Lost disc puts 2.9M US residents at risk of ID theft

In the biggest loss ever of personal information compiled by state government, a computer disk containing data on 2.9 million residents of the state of Georgia has been lost in shipping. The CD, which had been in the possession of contractor Affiliated Computer Services, held names, addresses, birth dates, and Medicaid numbers, in addition to the Social Security numbers, for Georgia residents enrolled in the state's Medicaid and PeachCare for Kids programs. InfoWatch specialists regard the case as yet another instance of the need for the encryption of sensitive data to be the default position in company culture.

The package containing the CD was being shipped from an Atlanta office of Affiliated Computer Services to another Medicaid contractor in Maryland, ACS spokesman David Shapiro said. Sixteen other packages shipped from the Atlanta office the same day arrived at their destination, he said. Shapiro would not identify the ground carrier handling the packages. Although there's no evidence the information has been used for identity theft or other fraudulent purpose, the incident has alarmed officials and consumers.

He declined to name the shipping company used to transport the disc. ACS had to physically transport the media to the Georgia DCH "because the volume was too great for e-mail."

"Both we and the shipper have been looking for [the missing package] for the past several days," Shapiro said. "There's no indication of data being misused. There's certainly no indication that any of the information is in the hands of an unauthorized party." He declined to say whether the data on the disc was encrypted.

ACS will review its internal procedures for transporting sensitive data once the investigation is complete. "If we need to tighten up certain areas then we will do that," he said.

ACS has been ordered to provide all affected residents with written notification about the incident and assistance with credit monitoring in case the data has fallen into the hands of identity thieves.

State officials said they also have notified several agencies about the loss, including the US Department of Health and Human Services Office of Civil Rights, the Georgia Governor's Office of Consumer Affairs, and Georgia's attorney general's office.

Affiliated Computer Services, which has processed claims for the state insurance programs, has run into trouble before. In August 2006, the vendor exposed more than 32,000 student loan recipients' records held by the U.S. Department of Education when it botched a routine software upgrade for the agency, causing these names to be made publicly available on the department’s website.

The data loss is frightening, said Lynn Carlisle, 42, of Rome. She has a 12-year-old with a disability covered by Medicaid, a 17-year-old on PeachCare and a 5-year-old granddaughter also on Medicaid.

"If somebody has your Social Security number, they can do anything, they can pretty much ruin your life," said Carlisle, a financial secretary for a church and also a bookkeeper for a domestic violence shelter.

"I would have thought there would have been a whole lot more security because as a financial secretary, I know how carefully you have to guard this information."

Consumer advocates said the government has a responsibility to protect the information, and to hold its contractors accountable.

"People on Medicaid — including children — don't have the resources to monitor their credit," said Lillie Coney, associate director of the Washington-based Electronic Privacy Information Center. "It makes them more vulnerable."

Security breaches are no longer uncommon in either the public or the private sector, and even major retailers like Amazon and T.J. Maxx have been victims of hacks or accidental data exposure. The rash of security problems has prompted some states to require companies to notify customers if their personal information has been compromised.

Denis Zenkin, InfoWatch’s Marketing Director, said, “This is one of the most spectacular data losses of recent times. The monitoring costs alone – if they are deemed necessary – will be in the region of 300 million USD per year. While we hope that the data was encrypted, one finds it hard to believe that those involved in the case would have any reason to hide the fact if it were true. In the absence of either evidence or a firm statement either way, we should work on the assumption that the data is in a vulnerable state.”

Sources: http://www.itnews.com.au, http://www.daytondailynews.com, http://www.secguru.com
