http://www.startribune.com/stories/462/5457557.html Glenn Howatt Star Tribune June 15, 2005 Computer hackers twice stole sensitive and confidential data from Medica Health Plans computers in January and shut down parts of the company's computer system on four other occasions. The intruders downloaded the digital equivalent of a 140,000-page Microsoft Word document, Medica said in court papers, but the Minnetonka-based health plan was unable to determine what had been taken. In April, Medica obtained federal court orders against two former employees that it suspected of committing the security breaches. The orders required them to provide an accounting of the downloaded data and to turn over their personal computers for an inspection. Both defendants deny that they had violated Medica policies, as well as a federal law that prohibits the unauthorized use of electronic data. Medica has not referred the case to federal officials for prosecution, and the workers have not been charged with a crime. A Medica official said this week that it was unlikely that personal information about Medica's 1.2 million members had fallen into the wrong hands but that its investigation is continuing. The intruders seemed most concerned about company trade secrets and employee evaluations, a spokesman said. Health plans like Medica store the same types of sensitive private information that would be sought after by identity thieves: Social Security numbers, addresses, birth dates, employment information and names of relatives. Recent security breaches at the data giants LexisNexis and ChoicePoint, where sensitive personal information was lost to hackers or deceptions, as well as the loss of Bank of America data tapes containing personal financial information, are reigniting concerns about how to improve privacy protections. "Most of us in health care organizations have a tremendous amount of data," said Carol Quinsey of the American Health Information Management Association, which helps companies take data security measures. "It is bad enough that the health plan's security was breached," Quinsey said. "The next worse scenario would be if the [perpetrators] would use that data in a nefarious way and perpetuate identity theft." Medica spokesman Larry Bussey said that the health plan has no evidence that any of the information taken from its computers had yet been misused. "We believe that our system is very secure. We've never had any external break-in to the system," he said. Instead, according to Medica, two computer system employees conspired to disrupt Medica's system and to access confidential information. The employees, Austin Vhason and Pushpa Leadholm, were two of the six employees who had the power to set computer passwords, according to court documents. The two used this access to give extraordinary powers to computer log-ons used for training purposes, and they also created fake log-ons -- including one that was constructed from the backward spelling of "goddess," the documents said. Between them, the documents said, the employees used these accounts to download data, to cause some parts of the computer system to crash and to delete e-mail accounts of executives. They made copies of e-mails that contained reports from the chief executive to the board, performance reviews of information-systems personnel and communications to Medica's attorneys about ongoing lawsuits, the documents said. They also read e-mails about the company's investigation into the security breaches, using that information to cover their own tracks, according to the documents. "We do background checks on employees that have this level of access," Bussey said. "One thing you can't control for is someone abusing the trust you've placed in them." After hiring an outside computer forensics expert, Medica officials tracked much of this activity to the homes of the two employees, who accessed the system through their cable modems. Medica placed both employees on paid suspension in February and later fired them Both workers deny that they have done anything improper and allege that Medica filed the lawsuit to retaliate against them. Both employees had filed complaints that they were discriminated against because they were minority members. "My client feels that Medica was not providing the same opportunities to minorities as it was to Caucasians," Ryan Pacyga, the attorney representing Vhason, said Tuesday. Both employees had talked to the federal Equal Employment Opportunity Commission and a formal complaint was filed on March 31, according to attorney James Behrenbrinker, who represents Leadholm. "There is a claim alleging discrimination of race in national origin and retaliation," he said Tuesday. They cannot sue Medica for discrimination until federal authorities rule on the merits of their complaints, he said. "My client voluntarily turned over her computers" for inspection by Medica, he added. "Mrs. Leadholm wanted to cooperate and wanted to show them that she didn't do anything wrong. This is a bad deal for her." Medica spokesman Bussey said he would not comment on the discrimination charges. He said Medica stores data on several computer systems. The ones that were inappropriately accessed stored business information. Still, those computers contained data that Medica deemed sensitive and confidential. "They seemed to be more interested in business information," Bussey said. "They didn't seem to be even trying to get into places where member information would be stored." Computer security consultant Quinsey said there's only so much that a company can do to protect data from wayward employees. "What prudent employers have always done is have clear policies in place that say if employees abuse, then litigation will be filed and you will be appropriately challenged," she said. Although Medica has obtained court orders barring Vhason and Leadholm from disseminating any data they might have downloaded, a trial to determine whether they had acted improperly is pending while attorneys from both sides gather more information. _________________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 23-28 - 2,000+ international security experts, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jun 14 2005 - 23:08:59 PDT