Lessons to be Learned from Massive Data Breach Lawsuit
Insurance Experts' Forum, November 29, 2011
As my readers well know, I have a habit of commenting on data security matters. And while some may claim I am overly concerned with the topic, I have a feeling that the 4.2 million patients who recently found out their personal information had been swiped might disagree.
SC Magazine has reported that at least some of those individuals affected by a data breach at Sutter Health have filed a class-action lawsuit against the Northern California-based company. The suit, filed in Sacramento Superior Court, claims that the company was negligent in securing its computer systems and in notifying victims about the incident.
According to the report, on October 17 the personal information of 4.2 million patients went missing due to the theft of an unencrypted desktop computer. Affected patients were not alerted until about a month later. The company wouldn't comment on the lawsuit but said it needed time to investigate the incident before notifying those affected. Last week, the company said it would expedite plans to encrypt all desktops.
There are several problems here, and since we all handle private and sensitive data daily, insurers and financial services entities should take note. First, there is the mere fact that the affected individuals weren’t made aware of the breach for a whole month. During that time, their information could have been bought and sold several times while the victims had no chance whatsoever to take measures to protect their privacy. Needless to say, this will not enhance the company’s standing with the courts, should the suit reach them.
Next, the company will now have all of its security measures scrutinized, so it must hope that it has been diligent in every area, because if not, this will hurt them in litigation. If you are in any way doubtful of the completeness and efficacy of your own system defenses and company security policies, this lawsuit should inspire you to do a security audit immediately. Putting a lock on the barn door after someone has already made off with your prize horses just won’t cut it.
Third, and perhaps most significant, is that all it took to start this avalanche of problems was a single desktop PC that hadn’t yet been encrypted. According to the report, the company was actually in the process of encrypting all of its portable and desktop units but hadn’t gotten to this particular one yet. Timing is everything. Did the thief just happen to snatch a unit that hadn’t been encrypted, or did the robber already know which ones were still vulnerable?
Either way, the buck stops at the company’s virtual desk. Hopefully the damages to patients are minimal, but what about the damage to Sutter’s reputation? Insurers trade more than ever on the quality of their reputations, which may prove to be the most damaging loss of all.
Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.
Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.