Friday, October 4, 2013

Less than one week into the Health Insurance Exchange - we have a security breach!

And what a stupid one at that. Unencrypted information from subscribers (which included Social Security numbers) was sent to the wrong email address. Now I know that we all at one point may have sent something as a reply to a listserv when we only wanted to email one person, but we are not working for a Health Insurance Exchange and we do not routinely handle other people's SSNs. This incident involved only 2400 people, but still. This is less than one week after this whole exchange enrollment started and we already have a breach.
Does this government have any experience in information security before it offers these exchanges to people? Most hospitals require encryption for any patient records because state laws, such as North Carolina's, are already written so that encrypting patient data can save you a boatload of trouble. If you store SSNs on your laptop and it gets stolen from the back seat of your car, encryption of that data at rest can usually save you the cost of a breach notification. If the data was not encrypted, you will likely have to do a breach notification. Now the calculation is easy: invest in some relatively cheap encryption software (you can even get some free software for encryption) or risk paying $100+ per patient for credit monitoring, on top of the damage to your reputation. No wonder encryption is so popular with healthcare providers.

Apparently only with the healthcare providers that are not associated with the healthcare exchanges. Emailing SSNs over the public internet? I guess the government has not heard of the ability to sniff traffic? Or of a bunch of other attacks, like DNS spoofing, that have been known for years? Who handled the security assessment for these exchanges?

I am wondering whether the government really wants people to use these exchanges, because this does not bode well for people planning on trusting these exchanges with their information.

You can read more about this little incident here. For now, my reaction can be summed up as follows.

7 comments:

Diana Ionita said...

I totally agree with your reaction. After billions were spent and so-called computer experts spent 3 years setting it up... we see the effective job they did: on the first day, the site crashed and had errors, and on the 2nd day, it let patients' private information files leak out.

Mad Typer said...

Encryption just seems like the smart thing to do.

Unknown said...

Double face-palm indeed! My husband works in IT for a major health insurer. He is appalled that this happened. Honestly, the whole incident scares me.

gfdes said...

I just hope this thing gets better. I know lots of people that work in healthcare and this new ACA seems pretty bad.

Unknown said...

Looks like a great future in front of us (sarcasm). My personal info has been on laptops twice now that have been stolen. So far, my identity hasn't been stolen (that I know of), but it really worries me that it's so easy to do.

Raka said...

I'm not living in the US but even I've heard about those problems there right now.

Btw, I'd love to use photos like these, but I know about copyright problems so I'm kind of wary, thus I'm still looking for a great source. Can you please share yours?

Courtney Pies said...

It's sad that there are breaches like this going on. Nobody's information is safe, it doesn't seem.