Patient data exposed online

March 26, 2008

By Liz F. Kay, Sun reporter

A CareFirst BlueCross BlueShield dental HMO accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public Web site last month and didn't notify them until about three weeks later.

The Dental Network, which is owned by CareFirst, informed the members - mostly Maryland and District of Columbia residents - that their names, addresses, dates of birth and Social Security numbers had been posted on its Web site for two weeks in February because of a technical error.

The company says that to its knowledge, no one has misused the information. But it says "the risk ... should be taken seriously" and has offered members 12 months of free credit monitoring, as well as information about contacting the three credit bureaus to place a fraud alert on their account.

"We moved in a timely fashion to secure the data and notify the members," CareFirst spokesman Michael Sullivan said yesterday.

A state law passed last year requires businesses to promptly notify those potentially affected by a security breach or theft, according to the Maryland attorney general's office. Approval followed the loss of computer tapes containing information on more than 135,000 Johns Hopkins employees and patients in early 2007.

Experts say security breaches such as The Dental Network's - where the company itself inadvertently posts the information - are uncommon. More often, experts say, information is compromised when hackers break into a computer system or when computers are stolen - as happened with the theft of a National Institutes of Health laptop last month.

The Dental Network discovered the security breach Feb. 20 and informed members in a March 10 letter.

The Sun obtained a copy of the letter from a Dental Network member. After inquiries from the paper, CareFirst issued a press release yesterday.

The HMO said the problem that resulted in the breach has been resolved and that no personal medical information was disclosed.

The company also created a Web site, which details the credit protections, and a phone line for members to learn more about the breach.

On the Web site, the company posted a list of frequently asked questions, including one about the delayed notification.

"Action was taken immediately and your personal data was secured within minutes of our learning of this accidental exposure," the response states. "With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, make the appropriate decisions and line up the assistance services that are being offered."

Paul Stephens of the Privacy Rights Clearinghouse said any breach that involves Social Security numbers poses a high risk of identity theft.

Consumers cannot guard themselves against security breaches such as The Dental Network's, he said. The notification time varies when they do occur.

"In some situations, companies are very responsible about getting the word out quickly," Stephens said, through the news media or mass mailings.

The privacy group's Web site has a chronology of identity theft incidents, including an incident last month in which the personal information of more than 100,000 doctors from 11 states was posted on the Web site of California-based Health Net Federal Services. Also last month, a computer file with information about former and current Texas A&M University employees was posted online for about three weeks.

The CareFirst security breach is the most recent example of confidential patient or employee records being exposed in Maryland.

Last summer, a desktop computer containing the personal information of about 5,800 Johns Hopkins patients was stolen, and the hospital waited five weeks to inform them.

Hopkins officials reported in February 2007 that a courier mistakenly left a box of computer tapes containing the personal records of 135,000 employees and patients at the wrong stop. Officials believed that the tapes were likely thrown away or incinerated.

In 2006, a laptop computer containing the Social Security numbers of more than 26 million veterans and their spouses was stolen from the Montgomery County home of a Department of Veterans Affairs employee, and later recovered.

In January, a state law took effect that requires credit bureaus to allow residents to put a "security freeze" on their credit reports.
