We got the following notice in our e-mail from Laer Pearce & Associates:
Regarding the item you ran recently regarding a data breach at CalOptima, this matter has been resolved successfully.
From the healthcare blog at today's Orange County Register: Lost personal information of Medical members is found
October 29th, 2009, 6:00 am by Courtney Perkes
CalOptima, the county's Medi-Cal provider, has found lost electronic claims records that contain identifying information belonging to as many as 68,000 members.
Discs of data were lost two weeks ago after being sent certified mail by CalOptima's scanning vendor.
When only the packaging arrived, but not the box with the discs, CalOptima notified the state.
On Wednesday, the U.S. Postal Service located the discs in Atlanta, said Margaret Tatar, director of public affairs.
The discs were not password protected, but it appears no one accessed the confidential information, Tatar said.
CalOptima had planned to send letters notifying members of the lost information and offering them credit monitoring services.
Anyone with questions should call 800-509-4225 or visit http://www.caloptima.org/
The medical record data for adults and children included names, addresses, birthdays and some Social Security numbers.
Emphases are mine.
Well, that's surprising. My understanding is that one usually doesn't recover contents lost in the mail. On the other hand, I've never seen actual numbers backing up such claims, which are probably apocryphal anyway. Regardless, kudos to the US Postal Service.
I'm not too crazy about one aspect, though: The disks were not password-protected. I dislike that word, password-protection. It's better than nothing, but as countless data security guys will tell you, password-protection is worth next to nothing. Mentioning password-protection in notices such as this one spreads around the opposite notion: "Ah! If only the CDs had password-protection! The data would have been safe!"
What they really should be mentioning is the lack of use of encryption. I'm surprised; CalOptima's spokesperson had already said that they plan to "find out why the third-party claims-scanning vendor did not encrypt the data," meaning they already knew what the correct data protection tool was.
Overall, all's well that ends well. CalOptima lucked out big time, though. They really ought to follow up with their vendor and make sure it doesn't happen again.