The Mercer Health & Benefits breach involving a backup tape lost in transit after being shipped by FedEx is one of those multi-client breaches that comes out in dribs and drabs. But if Mercer hoped to keep the total number affected under wraps, one of their clients may have spilled their beans.
On August 12, Idaho Power Health Plan posted an FAQ on their site that I just came across. It says, in part:
2. What happened and what data information was lost?
A data breach was reported by Mercer to Idaho Power on June 16, 2010. According to Mercer, on March 26, 2010 a package containing a server back-up tape was sent via FedEx from Mercer’s Boise office to their Seattle office and is presently unaccounted for.The tape contained personal demographic information (not medical or health-related data). The lost information included names, addresses, dates of birth, and Social Security numbers for approximately 5,000 Idaho Power employees and dependents and approximately 375,000 other individuals whom Mercer services through their client base.
The FAQ challenges Mercer’s reassuring statement that the unencrypted data would be difficult to be read:
3. Has the tape been recovered? Any indication the tape or any information on the tape has been inappropriately misused?
The tape cannot be accounted for, and we cannot confirm the tape or any information on it has or has not been inappropriately misused.While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses.
The FAQ is four pages and is either the most detailed, or one of the most detailed, breach FAQs I can recall seeing. The only thing I don’t spot in the FAQ is a phone number at Idaho Power that people can call.