Medica ignored warnings, says ex-employee

June 29, 2005

By Glenn Howatt, Star Tribune

http://www.startribune.com/stories/535/5481317.html



The former manager of computer security for Medica Health Plans said the company ignored repeated warnings that its information system was vulnerable to attack and abuse.

Scott Charleson, the health plan's security engineer until early 2004, said Medica didn't act on his recommendation to "lock down" the computer system and protect sensitive information, including personal information about Medica's 1.2 million members.

That and other measures could have prevented two Medica computer administrators from allegedly sabotaging the company's computers and downloading data earlier this year, Charleson said.

"I left the company in January 2004 because it was clear to me that they had no intention of taking action on serious security issues until something blew up," he said.

Officials of the Minnetonka-based health plan denied that they skimped on security during Charleson's tenure. The two accused employees were fired and Medica sued them in April. They have not been charged with a crime.

"We detected something happened, we analyzed it, investigated it ... and took appropriate action," said Chris Grillo, Medica's director of information security.

Still, it took Medica's security investigators at least 45 days to detect problems and another 20 days before the company took direct action to stop the employee alleged to have done the most damage, according to court documents.

During that time, the system was sabotaged four times, limiting legitimate access by employees and vendors. Confidential business documents were copied, including personnel information about the information technology department as well as letters to outside attorneys concerning lawsuits, according to court documents.

Evidence destroyed

The perpetrators knew they were being tracked because they read the e-mails of security investigators. They found and used a secret account and password that the investigators had created to stabilize the system. Instead, the account was used to disable the accounts of 12 employees, the documents said.

And even after Medica had identified the suspects, they erased the hard drives of their company laptops without interference, destroying critical evidence, according to court documents.

Charleson said it shouldn't have taken Medica two months to find and stop insiders from creating computer havoc.

He said such companies should have programs in place to "watch the watchers," the systems operators who have the most opportunity to cause damage.

Charleson said he wanted to hire an outside company to test Medica's security.

"Not once, from December 2001 to January 2004, was there a security audit by a third-party security company," he said.

Charleson said his proposals were never vetoed outright. But as top managers kept delaying decisions, he grew more concerned.

"I know that I am missing attacks on our network," he wrote in a memo in 2002 to his supervisors. "Maybe they are not successful, maybe they are and we just haven't found it yet. Either way, it's my worst nightmare."

Medica defense

Medica officials disagree with Charleson's assessment of the company's computer security then and now. But they acknowledge that there were disagreements at the time about how to improve security.

"Were there differences of opinion about how to handle that? There probably was," said spokesman Larry Bussey. "But from the highest levels on down, security was an issue that people cared about and committed to."

Grillo said that since he became security officer in March 2004, the system has been tested several times through internal and external audits. Most recently, an outside auditor found Medica to be in compliance with federal standards requiring health plans to protect member privacy.

"I have been with Medica now for a year and a half, and the security mindset is excellent compared to what I've seen in other industries," said Grillo.

In response to this year's security breach, Medica has tightened its hiring practices and has limited broad administrative access to the system.

In the end, Medica did find the alleged perpetrators, and even though it is not completely certain about what information was downloaded, the evidence suggests that it did not include personal information about Medica members.

Detection difficult

Grillo said Medica has and did have all of the safeguards that Charleson proposed.

"The hardest thing to do is detect an authorized person doing unauthorized things," Grillo said.

One of the former employees, he said, was in charge of the company's e-mail system. Periodic audits would have found that sensitive e-mails were being copied, he said, but immediate detection would be possible only if the company scrutinized every keystroke the employee made.

Medica said it has enough evidence to prove that the two former employees were responsible for the security breaches.

However, attorneys representing the employees, Austin Vhason and Pushpa Leadholm, have said the shortcomings of Medica's system will be an issue for the defense.

Court papers filed on behalf of Leadholm allege that Medica didn't take appropriate steps to protect its secret and confidential data, leaving the door open to countless electronic intruders and calling into question whether the system has recorded enough electronic fingerprints to point to the real culprits.

Both employees denied any wrongdoing. In its suit, Medica seeks to recover the downloaded data, inspect the two suspects' home computers and recover the costs of detecting the security breaches.

