Human error is blamed in WellCare Health Plans breach

Date Reported:
4/7/08

Organization:
WellCare of Georgia, Inc.*

*WellCare Health Plans, Inc. provides managed care services exclusively for government-sponsored healthcare programs, focusing on Medicaid and Medicare. Headquartered in Tampa, Florida, WellCare offers a variety of health plans for families, children, the aged, blind and disabled and prescription drug plans, currently serving more than 2.3 million members nationwide.

Contractor/Consultant/Branch:
None

Victims:
Members of "Georgia Families"

Number Affected:
up to 71,000

Types of Data:
"name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, social security number or other health plan related information"

Breach Description:
"ATLANTA, GA (April 7, 2008) — WellCare of Georgia, Inc. today announced that a human error made some Georgia Families member data available on the Internet. On March 28th, WellCare secured the data on its own computer systems and by April 2nd, all WellCare member information had been removed from the Internet."

Reference URL:
WellCare announcement
Triangle Business Journal
The Atlanta Journal-Constitution
The Tampa Tribune

Report Credit:
WellCare Health Plans

Response:
From the online sources cited above:

Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.

“We were able to determine what data was available on the Internet,” explained Anil Kottoor, WellCare’s chief information officer, “and we are notifying anyone who might have been affected.”

A human error allowed the information to be accessible for an unknown period of time, but the secret data was removed from the Internet on April 2. It was not immediately known when the data breach occurred or how long the secret data was available.

The state of Georgia said it was notified March 31.

WellCare believes that this affected only our Georgia Families membership in Georgia, and not our Medicare coordinated care, private fee-for-service or prescription drug plan membership.

The files exposed did not contain credit card, debit card or financial account numbers.

They may have contained personal identifying information, such as a member’s name, birth date, dates of eligibility, Medicaid or PeachCare for Kids™ member identification number, social security number or other health plan related information.

About 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare.

"There is a possibility that an initial 59,000 members may have had some personal information made accessible, so we are notifying them as well, just to be safe," Knapp said. (spokeswoman Amy Knapp)

At this time, WellCare is not aware of any misuse of its member information due to the accidental exposure of the file on the Internet.

A Web developer prepared a copy of a DCH report folder that was "to be deployed to our Georgia Web portal" but instead made it accessible on the Internet.
[Evan] Ugh.  I can state from a lot of first-hand experience that developers can either be your information security best friend or your information security worst enemy.  Developers who put functionality and usability first without taking information security into account along the way can be dangerous.  Effective information security governance and information security training and awareness can help significantly.  Having said all of that, people are people and we all make mistakes.  I wonder if there is room for significant process improvement here though.

She said at least 53 folders of names were accessed 248 times.
[Evan] This means that the folders and files did not go completely unnoticed.
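Figures like "53 folders accessed 248 times" come from the web server's access log, and the same log is what tells a response team which folders were actually delivered, to how many distinct outside clients, over what window, and whether a search engine crawler fetched (and may have cached) the files. The script below is an added example for this post, not anything WellCare or its reporters published; the log lines are constructed in Apache combined format with RFC 5737 documentation addresses, and the /dch/reports/ path and the 10.0.0.0/8 "internal" range are assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

# Constructed access-log lines standing in for the exposed server's log.
# Paths, timestamps and counts are made up; they are not from the incident.
SAMPLE_LOG = """\
10.20.1.5 - - [28/Mar/2008:09:12:01 -0400] "GET /dch/reports/2008-01/eligibility.csv HTTP/1.1" 200 48213 "-" "Mozilla/4.0"
198.51.100.23 - - [29/Mar/2008:14:02:44 -0400] "GET /dch/reports/2008-01/eligibility.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Mar/2008:14:03:10 -0400] "GET /dch/reports/2008-02/ HTTP/1.1" 200 1311 "-" "Mozilla/5.0"
203.0.113.8 - - [30/Mar/2008:03:40:59 -0400] "GET /dch/reports/2008-02/members.csv HTTP/1.1" 200 77120 "-" "Googlebot/2.1"
203.0.113.8 - - [30/Mar/2008:03:41:02 -0400] "GET /dch/reports/2008-03/members.csv HTTP/1.1" 404 512 "-" "Googlebot/2.1"
192.0.2.77 - - [31/Mar/2008:22:15:37 -0400] "GET /portal/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption for the example: the organisation's own address space. Hits from
# here are staff checking the files, not unauthorised access.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def scope_exposure(lines: Iterable[str], exposed_prefix: str) -> dict:
    """Summarise successful external requests under the exposed folder."""
    folder_hits: Dict[str, int] = {}
    clients = set()
    first = last = None
    crawler_hits = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(exposed_prefix):
            continue
        # Only 2xx responses delivered content; internal hits are not exposure.
        if not 200 <= rec["status"] < 300 or is_internal(rec["ip"]):
            continue
        folder = rec["path"].rsplit("/", 1)[0] + "/"
        folder_hits[folder] = folder_hits.get(folder, 0) + 1
        clients.add(rec["ip"])
        if "bot" in rec["ua"].lower():
            crawler_hits += 1  # a crawler fetch means the file may be cached elsewhere
        first = rec["ts"] if first is None or rec["ts"] < first else first
        last = rec["ts"] if last is None or rec["ts"] > last else last
    return {
        "requests": sum(folder_hits.values()),
        "folders": folder_hits,
        "distinct_clients": len(clients),
        "crawler_hits": crawler_hits,
        "first_seen": first.isoformat() if first else None,
        "last_seen": last.isoformat() if last else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_exposure(SAMPLE_LOG, "/dch/reports/"), indent=2))
```

Note what the summary cannot tell you: the log only covers the retention window, so "first_seen" is a lower bound on when exposure began, which is why WellCare could say the data was removed on April 2 but not when it first became reachable.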

WellCare is now notifying in writing the members who could have been affected by this incident. Members should receive those letters by the middle of this week.

WellCare is offering to pay for one year of credit monitoring for those individuals.
[Evan] Every time I see this offering in a breach notification I feel like this is really short-sighted.  Better than nothing I guess, but people need to recognize it for what it is.

“We regret that this incident occurred,” said Mike Cotton, president of WellCare’s Georgia region. “WellCare takes the privacy and security of personal information very seriously. It is an honor to serve our members in Georgia, and we apologize for any inconvenience this issue has caused.”

To ensure its data security for the future, WellCare has retained a national information technology firm to perform a full assessment of its security and privacy controls.
[Evan] I wonder who.  A "national information technology firm" means very little to me.  The "national information technology firm" may do a good job for helping improve "information technology", but who is going to handle "information security"?  Information security is NOT an information technology issue.  It's bigger than that.

Commentary:
This breach is being chalked up as human error, but I think there are many times when "human error" could have been avoided by effective processes and controls.  I appreciate WellCare's candid explanation and attempt to make things better.

Past Breaches:
Unknown
