Personal information of 103,000 doctors from 11 states posted to web site

Date Reported:
2/27/08

Organization:
Health Net, Inc.

Contractor/Consultant/Branch:
Health Net Federal Services

Victims:
Doctors in eleven states*

*The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.

Number Affected:
103,000

Types of Data:
Names, Social Security numbers, work addresses, and national insurance identification numbers.

Breach Description:
Health Net Federal Services inadvertently posted sensitive personal information to a publicly accessible web server. The breach affects as many as 103,000 doctors from eleven states.

Reference URL:
WEAU Channel 13 News
WDTN Channel 2 News
Radio Iowa news story

Report Credit:
WEAU Channel 13 News

Response:
From the online sources cited above:

Health Net Federal Services representatives told us Wednesday night the company notified 103-thousand doctors in eleven states that their personal information was openly posted on a company website.
[Evan] I assume that this was a publicly accessible web site, but this isn't clear.

The company is a government contractor that deals with health insurance for military families and veterans.

The states involved include Wisconsin, Michigan, Illinois, Indiana, Ohio, Pennsylvania, Tennessee, Iowa, Missouri, Kentucky and West Virginia.

Director of Communications, Molly Tuttle, says the information was accidentally posted to the website for about two months, and involved doctors who had filed a claim with the company between September of 2005 and September of 2006.
[Evan] I wonder how it was detected. Two months is plenty of time for search bots to index the site if it was publicly accessible.

The mistake was attributed to human error and software problems.
[Evan] Both?

Health Net Federal Services is now paying for a year's worth of credit monitoring for the doctors involved, and is not aware of any circumstances where the personal information of any doctor has been obtained or used illegally.
[Evan] Monitoring for one year, Social Security number for life.

"Protecting the privacy of our providers’ personal information is a critical priority at Health Net Federal Services. Unfortunately, in late December 2007, we were notified of potential vulnerability for us that provider data was accessible through our Web site that included social security numbers of a limited group of network and non-network providers.

Since that time, Health Net has sealed this data gap, notified the providers whose data was potentially accessible, and reported the incident to our customer.
[Evan] What "data gap"? They didn't "seal" the employee that made the mistake, did they?

In an abundance of caution, Health Net hired outside IT security experts to test our security measures and found them sound.

We regret any alarm this may have caused

Some doctors have complained in emails obtained by NewsCenter 13, that credit monitoring for a year isn't enough.

Commentary:
In the WEAU article, the Medical Director for the Western Division of Marshfield Clinic, Dr. Greg Burnett, mentions how the clinic is pushing for the use of national insurance numbers (NPIs) instead of Social Security numbers and other personal information. This is a great idea! Today, doctors are required to give their personal information to insurance companies.

Also, in light of the recent online mistake, Burnett now says Marshfield Clinic is trying to decide whether ending its business relationship with Health Net Federal Services would better protect its doctors in the future.

According to the report there were two causes of this breach, "human error and software problems". It's hard to believe that it was both at the same time. Humans will always be humans, and we will always make mistakes.

Past Breaches:
January, 2008 - 5,000 Health Net employees affected by stolen laptop
