AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.


Data Encryption Software: CalOptima Loses Unencrypted CDs

Update 29 OCT 2009: CDs recovered

CalOptima in Orange County has announced the loss of several CDs containing personal information of members.  It will affect approximately 68,000 people.  The use of data encryption software like AlertBoot would have been extremely useful, on a number of fronts.

What Was Lost

The CDs contained "names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, and an unspecified number of Social Security numbers," according to computerworld.com.

These had been mailed (via certified mail) to CalOptima by one of its vendors.  While not identified, it looks like the vendor was engaged in scanning paper documents into digital versions.

The box sent by the vendor, however, was empty when CalOptima received it.  There was nothing to suggest that the CDs were stolen, so it looks like the package arrived at CalOptima undamaged.  Of course, this implies that the box was sent empty, which further means the vendor should still have the CDs.  They have not been found to date, however.

Uh-Oh.  CalOptima Looking Into Why CD Encryption Not Used

CalOptima is busy with post-breach actions.  One of them is the inquiry into the data protection of the CDs.  A spokesman for the company has stated that "the health plan (CalOptima) also wants to find out why the third-party claims-scanning vendor did not encrypt the data."

In other words, it looks like there was an agreement in place that the data would be protected via encryption.  Why wasn't it?--many inquiring minds want to know.  It only makes sense to do so when you consider the following:

  • Encryption provides safe harbor under California law.  It's true.  If the information had been encrypted prior to its loss, it wouldn't have required public disclosure.
  • Encryption provides data protection.  Aside from legal protections, encryption software also provides technical protection.  In other words, it actually would prevent someone from popping the CDs into a computer and accessing the SSNs and whatnot.
  • Stuff goes missing from packages all the time.  Highlighting how badly things can go, a couple of CDs went missing in the UK, back in 2008.  It affected 25 million.  The UK's population is approximately 61 million. (Yikes!)

Third Party Breach

Who's responsible for the breach?  Well, it turns out it's CalOptima.  The loss was perpetrated by another, but since it's the health plan's information, they are held accountable (I'm not a lawyer, but I've heard this over and over again).

This is--among other reasons, I'm sure--why CalOptima is contacting members, offering them credit monitoring services, etc.

Take it from me--this is not the last time you're going to hear about a third party setting off a data breach.  It seems to me, based on how people are acting, that maybe third parties should be held accountable, too.  Sure, the vendor will lose CalOptima's business, but doesn't the fact that the law does not actually go after them create something of a "moral hazard"?

I'd assume so, especially when you consider that CD encryption was supposed to be used.

Related Articles and Sites:
http://www.computerworld.com/s/article/9139913/CalOptima_says_data_on_68_000_members_may_be_compromised
http://datalossdb.org/incidents/2395-names-home-addresses-dates-of-birth-and-medical-information-of-68-000-on-lost-discs

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.