Eleven missing disks containing sensitive pensioner information
Technorati Tag: Security Breach
Date Reported:
10/23/08
Organization:
School Employee Retirement System of Ohio (SERS)
State Teachers Retirement System of Ohio
Ohio Police and Fire Pension Fund
Ohio Highway Patrol Retirement System
Contractor/Consultant/Branch:
Medical Mutual of Ohio
Location:
Columbus, Ohio
Victims:
Retirees from the organizations listed above
Number Affected:
"Upwards of 36,000"
Types of Data:
"personal information" used for medical "claims reconciliation purposes"*
*"SERS’ understanding that the affected individuals’ names, Social Security numbers, date of birth, claim number, covered charges, and deductible amount were included on the lost disks" Source: SERS Taking Steps to Protect Retiree and Employee Data
Breach Description:
"Cleveland - Eleven computer disks containing personal information on thousands of Ohio retirees are missing and are believed to be somewhere in the US Postal Service, Medical Mutual of Ohio announced today."
Reference URL:
Medical Mutual of Ohio Press Release
Cleveland Live
Associated Press via Columbus Channel 4 News
School Employee Retirement System (SERS)
Report Credit:
Medical Mutual of Ohio
Response:
From the online sources cited above:
Cleveland - Eleven computer disks containing personal information on thousands of Ohio retirees are missing and are believed to be somewhere in the US Postal Service, Medical Mutual of Ohio announced today.
[Evan] I have said this before, but I will say it again. I do not recommend sending confidential information through the US Postal Service. Mail gets lost from time to time and it is too easily intercepted. Eleven disks go poof! Encrypted? I doubt it, otherwise it probably would have been mentioned.
The disks contain member data for five retiree groups, which include the School Employee Retirement System (SERS) and its employees, the State Teachers Retirement System (STRS), Ohio Police and Fire Fund and the Ohio Highway Patrol Retirement System.
Medical Mutual declined to give details about the types of member information contained on the lost disks.
It is SERS’ understanding that the affected individuals’ names, Social Security numbers, date of birth, claim number, covered charges, and deductible amount were included on the lost disks.
Upwards of 36,000 members may be potentially affected.
SERS has been told that information for approximately 1,700 SERS retirees and 100 SERS employees or their dependents is contained on the disks.
The Cleveland-based health insurer said it announced the potential loss and investigation today in order to notify retiree members in the quickest way possible.
Medical Mutual said it was notified by the retiree systems when the disks failed to arrive at their Columbus offices.
The disks were contained in packages routinely mailed monthly by Medical Mutual for claims reconciliation purposes to the affected parties’ central offices in Columbus.
[Evan] Does this mean that Medical Mutual and their customer organizations routinely send sensitive information to each other in a manner that is generally accepted as insecure? Did anyone even think to question this process at any of the organizations?
Jared Chaney, Medical Mutual chief communications officer and executive vice president, said the company notified the US Postal Service as soon as it discovered the disks did not reach their destination and the Postal Service launched an investigation.
"We still believe the disks are somewhere in the postal system and we are doing everything in our power to help locate the missing disks," Chaney said.
"We are confident that we will locate them. We ask Ohio Retirement System (ORS) members not be alarmed. Our investigation, so far, indicates that insufficient postage was placed on the envelopes, therefore we believe they are likely to still be safe within the postal system," he added.
[Evan] I sincerely hope that they do locate the disks, but having indications of what happened should not be considered sufficient. This is one of the reasons why sending sensitive information through standard mail is not recommended. How do you prove what happened?
U.S. Postal Service spokesman Ray Jacobs says Medical Mutual notified the agency about the disks last week. He says the postal service can't confirm the disks were ever put in the mail.
Jacobs says a search of postal service plants, delivery units and a mail recovery center in Atlanta has turned up nothing.
While the investigation continues, Chaney said Medical Mutual is taking stringent measures to ensure the security of potentially affected customers.
[Evan] This is backwards. You can't ensure the security (confidentiality) of information that has been disclosed.
"If the disks are not located, Medical Mutual has a customer protection plan in place and we are ready to provide credit monitoring services, free credit reports, a hotline to answer our customers’ questions and help with resolving potential fraud," said Chaney.
[Evan] See my previous comment. Credit monitoring, free credit reports and a hotline don't make information confidential again (assuming it was in the first place). Monitoring is an "after-the-fact" or detective control, not a preventative one. Free credit reports are "point-in-time" or snapshot detective controls that also do nothing for prevention. I can only imagine the script reading a caller gets when calling the hotline. How can the company fix the root of the problem and ensure that this same type of breach does not happen again? I am more interested in the answer to this question.
Chaney strongly emphasized that no data appears to have fallen into the wrong hands.
"It is very important to stress that, to date and to the best of our knowledge, no personal information has been compromised in any way," he said.
[Evan] I guess I subscribe to a different definition of compromise. If I cannot make a reasonable account for the confidentiality, integrity, or availability of information, I consider it compromised. I don't need definitive proof of misuse and fraud in order to consider information compromised; loss of control is enough.
"Medical Mutual has always taken our customers’ security matters very seriously and will continue to do so."
[Evan] Well then. I didn't realize this so please disregard all previous comments.
ORS members with questions may call , the customer service number that is on the back of their Medical Mutual ID card.
Medical Mutual spokesman Ed Byers said the insurer planned to staff its customer service hotline from 8 a.m. to 4 p.m. on both Saturday and Sunday to handle calls about the information loss.
Going forward, SERS is requiring a change in the way this information is delivered by its medical vendors. SERS expects all information to be delivered electronically in a secure, encrypted fashion.
[Evan] A start and a very good one at that.
Commentary:
I made quite a few comments above, and I am tired now. Please comment if you have something you would like to add. HINT: Maybe Vendor/Third-Party policy and procedures.
Past Breaches:
Unknown