BreachExchange mailing list archives

Insurer inadvertently posted physician SSNs


From: "Michael Hill, CITRMS" <mhill () idtexperts com>
Date: Wed, 21 Nov 2007 20:45:30 -0500

http://www.crainsnewyork.com/apps/pbcs.dll/article?AID=/20071120/FREE/71120008/1049

United Healthcare posted the social security numbers of doctors at Columbia University's faculty practice on a public 
Web site in a breach of security that exposed the doctors to identity theft.

The sensitive information was loaded on Oct. 31 and taken down Nov. 2.

United posted the taxpayer identification numbers, some of which were Social Security numbers, alongside the names of 
993 providers at Columbia who participate in the insurer's network. The list was supposed to be accessible to Columbia 
employees during the current open enrollment period. 

A United spokesman said the tax ID "inadvertently" included social security numbers, which were removed once the 
insurer was informed of the error. A forensic analysis showed there were some non-Columbia computers that downloaded 
the information, says the spokesman. 

The Web page was viewed 157 times before the ID information was removed. He adds that United also is trying to 
determine "from a technology perspective" how the breach occurred.

United notified the New York state Attorney General's office of the incident.

The insurer has written to the Columbia doctors to apologize. The providers can have their credit reports monitored by 
Equifax, which will alert them if a credit check is performed.

Subsequently, Columbia's faculty practice organization will closely monitor whether its doctors become the victims of 
identity theft. 

A spokeswoman for the university said that although only a small subset of the FPO's doctors had their SS numbers 
publicly displayed, the breach was "very serious" and has made the doctors unhappy. 

United complied with Columbia's request to notify the doctors, sent a company representative onsite to answer the 
doctors' questions, and provided one-year protection from Equifax. Columbia's legal department will monitor whether 
fraud occurs. For now, most of the information appears to have been accessed by "legitimate Columbia addresses," says 
the spokeswoman. 





Michael Hill 
Certified Identity Theft Risk Management Specialist
IDT Consultants
404-216-3751


"If You Think You're Not At Risk, Think Again!"
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
