[ISN] Hackers took data, Medica alleges

[InfoSec News]

http://www.startribune.com/stories/462/5457557.html

Glenn Howatt
Star Tribune 
June 15, 2005

Computer hackers twice stole sensitive and confidential data from 
Medica Health Plans computers in January and shut down parts of the 
company's computer system on four other occasions.

The intruders downloaded the digital equivalent of a 140,000-page 
Microsoft Word document, Medica said in court papers, but the 
Minnetonka-based health plan was unable to determine what had been 
taken.

In April, Medica obtained federal court orders against two former 
employees that it suspected of committing the security breaches. The 
orders required them to provide an accounting of the downloaded data 
and to turn over their personal computers for an inspection.

Both defendants deny that they had violated Medica policies, as well 
as a federal law that prohibits the unauthorized use of electronic 
data.

Medica has not referred the case to federal officials for prosecution, 
and the workers have not been charged with a crime.

A Medica official said this week that it was unlikely that personal 
information about Medica's 1.2 million members had fallen into the 
wrong hands but that its investigation is continuing. The intruders 
seemed most concerned about company trade secrets and employee 
evaluations, a spokesman said.

Health plans like Medica store the same types of sensitive private 
information that would be sought after by identity thieves: Social 
Security numbers, addresses, birth dates, employment information and 
names of relatives.

Recent security breaches at the data giants LexisNexis and 
ChoicePoint, where sensitive personal information was lost to hackers 
or deceptions, as well as the loss of Bank of America data tapes 
containing personal financial information, are reigniting concerns 
about how to improve privacy protections.

"Most of us in health care organizations have a tremendous amount of 
data," said Carol Quinsey of the American Health Information 
Management Association, which helps companies take data security 
measures.

"It is bad enough that the health plan's security was breached," 
Quinsey said. "The next worse scenario would be if the [perpetrators] 
would use that data in a nefarious way and perpetuate identity theft."

Medica spokesman Larry Bussey said that the health plan has no 
evidence that any of the information taken from its computers had yet 
been misused.

"We believe that our system is very secure. We've never had any 
external break-in to the system," he said.

Instead, according to Medica, two computer system employees conspired 
to disrupt Medica's system and to access confidential information.

The employees, Austin Vhason and Pushpa Leadholm, were two of the six 
employees who had the power to set computer passwords, according to 
court documents.

The two used this access to give extraordinary powers to computer 
log-ons used for training purposes, and they also created fake log-ons 
-- including one that was constructed from the backward spelling of 
"goddess," the documents said.

Between them, the documents said, the employees used these accounts to 
download data, to cause some parts of the computer system to crash and 
to delete e-mail accounts of executives.

They made copies of e-mails that contained reports from the chief 
executive to the board, performance reviews of information-systems 
personnel and communications to Medica's attorneys about ongoing 
lawsuits, the documents said.

They also read e-mails about the company's investigation into the 
security breaches, using that information to cover their own tracks, 
according to the documents.

"We do background checks on employees that have this level of access," 
Bussey said. "One thing you can't control for is someone abusing the 
trust you've placed in them."

After hiring an outside computer forensics expert, Medica officials 
tracked much of this activity to the homes of the two employees, who 
accessed the system through their cable modems. Medica placed both 
employees on paid suspension in February and later fired them

Both workers deny that they have done anything improper and allege 
that Medica filed the lawsuit to retaliate against them. Both 
employees had filed complaints that they were discriminated against 
because they were minority members.

"My client feels that Medica was not providing the same opportunities 
to minorities as it was to Caucasians," Ryan Pacyga, the attorney 
representing Vhason, said Tuesday.

Both employees had talked to the federal Equal Employment Opportunity 
Commission and a formal complaint was filed on March 31, according to 
attorney James Behrenbrinker, who represents Leadholm.

"There is a claim alleging discrimination of race in national origin 
and retaliation," he said Tuesday. They cannot sue Medica for 
discrimination until federal authorities rule on the merits of their 
complaints, he said.

"My client voluntarily turned over her computers" for inspection by 
Medica, he added. "Mrs. Leadholm wanted to cooperate and wanted to 
show them that she didn't do anything wrong. This is a bad deal for 
her."

Medica spokesman Bussey said he would not comment on the 
discrimination charges.

He said Medica stores data on several computer systems. The ones that 
were inappropriately accessed stored business information. Still, 
those computers contained data that Medica deemed sensitive and 
confidential.

"They seemed to be more interested in business information," Bussey 
said. "They didn't seem to be even trying to get into places where 
member information would be stored."

Computer security consultant Quinsey said there's only so much that a 
company can do to protect data from wayward employees. "What prudent 
employers have always done is have clear policies in place that say if 
employees abuse, then litigation will be filed and you will be 
appropriately challenged," she said.

Although Medica has obtained court orders barring Vhason and Leadholm 
from disseminating any data they might have downloaded, a trial to 
determine whether they had acted improperly is pending while attorneys 
from both sides gather more information.