The recent TRICARE/SAIC breach involved the theft of tapes that were en route to being converted/encrypted. Here’s another case where older-format records sent out for conversion have been involved in data loss, although in this case the data were not stolen from an employee’s car but were lost by a delivery service. And while the SAIC data went back to the early 1990s, these data go back to the 1960s! From the press release:
On August 23, 2011, Concordia Plan Services (CPS), formerly known as Worker Benefit Plans, the plan administrator, was informed that a box of microfilm containing plan enrollment information from the 1960s and 1970s had been lost by a delivery service. On February 3, 2011, CPS had hand-delivered these records to a vendor hired to convert the microfilm to an electronic format. The loss occurred when the records were being transferred between the company assisting the vendor with the conversion process and the vendor. In May 2011, the delivery service had notified the vendor that the microfilm was lost.
The records contained some participants’ personal information, including names, addresses from the 1960s and 1970s, and dates of birth. In some cases, Social Security numbers also were on the microfilm, and in other cases, limited medical information for some participants was included. In response to this loss, CPS is:
- Notifying all affected individuals in writing.
- Taking all reasonable measures to locate the microfilm and working with legal and security vulnerability experts to assist us with our investigation and to help identify and implement any appropriate additional safeguards.
- Offering credit monitoring, identity theft restoration, and fraud insurance to eligible individuals at no cost for one year.
CPS has no knowledge of misuse or attempted misuse of the information contained on the microfilm.
The safety and security of plan member information is important to CPS. If you have any questions related to this incident, CPS is providing a privacy hotline that is staffed with representatives specially trained to help in these situations. Please do not hesitate to call the hotline toll-free at 888-414-8021 between 7 a.m. and 5 p.m. CST, Monday through Friday.
SOURCE Nelson Levin de Luca & Horst, LLC
That’s an unacceptably long delay in notifying CPS of the loss. When did the unnamed vendor first send the microfilm to their subcontractor? Did they send it in February and first learn of its non-delivery in May? Or were they notified promptly after the non-delivery/loss? In any event, if they learned of the loss in May, why the 3-month delay in notifying CPS?
According to their web site, Concordia Plan Services supports The Lutheran Church—Missouri Synod and provides health, disability, and retirement benefits to church workers and their families:
Today, Concordia Plan Services is the LCMS benefits provider of choice for over 6,000 LCMS congregations, schools, universities, seminaries, and other organizations in the United States and in mission fields worldwide. Through these participating organizations, over 31,000 active workers, along with 54,000 dependents, are covered by the various benefits Concordia Plan Services provides.
The press release does not indicate how many workers or dependents had data on the missing microfilm.
The delay in notification is somewhat disturbing. If this breach had occurred in California, the entities could expect to receive some huge fines for the delay in notification. But what will HHS do with this one? CPS’s press release itself appears to exceed HITECH’s 60-calendar-day notice requirement, but the bigger issue is that their vendor/business associate did not notify them for 2-3 months following discovery of the data loss, which also exceeds HITECH’s 60-calendar-day requirement. So what, if anything, will HHS do?
And did CPS really need to retain 50-year-old data to meet their current obligations? It seems so difficult for entities to purge data, but the more data you retain, the greater the risk of it being involved in a data breach or loss. Perhaps CPS had a valid reason to retain all the data. I do not know. But I expect that that is a question they have also considered in light of this incident.
Update: When this breach appeared on HHS’s breach tool, the vendor was identified as HITS Scanning Solutions. The breach was reported as affecting 7,059 individuals. The date of loss was indicated as March 17, 2011.