Vendor waited six weeks to notify Ohio officials of data breach

March 1, 2006

By Todd R. Weiss, Computerworld

http://computerworld.com/securitytopics/security/story/0,10801,109116,00.html?SKC=security-109116



The Ohio state attorney general's office is investigating the terms of a contract between the state Department of Administrative Services and a New Jersey-based prescription drug benefits provider after a laptop computer containing the unencrypted Social Security numbers and birth dates of about 4,300 state workers and 300 of their dependents was stolen in late December.

The theft wasn't reported to the state until last month.

Ben Piscitelli, a spokesman for the Ohio Department of Administrative Services (DAS), said the laptop was stolen Dec. 28 from the home of an employee of Medco Health Solutions Inc., which handles prescription drug benefits for state employees. Medco officials waited until Feb. 8 to inform the state about the theft.

"We told them that delay was unacceptable," Piscitelli said. Officials of the Franklin Lakes, N.J.-based company met with state DAS officials on Feb. 16 and agreed to provide free credit- and fraud-monitoring services to the affected workers for one year to help them watch their credit records for potential illegal activity, he said. The DAS announced the incident and its aftermath in a statement last week.

The DAS has also asked Attorney General Jim Petro to review the two-year, $4 million drug benefits management contract DAS has with Medco through July 2007.

Kim Norris, a spokeswoman for the attorney general's office, said the contract is being reviewed for any violations that may have occurred in terms of data security. "If they promised to protect the information in a certain manner, those are the kinds of issues we.ll look at," she said. "We're working on that right now."

If related violations of specific agreements are found, the state could sue Medco, Norris said.

Piscitelli said the Medco employee had possession of a laptop computer owned by Medco that contained the prescription benefits membership numbers -- which are the same as employee Social Security numbers -- of the state employees and dependents. Birth dates and details about the drugs the patients were taking were also in the data records. But the data, which is from 2003 and 2004, did not include names or addresses of the affected persons.

The Medco employee was using the data for a routine audit of the prescription benefits records of the patients, Piscitelli said.

"Our concern is that the state can't gamble" with such data losses, he said. "We hope that this was just a theft, that someone was interested in the laptop and not the information on it."

The agency has received no reports of identity theft or credit fraud from any of the persons affected by the incident, Piscitelli said.

Soraya Balzac, a Medco spokeswoman, today confirmed that the data on the laptop was not encrypted but said that the laptop itself required a password for user log-on. The company has since changed its procedures and is now encrypting such data for state workers, she said. "Whether this specific incident prompted that, I couldn.t confirm that," Balzac said. "We have moved to [encryption] in transit since then."

Balzac said the Medco worker had permission to have the data and the laptop off-site, but she would not describe where the laptop was when it was stolen. The six-week delay in notifying the state of the theft was necessary because the incident was under investigation by local police in New Jersey and a complete log of the stolen data had to be created so it could be reported, she said.

"It did take time," Balzac said. "Medco takes this extremely seriously."

Balzac said the company is reviewing its response procedures for the future. "You're as efficient as the lessons learned in the last scenario," she said.

[an error occurred while processing this directive]