My Data Breach ExperienceReflections Upon Receiving a Notification Letter
Four years ago this week, I joined Information Security Media Group to help launch the HealthcareInfoSecurity website. As the editor of that site, and subsequently as news editor of all of ISMG's sites, including DataBreachToday, I've written or edited literally hundreds of stories about data breaches. But now I have a personal tale to share.
On Dec. 9, the day we posted a story about a major breach at Horizon Blue Cross and Blue Shield of New Jersey, I received a letter alerting me that I was among those whose personal information was potentially breached in the incident, which involved the theft of two unencrypted laptops.
Protecting personal information is not just an issue of complying with HIPAA. It's about helping ensure that real people don't face real fraud threats.
For years now, HealthcareInfoSecurity has featured reports about case after case of breaches stemming from stolen or lost unencrypted laptops and other devices. In fact, the federal "wall of shame" tally of major health information breaches shows that the No. 1 cause of these incidents is the loss or theft of unencrypted devices or media. I've been puzzled about why this trend has shown no signs of abating. And now the impact has hit home.
After editing the breach story written by my colleague, Marianne Kolbasuk McGee, I was pondering why organizations still continue to store massive amounts of patient information on laptops in the first place, much less fail to protect the devices with encryption.
Then the letter hit my mailbox. After immediately signing up for free credit monitoring protection, as recommended in the letter, I now have a much more personal connection to the need for better breach prevention. And it's likely only a matter of time before you, too get that same personal connection when you receive notification of a breach of some sort - if you haven't gotten one already.
Horizon's leaders deserve credit for getting the letter to me promptly after they investigated the laptop theft, which occurred the weekend of Nov. 1-3. And I truly appreciate that they offered me free credit monitoring for a year. Too many organizations fail to take this step when sensitive personal information is breached.
The letter was clearly written, and signing up for the free monitoring service was quick and easy. Nevertheless, receiving it made me edgy.
The letter explains that the two password-protected, unencrypted laptops, which were cable-locked to employee workstations, were stolen from the insurer's headquarters in Newark. "Horizon BCBSNJ has no reason to believe that the laptops were stolen for the information they contained or that your information has been accessed or used in any way," the letter notes.
But the 840,000 individuals being notified of the breach are left pondering: Did someone steal the laptops just to sell them to make a couple of quick bucks? Or were they hoping to hit it big by stealing personal data to commit fraud? We may never know.
Even if the thieves quickly sell the devices, the next owner might be savvy enough to figure out what they contain. And if they can crack the password, they may wait a few years before using my unencrypted personal information, or the information of hundreds of thousands of others, to try to commit fraud.
As attorney Adam Greene told my colleague, Marianne, this case is yet another example of how physical security is no substitute for encryption and other security measures, such as making sure sensitive information isn't stored on mobile or desktop devices that can be stolen - even when they're locked up inside a secure office.
When organizations, such as yours, are contemplating what security measures are necessary, they need to keep in mind their obligation to protect their customers. Protecting personal information is not just an issue of complying with HIPAA or other regulations. It's about helping ensure that real people don't face real fraud threats.