http://securityratty.com/tag/fallon Fri, 25 Jan 2008 08:54:27 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/fef649699bab3bfa56860edca6af847d http://securityratty.com/article/fef649699bab3bfa56860edca6af847d Security Breach

Date Reported:
1/24/08

Organization:
Fallon Community Health Plan

Contractor/Consultant/Branch:
Unknown vendor

Victims:
Fallon Senior Plan and Summit ElderCare customers

Number Affected:
29,800

Types of Data:
Names, dates of birth and Medicare identification numbers*

*"Medicare identification number" is the generic term for any number, other than the National Provider Identifier, used by a provider or supplier to bill the Medicare program, which usually consists of the person's or his or her spouse's Social Security number.

Breach Description:
Three laptops were stolen from a Boston office used by an unnamed Fallon Community Health Plan vendor.  One of the three laptops contained sensitive personal information belonging to Fallon Senior Plan and Summit ElderCare customers.  The computer was originally though to be encrypted, but a subsequent investigation has proven this to be false.

Reference URL:
Worcester Telegram
Boston Herald story
Boston Business Journal story

Report Credit:
Bob Kievra, Worcester Telegram & Gazette

Response:
From the online sources cited above:

Fallon Community Health Plan said this afternoon the names, dates of birth and Medicare identification numbers of approximately 30,000 Senior Plan members was on a laptop computer stolen earlier this month from a Boston-based vendor of the HMO.
[Evan] I have been unable to determine the vendor from the 4 or 5 news reports I have read.  If you know for certain, please comment.

members with Fallon Senior Plan and Summit ElderCare coverage

"I deeply regret that this incident occurred,'' said President and Chief Executive Officer Eric H. Schultz. "I sincerely apologize for the inconvenience and trouble this theft may cause our members.''

Mr. Schultz said the laptop containing Fallon's information was one of three computers stolen from a Boston office on either Dec. 31 or Jan. 1.

The vendor discovered the theft Jan. 2 and originally said the material had been encrypted. But the health plan, with the assistance of a forensic technologist, came to the conclusion Jan. 14 that the information was not protected.
[Evan] I wonder why the vendor thought that the information had been encrypted.  Do they encrypt some laptops, and not others?  It is a good idea to encrypt all laptops (and mobile devices) rather than try to determine which ones may have confidential information on them and which ones do not.

the data was not password protected or encrypted, in violation of the company's policies
[Evan] I assume that we are talking about FCHP's policies.  Kudos to FCHP for including password protection and encryption in policy.  Does FCHP have Vendor/Third-Party access policy and/or regularly audit their vendors for compliance?

The vendor was using the data to ensure that Medicare claims were being appropriately processed

The HMO said Thursday it will offer a year’s free credit monitoring to those affected.

Those individuals have also been mailed letters notifying them of the incident, and FCHP has alerted regulatory authorities to the theft.

Commentary:
A vendor that accesses confidential information and stores it on mobile media without proper protection is inexcusable.  I am perplexed.  Doing business with a vendor that won't (or can't) provide evidence supporting how they will protect confidential information is taking unnecessary risk.

Past Breaches:
Unknown

]]> Fri, 25 Jan 2008 08:54:27 +0000 information sensitive personal information fallon protect confidential information accesses confidential information fallon senior plan senior plan confidential information unknown vendor Stolen laptop contained unencrypted Fallon Community Health Plan information