BreachExchange mailing list archives
IEHP reveals theft of laptop with members' records
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 14 Jun 2013 09:26:15 -0500
http://www.dailybulletin.com/news/ci_23455452/iehp-reveals-theft-laptop-members-records

RANCHO CUCAMONGA -- The Inland Empire Health Plan announced a potential privacy breach of personal health information for 1,566 of its members after an unencrypted laptop was stolen.

The equipment was stolen April 14 from a car owned by an employee of SynerMed, a Los Angeles-based company that manages business service for IEHP. The laptop was password-protected but the data was not encrypted, according to IEHP.

Dr. Bradley Gilbert, IEHP chief executive officer, said there is no evidence as of yet that the personal health information has been accessed. He said SynerMed's failure to properly encrypt the laptop represents a violation of IEHP's data protection requirements.

"We have policies and procedures to ensure this data must be protected," Gilbert said. "In this case, they didn't protect it. The employee shouldn't have left the laptop in the trunk and obviously steps weren't taken to protect the information."

Darren McLachlan, vice president of Information Technology and Finance at SynerMed, said the company has policies and procedures that address the handling of personal health information. "In this case an employee violated these (policies and procedures) and downloaded some reports to the local hard drive rather than leaving them in our secure network."

As a result, McLachlan said SynerMed will be encrypting 100 percent of connected devices to its network. McLachlan said other health plans and their members were affected and the company will release information on the matter today.

Gilbert said data protection procedures for laptops used by IEHP employees include thumb-print identification and encryption. "There are a variety of ways to protect data," he said. "This one was just password protected, which is not adequate."

Dan Manson, professor of computer information systems at Cal Poly Pomona, said not encrypting sensitive information on a portable device is violating a basic control security. "If you're going to carry around this information, you should keep it encrypted," Manson said.

The incident was reported to IEHP on May 7. Members were notified of the incident in a letter last week and announced through a Thursday press release. Gilbert said any delay in the notification was not a function of the IEHP as state officials had to review the information.

Regarding the time between the theft and SynerMed's notification of the incident to IEHP, Gilbert said the company had to conduct an internal investigation to determine if there was a breach and which patients might have been affected.

SynerMed, Gilbert said, is now required to present a corrective action plan so such an incident does not happen in the future. Gilbert said IEHP and SynerMed have had a long relationship and there is no reason to sever business ties over the matter. "This is one of those unfortunate incidents that should have been prevented," Gilbert said.

The laptop contained personal information that included member names, IEHP member ID numbers, date of birth, address, phone numbers and other health-related information, according to IEHP. The laptop did not include Social Security numbers, according to IEHP.

"IEHP is working with SynerMed to correct any actions that led to the disclosure of our members' information," Gilbert said. Interested members should call IEHP Member Services at 800-440-4347 to place a confidentiality alert on their electronic record.

The IEHP is a not-for-profit health plan that provides Medi-Cal services to San Bernardino and Riverside county residents. Based in San Bernardino, it serves 625,000 customers. The company will move headquarters to Rancho Cucamonga later this year.