I just read a notification to the New Hampshire Attorney General’s Office that is both thorough in its description of the event and steps taken, but also needlessly increased the risk to those affected.
In a letter dated October 28, ValueOptions, Inc. described how a container of tapes containing unencrypted data went missing after being shipped on July 6 via UPS. Their letter provides a detailed chronology of what happened, their extensive search for the missing shipment, and the notifications they were sending to 350 New Hampshire residents who were enrolled in healthcare plans at National Elevator Industry.
Personal information on the tapes included names, addresses, dates of birth, phone numbers, Social Security numbers, and plan subscriber’s ID number. The notification does not indicate what other companies may also have data on the missing tapes or whether there even were any other companies whose employees were affected.
As readers will immediately grasp, there was a long delay between data loss and notification. Although ValueOption explains the steps they took, did they wait too long to notify? By today’s standards, I would say they did, but you can form your own opinion after reading their letter.
Unfortunately, in their attempt to inform the state and to show how low the risk of misuse was, ValueOptions included information as to the precise manufacturer and model of cartridge tapes and the type of server needed to read the data. That was not only unnecessary but counterproductive, and I suspect that they may not have realized that their notification would wind up on the Internet. While I doubt that anyone who finds the cartridges or who may have stolen them would come across the notification and immediately rush out to get an obsolete server to read the tapes, you never know.
So here’s a “pro tip” to all entities: assume your notification will wind up in my hands or others’ hands and don’t compound the incident.
Update: The NYS Consumer Protection Office reports that 6,669 New York State residents were also affected by the ValueOptions/NEI incident.
I’d say it took too long under one very specific yardstick: the Breach Notification Rule (BNR).
From this page (http://www.valueoptions.com/providers/ProCompliance.htm), it appears that ValueOptions is a HIPAA covered-entity (To be honest, I can’t tell if they’re actually covered or if they decided to follow HIPAA regardless).
Assuming it is a covered-entity, ValueOptions is in breach of the BNR since it exceeded the 60 calendar days for notifying affected people: AUG 4 to NOV 4 is 95 days.