Blue Cross Blue Shield of Louisiana email exposes broker information
Technorati Tag: Security Breach
Date Reported:
9/30/08
Organization:
Blue Cross Blue Shield of Louisiana
Contractor/Consultant/Branch:
None
Location:
Baton Rouge, Louisiana
Victims:
"independent agents, called producers"
Number Affected:
"more than 1,700"
Types of Data:
"names, addresses, telephone numbers, birth dates and Social Security numbers"
Breach Description:
"BATON ROUGE, La.- Blue Cross & Blue Shield of Louisiana compromised the personal data of about 1,700 brokers via an e-mail last week, exposing information such as Social Security numbers, phone numbers and addresses, according to a Blue Cross spokesman."
Reference URL:
The Times-Picayune
Business Insurance
Report Credit:
Jaquetta White, The Times-Picayune
Response:
From the online sources cited above:
The names, addresses, telephone numbers, birth dates and Social Security numbers of more than 1,700 independent agents for Blue Cross and Blue Shield of Louisiana were accidentally included in an e-mail sent to the insurer's agents last week.
An e-mail about plans to update an internal operating system contained a spreadsheet attachment that listed personal information for more than 1,700 Blue Cross providers.
The independent agents, called producers, whose information was revealed are the same agents who received the message.
No customer information was leaked, said John Maginnis, a spokesman for the insurer.
The e-mail went out Thursday about 4 p.m. informing the agents about the launch of a new program.
Instead of pulling only the recipients' e-mail addresses for the mass mailing, the sender included a file with e-mail addresses and other personal data.
[Evan] Who was "the sender"? An employee or contractor?
Blue Cross responded to the initial e-mail minutes later asking that it be recalled.
[Evan] Can you imagine the "Oh %#&@!"?
On Friday, an executive at the company sent out a note to the agents apologizing for "an accidental compromise of your personal data."
"We sincerely apologize for this computer error and assure you that we have taken appropriate measures to prevent future errors of this type," Mike Reitz, senior vice president and chief marketing officer of Blue Cross/Blue Shield Louisiana wrote to the victims of the breach. "We want to assure you that your privacy is our priority and we take it very seriously."
[Evan] Was the cause of this breach a computer error, human error, or process error? The company claims a computer error, but I'm inclined to believe that it was a combination of factors. Computers only do what they are told to do. What were the "appropriate measures" taken by the organization? It seems likely that the company already assumed that they had "appropriate measures" before this incident occurred. Mr. Reitz is noted as the Chief Marketing Officer, but on the Blue Cross Blue Shield of Louisiana web site he is listed as the Interim President and Chief Executive Officer.
Blue Cross has offered free credit monitoring for one year to those agents whose information was released.
Commentary:
People make mistakes and I understand this. This fact holds true in any organization. So what can we do as information security professionals to limit the frequency and impact of the "human factor"? Some administrative controls that might help include training and constant awareness, segregation of duties, job rotation, and process change. There are also some technological solutions that could help. Appropriate controls vary from organization to organization. What works for one may not apply well for another.
It is also important to recognize that it is impossible to bring the risk (of unauthorized disclosure, modification and destruction) to zero. Having said this, we understand that we are not in the risk elimination business (impossible), but we are in the risk reduction/management business.
I don't know much detail about this breach so I can only infer as to the direct cause.
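One shape the "technological solutions" mentioned above can take is an outbound-mail gate that does two things the reported sequence of events lacked: it pulls only the recipient addresses out of the producer roster, and it scans anything attached to a mass mailing for fields that look like Social Security numbers, birth dates or phone numbers before the message leaves. The script below is an added illustration written for this commentary, not code from the original post or from Blue Cross; the roster contents, column names, attachment names and the blocking rule are all constructed assumptions.

```python
"""
Added example (not from the original post): a minimal outbound-mail gate.

1. extract_recipients() pulls only the e-mail column out of a producer roster,
   so the mass mailing never carries the rest of each row.
2. scan_attachment() is a small data-loss-prevention check run on every
   attachment before send; it reports columns that look like SSNs, dates of
   birth or phone numbers.
3. prepare_mailing() ties the two together and withholds any attachment that
   trips the blocking rule.

All roster data below is constructed and fictitious; column names, attachment
names and the 50% match threshold are assumptions for this illustration.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample roster of the kind a producer spreadsheet might hold.
SAMPLE_ROSTER = """name,email,phone,dob,ssn,address
Jane Doe,jane.doe@example.com,225-555-0101,1971-04-12,123-45-6789,"1 Main St, Baton Rouge, LA"
John Roe,john.roe@example.com,504-555-0199,1965-11-30,321-54-9876,"2 Oak Ave, New Orleans, LA"
Ann Poe,ann.poe@example.com,318-555-0123,1980-02-03,555-12-3456,"3 Pine Rd, Shreveport, LA"
"""

# Constructed benign attachment: a launch schedule, which legitimately holds dates.
SAMPLE_SCHEDULE = """topic,date
New producer portal launch,2008-10-06
Producer training webinar,2008-10-13
"""

ATTACHMENTS = {"producer_roster.csv": SAMPLE_ROSTER, "program_schedule.csv": SAMPLE_SCHEDULE}

# Per-value patterns for sensitive fields (anchored; applied to whole cells).
PATTERNS = {
    # NNN-NN-NNNN or nine bare digits, excluding area numbers 000, 666, 9xx
    "ssn": re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$"),
    # ISO date or m/d/yy(yy); note this cannot tell a DOB from any other date
    "dob": re.compile(r"^(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})$"),
    # North American ten-digit phone number with common separators
    "phone": re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$"),
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_recipients(roster_csv: str, email_column: str = "email") -> List[str]:
    """Return only the addresses to mail, never the surrounding row data."""
    reader = csv.DictReader(io.StringIO(roster_csv))
    recipients = []
    for row in reader:
        addr = (row.get(email_column) or "").strip()
        if EMAIL_RE.match(addr):
            recipients.append(addr)
    return recipients


def scan_attachment(attachment_csv: str, threshold: float = 0.5) -> Dict[str, List[str]]:
    """Map each sensitive pattern to the columns whose non-empty cells match it
    in at least `threshold` of rows. Empty result means nothing was flagged."""
    reader = csv.DictReader(io.StringIO(attachment_csv))
    rows = list(reader)
    findings: Dict[str, List[str]] = {}
    for column in reader.fieldnames or []:
        values = [(r.get(column) or "").strip() for r in rows]
        values = [v for v in values if v]
        if not values:
            continue
        for label, pattern in PATTERNS.items():
            hits = sum(1 for v in values if pattern.match(v))
            if hits / len(values) >= threshold:
                findings.setdefault(label, []).append(column)
    return findings


def is_blocked(findings: Dict[str, List[str]]) -> bool:
    """Blocking rule (assumption): any SSN column blocks outright; otherwise two
    or more sensitive categories together block. A lone date column (e.g. a
    schedule) is allowed through, which limits false positives on the dob rule."""
    return "ssn" in findings or len(findings) >= 2


def prepare_mailing(roster_csv: str, attachments: Dict[str, str]
                    ) -> Tuple[List[str], List[str], Dict[str, Dict[str, List[str]]]]:
    """Return (recipients, attachments cleared to send, attachments withheld with
    the findings that caused it)."""
    recipients = extract_recipients(roster_csv)
    allowed: List[str] = []
    blocked: Dict[str, Dict[str, List[str]]] = {}
    for name, content in attachments.items():
        findings = scan_attachment(content)
        if is_blocked(findings):
            blocked[name] = findings
        else:
            allowed.append(name)
    return recipients, allowed, blocked


if __name__ == "__main__":
    to, ok, held = prepare_mailing(SAMPLE_ROSTER, ATTACHMENTS)
    print("recipients:", to)
    print("cleared:", ok)
    for name, why in held.items():
        print(f"withheld {name}: {why}")
```

The roster itself is what gets withheld here, while the schedule passes even though its date column matches the dob pattern; that is the point of weighting the rule rather than blocking on any single match. A gate like this does not replace the process controls discussed above, since it only sees what the sender hands it, but it converts the "Oh %#&@!" moment into a refusal before the message goes out.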
Past Breaches:
Unknown