582 Ohioans were affected when a hard disk drive was stolen after it was sent to a vendor for repairs. The breach affects only members of United Healthcare’s Medicare plans. It was not revealed whether the medical information was protected with disk encryption software like AlertBoot, although it would have been highly recommended, especially in hindsight.
Futurity First Insurance Group’s Disk
The hard drive contained names, Social Security numbers, and other protected health information. While the information belonged to Minnetonka, Minnesota-based United Healthcare, the disk that was stolen belonged to Futurity First Insurance Group, a company that provides sales and marketing services.
Futurity First sent the hard disk out for repairs. And, apparently, in doing so they also opened a portal to The Twilight Zone:
The device was stolen on June 28.
Futurity First Insurance Group was notified on August 12. (45 days later)
United Healthcare was notified by Futurity First on September 14. (33 days later)
United Healthcare is notifying their clients now, around October 12. (28 days later)
Uh, what’s with the slow-as-molasses response? Most damning is the vendor, who took 45 days to get in touch with Futurity First to say “hey, someone stole your hard drive from us.” I mean, did they actively decide not to fix that thing for a month and a half, and that’s why they didn’t notice it? How’d they know when it was stolen, then? Or were they actually looking for a hard drive for those 45 days, or what? The number doesn’t make sense.
I have no doubt that, had the vendor known protected health information was stored on the device, they would have moved faster. But still, forty-five days!
If your repair guy comes back to you and says, “hey, your ‘thing’ — regardless of what it might be, be it a toaster or a TV — got stolen 45 days ago, but I’m letting you know now,” well, I can’t imagine too many people not taking issue with such a lengthy delay.
And, why did Futurity First wait 33 days to get in touch with United Healthcare? Was it reconstituting the data from backups to figure out who was affected? That’s understandable, but if so, why did United Healthcare take 28 days to get in touch with their clients?
Marketing Services and SSNs
As Dissent over at databreaches.net has remarked, the big question is, what is a marketing firm doing with people’s SSNs?
I can understand the other patient data, be it medical diagnoses, addresses, or otherwise: the holy grail of sales and marketing is laser-like focus on your audience. However, how does a Social Security number help you as a marketer? Unlike a zip code, it doesn’t reveal anything about the person. (I guess you could run a credit report, but that is not exactly accurate data.)
So, you’ve got a situation where this data category is useless to you but carries an immense amount of risk. No upside, all downside. The smart thing for the marketing firm would have been not to accept the data in the first place. The other smart thing would have been for the data owner not to hand it out at all.
The next best thing? Use encryption software to protect it. Heck, it’s the one thing that shields HIPAA covered entities from the Breach Notification Rule.