DataBreaches.Net


FL: Healthcare Insurance Applications Found in Trash

Posted on January 15, 2011 by Dissent

Last month, I posted a breach story by Robert Siciliano about a then-unnamed insurance agency that had reportedly discarded Blue Cross Blue Shield insurance applications in a dumpster. The files were found by investigator William “Cobra” Staubs, who was engaged in “research.”

Simon Barrett followed up on the incident and posted some pictures that suggest that the files may have belonged to Action Insurance Planners, LLC of Boca Raton. The agency has not issued any public statement either confirming or denying that their agency is responsible for this breach.

Although the original story and Barrett’s follow-up focus on Blue Cross Blue Shield, Staubs informs this blog that there were applications for other insurance companies as well, including Cigna, Allstate, Accord, John Hancock, Aetna, and Quest, although Blue Cross Blue Shield had the most applications. [Note: Siciliano’s blog entry indicated that there were approximately 30 forms with about 50 Social Security Numbers, Barrett’s coverage indicates a “file box” was found, while Staubs’ most recent correspondence to PHIprivacy.net referred to 1000 documents. In light of conflicting reports, I have no idea how many individuals had their data exposed by this incident.]

According to Staubs, the applications contained

medical history and social security numbers as well as bank account numbers and some even contain credit card numbers complete with the three digit security numbers

A copy of one of the insurance application forms he found, sent to this site, contains the full name, address, telephone number, Social Security Number, hourly pay rate, job title, and other details of an employee of Total Network Consultants who applied for Aetna coverage in 2008. Staubs did not reveal what other companies had their employees’ information in the improperly disposed files.

Shortly after Siciliano’s and Barrett’s reports, I sent inquiries to both Blue Cross Blue Shield and Aetna about the incident and specifically inquired as to whether their contracts with insurance agencies have any requirements for secure disposal of applications.

A spokesperson for Blue Cross Blue Shield of Florida (BCBSF) responded to my inquiry with this statement:

Thank you for your note concerning the possible breach of BCBSF applications. At this time an investigation is currently being conducted regarding this situation and the appropriate safeguards and contractual obligations are in place to protect sensitive information. Until the investigation is completed, no additional information is available at this time.

Aetna has assured me that they will be providing me with a statement next week.

But how many insurance applications with sensitive PII and PHI are still in the hands of someone who should not have been able to even see them, much less possess them? Staubs informs PHIprivacy.net that he has turned over the Aetna applications to them but that he is still in possession of the BCBSFL forms because “Blue Cross and Shield has been non responsive and quite frankly irresponsible.”

I would think that retrieving and securing the documents would be the first priority and a necessary part of any response or breach investigation, yet that has reportedly not occurred yet, even though it is now more than two weeks since the breach.

In his own coverage, Simon Barrett wrote:

What shocks me is that what this company has done is not illegal in the state of Florida.

It no longer shocks me, but I find it irresponsible and inexcusable that some states, including Florida, have no law that requires secure disposal of files containing PII or PHI.

Even if there were such a law, some entities would undoubtedly violate it – either accidentally or intentionally – but at least the law would be setting a standard of care and the state attorney general could then sue or take action against those who put people at risk of identity theft or other harm. Without any law or right of private action, where does this leave consumers and patients? It would seem to leave them in the dumpster with their most sensitive information.

I’ll have more on this situation in the near future.

Category: Health Data
