Learning From Someone Else’s Breach
A subsidiary of managed health care provider Health Net Inc. just reported the loss of personal information for 1.5 million customers, a loss that occurred six months ago, according to a ComputerWorld article. Without knowing all the details of the situation, I can only speculate about the security controls in place and the thinking of Health Net's leadership during this incident, so take that into account. Hopefully there are some lessons here for other organizations, both in the management of sensitive information and in the leadership response to an incident.
From the article:
The device containing the data was an external, portable hard drive. The data had not been encrypted.
So, let me get this straight. You work in an environment where the protection of information is highly regulated, yet you are putting seven years' worth of personally identifiable information on a portable hard drive, unencrypted. They may need to reconsider the processes that allow this type of information to be stored in such a manner. If this is for backup, there are certainly better options available. The controls surrounding the physical handling of devices holding personally identifiable information appear to be too loose and need to be examined. Securing the device when it is not in use, and logging it in and out of its secure storage location, would be a good start.
In Nevada, starting in January, organizations will need to pay special attention to personal information stored on removable media, especially if the portable devices leave the confines of the facility. See my article Nevada's New Data Security Law for more information on this new piece of legislation.
“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”
A pretty standard response for a breach, but the delayed timing suggests, in the best-case scenario, that there was no incident response plan in place. In the worst case, one has to ask whether their leadership was dragging its feet, hoping the problem would simply go away if they ignored it long enough. I'm going to assume the former: they simply did not have a plan for dealing with this type of disclosure, which is really not acceptable. If your business maintains sensitive information about customers, then you need to be prepared for the possibility of a breach.
The six-month delay in reporting this is also a huge issue. Data breach notification laws have been in place in most states for several years, and they were put there to prevent exactly this type of "keep it quiet" behavior that had been commonplace in business. The Connecticut attorney general is attacking Health Net on this very issue, and rightfully so.
“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.
I blogged before about the cost of a breach. This is a great example of the cost of poor security controls surrounding personally identifiable information. Let's assume the monitoring service costs $20 per person (a volume discount). In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million for the fraud and monitoring service alone. That's some real money.
While we can't be certain what really happened or what the exact cost of this breach will be to Health Net, it's easy to identify some likely mistakes that are duplicated in many other organizations. Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important. Adopting sensible controls and finding appropriate alternatives to risky processes is essential. Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time... that is, until you experience a breach.