By TOM MURPHY
March 14, 2007
A missing compact disc containing unprotected personal data for 75,000
Empire Blue Cross Blue Shield members was recovered four days after the
insurer began warning customers about potential privacy violations.
The disc, which had been missing since January, was found Wednesday
afternoon, Empire spokeswoman Lisa Greiner said. A statement from Empire
did not say where the disc was found or whether patient confidentiality
had been violated.
Empire is a subsidiary of Indianapolis-based WellPoint Inc., which
reported a separate security breach in Massachusetts last month.
In the latest incident, Health Data Management Systems had placed the
disc in a UPS drop box in Chicago in January, but it never reached its
Philadelphia destination, Health Data spokeswoman Oonagh Holt said.
UPS ships 15.6 million packages daily worldwide and less than 1 percent
wind up missing, a UPS spokeswoman said.
Health Data normally sends confidential information via an encrypted
e-mail or through a secure Web site, according to Holt. But her company
and the contractor that was supposed to receive the disc, Magellan
Behavioral Health Services, agreed to the unprotected format.
"That's not our policy, but in this situation both parties had agreed to
do it that way," she said.
She referred questions on the agreement to Magellan. Representatives
there did not return several phone calls seeking comment.
The disc contained information dating from 2003, including names, Social
Security numbers and health plan identification numbers for mostly New
York-area members, Greiner said.
Greiner said Empire sent the information to Health Data in an encrypted
format and requires information sent by vendors to be protected as well.
Ohio-based Health Data cleans data and puts it in an easy-to-use format
so people can review it, Holt said.
Magellan serves as a benefit program administrator for Empire.
Empire first learned about the missing disc Feb. 9 and started a review
to determine which members were affected. It began sending letters to
those members on Saturday.
Empire plans to offer free credit monitoring for a year to affected
members, Greiner said.
In a separate incident, WellPoint notified nearly 200,000 members last
month that personal information stored on back up computer tapes was
stolen in October from the office of a Massachusetts vendor.
Greiner said there was no indication the WellPoint information was
targeted. The insurer has received no reports of privacy violations from
That incident affected members in Ohio, Indiana, Kentucky and Virginia.
Visit the InfoSec News Security Bookstore