Earlier this month, Fallon Community Health Plan reported that a stolen laptop was encrypted. Now Fallon is reversing itself and saying that the laptop was not encrypted, based on the conclusions of a forensic technologist.
This means that over 30,000 members of Fallon Community Health Plan could be affected. While financial information was not present on the laptop, other information such as Medicare IDs was present, as well as dates of birth, names, etc. Now, I’m not sure if this is true, but apparently Medicare Identification numbers are composed of people’s (or their spouses’) SSNs. I guess I’ll find out once I become eligible. At any rate, if the above is true, obviously the data loss could have a significant impact—and Fallon has offered free credit monitoring services for the next 12 months to those affected.
The direct victim of the theft was a contractor that was handling medical claims for Fallon. Fallon has declined to identify the contractor, but it is known that the computer was stolen from the contractor’s offices. The theft was discovered on January 2, but it was not until January 14 that the device was found to be unprotected by encryption.
This highlights why not all encryption programs are the same. With AlertBoot, not only do you get strong encryption with the encryption standard of the past thirty years (namely, RSA), you also get a very comprehensive reporting engine to go with it. In other words, if a laptop gets stolen, you can easily look up the encryption status of that machine, as well as who had access to it. Granted, the forensics guy probably didn’t spend 12 days trying to figure out whether there was encryption on the laptop—he’s got other stuff to check into as well—but something like AlertBoot would have allowed Fallon’s officers to correctly state that the laptop was not encrypted from the get-go. Worse than appearing incompetent is appearing incompetent twice.
Of course, with such a reporting system, regular audits would also have shown the IT department that one (or more) of their laptops was not encrypted, and IT could (or rather, should) have followed up with the renegade worker. So, the data breach could have been prevented; one can hardly say the same for the theft itself.