Inadvertent internal email leads to KCI breach

Date Reported:
9/14/10

Organization:
Kinetic Concepts, Inc.

Contractor/Consultant/Branch:
None

Location:
In transit

Victims:
Employees

Number Affected:
Undisclosed

Types of Data:
Personal information, "such as name, address, date of birth and Social Security number"

Breach Description:
Kinetic Concepts, Inc. ("KCI") has notified the New Hampshire Attorney General of a breach.  The breach occurred when an email attachment containing personal information belonging to KCI employees was inadvertently distributed to other KCI employees.

Reference URL:
The New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire Attorney General

Response:
From the online source cited above:

We recently became aware of an incident involving an email attachment that inadvertently was distributed to employees of Kinetic Concepts, Inc. ("KCI").

The attachment contained personal information of certain KCI employees, such as name, address, date of birth and Social Security number.
[Evan] I'm just speculating, but this seems like an HR blunder.  HR people need comprehensive security training and awareness.  They work with very sensitive employment data.

While the personal information was accessed by some KCI employees, we are not aware at this time of any identity theft resulting from this incident.

We have taken steps to delete the relevant email and the attachment from our servers.
[Evan] One problem with email is the ease with which you can forward it somewhere else.  A good rule of thumb: never use email to transfer sensitive information (in the traditional sense).  If you must use email to send sensitive information, use secure email; there are many solutions available.

We regret that this incident may affect you.

We take our obligation to safeguard employee personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself.

We encourage you to remain vigilant and regularly review and monitor your credit reports.

The attached Reference Guide provides details on these and other steps you may wish to consider.

You are entitled under U.S. law to one free credit report annually from each of the three national credit bureaus.

To order your free credit report, call toll-free at or visit www.annualcreditreport.com.
To further assist you, we recommend that you register for identity protection under the Debix Identity Protection Network, which we have arranged to provide for one year at no charge to you.
We hope this information is useful to you.

If you would like to speak with us, please call our dedicated KCI/Debix hotline toll-free at , Monday through Saturday, between 9 a.m. CST and 5 p.m. CST.

Again, we regret any inconvenience this may cause you.
[Evan] What will the company do in order to reduce the likelihood of a similar future occurrence?

Commentary:
Just so I'm not missing anything: this breach resulted from an internal email sent with an attachment containing sensitive personal information.  I can't tell you how many times I have seen emails just like this one.  The difference is that management (and legal) in those companies decided against notification because in their opinion it wasn't a breach.  What's your take?  Would you consider this incident to be a breach?  If so, would you recommend public notification?

I consider this incident to be a breach, but my definition may be more strict than most. Would I recommend public notification?  This is a tougher question.  I suppose you might have no choice.  You could make the case that this incident is an internal matter that does not affect anyone outside of the company.  What does the law say?

Posted by Evan Francen, President of FRSecure LLC.
About FRSecure LLC

Past Breaches:
Unknown
