Now that California is posting breach notes on its site, I’m finding out about a slew of breaches that I did not find through other sources. Of the 27 breaches they’ve posted since the beginning of this year, I didn’t know about 16 of them:
They’ve now all been entered in DataLossDB.org. One just added today is noteworthy because we’re finding out about it before those affected have been notified. Cigna Dental will be sending out a breach notice to some of their insured members on April 26. The notice explains:
I am writing to inform you of a matter that the Cigna Enterprise Privacy Office was made aware of on March 27, 2012. On March 23, 2012, in violation of Cigna corporate policies, a Cigna employee emailed an unencrypted document containing Cigna Dental customers’ first names and social security numbers to her home email address and to the email address of her son. The document was created by Cigna for internal use by our Dental Customer Service Agents. It included your first name and social security number, but it did not contain any other personal information about you (such as your address or health information).
At Cigna, we take this type of policy violation very seriously. The employee indicated that she had emailed the document with the intention of reviewing it at home, with the assistance of her son, so that she could identify the Cigna customers who had been assigned to her for follow-up telephone calls. The employee confirmed, in writing, that she destroyed the document, retained no copies of it, and that it was not shared with anyone else. We have received confirmation from the son as well, that he destroyed the document, retained no copies of it, and that it was not shared with anyone else. The employee’s position with Cigna was terminated on March 29.
Cigna is already taking steps to prevent this type of situation from recurring. The document forwarded by the former employee is no longer being produced for internal distribution to Cigna’s Customer Service Agents as this information is accessible through other, secure means. Additional automatic preventive safeguards are being enhanced to help minimize the potential for future occurrences of this type of policy violation. Cigna is also retraining its workforce on privacy and information protection regulations and corporate policies in May and June.
[…]
It’s nice to find out about breaches promptly and it’s important to find out about as many breaches as we can so we can learn from them. I wish all states would post their breaches publicly.