Client Information Security Helping Organizations Protect Private Client Data

Note: This website, sponsored by Steve Anderson, provides business leaders with the information they need to identify, prioritize, and mitigate their vulnerabilities in the event private client information is breached. Click the About link to the right to read more detailed information about Steve and this site.
21Jan/100

BCBS of Tennessee Client Data Breach

My health insurance is with BCBS of Tennessee. For a couple of months now I have been receiving updates because of a Client data breach they experiences last October. Following is a copy of the official information.

“In October 2009, 57 hard drives containing video and audio files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga, Tenn. that formerly housed a BlueCross BlueShield of Tennessee call center. The video files were images from computer screens of BlueCross BlueShield of Tennessee customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.

“Almost immediately, BlueCross BlueShield of Tennessee began communicating to brokers and employers of this incident and has been providing periodic updates as more information became available.  Additionally, BlueCross BlueShield of Tennessee has been diligently reviewing and analyzing the backup files of the stolen hard drives.  Since early December, nearly 200,000 active and former members have been identified on those files and notified that certain personal information was included on the stolen hard drives.

“As of January 4, 2010, we have completed the audit of the 1.3 million audio files and 300,000 video files and will now begin a broad communications effort to members, brokers and employers.  Part of this comprehensive communications effort will include a progress report delivered via email every two weeks to brokers and group administrators.  This report will include details of total affected members and our notification and remediation steps.  We will continue to post regular updates to our Web site, bcbst.com – including a special Eastgate Hard Drive Theft page – along with a FAQ section to assist in providing answers to many questions we have received over the past few weeks.

“We will also be providing more detail on the steps BlueCross BlueShield of Tennessee has taken to identify and protect the personal data of affected members. Beginning with the member notification letters generated the week of January 11, 2010, information will be included regarding the discovery of the theft of the hard drives and BlueCross BlueShield of Tennessee’s response to that incident.  Additionally, BlueCross BlueShield of Tennessee members that are classified as minors will be receiving a specific notification letter addressed to their parent or guardian and offering LifeLock Identity Alert™ services (see attached).  Letters to current and former BlueCross BlueShield of Tennessee groups explaining these changes will be sent the week of January 11, 2010.

“BlueCross BlueShield of Tennessee is committed to delivering up-to-date and relevant communications to its clients – members, brokers and employers – as information becomes available.”

This organization had to pay for someone to review 1.3 million audio and 300,000 video files. They also have mailed letters to all the potentially affected members. All because some hard drivers were stolen. Another reason to make sure your physical security will protect client information from being compromised because of a burglary.

What is your organization doing to enhance your physical security?

Filed under: Client Data Breach No Comments
11Jan/100

Farmers Insurance Agent Hires Hacker

In a statement to the Channel 4 I-Team (local Nashville TV Station WSMV), Farmers Insurance Company said a former insurance agent of theirs may have accessed private client information, and it is in the process of notifying potentially affected customers.

Allegedly a local ISP provider was contracted by a former Farmers agent to exploit a flaw on the Farmers web site that allowed someone to extract all the information from its database, such as insurance policies, names, addresses and Social Security numbers. Because of this client information security breach, Farmers contacted the Secret Service which investigates cyber crime, which is investigating this incident.

Read the full story by clicking this link: http://www.wsmv.com/news/21715549/detail.html

There are at least two lessons to learn from this incident.

First, it is vitally important that every company perform an information security audit to make sure they identify (and correct) as many of the possible client information security problems and holes as possible. Having performed an audit will also help an organization defend itself against the consequences of a data breach.

Second, every company regardless of size needs to have a client security breach plan in place. It is alleged that Farmers Insurance was notified by the ISP provider that they had a potential client information breach, but did not take steps to determine the extent of the breach until Channel 4 started to investigate.

Filed under: Client Data Breach, Insurance Agent Breach No Comments
6Jan/100

Anderson Issues Report Protecting Agencies from Data Breaches

Client Data Security

Client Data Security

NASHVILLE, Tenn. (January 6, 2010)—“Information is the most radioactive element in today’s businesses,” says Steve Anderson of The Anderson Agency Report in his most recent business guide for independent insurance agencies, called Client Information Security.

Anderson’s report highlights that more than 88% of client data breach cases last year involved employee negligence and that 84% of cases involved organizations with more than one incident. The average, total, per-incident cost of a breach was nearly $6.7 million, including civil and regulatory penalties, administrative expenses and legal defense costs.

Insurance agencies of all sizes are treasure troves of personal client data, and they need to establish effective protective barriers and appropriate responses in case there is a breach. Client Information Security provides agency leaders with the information they need to identify and prioritize their vulnerabilities.

The report provides a walk through the agency’s “weak links,” including employee malpractices and negligence, theft of equipment, and external attacks, such as hacking. It aids the agency in categorizing what data to protect and gives more than 20 detailed steps on how to get a data-breach security plan up and running. Anderson provides a convenient, at-a-glance method for classifying risks and incidents in a graphic depiction that can be used to track, analyze and document compliance with a security plan.

Anderson gives insights into surprising areas of vulnerability, such as the problem of “reverse shredding” of documents, and how to foil hardcopy data thieves. He also goes into substantial detail on dealing with an incident from original, internal discovery to notification of authorities, gathering of evidence, damage control and corrective action.

Client Information Security goes beyond treatment of personal data, addressing corporate data held at agencies as well. It not only helps the agency with its data but makes agency members smarter about risk management and insurance resources for their own clients. Security breach laws are covered in their own section, and a state-by-state summary and “further resources” section round out the comprehensive report. To find out more or order a copy, visit http://www.ClientInformationSecurity.com/.

The report can be purchased at www.ClientDataSecurity.com.

About Anderson: Based in Nashville, Tenn., Steve Anderson (www.SteveAnderson.com) is one of the insurance industry’s top consultants and speakers. He delivers keynote addresses, lectures, seminars and conference programs, in addition to individual agency consultations, helping clients maximize productivity and profits by smart use of technology. He is executive editor of The Anderson Agency Report (TAAR), a monthly newsletter dedicated to providing independent agents with the technology information they need to more effectively manage and grow their agencies. In addition to being a licensed independent agent for more than 30 years, Steve has a master’s in Insurance Law.

Tagged as: , No Comments
   

Data Backup & Recovery

Many sections of the Interim Final Rule cite data protection. Protect your EHR investment. Start by downloading this complimentary checklist from Data Mountain.

Pages

Latest Release

The Anderson Report on
Client Data Security

Categories

Blogroll

Archives