Who is he? Is he the mysterious man who breaks walls and steals data, or is he A.J. Raffles? Whatever the case, the data thief is striking quite regularly and making it big every time. This time his victim was the corporate office of AvMed Health Plans in Gainesville. The objective was to steal two company laptops. But as mentioned in Ceridian's case, the loss was not just the cost of the physical devices. It also meant that the personal information of more than 200,000 current and former subscribers and their dependents was compromised.
Once again, the exposed data fell into a common set of categories:
- Personal information, including names, addresses and phone numbers
- Social Security numbers
- Protected health information
While we believe that any data loss needs to be treated with a high degree of seriousness, in this case the company stated that the data was structured randomly and that the losses arising from the theft are very low as well.
How did the invisible ghost strike?
It is surprising, and difficult to understand, that the laptops were stolen from behind locked doors. According to the security employees, the doors of the conference room were properly locked in the evening, but when they came in the next day, the laptops had been stolen. Apparently, the only people who have the keys are the security staff and the cleaning crew. So does this mean that we should zero in on them as the invisible ghosts?
Rightly so, Cochita Ruiz Topinka, the spokeswoman for AvMed, mentioned that they didn't want to jump to any conclusions.
Why the delay in announcement?
If you look carefully, there has been a considerable delay in the security breach announcement. While the incident was determined in December, the public announcement of the breach was only made on 5th February. According to the authorities, the announcement was delayed to avoid problems in the investigation and to set up the identity protection services.
The magnitude of the loss
As mentioned, it is believed that there is no major loss since the data was completely unstructured. However, things will become clear when the members begin the identity protection registration process.
Ed Hannum, President & COO, mentioned in a press release, “We will do all we can to work with our members whose personal information may have been compromised and help them work through the process.” “We regret that this incident has occurred, and we are committed to prevent future occurrences.”
What you can do
In the meantime, if you are an affected subscriber, this is what you can do: register with Debix Identity Protection Network, which will tell you if your information was potentially exposed. You can call Debix at 877-263-7998 (TTY 877-442-8633).
Be it Ceridian, Hitech or AvMed, the sequence of events is quite similar. A physical device is stolen, e.g. a laptop or portable disk. The loss is reported by the authorities, there is an initial silence, and after a period of weeks or months it is made public. While we can understand the delay by the authorities, what certainly doesn't augur well are the methods of encryption. If organizations use the right type of data security software and laptop encryption methods, the data remains protected even when a physical device is stolen.