Stephanie Steitzer reports that names, dates of birth and Social Security numbers of roughly 28,000 state retirees were e-mailed without the required encryption to the Kentucky Retirement Systems by Walgreens Health Initiative, its pharmacy benefit provider.
Affected retirees were notified by letter from WHI, who informed recipients that the mistake was “solely the responsibility of WHI, and not that of KRS.”
For its part, KRS has a notice on its web site that explains that, “In recent years, the Board has adopted formal policies regarding protection and encryption of data. Additionally, the Board has adopted a disclosure policy to notify members whenever there has been a potential exposure of their data, even though there are currently no statewide disclosure regulations in place mandating such disclosure. ” Good for them! Their security policy can be found here.