http://www.businessweek.com/ap/financialnews/D8NS71VG2.htm By TOM MURPHY INDIANAPOLIS March 14, 2007 A missing compact disc containing unprotected personal data for 75,000 Empire Blue Cross Blue Shield members was recovered four days after the insurer began warning customers about potential privacy violations. The disc, which had been missing since January, was found Wednesday afternoon, Empire spokeswoman Lisa Greiner said. A statement from Empire did not say where the disc was found or whether patient confidentiality had been violated. Empire is a subsidiary of Indianapolis-based WellPoint Inc., which reported a separate security breach in Massachusetts last month. In the latest incident, Health Data Management Systems had placed the disc in a UPS drop box in Chicago in January, but it never reached its Philadelphia destination, Health Data spokeswoman Oonagh Holt said. UPS ships 15.6 million packages daily worldwide and less than 1 percent wind up missing, a UPS spokeswoman said. Health Data normally sends confidential information via an encrypted e-mail or through a secure Web site, according to Holt. But her company and the contractor that was supposed to receive the disc, Magellan Behavioral Health Services, agreed to the unprotected format. "That's not our policy, but in this situation both parties had agreed to do it that way," she said. She referred questions on the agreement to Magellan. Representatives there did not return several phone calls seeking comment. The disc contained information dating from 2003, including names, Social Security numbers and health plan identification numbers for mostly New York-area members, Greiner said. Greiner said Empire sent the information to Health Data in an encrypted format and requires information sent by vendors to be protected as well. Ohio-based Health Data cleans data and puts it in an easy-to-use format so people can review it, Holt said. Magellan serves as a benefit program administrator for Empire. Empire first learned about the missing disc Feb. 9 and started a review to determine which members were affected. It began sending letters to those members on Saturday. Empire plans to offer free credit monitoring for a year to affected members, Greiner said. In a separate incident, WellPoint notified nearly 200,000 members last month that personal information stored on back up computer tapes was stolen in October from the office of a Massachusetts vendor. Greiner said there was no indication the WellPoint information was targeted. The insurer has received no reports of privacy violations from it. That incident affected members in Ohio, Indiana, Kentucky and Virginia. _________________________________________ Visit the InfoSec News Security Bookstore http://www.shopinfosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Mar 15 2007 - 22:31:17 PST