• United States

Car trouble results in breaches

Jan 30, 20062 mins
Data BreachGovernmentNetworking

Even as the U.S. Federal Trade Commission was fining ChoicePoint, two more companies reported large data-security breaches last week – both involving the apparent theft of IT equipment from employees’ cars.

Providence Home Services, a division of Providence Health System in Seattle, said it’s notifying 365,000 hospice and home healthcare patients in Oregon and Washington about the theft late last month of back-up disks and tapes that included personal information and confidential medical records.

A Providence employee told company officials on Dec. 31, 2005 that the disks and tapes had been stolen from his car while it was parked at his home. The employee took the devices home as part of a backup protocol that sent disks and tapes off-site to protect them against possible loss from fires or other disasters, a Providence spokesman said. That practice has since been stopped, he added.

The spokesman said some of the information on the tapes was password-protected at the application level, while the rest was stored in proprietary file formats. The data on the disks also wasn’t encrypted but was stored in a proprietary file format “in a way that would make it difficult, if not impossible, for someone to access it [and] then make any sense out of it,” he said.

Rick Cagen, CEO of Providence’s Portland service area, said the home healthcare unit is implementing new data back-up procedures using more-traditional means, including secure sites in remote locations. “We do have alternate practices now,” Cagen said.

In the other incident that came to light last week, Ameriprise Financial in Minneapolis said it’s notifying 158,000 customers and 68,000 financial advisers that a laptop PC containing personal information about them was stolen late last month.

The laptop was taken from an employee’s locked car in a public parking lot, Ameriprise said. The financial services firm didn’t identify the city where the incident took place, saying that police are still investigating the theft.

Windows and Novell’s networking applications were password-protected on the laptop, but the data files weren’t encrypted as required under company policies, according to an Ameriprise spokesman. He said the employee involved in the incident was fired because of the lack of encryption.

The spokesman added, though, that even having a customer’s name and account number wouldn’t let an identity thief access an account. At least three other pieces of personal information are needed to do so, he said.


Todd R. Weiss is an award-winning technology journalist and freelance writer who worked as a staff reporter for Computerworld from 2000 to 2008. Weiss covers enterprise IT from cloud computing to Hadoop to virtualization, enterprise applications such as ERP, CRM and BI, Linux and open source, and more. He spends his spare time working on a book about an unheralded member of the 1957 Milwaukee Braves and watching classic Humphrey Bogart movies.

More from this author