Discarded insurance documents return to haunt three years later
Date Reported:
8/16/10
Organization:
American Fidelity Assurance Company
Contractor/Consultant/Branch:
None
Location:
Victims:
Customers
Number Affected:
"hundreds"
Types of Data:
Personal information typically found on "insurance and related employee forms". Names, addresses, Social Security numbers, etc.
Breach Description:
An Edmond, Oklahoma couple found hundreds of confidential documents inside storage containers located on a curb during trash day. The couple stored the documents for three years, and only recently reported their finding. The documents include hundreds of insurance-related forms, allegedly from American Fidelity Assurance Company.
Reference URL:
KWTV News9.com
Official statement from American Fidelity Assurance Company
Report Credit:
Ed Murray, News 9
Response:
From the online source cited above:
OKLAHOMA CITY -- When you work for a company that provides health insurance and you fill out all that personal paperwork, you think that information will stay private.
[Evan] Yes, you would like to think this.
But that's not always the case.
[Evan] Not even close.
An Edmond couple said they found hundreds of personal employee documents that were supposed to be in the care of American Fidelity Assurance.
NEWS 9 is one of the many Oklahoma companies whose employee records are involved.
The people who found these documents asked their identity be protected in this story.
"I had two to three drawers full of this information," an Edmond woman said.
The woman said she and her husband found the documents inside storage containers on a curb they salvaged on a trash day in an Edmond neighborhood.
[Evan] Identities treated like trash, or at least the information tied to identities.
"Really, frankly, made us kind of mad because people, their lives are in this," she said.
The couple said they found more than 50 folders full of insurance and related employee forms for companies across Oklahoma.
"I have a lot of your staff members' Social Security numbers, their dependents, all their information, when they get paid...all of that is in here," the woman said.
The folders came from American Fidelity Assurance, which is headquartered in Oklahoma City and is one of the largest private, family-owned life and health insurance companies in the United States.
"We took the folders and put them away in the filing cabinets in our storage room because we didn't know what to do with them because we didn't want to throw them out either," she said.
[Evan] Not a good idea. If you take possession of sensitive information, you become involved as a custodian of the information. There could be some liability on the part of this couple if they had lost the information.
Three years later the couple discovered the documents again while emptying that storage room for a garage sale.
[Evan] So these people had the information for three years!? And they didn't tell anyone about it until now? What were these people thinking?
"And it just made me mad all over again," she said.
The woman called NEWS 9 and we called American Fidelity.
Two days later, NEWS 9 gave all of the documents to an AFA representative.
Company officials don't want to go on camera at this point, but did give a statement:
"Though it appears these documents have been safely secured since they were obtained a few years ago, they should have never left our possession. There is no evidence at this time that the information has been misused, and we believe the likelihood of misuse is low...We are in the process of notifying those customers involved. We regret this happened and apologize."
[Evan] How does the company explain a breach like this that happened three years ago?
NEWS 9 contacted the State Insurance Commissioner's office. A spokesman said there is no state law that spells out exactly how records must be stored or destroyed, but there are penalties for handling them with negligence.
The commissioner's office will be contacting parties involved in this situation which could lead to a full investigation.
[Evan] Nobody wants a full investigation from the commissioner's office, do they?
Commentary:
A breach like this drives home one of our guiding principles: "Information security is not an IT issue".
Past Breaches:
Unknown