An incident recently occurred where a contractor for the State of Vermont accidentally posted the Social Security numbers for hundreds of healthcare workers within Vermont. The data existed on the web site for approximately one month before it was removed.
This demonstrates one of the multiple reasons why organizations must ensure the acceptable security practices of the business partners to whom they entrust sensitive information.
In this case, the contractor apparently did not have procedures in place to ensure only appropriate data was being posted to their web site, otherwise this incident likely would not have occurred. As a result, the State of Vermont now has to deal with the incident.
“In carrying out that task, the company obtained a list of health care providers from Cigna, the state’s current health care administrator. The lists, which contained taxpayer identification numbers and in some cases SSNs, were included as attachments for the RFPs and were subsequently posted on the state Web site — where the information remained for about a month before being removed, McIntire said.”
This also raises the question of why Cigna included the taxpayer IDs on the list of health care providers to use for the RFP to the contractor to begin with. Is such information necessary when posting an RFP? Without having much information to go on from the report it would seem to not be necessary. What responsibility does Cigna have in this incident? Should the State of Vermont have asked them not to have included PII within the information sent to the contractor? Should Cigna have had policies and procedures in place to not send such information?
The State of Vermont is offering 1 year of credit monitoring services to the impacted individuals, so that is a good thing. Organizations must take responsibility for the impact their incidents have upon individuals, and not push the brunt of the impact to the individual victims themselves, who will still need to take their own time, and often money, to deal with the repercussions.
In this situation Vermont was dealing with two business partners. The more business partners, vendors, and so on that an organization entrusts their PII to, the more vulnerabilities and threats that are created for the PII. The situation certainly can get very dicey, and security-convoluted, quite quickly.
A Few of the Lessons learned:
* Performing due diligence to ensure comprehensive information security programs and practices are implemented with business partners to whom you entrust sensitive information is not only a good idea for compliance reasons, it is necessary to protect your organization’s own business interests and reputation as well as your customers’ PII.
* As you increase the number of businesses to whom you entrust your PII, you increase exponentially the risks to the PII.
* All organizations need to have information security incident and privacy breach response and notification plans in place. This is something that concerns me greatly, and I’ve written often about it. Situations that lead to privacy breaches are described within the latest issue of the Cutter IT Journal for which I was guest editor, “Avoiding Privacy Pitfalls.” I will also be discussing the importance of having a breach incident response and notification plan in place, along with the necessary components for an effective plan, within a webinar I am giving January 23, “The Anatomy of a Privacy Breach.” If you have the opportunity to attend, I’d welcome your participation in the discussion.
Tags: awareness and training, data protection, Information Security, IT compliance, personal data breach, policies and procedures, privacy, privacy breach