Welcome to the club!
As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB [link to http://datalossdb.org/ no longer works] project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive [link to http://datalossdb.org/primary_sources no longer works] – a resource I find particularly valuable.
Unfortunately, that contribution was a breach notification letter[pdf - http://datalossdb.org/attachments/0000/0524/EHP_Breach_Letter.pdf no longer works] addressed to me! Since I now have some skin in the game, I figured I’d use the opportunity to take a close look at this incident and see what can be learned from it.
Who sent the letter, and how do I reach them?
Let’s start with the letter itself. While it identifies the data owner (“EHP”, an emergency room practice I had patronized), it provides no return address, and the letter is unsigned. Unsurprisingly given this opacity, the envelope return address is a post office box. While a toll-free number is provided, this is a requirement of many state breach laws, and repeated calls to the number resulted in my being placed in an ACD queue, rather than being routed to a human being. So far, it looks to me like they’re trying to ensure that all communication regarding this issue is either squelched by the magic of painful on-hold music, or diverted into a call center. In particular, there seems to be no enthusiasm for written correspondence.
What was exposed, and how?
Now let’s consider the nature of the exposed data. According to the notification letter [http://datalossdb.org/attachments/0000/0524/EHP_Breach_Letter.pdf no longer works], a hard drive was stolen from a 3rd party service provider (Millennium Medical Management Resources). That hard drive contained “unencrypted copies of records with health and financial information about [me]”. Furthermore, the service provider
…believes the hard drive contained personally identifiable information about EHP patients, including name, address, phone number, date of birth, and Social Security Number and, in some cases, other information such as diagnosis and/or diagnosis code, types of procedure and/or procedure code, medical record number, account number, driver’s license number, and health insurance information.
Surprisingly, the letter does not say that “the exposure appears to be the work of criminals interested in the hardware” or other such language often used to suggest that crooks don’t go after data. This even though the police report [http://datalossdb.org/attachments/0000/0525/10-1880_foia_response.pdf no longer works] notes that the “suite [was] in disarray”. Kudos to EHP for this. And kudos to the Westmont, IL PD for handling my FOIA request same day. I understand they received literally hundreds of requests for this report. Anyone who handles a dramatic, unexpected increase in work so cheerfully deserves praise.
As to what was stolen, the notification letter — seemingly drafted by an attorney — states what the service provider believes, not what the service provider knows. This suggests there is some question as to what precisely was on the unencrypted drive. Clearly, though, health and financial information are involved, suggesting that this breach is subject to HITECH and HIPAA provisions, as well as to myriad state breach laws. Reading on, this is further reinforced, when EHP says they “…will report this security breach to the Office of Civil Rights of the U.S. Department of Health and Human Services.” Such a report is required by HITECH when more than 499 persons have been affected by a breach, which establishes a lower bound for the likely number of affected individuals in this incident. (In the few days I have been composing this blog post, the report has appeared on HHS’s web site [link to http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html no longer works]. 180,111 folks impacted by this one. Ouch. Why not put this in the letter to me, if it will be one mouse-click away anyhow?)
How long did notification take?
HITECH requires that notification occur within sixty days of the discovery of the breach. This breach was discovered March 1st. The letter is dated April 30. I wonder if the delay would have been longer, were it legally permissible?
How will future incidents be prevented?
According to the letter,the service provider has
…implemented new and improved technical, physical, and administrative security measures to prevent future thefts and security breaches, including encryption of electronic personally identifiable information stored on portable storage devices. Millennium will also take additional steps to further secure patient information.
Meanwhile,
EHP is carefully monitoring these security measures to ensure that they meet regulatory requirements and appropriately secure information about its patients.
With a letter such as this, which undoubtedly was closely crafted by people who pay attention to word choice, it seems fair to read it as attentively as it was written. An admittedly cynical interpretation is that this “careful monitoring” is a new thing for EHP. After all, they didn’t say they would “continue to carefully monitor” or would “more carefully monitor”. As to what “technical, physical, and administrative” measures Millennium might be adding, who knows? It’s hard enough to audit ones own service provider. Knowing what somebody else’s is doing is harder still.
So what can I do?
The letter concludes with sections which roughly follow the guidelines provided by various sample breach notification letters. This is impressive. After reading many notification letters, I’ve come to expect some soft-pedaling of the risk of identity theft. This one does not do that. Again, kudos.
Closing Thoughts
So this has been a long blog post about one incident and one letter, and not exactly a man bites dog situation either. Apologies. I think two things are interesting about this particular letter:
- For matters that pertain to breaches generally rather than to this one specifically, it was straightforward, clear, and reasonably complete. The advice about what to do, how to interact with credit bureaus, when to notify law enforcement, etc., was all sound, with little or no “spin”.
- With respect to the details of this specific incident, the letter was more circumspect, with — to my eyes — more parsing of words.
Unsurprising, perhaps, but (I have not done a content analysis to verify this) I wonder how typical the openness would have been three or four years ago. Perhaps, if California’s SB 1166 is signed by the Governor (rather than vetoed, as was a previous version), this greater transparency will extend to incident-specific details as well. I don’t see the harm in it. I’ve already filled in the blanks with what I think really happened to my information. There isn’t too much EHP could say that would make me feel much different about their vendor management program, or about the degree of care Millennium evinced here, so they should just say it.
One wonders why they didn’t give more explanation about the data they gathered about you and why *they* need it. SSN? For a healthcare entity? Why? Are they doing your taxes while you wait for a flu shot? Incident-specific details are certainly important. They might want to also give some thought to carefully collecting just the data they need to treat you.
EY: SSN were used as the health insurance identifiers by almost every company – if not every company — until recently. Some companies are still in the process of switching over from SSN to other identifiers. When I called my health insurer recently, they asked for my husband’s SSN to authenticate. So they’re still using it/have it in their databases that are connected online, which is scary.
And of course, Medicare numbers are often the individual’s SSN.
As to the EHP breach, it’s troubling that neither EHP nor its business associate could determine with complete confidence what was on the stolen drive. A number of recipients of their notification letter who posted on my blog are also furious that they were not offered free credit monitoring services and that it is very difficult to reach EHP. The intent of HITECH in mandating contact info was to ensure that affected individuals could reach someone if they have questions. Having a phone number that doesn’t work or that puts people in endless queue does not seem consistent with Congress’s intent.
A part I left out of my post is that *I was not even a patient*. I am simply “the guy who pays the bills” since my family’s insurance coverage was via my plan during the time in question.
I can’t wait to see what happens when I try to find out what information of mine was exposed. I am expecting it to be amusing/infuriating.