40,000 BlueCross BlueShield members notified of lost laptop
Technorati Tag: Security Breach
Date Reported:
3/10/08
Organization:
HealthNow New York Inc.
Contractor/Consultant/Branch:
BlueCross BlueShield of Western New York
Victims:
Healthcare members
Number Affected:
40,000
Types of Data:
Names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers
Breach Description:
"Blue-Cross Blue-Shield of Western New York says it is notifying tens of thousands of its members about identity theft concerns after one of its company laptops went missing."
Reference URL:
The Buffalo News
WIVB Channel 4 News
WGRZ Channel 2 News
Report Credit:
WGRZ Channel 2 News
Response:
From the online sources cited above:
HealthNow New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago.
The Buffalo-based parent of BlueCross BlueShield of Western New York sent letters late last week to the affected customers, even though officials are still not certain what, if anything, was on the computer.
[Evan] Not sure where confidential information is? Sad, common and true.
Based on the company’s investigation, the potential information includes names, dates of birth, Social Security numbers, addresses, employer group names, and health insurance identifier numbers.
There was no health or medical claims information involved.
[Evan] I think a name, date of birth, Social Security number, address, and employer should be enough to do some damage.
HealthNow has arranged for any affected member to receive a one-year free membership in Equifax Credit Watch, to monitor for identity theft.
The laptop was not encrypted, but does have security features, including the requirement to enter the user’s identification number and passcode after 15 minutes of inactivity.
[Evan] OK, seriously? Does anyone expect a username and password to stop someone with even novice computer skills? I am assuming that this is a Windows laptop, all the more simple.
The company shut down the laptop's access to the corporate network, and has not detected any activity from the laptop since the disappearance.
[Evan] Shut down the laptop's access, or access from the user ID of the person who had been using the laptop? Semantics, I know. The information that may be on the laptop is the real concern.
The employee is no longer with HealthNow, having accepted a position at another company out of state, but the insurer is still in contact.
The company is reconfiguring its claims software system, and the employee had downloaded some member information to his laptop while working on the project so he could work either in the building or at home.
[Evan] Too many "no-nos". "No-no" #1 is not knowing where confidential information resides within the organization. "No-no" #2 is allowing confidential information onto mobile devices without additional controls such as encryption. "No-no" #3 is working with sensitive confidential information for software development and testing purposes. Only sanitized information should be used for development and test work.
The laptop was reported missing in late fall, but the company did not notify customers until now because officials wanted to make sure whether such action would be necessary.
[Evan] This is way too long! An excerpt from New York Bill A02261 "Notice of Information Breach" can be found in the commentary below.
Officials first "spent an exorbitant amount of time" to try and locate the laptop, which they still believe is in the company's building.
Using the company’s shared drive and with the cooperation of the employee, officials retraced his path to determine what information he was working with. The company then set up the credit-monitoring, and began contacting members last Thursday and Friday.
"We didn’t want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with," she said. "With all of the factors and orchestrating credit monitoring, we do believe our response time has been reasonable."
[Evan] "We didn't want to have to reach out to our members and cause them unnecessary worry until we knew the potential of what we were dealing with" is a terrible reason to delay notification. BlueCross BlueShield needs to understand that they are NOT the information owners.
The company has also tightened its policies and procedures about use of laptops and other mobile devices "to ensure that the policies are more strict," she said. She added that officials are also encrypting all information on laptops "to prevent this situation from recurring."
[Evan] Of the "No-nos" I mentioned above, this takes care of one.
Commentary:
Another unencrypted laptop goes missing, and it may or may not have contained sensitive personal information. Do you think John Doe from XYZ company thought twice about filling out his health insurance forms on his first day of work? He probably just expected better protection from a company that handles thousands of personal records.
I am certainly not a lawyer, nor am I qualified to give legal advice of any kind, but this is a simple copy and paste...
Excerpt from New York Bill A02261:
"ANY PERSON, FIRM, PARTNERSHIP, ASSOCIATION OR CORPORATION THAT COLLECTS, OWNS, MAINTAINS OR USES PERSONAL INFORMATION SHALL DISCLOSE A BREACH OF SECURITY RELATED TO UNENCRYPTED OR NON-REDACTED PERSONAL INFORMATION CONCERNING TWENTY-FIVE OR MORE RESIDENTS OF NEW YORK. THE DISCLOSURE SHALL BE MADE WITHIN TWO BUSINESS DAYS AFTER LEARNING OF THE BREACH OF SECURITY, BUT MAY BE DELAYED IF A LAW ENFORCEMENT AGENCY DETERMINES THAT THE NOTIFICATION WILL IMPEDE A CRIMINAL INVESTIGATION. THE NOTIFICATION REQUIRED BY THIS SECTION SHALL BE MADE AFTER THE LAW ENFORCEMENT AGENCY DETERMINES THAT IT WILL NOT COMPROMISE THE INVESTIGATION."
Past Breaches:
Unknown
My agency was just notified yesterday that 10 of our clients MAY have been affected, and now I find out this has been known since the fall? Totally unacceptable.