DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Three months after tapes are reported missing, ValueOptions notifies National Elevator Industry subscribers (updated)

Posted on November 9, 2011 by Dissent

I just read a notification to the New Hampshire Attorney General’s Office that is both thorough in its description of the event and steps taken, but also needlessly increased the risk to those affected.

In a letter dated October 28, ValueOptions, Inc. described how a container of tapes containing unencrypted data went missing after being shipped on July 6 via UPS.  Their letter provides a detailed chronology of what happened, their extensive search for the missing shipment, and the notifications they were sending to 350 New Hampshire residents who were enrolled in healthcare plans at National Elevator Industry.

Personal information  on the tapes included names, addresses, dates of birth, phone numbers, Social Security numbers, and plan subscriber’s ID number.   The notification does not indicate what other companies may also have data on the missing tapes or whether there even were any other companies whose employees were affected.

As readers will immediately grasp, there was a long delay between data loss and notification. Although ValueOption explains the steps they took, did they wait too long to notify?  By today’s standards, I would say they did, but you can form your own opinion after reading their letter.

Unfortunately, in their attempt to inform the state and to show how low the risk of misuse was, ValueOptions included information as to the precise manufacturer and model of cartridge tapes  and the type of server needed to read the data.  That was not only unnecessary but counterproductive, and I suspect that they may not have realized that their notification would wind up on the Internet.  While I doubt that anyone who finds the cartridges or who may have stolen them would come across the notification and immediately rush out to get an obsolete server to read the tapes, you never know.

So here’s a “pro tip” to all entities:  assume your notification will wind up in my hands or others’ hands and don’t compound the incident.

Update:  The NYS Consumer Protection Office reports that 6,669 New York State residents were also affected by the ValueOptions/NEI incident.

No related posts.

Category: Breach IncidentsHealth DataLost or MissingSubcontractorU.S.

Post navigation

← Fannie Mae notifies 1,100 of a security breach – but it’s a puzzlement
Senator Franken considering legislation to encourage (but not require?) encryption for healthcare and OMR providers →

1 thought on “Three months after tapes are reported missing, ValueOptions notifies National Elevator Industry subscribers (updated)”

  1. Sang @ AlertBoot says:
    November 20, 2011 at 2:48 pm

    I’d say it took too long under one very specific yardstick: the Breach Notification Rule (BNR).

    From this page (http://www.valueoptions.com/providers/ProCompliance.htm), it appears that ValueOptions is a HIPAA covered-entity (To be honest, I can’t tell if they’re actually covered or if they decided to follow HIPAA regardless).

    Assuming it is a covered-entity, ValueOptions is in breach of the BNR since it exceeded the 60 calendar days for notifying affected people: AUG 4 to NOV 4 is 95 days.

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Record-Breaking $1.55M CCPA Settlement Against Health Information Website Publisher
  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.