Last month, I posted a breach story by Robert Siciliano about a then-unnamed insurance agency that had reportedly discarded Blue Cross Blue Shield insurance applications in a dumpster. The files were found by investigator William “Cobra” Staubs, who was engaged in “research.”
Simon Barrett followed up on the incident and posted some pictures that suggest that the files may have belonged to Action Insurance Planners, LLC of Boca Raton. The agency has not issued any public statement either confirming or denying that their agency is responsible for this breach.
Although the original story and Barrett’s follow-up focus on Blue Cross Blue Shield, Staubs informs this blog that there were applications for other insurance companies as well, including Cigna, Allstate, Accord, John Hancock, Aetna, and Quest, although Blue Cross Blue Shield had the most applications. [Note: Siciliano’s blog entry indicated that there were approximately 30 forms with about 50 Social Security Numbers, Barrett’s coverage indicated that a “file box” was found, and Staubs’ most recent correspondence to PHIprivacy.net referred to 1000 documents. In light of these conflicting reports, I have no idea how many individuals had their data exposed by this incident.]
According to Staubs, the applications contained
medical history and social security numbers as well as bank account numbers and some even contain credit card numbers complete with the three digit security numbers
A copy of one of the insurance application forms he found, sent to this site, contains the full name, address, telephone number, Social Security Number, hourly pay rate, job title, and other details of an employee of Total Network Consultants who applied for Aetna coverage in 2008. Staubs did not reveal what other companies had their employees’ information in the improperly disposed files.
Shortly after Siciliano’s and Barrett’s reports, I sent inquiries to both Blue Cross Blue Shield and Aetna about the incident and specifically inquired as to whether their contracts with insurance agencies have any requirements for secure disposal of applications.
A spokesperson for Blue Cross Blue Shield of Florida (BCBSF) responded to my inquiry with this statement:
Thank you for your note concerning the possible breach of BCBSF applications. At this time an investigation is currently being conducted regarding this situation and the appropriate safeguards and contractual obligations are in place to protect sensitive information. Until the investigation is completed, no additional information is available at this time.
Aetna has assured me that they will be providing me with a statement next week.
But how many insurance applications with sensitive PII and PHI are still in the hands of someone who should not have been able to even see them, much less possess them? Staubs informs PHIprivacy.net that he has turned over the Aetna applications to them but that he is still in possession of the BCBSFL forms because “Blue Cross and Shield has been non responsive and quite frankly irresponsible.”
I would think that retrieving and securing the documents would be the first priority and a necessary part of any response or breach investigation, yet that reportedly has not occurred, even though it is now more than two weeks since the breach.
In his own coverage, Simon Barrett wrote:
What shocks me is that what this company has done is not illegal in the state of Florida.
It no longer shocks me, but I find it irresponsible and inexcusable that some states, including Florida, have no law that requires secure disposal of files containing PII or PHI.
Even if there were such a law, some entities would undoubtedly violate it – either accidentally or intentionally – but at least the law would be setting a standard of care and the state attorney general could then sue or take action against those who put people at risk of identity theft or other harm. Without any law or right of private action, where does this leave consumers and patients? It would seem to leave them in the dumpster with their most sensitive information.
I’ll have more on this situation in the near future.