The Blue Cross and Blue Shield Association (BCBS), a trade group for US Blue Cross health insurance plans, admitted last week that an employee's personal laptop that was stolen from his car contained business and personal information on some 800,000 practicing physicians - virtually the entire number practicing in the US.
(According to the 2006 US census data, there were 800,586 practicing physicians in the US).
The BCBS Association said the employee whose laptop was stolen "broke protocol", according to a story in today's Chicago Tribune, by downloading the information to his personal laptop from a central provider data repository.
The data downloaded onto the laptop was not encrypted.
If the data had been downloaded to a BCBS Association-owned computer, then the data would have been encrypted, a BCBS Association spokesperson said.
The BCBS Association said that they don't think the physician data has been or will be misused since the theft appeared to be a random act, but that doctors should monitor their credit anyway, the Tribune story notes. The Association is also offering credit monitoring to those who had their Social Security numbers compromised.
It expressed all the usual regrets as well, and said that it is currently reviewing its laptop policies.
Not that it will likely do any good, as the next story indicates.
Also expressing its regrets is the Virginia Department of Education, according to the Washington Post, which announced yesterday that a 2 gigabyte flash drive containing the names, Social Security numbers and employment and demographic information of 103,270 former adult education students in Virginia has been reported missing.
Just like the Blue Cross and Blue Shield Association, the Virginia Department of Education says that it doesn't believe the information - which covers all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009 - is being misused.
The information, which - surprise, surprise - was also not encrypted, was given, says the Post, by a Virginia Education Department employee to a representative of Virginia Tech's Center for Assessment Evaluation and Educational Programming during a Sept. 21 meeting in Richmond. The information was to be used for federally mandated research the center is conducting.
The Superintendent of Public Instruction Patricia I. Wright insists that her department views protecting the privacy of students as a "solemn obligation."
That must be why it took over three weeks to publicly announce the loss of the drive (it was reported missing on 22 September).
Superintendent Wright also said that the Virginia Department of Education "has policies and secure systems to safeguard data and prevent the loss or misuse of personal information. However, no policy or system is immune from human error."
Or in the BCBS Association incident, human laziness, carelessness, etc.
Nevertheless, I wonder if those policies will be reviewed anyway. At least it makes it look like you care.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.