Virtually All US Doctors' Business and Personal Information Potentially Compromised

The Blue Cross and Blue Shield Association (BCBS), a trade group for US Blue Cross health insurance plans, admitted last week that an employee's personal laptop that was stolen from his car contained business and personal information on some 800,000 practicing physicians - virtually the entire number practicing in the US.

(According to 2006 US census data, there were 800,586 practicing physicians in the US.)

The information contained physician names, addresses, health provider and tax ID numbers, and for some 170,000 doctors, their Social Security numbers as well, a report in SC Magazine says.

The BCBS Association said the employee whose laptop was stolen "broke protocol," according to a story in today's Chicago Tribune, by downloading the information to his personal laptop from a central provider data repository.

The data downloaded onto the laptop was not encrypted.

If the data had been downloaded to a BCBS Association-owned computer, then the data would have been encrypted, a BCBS Association spokesperson said.

The BCBS Association said that it doesn't think the physician data has been or will be misused since the theft appeared to be a random act, but that doctors should monitor their credit anyway, the Tribune story notes. The Association is also offering credit monitoring to those who had their Social Security numbers compromised.

It expressed all the usual regrets as well, and said that it is currently reviewing its laptop policies.

Not that it will likely do any good, as the next story indicates.

Also expressing its regrets is the Virginia Department of Education, according to the Washington Post, which announced yesterday that a 2 gigabyte flash drive containing the names, Social Security numbers and employment and demographic information of 103,270 former adult education students in Virginia has been reported missing.

Just like the Blue Cross and Blue Shield Association, the Virginia Department of Education says that it doesn't believe the information - which covers all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009 - is being misused.

The information, which - surprise, surprise - was also not encrypted, was given, says the Post, by a Virginia Education Department employee to a representative of Virginia Tech's Center for Assessment Evaluation and Educational Programming during a Sept. 21 meeting in Richmond. The information was to be used for federally mandated research the center is conducting.

The Superintendent of Public Instruction Patricia I. Wright insists that her department views protecting the privacy of students as a "solemn obligation."

Most assuredly.

That must be why it took over three weeks to publicly announce the loss of the drive (it was reported missing on 22 September).

Superintendent Wright also said that the Virginia Department of Education "has policies and secure systems to safeguard data and prevent the loss or misuse of personal information. However, no policy or system is immune from human error."

Or, in the BCBS Association incident, human laziness, carelessness, etc.

Nevertheless, I wonder if those policies will be reviewed anyway. At least it makes it look like you care.


Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Editor
Robert Charette
Spotsylvania, Va.
Contributor
Willie D. Jones
New York City
 