other mobile media. If the laptop were encrypted and there were no reason to believe that the key had been compromised, there would be no effective breach of data confidentiality. For those companies that do encrypt data at rest, be sure that users are not writing passwords (keys) down and keeping them with the laptop, e.g. on Post-it notes and stickers.
Past Breaches:
Unknown
