29,808 Care1st members affected by lost CD


Date Reported:
7/6/10

Organization:
State of California
Care1st Health Plan

Contractor/Consultant/Branch:
California Department of Health Care Services (DHCS)

Location:
Sacramento, California

Victims:
Care1st members

Number Affected:
29,808

Types of Data:
"personal information, including names and addresses"

Breach Description:
"SACRAMENTO – The California Department of Health Care Services (DHCS) has reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members."

Reference URL:
California DHCS News Release (pdf)

Report Credit:
California Department of Health Care Services (DHCS)

Response:
From the online source cited above:

SACRAMENTO – The California Department of Health Care Services (DHCS) has reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan.
[Evan] There is no reason to send confidential information on compact discs (CDs). There are much more efficient and secure methods to transfer information.

The CD contains personal information, including names and addresses, for 29,808 Care 1st members.
[Evan] This is a little confusing to me. Was the personal information limited to names and addresses, or does this concern other personal information, including names and addresses? If this breach was limited to names and addresses, then I cannot see how this qualifies as a breach that requires any notification.

Without proper encryption, which is required by DHCS of all its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users.

Care 1st cannot confirm that the CD was encrypted.

Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.
[Evan] There’s got to be sensitive information in addition to names and addresses.

DHCS and Care 1st consider the protection of confidential personal information a top priority.
[Evan] My wife reminds me all of the time that actions speak louder than words.

When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises.

DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format.
[Evan] Unfortunately, this is where far too many organizations stop. They may inform their third-party providers and partners about requirements, but fail to audit and enforce the requirements. All third-party agreements that concern the transfer of confidential information should include the right to audit, and information security personnel need to certify compliance.

Care 1st now submits the information using secure electronic transfer rather than CDs.
[Evan] Good! This is much more efficient and hopefully secure (depending upon implementation).

DHCS has taken extensive steps to eliminate the use of CDs to transmit personal information and to implement electronic transfers for such information.

Nearly all transactions are now carried out via secure electronic transfers or, in limited cases, via encrypted CDs.

Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries.

The members whose information is contained on the misplaced CD are mostly Medicare recipients.

On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.

On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD.

The letters gave the members information on steps they may take to protect themselves from any possibility of identity theft.

Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.

DHCS has been implementing numerous steps to protect information for more than two years.

During this period, it has successfully converted all mainframe computer tapes and paper reports containing confidential data to a secured electronic transfer.

This includes approximately 600 annual exchanges and more than 400 paper reports (approximately 1.7 million pages printed annually) containing thousands and, in some cases, millions of records of beneficiary data.
[Evan] Seems like a good target for the bad guys.

Commentary:
I don't doubt that DHCS takes information security seriously or that it has made significant investments in information security. It's nice to know. A very significant part of most information security programs is third-party information security management, and in this area we find the failure that led to this breach.

I would still like to know what the "personal information" is exactly.

Past Breaches:
State of California:
Numerous
