Update 29 OCT 2009: CDs recovered.
CalOptima in Orange County has announced the loss of several CDs containing personal information of members. It will affect approximately 68,000 people. The use of data encryption software like AlertBoot would have been extremely useful, on a number of fronts.
The CDs contained "names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers," according to computerworld.com.
These had been mailed (via certified mail) to CalOptima by one of its vendors. While not identified, it looks like the vendor was engaged in scanning paper documents into digital versions.
The box sent by the vendor, however, was empty when CalOptima received it. Nothing suggested that the CDs were stolen in transit, and the package apparently arrived at CalOptima undamaged, which implies the box was sent empty and that the vendor should still have the CDs. They have not been found to date, however.
CalOptima is busy with post-breach actions. One of them is an inquiry into how the data on the CDs was protected. A spokesman for the health plan has stated that "the health plan (CalOptima) also wants to find out why the third-party claims-scanning vendor did not encrypt the data."
In other words, it looks like there was an agreement in place that the data would be protected via encryption. Why wasn't it? Many inquiring minds want to know, and the question makes sense when you consider the following:
Encryption provides safe harbor under California law. It's true. If the information had been encrypted prior to its loss, the loss would not have required public disclosure. The practical caveat is that the safe harbor only means something if the decryption key did not travel with the discs; a key taped inside the same box protects nothing.
Encryption provides data protection. Aside from the legal protection, encryption software also provides technical protection: it actually prevents someone from popping the CDs into a computer and reading the SSNs and everything else on them.
Stuff goes missing from packages all the time. Highlighting how badly things can go, two discs containing the UK's entire child benefit database went missing in transit in November 2007. They held data on 25 million people, out of a UK population of roughly 61 million. (Yikes!)
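To make the "technical protection" point concrete, here is an added example (written for this page, not code from AlertBoot, CalOptima or the vendor) of what a vendor should have done before burning member records to a disc: encrypt the export with AES-256-GCM under a random key that is sent to the recipient separately. The CSV rows are constructed, fictional sample data; the function names (NewKey, Seal, Open, ExposesRecords) are this example's own. It shows that the blob on the disc reveals none of the record fields, that the recipient with the key recovers the export intact, and that a wrong key or a single flipped bit is rejected rather than decrypted to garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleExport is a constructed, fictional stand-in for the kind of member
// records the post describes. It is not data from the incident.
const SampleExport = "member_id,name,dob,ssn,diagnosis_code\n" +
	"1001,Jane Doe,1970-01-02,123-45-6789,E11.9\n" +
	"1002,John Roe,1965-07-14,987-65-4321,I10\n"

// NewKey returns a random 256-bit AES key. The key must reach the recipient by
// a separate channel (never in the same package as the disc), otherwise the
// encryption protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the export with AES-256-GCM under a fresh random nonce and
// returns nonce || ciphertext || tag. This blob, not the raw CSV, is what
// would be burned to the disc.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. A wrong key or any modified byte of the blob fails the
// GCM tag check and yields an error instead of partially decrypted garbage.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ExposesRecords reports whether the sample's identifying fields are readable
// verbatim in the given bytes, i.e. whether popping the disc into a computer
// would show SSNs without the key.
func ExposesRecords(data []byte) bool {
	return bytes.Contains(data, []byte("123-45-6789")) ||
		bytes.Contains(data, []byte("Jane Doe"))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, []byte(SampleExport))
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw export exposes records: %v\n", ExposesRecords([]byte(SampleExport)))
	fmt.Printf("encrypted blob exposes records: %v\n", ExposesRecords(blob))

	if pt, err := Open(key, blob); err == nil && bytes.Equal(pt, []byte(SampleExport)) {
		fmt.Println("recipient with the key: export recovered intact")
	}
	if _, err := Open(make([]byte, 32), blob); err != nil {
		fmt.Println("finder without the key:", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := Open(key, blob); err != nil {
		fmt.Println("tampered disc with the right key:", err)
	}
}
```

The design point is the separation of the two things that travel: the disc carries only nonce, ciphertext and authentication tag, while the 32-byte key goes by another route. Whoever ends up with an empty box, a misdelivered package or a disc found in a parking lot has nothing usable without that second piece.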
Who's responsible for the breach? Well, it turns out it's CalOptima. The loss was caused by another party, but since it's the health plan's information, the health plan is the one held accountable (I'm not a lawyer, but I've heard this over and over again).
This is, among other reasons I'm sure, why CalOptima is contacting members, offering them credit monitoring services, and so on.
Take it from me: this is not the last time you're going to hear about a third party setting off a data breach. It seems to me, based on how people are acting, that maybe third parties should be held accountable, too. Sure, the vendor will lose CalOptima's business, but doesn't the fact that the law doesn't actually go after them create something of a "moral hazard"?
I'd assume so, especially when you consider that CD encryption was supposed to be used.
Related Articles and Sites:
http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_members_may_be_compromised
http://datalossdb.org/incidents/2395-names-home-addresses-dates-of-birth-and-medical-information-of-68-000-on-lost-discs