HealthNow data goes missing as laptop vanishes

By Jonathan Epstein
The Buffalo News

HealthNow New York has alerted 40,000 members in Western and 
Northeastern New York that they may be at risk for identity theft, after 
a former employee’s laptop computer went missing with confidential 
information several months ago.

The Buffalo-based parent of BlueCross BlueShield of Western New York 
sent letters late last week to the affected customers, even though 
officials are still not certain what, if anything, was on the computer.

Based on the company’s investigation, the potential information includes 
names, dates of birth, Social Security numbers, addresses, employer 
group names, and health insurance identifier numbers. However, there was 
no health or medical claims information involved, spokeswoman Karen 
Merkel-Liberatore said late Monday.

HealthNow has arranged for any affected member to receive a one-year 
free membership in Equifax Credit Watch, to monitor for identity theft. 
But the company has no plans to re-assign new health insurance 
identification numbers en masse, though it will do so at the request of 
any individual members, Merkel-Liberatore said.

“At this point, I don’t believe we’ve had any requests to do that,” she 
said. “If they feel more comfortable changing their identification 
number, we could certainly do that.”

She stressed, however, that it’s unlikely anyone could or would use the 
information to find out about a member’s health status or obtain 
healthcare in their name, since most doctors and hospitals ask for the 
membership card before providing care.

The laptop was not encrypted, but does have security features, including 
the requirement to enter the user’s identification number and passcode 
after 15 minutes of inactivity. Also, the company shut down the laptop’s 
access to the corporate network, and has not detected any activity from 
the laptop since the disappearance.

The employee is no longer with HealthNow, having accepted a position at 
another company out of state, but the insurer is still in contact. “We 
definitely have taken this matter very seriously,” Merkel-Liberatore 

This is the latest example nationwide of a computer security breach 
involving confidential personal information that could be used to commit 
identity theft, although that doesn’t necessarily happen. Lost laptops 
and computer backup tapes or disks in transit have been a particular 
source of problems, as companies increasingly use such “mobile devices” 
and storage that often is not as secure as the primary in-house computer 

Tens of millions of U.S. consumers have been affected in recent years by 
breaches involving more than 100 million accounts at banks, merchants, 
health insurers, hospitals and government agencies. The 
biggest, involving retailer T.J. Maxx parent TJX Cos., hit 45.7 million 
people in late 2006.

In HealthNow’s case, the company is reconfiguring its claims software 
system, and the employee had downloaded some member information to his 
laptop while working on the project so he could work either in the building 
or at home. The laptop was reported missing in late fall, but the 
company did not notify customers until now because officials wanted to 
determine whether such action would be necessary.

Instead, officials first “spent an exorbitant amount of time” to try 
and locate the laptop, which they still believe is in the company’s 
building, Merkel-Liberatore said. Only “when it was apparent we 
couldn’t find it” did officials try to narrow down what information 
might have been lost, she added.

Using the company’s shared drive and with the cooperation of the 
employee, officials retraced his path to determine what information he 
was working with. The company then set up the credit-monitoring, and 
began contacting members last Thursday and Friday.

“We didn’t want to have to reach out to our members and cause them 
unnecessary worry until we knew the potential of what we were dealing 
with,” she said. “With all of the factors and orchestrating credit 
monitoring, we do believe our response time has been reasonable.”

The company has also tightened its policies and procedures about use of 
laptops and other mobile devices “to ensure that the policies are more 
strict,” she said. She added that officials are also encrypting all 
information on laptops “to prevent this situation from recurring.”
