Laptop stolen from HealthSpring employee affects members

Date Reported:
5/22/08

Organization:
HealthSpring

Contractor/Consultant/Branch:
None

Victims:
Members

Number Affected:
~9,000

Types of Data:
"names, dates of birth and social security numbers"

Breach Description:
HealthSpring Inc. is notifying members whose personal information was stored on a stolen laptop computer used by an employee of the company.

Reference URL:
The Tennessean

Report Credit:
Wendy Lee, The Tennessean by way of Attrition.org Data Loss Archive and Database

Response:
From the online source cited above:

Nashville-based managed care company HealthSpring Inc. said Wednesday a laptop computer containing personal information of about 450 state residents was stolen in March.

The laptop, believed to contain names, dates of birth and social security numbers of about 9,000 individuals, was stolen from a HealthSpring employee's locked car on March 30 in Houston.
[Evan] Why was it important for this information to be stored on a laptop computer (without encryption)?  This is a question to which data owners (affected members) should be able to demand an answer.  This was not company information; this was information that was entrusted to the company by the members.

HealthSpring said the theft was reported to police on April 1 and it does not believe any of the information on the laptop has been misused.
[Evan] IF it were to be misused, I doubt we would see signs of it (yet).

The company sent a letter dated May 7 to the individuals affected by the theft, encouraging them to use a credit monitoring and identity theft restoration service.

HealthSpring will pay for the service.
[Evan] I did not find details that outline how long the company will pay for the service, but the "standard" is one year.  Identity thieves know this, and what do you think they are likely to do?  Wait a year (or however long the paid-for service runs), then use the information.  I don't want to spread fear, but the threat is real.  Chances are probably less than 50/50 that this will happen, but why should a victim have to worry due to a data custodian's (HealthSpring in this instance) poor protection?

"We take it very seriously and feel badly about it," said Jerry Coil, executive vice president and chief operating officer.

He added that he thinks it's "highly unlikely" any data was compromised.
[Evan] Based on?

The stolen laptop was password protected but not encrypted.
[Evan] The "highly unlikely" assessment certainly couldn't be based on this fact.

Coil said the company has been in the process of encrypting all of its laptops and desktop computers.
[Evan] An excellent step in the right direction.

Commentary:
Breaches resulting from a lost or stolen laptop computer containing confidential information without encryption are NOT breaking news.  These are reported regularly.  So what would be the excuse?  It's hard to claim that you didn't know any better.

Past Breaches:
Unknown


 