and what a stupid one at that. Unencrypted information from subscribers (which included social security numbers) was sent to the wrong email address. Now I know that we all at one point may have possibly sent something as a response to a listserv when we only wanted to email one person, but we are not working for a Health Insurance Exchange and we do not routinely handle SSNs of other people. This incident involved only 2400 people, but still. This is less than one week after this whole exchange enrollment started and we already have a breach.
Does this government have any experience in information security before they offer these exchanges to people? Most hospitals require encryption for any patient records because state laws, such as those in North Carolina, already put you in a position where encrypting patient data can save you a boatload of trouble. If you store SSNs on your laptop and it gets stolen from the backseat of your car, usually encryption of that data at rest can save you the cost of a breach notification. If the data was not encrypted, you likely will have to do a breach notification. Now the calculation is easy: invest in some relatively cheap encryption software (you can even get some free software for encryption) or risk paying your patients $100+ for credit monitoring in addition to your reputation damage. No wonder encryption is so popular with healthcare providers.
Seemingly with healthcare providers that are not associated with healthcare exchanges. Emailing SSNs over the public internet? I guess the government has not heard of the ability to sniff traffic? Or a bunch of other attacks, like DNS spoofing, that are only a few years old or older? Who handled the security assessment for these exchanges?
I am wondering whether the government really wants people to use these exchanges because this does not bode well for people planning on trusting these exchanges with their information.
You can read more about this little incident here. For now, my reaction can be summed up as follows.