Laptop stolen from a Quest Diagnostics employee

Date Reported:
5/30/08

Organization:
Quest Diagnostics

Contractor/Consultant/Branch:
None

Victims:
Patients*

*assumed

Number Affected:
Unknown (the Maryland notification covers three Maryland residents; the total is not stated)

Types of Data:
"name, address, and social security number"

Breach Description:
On May 1, 2008 a Quest Diagnostics employee's password protected laptop computer, which contained certain personally identifiable information, was stolen.

Reference URL:
Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

This letter is being sent to you in accordance with the requirements of the Maryland Personal Information Protection Act to advise you of the breach of security of personal data of certain Maryland residents.

The breach arose out of the theft of a password protected laptop computer of one of our employees on May 1, 2008.
[Evan] Really, what does the "password protected" mention have to do with anything, other than to convince the reader that the laptop was better protected than it actually was?  A login password is an access control enforced by the running operating system; it does nothing for the data at rest.  Whoever has the machine can boot from other media or pull the drive and read the files directly.  Password protection (alone) is just not adequate for sensitive confidential information, unless of course an organization has deemed the risk not significant enough to warrant further protection such as full-disk encryption coupled with strong authentication.  I presume that the laptop was not protected with encryption, since the notice does not mention it.  To me, the risk seems significant enough.

The personal data includes the name, address and social security number

At this time we have no reason to believe this incident will lead to fraudulent credit applications or other identity theft crimes.
[Evan] Yep, but the company DID unnecessarily increase the risk of this happening to someone now and in the future.

Nevertheless, because the laptop which includes this information cannot be located, we want to notify you about this incident.

To further reduce the risk of any harm to you we are offering you a credit monitoring product to identify any potential misuse of your personal information.

Quest Diagnostics takes the issue of safeguarding private information very seriously.  For this reason, our data privacy and security policies incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information.
[Evan] Nice!  This statement sounds very impressive and uses some common information security best practices lingo.  Did any of these "data privacy and security policies" that "incorporate comprehensive physical, technical and administrative processes and employee training designed to protect the privacy and security of data and minimize the risk of inappropriate access to sensitive information" protect the information on the laptop?  Do any of these things include restrictions on confidential information stored on mobile devices or encryption of data at rest?

We deeply regret any inconvenience caused by this incident and appreciate your understanding.

If you have any questions, please feel free to call Lisa Mullaly, Information Technology Compliance Director at , extension 6147 at your convenience.

Commentary:
I may have been a little harsh in my comments, but I think I was justified.  Breaches like these are so preventable.  Hey, there's another best practice security lingo term: preventative controls.  According to the breach notification, this breach affected three Maryland residents.  Whether the total number affected is larger is not known, since the notice only covers Maryland residents.
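The question raised twice above, whether the policy actually puts encryption under the data at rest on an employee laptop, is something a practitioner can verify rather than assume. The following is an added example, not code from the original post or from Quest Diagnostics: a Python audit that parses the key/value output of lsblk on a Linux laptop and reports every mounted filesystem with no dm-crypt (LUKS) layer beneath it, which is exactly the "password protected but not encrypted" state the notice describes. The Linux/LUKS layout, the device names and the two sample lsblk outputs are constructed assumptions; Windows (BitLocker) and macOS (FileVault) have their own status commands and are not covered here.

```python
"""Audit lsblk output for mounted filesystems with no dm-crypt/LUKS layer beneath them.

Added example, not from the original post. Assumes a Linux host and the
key/value output of `lsblk -P -o NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT`
(util-linux). PKNAME is the parent kernel device name, which lets us walk
from a mounted filesystem down to the physical disk and see whether a
TYPE="crypt" mapping sits anywhere on that path.
"""
import shlex
import subprocess

# Mounts that are expected to be unencrypted on a LUKS laptop: the bootloader
# has to read them before the passphrase is entered.
BOOT_MOUNTS = {"/boot", "/boot/efi"}

# Constructed sample: a "password protected" laptop. OS login only, plain ext4
# root and plain swap, so pulling the drive exposes everything.
PASSWORD_ONLY = """\
NAME="sda" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" PKNAME="sda" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sda3" PKNAME="sda" TYPE="part" FSTYPE="swap" MOUNTPOINT="[SWAP]"
"""

# Constructed sample: LUKS with LVM on top, the layout most installers produce.
LUKS_LVM = """\
NAME="nvme0n1" PKNAME="" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot"
NAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" PKNAME="nvme0n1p3" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT=""
NAME="vg-root" PKNAME="cryptroot" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/"
NAME="vg-swap" PKNAME="cryptroot" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]"
"""


def parse_lsblk_pairs(text):
    """Turn `lsblk -P` lines into a dict keyed by device NAME."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex handles the KEY="value" quoting, including empty values.
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted(name, devices):
    """True if the device or any ancestor on its parent chain is a dm-crypt mapping."""
    seen = set()
    while name and name in devices and name not in seen:
        seen.add(name)
        if devices[name].get("TYPE") == "crypt":
            return True
        name = devices[name].get("PKNAME", "")
    return False


def unencrypted_mounts(text, allow=BOOT_MOUNTS):
    """Return sorted (mountpoint, device) pairs for mounted filesystems that
    have no encryption layer beneath them, skipping the allowed boot mounts.
    Swap is deliberately included: unencrypted swap leaks memory contents."""
    devices = parse_lsblk_pairs(text)
    findings = []
    for name, dev in devices.items():
        mountpoint = dev.get("MOUNTPOINT", "")
        if not mountpoint or mountpoint in allow:
            continue
        if not is_encrypted(name, devices):
            findings.append((mountpoint, name))
    return sorted(findings)


def audit_live_host():
    """Run the check against the machine this script is executed on."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,PKNAME,TYPE,FSTYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for label, sample in (("password-only laptop", PASSWORD_ONLY), ("LUKS+LVM laptop", LUKS_LVM)):
        findings = unencrypted_mounts(sample)
        print(f"{label}: {'OK, all data mounts encrypted' if not findings else findings}")
```

Against the constructed samples the password-only layout reports "/" and "[SWAP]" as unencrypted while the LUKS layout reports nothing; `audit_live_host()` applies the same logic to a real machine, and passing `allow=set()` also lists the boot partitions so they can be reviewed for anything sensitive. Encryption that is present but unlocked by a passphrase stored next to the disk, or a TPM that releases the key without any user factor, would still pass this check, which is why the commentary above pairs encryption with strong authentication.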

Past Breaches:
Unknown

Comments
  • 6/17/2008 5:23 PM Dissent wrote:
    Sometimes harshness is warranted.

    Although I didn't name them specifically in my blog entry on the inclusion of false reassurances that a lost or stolen device was "password-protected," they certainly fall under the umbrella of cases I was discussing.
    1. 6/18/2008 10:45 AM Evan Francen wrote:
      Right on Dissent.  Once again, we see eye to eye.  I really enjoy your commentary and blog.

  • 6/18/2008 11:45 AM Dissent wrote:
    Your blog really belongs on my site, you know. :)

    I originally wanted to allow commentary in the news section of my site but the spam killed all thoughts of that and I simply don't have time to blog about every breach -- it's all I can do to report all the ones I find as well as other privacy-related news.

    I think it's wonderful that you provide this commentary and forum. Maybe we can figure out a way for us to xref even more.
