DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Three months after tapes are reported missing, ValueOptions notifies National Elevator Industry subscribers (updated)

Posted on November 9, 2011 by Dissent

I just read a notification to the New Hampshire Attorney General’s Office that is both thorough in its description of the event and steps taken, but also needlessly increased the risk to those affected.

In a letter dated October 28, ValueOptions, Inc. described how a container of tapes containing unencrypted data went missing after being shipped on July 6 via UPS.  Their letter provides a detailed chronology of what happened, their extensive search for the missing shipment, and the notifications they were sending to 350 New Hampshire residents who were enrolled in healthcare plans at National Elevator Industry.

Personal information  on the tapes included names, addresses, dates of birth, phone numbers, Social Security numbers, and plan subscriber’s ID number.   The notification does not indicate what other companies may also have data on the missing tapes or whether there even were any other companies whose employees were affected.

As readers will immediately grasp, there was a long delay between data loss and notification. Although ValueOption explains the steps they took, did they wait too long to notify?  By today’s standards, I would say they did, but you can form your own opinion after reading their letter.

Unfortunately, in their attempt to inform the state and to show how low the risk of misuse was, ValueOptions included information as to the precise manufacturer and model of cartridge tapes  and the type of server needed to read the data.  That was not only unnecessary but counterproductive, and I suspect that they may not have realized that their notification would wind up on the Internet.  While I doubt that anyone who finds the cartridges or who may have stolen them would come across the notification and immediately rush out to get an obsolete server to read the tapes, you never know.

So here’s a “pro tip” to all entities:  assume your notification will wind up in my hands or others’ hands and don’t compound the incident.

Update:  The NYS Consumer Protection Office reports that 6,669 New York State residents were also affected by the ValueOptions/NEI incident.

Category: Breach IncidentsHealth DataLost or MissingSubcontractorU.S.

Post navigation

← Fannie Mae notifies 1,100 of a security breach – but it’s a puzzlement
Senator Franken considering legislation to encourage (but not require?) encryption for healthcare and OMR providers →

1 thought on “Three months after tapes are reported missing, ValueOptions notifies National Elevator Industry subscribers (updated)”

  1. Sang @ AlertBoot says:
    November 20, 2011 at 2:48 pm

    I’d say it took too long under one very specific yardstick: the Breach Notification Rule (BNR).

    From this page (http://www.valueoptions.com/providers/ProCompliance.htm), it appears that ValueOptions is a HIPAA covered-entity (To be honest, I can’t tell if they’re actually covered or if they decided to follow HIPAA regardless).

    Assuming it is a covered-entity, ValueOptions is in breach of the BNR since it exceeded the 60 calendar days for notifying affected people: AUG 4 to NOV 4 is 95 days.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Nigerian National Sentenced To More Than Five Years For Hacking, Fraud, And Identity Theft Scheme
  • Data breach of patient info ends in firing of Miami hospital employee
  • Texas DOT investigates breach of crash report records, sends notification letters
  • PowerSchool hacker pleads guilty, released on personal recognizance bond
  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • California county accused of using drones to spy on residents
  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.