A CD containing the clear text personal information of 75,000 WellPoint Empire Blue Cross and Blue Shield New York members that was reported lost on February 9 while being transported by UPS has been found.
The CD was lost when one of Wellpoint’s outsourced vendors, Health Data Management Solutions, sent the CD via UPS to Magellan Behavioral Health Services.
Wellpoint sent letters to the members on March 10 notifying them about the lost CD.
The CD contained names, Social Security numbers, health plan identification numbers, and description of medical services back to 2003.
“The company points out in the advisory that the CD was not transferred in accordance with WellPoint’s contractual terms with Magellan, which did not require HDMS to encrypt or password protect the data.
“We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer were unacceptable,” the advisory states.
“As a result, Magellan will now only transmit personal health information electronically through a secure network, eliminating CDs and the use of a delivery service.”
WellPoint adds that it will continue to investigate and use any additional findings to improve its security practices. The company set up a toll-free number for members who have questions or concerns about the data loss.”
Just a few of the lessons learned:
* Organizations must be diligent to ensure the organizations to whom they entrust handling and processing of their data have strong information security programs with enforced practices.
* Not only should contracts with outsourced vendors include detailed security requirements, they should also include sanctions/penalties for not following the security requirements.
* All organizations with personally identifiable information (PII) need to ensure they have a well documented incident response and breach response plan.
* PII that moves, either through public networks or on mobile storage devices, such as CDs, backup tapes, etc. need to be encrypted.
Organizations, and folks in general, must also realize that sending information using delivery services such as UPS, FedEx, DHL, and even the U.S. Postal Service cannot consider such methods as completely secure. They all have established percentages of “acceptable” loss rates for their deliveries. And, they all have significant human factors.
I personally experienced 3 incidents in the last two months with deliveries.
Most recently I was alarmed to go to my mailbox and find I had a huge stack of mail…all addressed to my neighbor who lives a mile down the road! (I live in the country, and that is my closest neighbor.) Not only did I have access to potentially sensitive information within this stack of mail for someone else, but I worried about who had MY mail! Since my business office is in my home, I get my business mail delivered here. I called the post office to report the error, it was 2pm, and no one answered! I let the phone ring, literally, for 60 straight minutes and no one ever answered. (That is another long story.) Fortunately my neighbor up the road in the other direction showed up around 4:30pm to give me my stack of mail that she had mistakenly received. I took my other neighbor’s mail down the road to them, and they also had someone else’s mail. We had more traffic than usual on our road that day just through the mail swapping. Appears the mail delivery person got off one house throughout his route. This mis-delivery of mail is not the first time it has happened…to me or to other folks in other states I know. Moral of the story; the post office can and DOES sometimes make mistakes, putting mail, with potentially sensitive information, into the hands of unintended recipients. They also have thefts occur from their mail delivery trucks, as I have blogged about here.
Last month I received three packages, left tied in a stack by our garage, from UPS. Two of the packages were for me, but the package sandwiched between the other two was addressed for someone in Wyoming, Michigan…several hundred miles from here!
And there is a recurring error with the post office over the past few years; they keep delivering mail to me addressed to Rebecca He*****d who has the same city address, but a completely different street address many miles from my house.
We need to keep after delivery services to do more to prevent such delivery errors. However, the human factors involved will mean that even with the most stringent procedures, mistakes will continue to happen and packages and mail will continue to be delivered to the wrong people, and the risk will always be present that letters and packages may be stolen or lost while enroute. For these reasons alone, all electronic PII should be encrypted when sent through delivery services.
Tags: awareness and training, encryption, Information Security, IT compliance, policies and procedures, privacy, privacy breach, privacy incident, stolen mail