Insurer's customer data was swiped

January 24, 2007

Denise Trowbridge

The personal information of tens of thousands of Nationwide customers has been stolen.

The company said yesterday that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Weymouth, Mass., office of Concentra Preferred Systems.

They are among the data records of more than 100 million U.S. citizens that have been compromised by security breaches since February 2005, according to the Privacy Rights Clearinghouse.

In the Nationwide case, the tapes contained medical claim information, health data and Social Security numbers.

Concentra is a Nationwide Health Plans subcontractor that audits hospital-stay charges to ensure that Nationwide isn't overpaying on claims, Nationwide spokesman Mike Switzer said.

Only Nationwide Health Plans customers were affected by the breach. The company's auto, life and homeowners insurance policyholders were not.

The theft occurred Oct. 26 and Nationwide was made aware of the incident two weeks later. Letters notifying customers were mailed last week by the company. A notice about the theft appeared on Concentra's Web site Dec. 1.

The gap between the theft and customer notification was necessary so Nationwide could assess the risk of identity theft and learn what data was stolen and whether thieves could take advantage of it, Switzer said.

Nationwide determined that the risk of identity theft as a result of this incident is very low, Switzer said.

In the letter, Concentra said "common criminals" wouldn't be able to access the data on the tapes, because they'd need "specific technical computer knowledge, equipment and software."

Ohio law requires companies to notify customers of data breaches within 45 days, but only if the company believes there is a "material risk of identity theft."

Police investigating the break-in said thieves didn't appear to be looking for data, but instead for valuables such as cash and DVD players, Switzer said. In cases such as this, "data breaches pose almost no risk to consumers," said Anne Wallace, executive director of the Identity Theft Assistance Center in Washington, D.C.

Still, customers are usually mad when they find out months later that their data was compromised, said Paul Stephens, policy analyst with the Privacy Rights Clearinghouse in San Diego.

"It shouldn't take that long to notify customers," he said, but businesses "have no financial incentive to tell them" about a breach.

Consumers have little legal recourse, even if they do suffer as a result, Stephens said, so "the best approach is to take steps to minimize losses."

Nationwide said it would offer affected customers one year of free credit monitoring and one year of free identity-theft insurance. Nationwide was among the first insurance companies to offer identity theft insurance, rolling out the product in 2005 after one of the company directors had his identity stolen.

Nationwide's policy pays up to $25,000 to cover the costs of repairing the damage caused by identity theft, including attorney fees and lost wages. Nationwide, in conjunction with another company, handles calls to creditors and credit bureaus on behalf of policyholders. The policy usually costs about $45 a year.

The policy doesn't cover the direct financial losses resulting from identity theft, because creditors usually waive those costs.

The stolen tapes also contained personal information for participants in several other health-insurance plans, including 130,000 Aetna and 42,000 Group Health Insurance customers, according to the Privacy Rights Clearinghouse.

Those companies notified customers of the breach in mid-December.

In a more recent incident, TJX Companies, the parent company of TJ Maxx, Marshalls and A.J. Wright stores, said last week that it was investigating two breaches of its credit-card, debit and check-transaction databases.

Hackers allegedly obtained unencrypted customer-account numbers in 2003, and from May to December 2006. The company said it didn't know how many people have been affected. TJX Companies has about 10 stores in Columbus.
