June 15, 2005
Computer hackers twice stole sensitive and confidential data from
Medica Health Plans computers in January and shut down parts of the
company's computer system on four other occasions.
The intruders downloaded the digital equivalent of a 140,000-page
Microsoft Word document, Medica said in court papers, but the
Minnetonka-based health plan was unable to determine what had been
In April, Medica obtained federal court orders against two former
employees that it suspected of committing the security breaches. The
orders required them to provide an accounting of the downloaded data
and to turn over their personal computers for an inspection.
Both defendants deny that they had violated Medica policies, as well
as a federal law that prohibits the unauthorized use of electronic
Medica has not referred the case to federal officials for prosecution,
and the workers have not been charged with a crime.
A Medica official said this week that it was unlikely that personal
information about Medica's 1.2 million members had fallen into the
wrong hands but that its investigation is continuing. The intruders
seemed most concerned about company trade secrets and employee
evaluations, a spokesman said.
Health plans like Medica store the same types of sensitive private
information that would be sought after by identity thieves: Social
Security numbers, addresses, birth dates, employment information and
names of relatives.
Recent security breaches at the data giants LexisNexis and
ChoicePoint, where sensitive personal information was lost to hackers
or deceptions, as well as the loss of Bank of America data tapes
containing personal financial information, are reigniting concerns
about how to improve privacy protections.
"Most of us in health care organizations have a tremendous amount of
data," said Carol Quinsey of the American Health Information
Management Association, which helps companies take data security
"It is bad enough that the health plan's security was breached,"
Quinsey said. "The next worse scenario would be if the [perpetrators]
would use that data in a nefarious way and perpetuate identity theft."
Medica spokesman Larry Bussey said that the health plan has no
evidence that any of the information taken from its computers had yet
"We believe that our system is very secure. We've never had any
external break-in to the system," he said.
Instead, according to Medica, two computer system employees conspired
to disrupt Medica's system and to access confidential information.
The employees, Austin Vhason and Pushpa Leadholm, were two of the six
employees who had the power to set computer passwords, according to
The two used this access to give extraordinary powers to computer
log-ons used for training purposes, and they also created fake log-ons
-- including one that was constructed from the backward spelling of
"goddess," the documents said.
Between them, the documents said, the employees used these accounts to
download data, to cause some parts of the computer system to crash and
to delete e-mail accounts of executives.
They made copies of e-mails that contained reports from the chief
executive to the board, performance reviews of information-systems
personnel and communications to Medica's attorneys about ongoing
lawsuits, the documents said.
They also read e-mails about the company's investigation into the
security breaches, using that information to cover their own tracks,
according to the documents.
"We do background checks on employees that have this level of access,"
Bussey said. "One thing you can't control for is someone abusing the
trust you've placed in them."
After hiring an outside computer forensics expert, Medica officials
tracked much of this activity to the homes of the two employees, who
accessed the system through their cable modems. Medica placed both
employees on paid suspension in February and later fired them
Both workers deny that they have done anything improper and allege
that Medica filed the lawsuit to retaliate against them. Both
employees had filed complaints that they were discriminated against
because they were minority members.
"My client feels that Medica was not providing the same opportunities
to minorities as it was to Caucasians," Ryan Pacyga, the attorney
representing Vhason, said Tuesday.
Both employees had talked to the federal Equal Employment Opportunity
Commission and a formal complaint was filed on March 31, according to
attorney James Behrenbrinker, who represents Leadholm.
"There is a claim alleging discrimination of race in national origin
and retaliation," he said Tuesday. They cannot sue Medica for
discrimination until federal authorities rule on the merits of their
complaints, he said.
"My client voluntarily turned over her computers" for inspection by
Medica, he added. "Mrs. Leadholm wanted to cooperate and wanted to
show them that she didn't do anything wrong. This is a bad deal for
Medica spokesman Bussey said he would not comment on the
He said Medica stores data on several computer systems. The ones that
were inappropriately accessed stored business information. Still,
those computers contained data that Medica deemed sensitive and
"They seemed to be more interested in business information," Bussey
said. "They didn't seem to be even trying to get into places where
member information would be stored."
Computer security consultant Quinsey said there's only so much that a
company can do to protect data from wayward employees. "What prudent
employers have always done is have clear policies in place that say if
employees abuse, then litigation will be filed and you will be
appropriately challenged," she said.
Although Medica has obtained court orders barring Vhason and Leadholm
from disseminating any data they might have downloaded, a trial to
determine whether they had acted improperly is pending while attorneys
from both sides gather more information.
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.