Personal member information on The Dental Network website

Date Reported:
3/10/08

Organization:
The Dental Network (TDN)

Contractor/Consultant/Branch:
None

Victims:
Members

Number Affected:
Unknown

Types of Data:
Names, Social Security numbers, addresses and dates of birth

Breach Description:
"On February 20, 2008, The Dental Network (TDN) learned that, for a limited period of time, access to member data on its website was left unprotected from outside exposure.  This data included personal information that included name, Social Security number, address(es) and date of birth."

Reference URL:
The New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

This letter is to inform you of a privacy incident affecting residents of your state. We have been hired by The Dental Network to notify and provide identity theft protection to the population of persons whose personal information was compromised as the result of a recent security breach that occurred on The Dental Network's public website.
[Evan] The letter is written by Identity Safeguards, not TDN.

On February 20, 2008, The Dental Network (TDN) learned that, for a limited period of time, access to member data on its website was left unprotected from outside exposure. This data included personal information that included name, Social Security number, address(es) and date of birth.

Identity Safeguards and The Dental Network wanted to inform you of this privacy incident and make you aware that The Dental Network has secured robust protection for those who were affected. In addition to making sure that The Dental Network properly notified those whose information was compromised, our company is also providing a one-year membership in our identity theft protection and restoration program. The service includes 12 months of credit monitoring, as well as fraud restoration services and a $30,000 insurance reimbursement component should anyone experience ID theft as a result of this incident. This membership is paid for entirely by The Dental Network.
[Evan] It's good to see that The Dental Network has notified the affected individuals (which they are probably obligated to by law) and arranged for some protection, but is this an Identity Safeguards brochure or is this a breach notification?

Our company has been providing identity theft services to individuals and organizations since 2003.  We have been a leader in the industry since then, and we also recently received a blanket purchase agreement from the General Services Administration (GSA), to provide independent risk analysis to state or federal agencies in the event of a data breach. We have serviced over 100 data breaches and millions of victims in this time.
[Evan] Holy cow!  This is a sales brochure.  How "independent" is it really, when the company providing the risk analysis of a breach also markets and sells additional protection services?

Please be assured that your data is now secure and that a careful and thorough investigation into the potential risk to members has been our top priority since this was first discovered. TDN understands the value of your personal information and the potential risk that such a breach presents
[Evan] How can one secure confidential information that has been disclosed?  Can you "undisclose" it?

Has my personal information been stolen or compromised?
At this time, we have no evidence that anyone has used the personal information that was maintained on our website. You are only being notified because, for approximately two weeks, your personal data was accessible to the public. While such exposure does not necessarily mean that your personal information was taken, any risk - regardless of how slight - should be taken seriously.
[Evan] Has the information been stolen?  I would guess probably not.  Has the information been compromised?  Yes.  In this case, if the confidentiality of information cannot be reasonably assured, then I consider the information "compromised".  Risk is very difficult to judge in this case due to lack of available information.

Has TDN resolved the issue that allowed this breach to occur?
Yes, upon learning of the breach, the TDN website was taken offline immediately.  The data is now secure, and the issues leading to this breach have been corrected.
[Evan] What were the issues that led to this breach?  Why was personally identifiable information, and especially Social Security numbers, available on the website to begin with?

We have set-up a dedicated website - ids.thedentalnet.org/ - that offers a one-stop site that features answers to questions you may have

Commentary:
This is the first time I can recall (in recent memory) that a contractor (Identity Safeguards) issues the breach notification completely, on behalf of the organization that experienced the breach.  If I were a victim, I don't know how this would make me feel.  Identity Safeguards wasn't responsible for the breach, The Dental Network was.  Maybe I would rather hear from them, it's hard to say.  I was also a little disappointed by the Identity Safeguards sales pitch.

After reading the breach notification and letter to affected individuals, I am left with more questions than answers.  The personally identifiable information belongs to the person, not the organization.  This being said, I hope affected persons are getting all of the answers they should demand.

Past Breaches:
Unknown


 