BreachExchange mailing list archives

IEHP reveals theft of laptop with members' records


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 14 Jun 2013 09:26:15 -0500

http://www.dailybulletin.com/news/ci_23455452/iehp-reveals-theft-laptop-members-records

RANCHO CUCAMONGA -- The Inland Empire Health Plan announced a
potential privacy breach of personal health information for 1,566 of
its members after an unencrypted laptop was stolen.

The equipment was stolen April 14 from a car owned by an employee of
SynerMed, a Los Angeles-based company that manages business service
for IEHP. The laptop was password-protected but the data was not
encrypted, according to IEHP.

Dr. Bradley Gilbert, IEHP chief executive officer, said there is no
evidence as of yet that the personal health information has been
accessed. He said SynerMed's failure to properly encrypt the laptop
represents a violation of IEHP's data protection requirements.

"We have policies and procedures to ensure this data must be
protected," Gilbert said. "In this case, they didn't protect it. The
employee shouldn't have left the laptop in the trunk and obviously
steps weren't taken to protect the information."

Darren McLachlan, vice president of Information Technology and Finance
at SynerMed, said the company has policies and procedures that address
the handling of personal health information.

"In this case an employee violated these (policies and procedures)
and downloaded some reports to the local hard drive rather than
leaving them in our secure network."

As a result, McLachlan said SynerMed will be encrypting 100 percent of
the devices connected to its network.

McLachlan said other health plans and their members were affected and
the company will release information on the matter today.

Gilbert said data protection procedures for laptops used by IEHP
employees include thumb-print identification and encryption.

"There are a variety of ways to protect data," he said. "This one was
just password protected, which is not adequate."

Dan Manson, professor of computer information systems at Cal Poly
Pomona, said that not encrypting sensitive information on a portable
device violates a basic security control.

"If you're going to carry around this information, you should keep it
encrypted," Manson said.

The incident was reported to IEHP on May 7. Members were notified of
the incident in a letter last week and announced through a Thursday
press release.

Gilbert said any delay in the notification was not a function of the
IEHP as state officials had to review the information. Regarding the
time between the theft and SynerMed's notification of the incident to
IEHP, Gilbert said the company had to conduct an internal
investigation to determine if there was a breach and which patients
might have been affected.

SynerMed, Gilbert said, is now required to present a corrective action
plan so such an incident does not happen in the future. Gilbert said
IEHP and SynerMed have had a long relationship and there is no reason
to sever business ties over the matter.

"This is one of those unfortunate incidents that should have been
prevented," Gilbert said.

The laptop contained personal information that included member names,
IEHP member ID numbers, date of birth, address, phone numbers and
other health-related information, according to IEHP. The laptop did
not include Social Security numbers, according to IEHP.

"IEHP is working with SynerMed to correct any actions that led to the
disclosure of our members' information," Gilbert said.

Interested members should call IEHP Member Services at 800-440-4347 to
place a confidentiality alert on their electronic record.

IEHP is a not-for-profit health plan that provides Medi-Cal services
to San Bernardino and Riverside county residents. Based in San
Bernardino, it serves 625,000 customers. The company will move its
headquarters to Rancho Cucamonga later this year.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss-discuss
