Blue Cross physicians warned of data breach Stolen laptop had doctors' tax IDs
By Kay Lazar, Globe Staff | October 3, 2009 The Boston Globe
The largest health insurer in Massachusetts is warning roughly 39,000 physicians and other health care providers in the state that personal information, including Social Security numbers, may have been compromised after a laptop containing the data was stolen in August from an employee of the Blue Cross and Blue Shield Association's national headquarters in Chicago.
The breach involves "tens of thousands'' of physicians nationwide, although the precise number is unclear, according to a national Blue Cross-Blue Shield spokesman. Thirty-nine affiliates feed information about providers into a database maintained by the association's national headquarters.
Massachusetts doctors were not notified by letter until yesterday, because state Blue Cross-Blue Shield officials said they did not at first know what kind of data were on the stolen laptop. They said the data did not contain any information about patients or personal health records.
...
On Monday, I got a recorded "reverse-911" call from my son's former school, telling me that a laptop had been stolen from a transportation company that provided buses for the school in previous years. The school official's recorded voice said "we thought it best to let you know", but didn't mention the fact that Massachusetts law requires disclosure of data theft, and also mentioned "identifying numbers" - in other words, Social Security numbers - "may" have been in a "deleted" file.
This kind of spin control is going to get more common, and so are data loses: portable devices are getting more powerful, and will hold more data, and employees at large companies are prone to myopia like everyone else. It's easy to think that it's possible to get in another hour of "work" on the train or in a car pool or on a bus, and easy to rationalize the danger of leaving someone else's personal information behind when you step off.
Bruce Schnier was right: eventually, the insurance industry will drive change to a more secure paradigm - although I don't think it's possible to get more simple than checking the box that says "Encrypt folder contents to prevent unauthorized access" - because there will be some precedent-setting lawsuits, and then those who have the data will be forced to protect it.
In the meantime, I advise that anyone forced to entrust their personal information to third parties simply lie: make up a new maiden name for your mother, take a few years off your age, and (if you can't refuse to provide it) scramble the digits on your ssn. You'll be amazed when you find out that nobody ever complains: they _say_ they need the info for reporting or security or whatever, but what they really want is to fill in the form on their screen and go home on time.
Bill Horne Moderator