Return of the Guru

Lessons to be Learned from Massive Data Breach Lawsuit

Ara Trembly
Insurance Experts' Forum, November 29, 2011

As my readers well know, I have a habit of commenting on data security matters. And while some may claim I am overly concerned with the topic, I have a feeling that the 4.2 million patients who recently found out their personal information had been swiped might disagree.

SC Magazine has reported that at least some of those individuals affected by a data breach at Sutter Health have filed a class-action lawsuit against the Northern California-based company. The suit, filed in Sacramento Superior Court, claims that the company was negligent in securing its computer systems and in notifying victims about the incident.

According to the report, on October 17 the personal information of 4.2 million patients went missing due to the theft of an unencrypted desktop computer. Affected patients were not alerted until about a month later. The company wouldn't comment on the lawsuit but said it needed time to investigate the incident before notifying those affected. Last week, the company said it would expedite plans to encrypt all desktops.

There are several problems here, and since we all handle private and sensitive data daily, insurers and financial services entities should take note. First, there is the mere fact that the affected individuals weren’t made aware of the breach for a whole month. During that time, their information could have been bought and sold several times while the victims had no chance whatsoever to take measures to protect their privacy. Needless to say, this will not enhance the company’s standing with the courts, should the suit reach them.

Next, the company will now have all of its security measures scrutinized, so it must hope that it has been diligent in every area, because if it has not, this will hurt the company in litigation. If you are in any way doubtful of the completeness and efficacy of your own system defenses and company security policies, this lawsuit should inspire you to do a security audit immediately. Putting a lock on the barn door after someone has already made off with your prize horses just won’t cut it.

Third, and perhaps most significant, is that all it took to start this avalanche of problems was a single desktop PC that hadn’t yet been encrypted. According to the report, the company was actually in the process of encrypting all of its portable and desktop units but hadn’t gotten to this particular one yet. Timing is everything. Did the thief just happen to snatch a unit that hadn’t been encrypted, or did the robber already know which ones were still vulnerable?

Either way, the buck stops at the company’s virtual desk. Hopefully the damages to patients are minimal, but what about the damage to Sutter’s reputation? Insurers trade more than ever on the quality of their reputations, and damage to a reputation may prove to be the most damaging loss of all.

Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

Readers are encouraged to respond to Ara using the “Add Your Comments” box below. He can also be reached at ara@aratremblytechnology.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
