Wellesley seniors' personal information lost in mail
Technorati Tag: Security Breach
Date Reported:
2/29/08
Organization:
Town of Wellesley, Massachusetts
Contractor/Consultant/Branch:
Wellesley Health Department
Victims:
Certain town residents who received flu shots, all over the age of 65
Number Affected:
480
Types of Data:
Names, dates of birth, addresses, and Social Security numbers
Breach Description:
An envelope containing sensitive personal information belonging to seniors was sent from the Wellesley Health Department to a Medicare processing office in Charlestown. When the envelope arrived it was missing the list of information. The U.S. Postal Inspection Service and local police are investigating.
Reference URL:
The Boston Globe
WCVB-TV Channel 5
The Boston Herald
Report Credit:
WCVB-TV Channel 5 News
Response:
From the online sources cited above:
NewsCenter 5's Steve Lacy reported that the seniors got the flu shots last fall and then, last week, the town sent an envelope with all their personal information, including names, ages, addresses and Social Security numbers to Medicare as part of the reimbursement process.
All those listed were age 65 or older.
[Evan] Wonderful. Seniors are typically the easiest targets with much to lose.
The roster was mailed Feb. 21 by the town to Medicare for reimbursement.
The envelope arrived but was missing the list of names
Wellesley police were notified and launched an investigation, as has the U.S. Postal Inspection Service.
The sealed envelope was reportedly hand-delivered to the post office for mailing, which reduces the chances the information was stolen.
[Evan] This does not reduce the risk to a point that would be acceptable to me. Hand delivering the envelope to the post office eliminates one opportunity (maybe two) for loss, and that is between the Health Department office and the post office. It does not take into account theft or loss at the post office, between post offices, between the destination post office and the Medicare processing office, or within the Medicare processing office. Not to mention data destruction procedures once the information has been entered into the systems. In my opinion, this is a poor attempt at minimizing the situation.
The Postal Service is trying to determine whether theft or mechanical failure was to blame.
"There would be no reason why we would have questioned or hesitated using the US Postal Service to do this," Cohen said of the department's choice to send personal information through the mail. "We've been doing it for years this way. And I suspect most providers do it this way.", Shepard Cohen, chairman of the Board of Health in Wellesley
[Evan] Really? Do you think it's OK to send personal information including Social Security numbers in the mail nowadays? This is a fantastic opportunity for identity thieves. If I had a dime for every time I've heard "We've been doing it for years this way", I would be a rich man. Times change, people change, technology changes, an ______ changes (fill in the blank). Don't you think processes should change too?
One possible sign of ID theft is if consumers fail to receive bills, because thieves sometimes change mailing addresses to cover their tracks. Another is if consumers receive credit cards they did not apply for or if they are suddenly denied credit. Also, if consumers receive telephone calls about items they have not purchased.
The town said it will be mailing letters to anyone effected by early next week.
Commentary:
I wish that Mr. Cohen was wrong when he stated "I suspect most providers do it this way", but I would be fooling myself if I thought it weren't true. Most providers probably do follow similar processes that put confidential information at risk. Confidential information is money in the right (or wrong) hands.
Possible solutions...
Don't use Social Security numbers as identifiers (probably a lot of work!).
Send the information on an encrypted CD.
Send the information through a VPN
______ (add your own).
Past Breaches:
Unknown
Date Reported:2/29/08
Organization:
Town of Wellesley, Massachusetts
Contractor/Consultant/Branch:
Wellesley Health Department
Victims:
Certain town residents who received flu shots, all over the age of 65
Number Affected:
480
Types of Data:
Names, dates of birth, addresses, and Social Security numbers
Breach Description:
An envelope containing sensitive personal information belonging to seniors was sent from the Wellesley Health Department to a Medicare processing office in Charlestown. When the envelope arrived it was missing the list of information. The U.S. Postal Inspection Service and local police are investigating.
Reference URL:
The Boston Globe
WCVB-TV Channel 5
The Boston Herald
Report Credit:
WCVB-TV Channel 5 News
Response:
From the online sources cited above:
NewsCenter 5's Steve Lacy reported that the seniors got the flu shots last fall and then, last week, the town sent an envelope with all their personal information, including names, ages, addresses and Social Security numbers to Medicare as part of the reimbursement process.
All those listed were age 65 or older.
[Evan] Wonderful. Seniors are typically the easiest targets with much to lose.
The roster was mailed Feb. 21 by the town to Medicare for reimbursement.
The envelope arrived but was missing the list of names
Wellesley police were notified and launched an investigation, as has the U.S. Postal Inspection Service.
The sealed envelope was reportedly hand-delivered to the post office for mailing, which reduces the chances the information was stolen.
[Evan] This does not reduce the risk to a point that would be acceptable to me. Hand delivering the envelope to the post office eliminates one opportunity (maybe two) for loss, and that is between the Health Department office and the post office. It does not take into account theft or loss at the post office, between post offices, between the destination post office and the Medicare processing office, or within the Medicare processing office. Not to mention data destruction procedures once the information has been entered into the systems. In my opinion, this is a poor attempt at minimizing the situation.
The Postal Service is trying to determine whether theft or mechanical failure was to blame.
"There would be no reason why we would have questioned or hesitated using the US Postal Service to do this," Cohen said of the department's choice to send personal information through the mail. "We've been doing it for years this way. And I suspect most providers do it this way.", Shepard Cohen, chairman of the Board of Health in Wellesley
[Evan] Really? Do you think it's OK to send personal information including Social Security numbers in the mail nowadays? This is a fantastic opportunity for identity thieves. If I had a dime for every time I've heard "We've been doing it for years this way", I would be a rich man. Times change, people change, technology changes, an ______ changes (fill in the blank). Don't you think processes should change too?
One possible sign of ID theft is if consumers fail to receive bills, because thieves sometimes change mailing addresses to cover their tracks. Another is if consumers receive credit cards they did not apply for or if they are suddenly denied credit. Also, if consumers receive telephone calls about items they have not purchased.
The town said it will be mailing letters to anyone effected by early next week.
Commentary:
I wish that Mr. Cohen was wrong when he stated "I suspect most providers do it this way", but I would be fooling myself if I thought it weren't true. Most providers probably do follow similar processes that put confidential information at risk. Confidential information is money in the right (or wrong) hands.
Possible solutions...
Don't use Social Security numbers as identifiers (probably a lot of work!).
Send the information on an encrypted CD.
Send the information through a VPN
______ (add your own).
Past Breaches:
Unknown
Posts Atom 1.0
Comments