Sept. 29, 2009
Recently [local plan name] was made aware that the Blue Cross and Blue Shield Association (BCBSA) -- the licensor of the Blue Cross and Blue Shield brands to [local plan] and to Blue Plans across the United States -- experienced an unauthorized transfer of provider [i.e., hospital, doctor, dentist, nurse practitioner, chiropractor, pharmacist, etc.] network data. As background, you should know that each Blue Plan is required to send weekly updates of its provider network information to BCBSA for purposes of a national directory, including the national Doctor and Hospital Finder Web Site that contains the participating provider listings for all Blue Plans. A BCBSA employee transferred this Blue Plan provider data information onto a personal laptop, in violation of BCBSA's established data security policies. Subsequently, the employee's laptop containing the provider data was stolen. We have no evidence at this time that the information on the stolen laptop has been misused.
As the national association that represents all Blue Plans, BCBSA takes its responsibility to protect your information seriously, and sincerely regrets this loss of data. BCBSA employees receive annual and departmental training on privacy and security procedures, which includes use of encryption software when saving personally identifiable information to mobile devices, and only saving that information to BCBSA-issued devices. BCBSA is reviewing and strengthening its privacy/security controls, as well as its employee training regimen.
The data included the following elements:
Provider tax ID/Social Security #
It goes on to offer a 12 month subscription to a credit monitoring service.
WTF is it with allowing people to use social security numbers as if they were signatures, anyway? Why should the fact that criminals have your social security number allow them to apply for credit in your name so easily?
My SSN isn't a secret. Every employer I've ever worked for had to ask me for it to pay me. The purpose of the SSN is to collect and credit social security insurance payments from payroll taxes. All these other uses by financial institutions, insurance companies, academic testing agencies, etc., are in violation of the original intent of the law, which was specifically NOT to create a government identification number for citizens.
While I usually left jobs under amicable circumstances, in one case I had reported a fast food manager for inappropriate sexual advances to underage coworkers and for taking money out of the cash register for personal use. Shortly after I went back to school the manager was fired, and not long after that the restaurant burned down. But that manager had my social security number at the time. And that same number is still valid years later.
So why is 12 months of monitoring supposed to help? It's not like they stole credit card numbers that will be canceled. Those numbers are valid as long as the individuals affected are alive. I can't see criminals saying, "Oh, these social security numbers were stolen last year; there's no point to holding on to that data." I've gotten so many of these letters over the years myself that I can't imagine there are too many social security numbers they don't already have for sale on carder forums.
The same companies that are accepting credit applications without question as long as they include a social security number are discriminating against anyone who puts a fraud alert on their credit bureau accounts, too. Your credit score is automatically lowered so you pay higher interest on loans, even though the most intelligent thing to do would be to put a fraud alert on your account all the time, so you would always get notified when someone tried to take out a new account in your name.
Oh yeah, to take advantage of this credit monitoring, I have to go to the website of this credit monitoring company I've never heard of and give them more personal information about myself, so they know it's really me. The social security number isn't enough. They want highly personal information from me, information that would make it even harder for me to distinguish my own activity from that of a criminal if they lost it. Why do they need to know that? Just notify me if someone takes out a new account. They have my name, social security number and address, for pity's sake.
As far as the employee who lost the laptop: It's fine to say that he/she violated policy by using a device not issued by the employer. But these same Blues plans require "providers" to use Internet Explorer to check eligibility or get prior authorization for procedures. They don't provide their own software for that purpose, and they don't provide a list of the URLs that need to be added to the IE "Trusted Zone," either. Lots of their "providers" are solo or small group professionals who don't have IT departments to know how to customize their computers to limit which sites employees can visit. The Blues honestly expect that all those small businesses will have their employees using IE as the default browser, and that it will be set to the lowest security setting for all web sites visited. So with that background, if you were a Blues employee, which storage device would you trust -- your own laptop, that has been under no one's control but your own, or one issued by the Blues and used by who knows what other employees? The employee didn't have to be careless about the laptop, either. No one expects his home to be burglarized, but plenty of laptops are lost that way.