The whoops factor has reared its ugly head again. This time in the form of a data leak by Blue Shield. In California, health plans that are regulated by the Department of Managed Health Care (DMHC) are required to receive lists of medical providers that are contracted to the health plans. These documents are in the public domain under the Public Record Act.
OK, fair enough. But, on May 16, 2014 the list had an added bonus that no one seemed to catch. This time the list had social security numbers (SSN) included. It turns out that this wasn't a one time error. It turns out that this list was sent out at least 10 other times between March 2013 and April 2014.
From the breach notification letter:
As a result of this incident, the DMHC and Blue Shield have instituted additional protections to safeguard against future inadvertent disclosure of confidential personal information. The DMHC has acquired and installed data loss prevention software to scan all documents health plans submit to the DMHC via the DMHC’s electronic filing system to alert the DMHC if confidential information, such as SSNs, is included. The DMHC is also working with health plans to ensure that they do not inadvertently include confidential information in otherwise public documents.
Again I find myself returning to the lessons of other similar leaks. Be sure to have, and test, defined repeatable processes. These are problems that are easily preventable and should not have occurred in the first place.
While there is "no reason to believe that your personal information has been misused," customers affected by the breach will be receiving their 12 months of credit reporting as stipulated under US federal law.
In the United States the SSN is tied rather tightly to a person's identity and as such anyone affected by this data leak should be very careful to keep tabs on their credit information.
Nothing could be worse than waking up one morning to a summons for failing to make payments on your 50' yacht...wait, what yacht?