[ISN] Missing insurance disc found

From: InfoSec News (alerts@private)
Date: Thu Mar 15 2007 - 22:20:37 PST


March 14, 2007

A missing compact disc containing unprotected personal data for 75,000 
Empire Blue Cross Blue Shield members was recovered four days after the 
insurer began warning customers about potential privacy violations.

The disc, which had been missing since January, was found Wednesday 
afternoon, Empire spokeswoman Lisa Greiner said. A statement from Empire 
did not say where the disc was found or whether patient confidentiality 
had been violated.

Empire is a subsidiary of Indianapolis-based WellPoint Inc., which 
reported a separate security breach in Massachusetts last month.

In the latest incident, Health Data Management Systems had placed the 
disc in a UPS drop box in Chicago in January, but it never reached its 
Philadelphia destination, Health Data spokeswoman Oonagh Holt said.

UPS ships 15.6 million packages daily worldwide and less than 1 percent 
wind up missing, a UPS spokeswoman said.

Health Data normally sends confidential information via an encrypted 
e-mail or through a secure Web site, according to Holt. But her company 
and the contractor that was supposed to receive the disc, Magellan 
Behavioral Health Services, agreed to the unprotected format.

"That's not our policy, but in this situation both parties had agreed to 
do it that way," she said.

She referred questions on the agreement to Magellan. Representatives 
there did not return several phone calls seeking comment.

The disc contained information dating from 2003, including names, Social 
Security numbers and health plan identification numbers for mostly New 
York-area members, Greiner said.

Greiner said Empire sent the information to Health Data in an encrypted 
format and requires information sent by vendors to be protected as well.

Ohio-based Health Data cleans data and puts it in an easy-to-use format 
so people can review it, Holt said.

Magellan serves as a benefit program administrator for Empire.

Empire first learned about the missing disc Feb. 9 and started a review 
to determine which members were affected. It began sending letters to 
those members on Saturday.

Empire plans to offer free credit monitoring for a year to affected 
members, Greiner said.

In a separate incident, WellPoint notified nearly 200,000 members last 
month that personal information stored on back up computer tapes was 
stolen in October from the office of a Massachusetts vendor.

Greiner said there was no indication the WellPoint information was 
targeted. The insurer has received no reports of privacy violations from 

That incident affected members in Ohio, Indiana, Kentucky and Virginia.

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Thu Mar 15 2007 - 22:31:17 PST