By Jaikumar Vijayan
January 29, 2008
What do Fallon Community Health Plan, Pennsylvania State University,
OmniAmerican Bank and T. Rowe Price Group Inc. all have in common?
Each of them recently joined the seemingly never-ending parade of
organizations that have disclosed security breaches resulting in the
potential compromise of personal data.
Leading the pack in terms of the number of data records known to be
involved was T. Rowe Price. Two weeks ago, the Baltimore-based
investment management firm's retirement plan services group began
notifying about 35,000 current and former participants in "several
hundred" plans that their names and Social Security numbers might have
been compromised, a company spokesman confirmed today.
The spokesman said that the possible breach resulted from the theft of
computers containing the data from the offices of CBIZ Benefits and
Insurance Services Inc., a third-party services provider that was
preparing tax-related forms on behalf of T. Rowe Price. The theft took
place during the last week of December, he added.
T. Rowe Price is offering one year's worth of free credit monitoring
services and up to $25,000 in identify theft insurance to the
individuals whose personal data was on the stolen systems, the spokesman
Meanwhile, a similar laptop theft that also took place in late December
may have compromised the names, birth dates and some health care data of
about 29,800 members at Fallon Community Health Plan, a Worcester,
Mass.-based medical provider and insurer.
A spokesman for Fallon said that the laptop was stolen from the offices
of a third-party services provider, and that the data stored on the
system doesn't appear to have been either encrypted or
password-protected. But the fact that other equipment was taken along
with the laptop may be an indication that the thieves were after the
systems and not the data on them, the Fallon spokesman said.
Like T. Rowe Price, Fallon is offering one year's worth of credit
monitoring to all of the members of its Fallon Senior Plan and Summit
ElderCare health plans who were affected by the breach. In cases where
it's needed, the credit monitoring services will be extended to two
years, the spokesman said, adding that all of the affected plan members
have been notified of the incident.
In the third incident to make the news over the past few days, Fort
Worth, Texas-based OmniAmerican Bank said that it had been forced to
impose unspecified restrictions on ATM and debit card transactions after
hackers broke into its systems.
In a prepared statement, the bank said that it has also implemented a
series of new "communications and security measures" in response to
attempted fraudulent activity stemming from the break-in last week. It
didn't specify what those measures were, and a call to the bank seeking
further comment wasn't immediately returned.
In addition, OmniAmerican said in the statement that it is issuing new
debit cards and personal identification numbers to its customers as a
precaution against future fraud.
The bank didn't disclose the number of cards that are being blocked and
reissued. But a story posted last Thursday by the Fort Worth
Star-Telegram newspaper that quoted OmniAmerican's president said that
the bank was reissuing about 40,000 cards and that the system break-in
was the work of an international gang of cybercriminals.
In comparison to the other incidents, the breach reported by Penn State
appears to have been much smaller in scope. According to a statement
posted on the university's Web site last week, a laptop computer
containing personally identifiable information on 677 individuals who
attended Penn State between 1999 and 2004 was stolen from a faculty
The theft occurred while the faculty member was traveling and appears to
have been a random theft of hardware, the statement noted. The
university said that it currently is in the process of notifying the
Subscribe to InfoSec News