Another stolen laptop ... and this time we have 850,000 doctors swallowing the bitter pill of knowing that their sensitive professional and personal information may have fallen into hands bent on identity theft.
According to this report in Amednews.com, an American Medical Association publication:
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.
The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.
Up to 187,000 of the doctors reportedly used their Social Security numbers for identification purposes in these profiles. The laptop was stolen from an employee's car in Chicago on Aug. 27.
The association updates its file of BlueCard network physicians weekly, Smokler said. An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said.
"We are re-evaluating that protocol and how we prevent this from happening again," Smokler said.
It's a familiar story. According to statistics compiled by DatalossDB, stolen laptops account for fully one in five data breaches. I asked Kelly Todd, a curator at DatalossDB, what more organizations can do to prevent employees from being so reckless.
"Companies should make sure their security policies are openly available to their employees, and also make sure their policies are communicated on a regular basis in clear, concise language," says Todd. "Don't just tell employees what they can't do, but also tell them why they aren't allowed to do it by using real world examples (like this one). It also doesn't hurt if the companies in question can help enforce their policies with technology-based access controls and active monitoring across their networks."
So should policy violations of this nature mean automatic termination?
"That's a very touchy area," says Todd. "Phrases like 'disciplinary action up to, and including, termination' are probably pretty common in employee handbooks, but there are always numerous factors to consider before terminating an employee for a security incident, even if in direct violation of a company policy. However, if someone had directly told the employee 'if you do this, you may be fired,' he or she may have thought twice about downloading the file to their laptop. VPNs and other remote access solutions exist for a reason."
And what level of risk are the doctors facing here based on what's been made public?
"Missing names, addresses, and Social Security numbers are never a good combination, but most stolen laptops probably either end up wiped or in a pawn shop somewhere," he says. "Considering the laptop has yet to be recovered, there's certainly some risk, but there's no way to know for sure until or unless the laptop shows up somewhere."
As has become customary in such cases, BlueCross BlueShield is offering the doctors free credit monitoring. Small comfort.