According to databreaches.net, ValueOptions, Inc. filed a breach notification letter with the New Hampshire Attorney General's Office (and the New York State Consumer Protection Office). The letter describes how a shipment of backup tapes was lost while being transferred via UPS. The tapes were not protected with data encryption software like AlertBoot.
Personal information was stored on the missing backup tapes: names, addresses, dates of birth, telephone numbers, SSNs, and subscriber IDs.
Under the New Hampshire notification letter, ValueOptions (VOI) noted that 350 NH residents were involved. The figure reported for New York was 6,669.
One can only assume more people are involved, however. According to a Wikipedia entry (always to be taken with a grain of salt), VOI is "the largest privately-owned behavioral health maintenance organization" and it has centers in 15 states. Under these circumstances, it seems unlikely that only information related to NH and NY residents was lost, especially when you consider that four tapes were involved: that particular data storage medium is noted for its capacity. Text-based information for approximately 7,000 people wouldn't require four tapes.
On the other hand, in both the NH and NY instances, the lost information revolves around members of the National Elevator Industry.
Of course, it looks like we won't really know the total figure unless the above is a HIPAA situation, in which case the HITECH Breach Notification Rule will kick in (due to the lack of encryption software, an excellent data security measure): once more than 500 people are affected, the breached entity must report the situation to the Department of Health and Human Services (HHS). The HHS, in turn, is required to make public any such instances (as of 20 NOV 2011, there isn't an entry for ValueOptions).
Moreover, if the HIPAA scenario is valid, then I imagine that state AGs can expect even more breach notification letters like the above: VOI is an HMO, so naturally it has a number of corporate clients who'll probably have to file similar letters.
I found a potentially small problem with VOI's actions. While their notification letter was very forthcoming, it had its drawbacks, as I noted in the comments section at databreaches.net:
From this page (http://www.valueoptions.com/providers/ProCompliance.htm), it appears that ValueOptions is a HIPAA covered entity (to be honest, I can't tell if they're actually covered or if they decided to follow HIPAA regardless). Assuming it is a covered entity, ValueOptions is in breach of the BNR [HITECH Breach Notification Rule] since it exceeded the 60 calendar days for notifying affected people: AUG 4 to NOV 4 is 95 days.
As Dissent over at databreaches.net noted,
Unfortunately, in their attempt to inform the state and to show how low the risk of misuse was, ValueOptions included information as to the precise manufacturer and model of cartridge tapes and the type of server needed to read the data. That was not only unnecessary but counterproductive, and I suspect that they may not have realized that their notification would wind up on the Internet. While I doubt that anyone who finds the cartridges or who may have stolen them would come across the notification and immediately rush out to get an obsolete server to read the tapes, you never know.
I'm in agreement with pretty much everything written above. In fact, I'm leaning towards blaming the Attorney General's office for this particular slip. ValueOptions and its associates would have probably assumed that the letter wouldn't be made public (which is not a bad assumption to make; not too many AGs go public with notification letters, after all). Plus, VOI has to make its case that the probability of a breach is low, and the make and model of the hardware can go a long way towards making that argument.
And, last but not least, the AG's office had the ability to take a Sharpie and just black out the appropriate information before posting it on-line. I mean, I bet it would have been done if only one person was affected and the reporting organization had actually included his SSN in the letter!
Apart from noting the "precise manufacturer and model of cartridge tapes and the type of server needed to read the data," VOI noted in its notification letter to the AG that "this model is considered obsolete and is no longer supported...."
The implication is, of course, there's a very low risk of a data breach: the tape hooks up to obsolete hardware. It's like finding your insurance company lost a bunch of 5.25" diskettes. Where are you going to find the hardware for those, right?
A quick on-line search shows that you can get a 5.25" drive for $200 or less. As for the obsolete hardware that VOI was using: I did a quick search on Google, and there appears to be a significant market that deals with the sale and resale of such equipment. Even on eBay I was able to find over 20 devices listed, ranging from $2,500 and down.
Economics-wise, it doesn't make sense to make such a purchase on everyone's favorite on-line bazaar, given the current black market prices for stolen SSNs. But still, I would like to point out that just because the "manufacturer considers it obsolete" doesn't mean that something's actually obsolete.
Related Articles and Sites:
http://www.databreaches.net/?p=21465
http://doj.nh.gov/consumer/security-breaches/documents/valueoptions-20111028.pdf