New Hampshire Medicare recipients affected by email mistake

Date Reported:
12/17/08

Organization:
State of New Hampshire

Contractor/Consultant/Branch:
Department of Health and Human Services

Location:
Concord, New Hampshire

Victims:
Clients (Medicare Part D recipients)

Number Affected:
"about 9,300"

Types of Data:
"names, addresses, Medicare Part D plan information, Social Security numbers and the amount of each person's monthly premium"

Breach Description:
"CONCORD, N.H. (AP) - The New Hampshire's Department of Health and Human Services mistakenly released the Social Security numbers and other personal information of about 9,300 Medicare Part D recipients two weeks ago."

Reference URL:

Associated Press via WCAX-TV

Report Credit:
Associated Press

Response:
From the online sources cited above:

CONCORD, N.H. (AP) — The New Hampshire health department mistakenly released 9,300 names and Social Security numbers of Medicare recipients.

In letters to clients and service providers obtained Wednesday by The Associated Press, the Department of Health and Human Services said it is taking steps to make sure no information is used illegally.
[Evan] Hmm.  How do you make sure that "no information is used illegally"?

It urged the people affected to initiate credit fraud alerts or to freeze their accounts.

"We have no evidence that the information has been misused or distributed further," Associate Commissioner Nancy Rollins said in a letter to affected clients.

Rollins said 9,300 clients are affected by the breach, the first at the department.
[Evan] Not only is this the first breach I have posted concerning the department, this is the first breach I have posted concerning any State of New Hampshire agency.

Their information was mistakenly attached to a Dec. 1 e-mail sent to 61 providers and health-related organizations, such as nursing homes and home health care agencies.

The attachment contained names, addresses, Medicare Part D plan information, Social Security numbers and the amount of each person's monthly premiums.

The department said it discovered the breach on Dec. 4 and asked agencies that received the e-mail to delete the information.
[Evan] How does the Department of Health and Human Services intend, or do they intend, to ensure compliance with this request to their agencies?

Rollins urged clients to pay close attention to insurance claim notices and warned them not to divulge additional information to callers claiming to represent the department.

Rollins defended the delay in notifying clients and the media.

"The decision was to work with our providers. It had not gone out in any kind of public document," she said.

Commentary:
Shucks.  People make mistakes.  We all do.  It's part of what makes human beings human.  I know I make my share of mistakes as my wife will surely attest.  We can only implement technological controls in so many places.  No matter what we do, we still rely on secure people and process too.  How do we make "secure people"?

We try with information security training (good training, not the kind you get out of a box) and constant awareness campaigns.  Does your organization employ an information security awareness campaign?

Past Breaches:
Unknown


 