What You Post Online Could Be Used To Determine Your Mental State

Elizabeth Martin, a researches in the Psychological Science department at the University of Missouri recently completed a study of social networking usage. Martin concluded:

"Therapists could possibly use social media activity to create a more complete clinical picture of a patient... The beauty of social media activity as a tool in psychological diagnosis is that it removes some of the problems associated with patients’ self-reporting. For example, questionnaires often depend on a person’s memory, which may or may not be accurate. By asking patients to share their Facebook activity, we were able to see how they expressed themselves naturally. Even the parts of their Facebook activities that they chose to conceal exposed information about their psychological state.”

Martin had study participants -- about 200 college students -- print out their Facebook activity, and then:

"... correlated aspects of that activity with the degree to which those individuals exhibited schizotypy, a range of symptoms including social withdrawal to odd beliefs. Some study participants showed signs of the schizotypy condition known as social anhedonia, or the inability to experience pleasure from usually enjoyable activities, such as communicating and interacting with others. In the study, people with social anhedonia tended to have fewer friends on Facebook, communicated with friends less frequently and shared fewer photos."

According to Mashable:

"The idea for the study came through a conversation between Martin and the second author, Drew Bailey, who doesn't have a Facebook profile. A discussion arose about profile content and its correlation to psychology."

If therapists and psychologists believe that can tell a person's mental state from their posts on social networking websites, then it is appropriate to assume that other professionals (e.g., insurance, human resource professionals) will also want access to social networking profiles. In other words, some social networking websites may view this as a potnetial, new revenue stream. Credit reporting agencies already want access to consumers' social networking profiles to enhance credit decisions. And in some instances, courts have ruled that your social networking activity can be accessible during a lawsuit.

 

Anthem Blue Cross Settles With California Attorney General Over Data Breach

Everyone who is security conscious knows that a business should never printer consumers' Social Security numbers on health care identification cards, statements, and letters. Doing so facilitates identity theft, fraud, and medical identity theft -- a big help for identity thieves.

Yesterday, the California Attorney General announced both a lawsuit and settlement involving Blue Cross of California, which operates under the name Anthem Blue Cross. The lawsuit, filed in Los Angeles Superior Court today along with the settlement, alleged that Anthem printed Social Security numbers on letters it mailed to more than 33,000 from April 2011 and March 2012. The lawsuit claimed that this violate state law prohibiting the disclosure of Social Security numbers. After the breach, Anthem offered those subscribers one year of free credit monitoring.

This blog has discussed repeatedly how the risk of identity theft doesn't end after a year or two - typically the period businesses offer breach victims free credit monitoring services. Identity criminals will use stolen credentials until they know the credentials are no longer usable.

Terms of the settlement include a $150,000 payment and:

"... requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates."

The fine seems light since this is not the first breach involving Anthem. A breach of the company's website in June 2010 affected about 470,000 subscribers nationwide.

FTC Publishes 9 Guidelines For Mobile App Developers

Earlier this week, the U.S. Federal Trade Commission (FTC) introduced guidelines for businesses and mobile application (app) developers. The information is in a new guide titled, "Marketing Your Mobile App: Get It Right from the Start." The guide includes nine recommendations:

"1. Tell the truth about what your app can do. Once you start distributing your app, you become an advertiser... Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth. False or misleading claims, as well as the omission of certain important information, can tick off users and land you in legal hot water... If you make objective claims about your app, you need solid proof to back them up before you start selling. The law calls that “competent and reliable evidence.” If you say your app provides benefits related to health, safety, or performance, you may need competent and reliable scientific evidence."

Businesses that are unsure how to back up their claims with scientific evidence can visit the Business Center Blog for more information.

"2. Disclose key information clearly and conspicuously... your disclosures have to be “clear and conspicuous.” What does that mean? That they’re big enough and clear enough that users actually notice them and understand what they say."

"3. Build privacy considerations in from the start... privacy by design... Incorporating privacy protections into your practices, limiting the information you collect, securely storing what you hold on to, and safely disposing of what you no longer need... For any collection or sharing of information that’s not apparent, get users’ express agreement."

"4. Be transparent about your data practices... be clear to users about your practices. Explain what information your app collects from users or their devices and what you do with their data."

You'd think that following these guidelines was obvious, but researchers at M.I.T. recently documented abuses by mobile apps that tracked users' GPS locations and collected users' browser histories without notice nor consent; sometimes, even when the app was supposedly turned off.

"5. Offer choices that are easy to find and easy to use. Give your users tools that offer choices in how to use your app – like privacy settings, opt-outs, or other ways for users to control how their personal information is collected and shared... Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made."

"6. Honor your privacy promises... Chances are you make assurances to users about the security standards you apply or what you do with their personal information. At minimum, app developers — like all other marketers — have to live up to those promises. The FTC has taken action against dozens of companies that claimed to safeguard the privacy or security of users’ information, but didn’t live up to their promises... The FTC also has taken action against businesses that made broad statements about their privacy practices, but then failed to disclose the extent to which they collected or shared information with others – like advertisers or other app developers."

"7. Protect kids’ privacy. If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. Specifically, under COPPA, any operator whose app is directed to kids under age 13 or who has actual knowledge that a user is under 13 must clearly explain its information practices and get parental consent before collecting personal information from children. App operators also must keep personal information collected from children confidential and secure."

"8. Collect sensitive information only with consent... get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information. It’s a mistake to assume they won’t mind."

"9. Keep user data secure. At minimum, you have to live up to the privacy promises you make. But what if you don’t say anything specific about what you do with users’ information? Under the law, you still have to take reasonable steps to keep sensitive data secure."

This is a good list, but in my view the above guidelines are the minimum app developers should do. Ways for businesses and app developers to do better than the FTC minimums:

• Choices for consumers should be opt-in not opt-out
• Consolidate and simplify whenever possible. There are too many privacy policies: mobile device manufacturers, device operating system developers, app stores, telecommunications providers, and the app developer
• Plain language privacy policies, not lawyer speak
• Consistent, easy access. Prior studies have documented sporadic and inconsistent access to privacy policies before app install, after app install, and while the app is running
• Give users an estimate of the daily or monthly consumption by the app, so users can make informed decisions and avoid data plan surprises and overage fees. Auto manufacturers publish mileage estimates. App developers can easily do the same (and should) about data plan consumption by their apps

It is a sad state of affairs when the first guideline has to be, "tell the truth." What do you think mobile apps should do to protect consumers' privacy?

The Risks Of Buying Drugs Online

Everyone loves a good deal. And the Internet provides several sources of deals and discounts. If you seek deals on prescription drugs, there are several things you should know so you don't get "mugged" by a rogue online pharmacy website.

Earlier this year, the National Association of Boards of Pharmacy (NABP), which accredits online drugstores, released the results of a study where it reviewed more than 9,600 online pharmacies. Key results:

• Most are rogues sites: 96.6% (or 9.349 of 9,677 online pharmacies reviewed) operated out of compliance with existing laws and standards
• Only 2.7% (259 online pharmacies) to be legitimate websites, and 0.7% (69 sites) were accredited through an NABP verification program
• Of these 9,349 online pharmacies, 8,122 don't require a valid physician's prescription
• 4,648 offer foreign or drugs not approved the U.S. FDA
• 3,363 have internet servers outside the USA
• 1,523 don't have secure web sites

The problem is intensified by drugs that are in short supply. Fraudsters know this and try to take advantage of the situation:

"The most critical shortages involve cancer, antibiotic, nutrition, and electrolyte-imbalance medicines, according to the FDA. For many community pharmacies, health-system pharmacies, and patients the lack of availability of needed -- and often life-saving -- medications through official, authorized supply channels means resorting to unconventional and more dangerous means of obtaining the medications, sometimes turning to unknown sellers online. The unfulfilled demand for these medications has created a lucrative market for counterfeiters..."

The results: several risks to consumers. One risk is that you may not get what you paid for:

"... health care facilities and patients have no assurance that the substances they receive are what they are purported to be. Many of the replacement drugs purchased online are unregulated, meaning there are no safeguards in place to ensure their identity, safety, efficacy, where and under what conditions they were made, or how they were handled."

A second risk is to your health. Counterfeit drugs can fail to address your medical conditions, make you sicker, or kill you:

"... two-thirds of the online drug sellers discovered in this study are represented on the NABP list of Not Recommended sites. These illegal online drug sellers pose serious risks to patient health. The risk is especially high with vaccines..."

A third risk is identity theft or fraud at those online pharmacies that operate unsecured sites.

Earlier this year, the U.S. Congress House Committee on Oversight and Government Reform investigated "gray market" companies, that operate outside of authorized drug distribution networks to provide short-supply drugs at hugely inflated prices. In July 2012, the committee released its report (Adobe PDF), which found:

"... a growing number of prescription drugs sold in the United States have experienced supply shortages. Because these shortages have been most severe among a group of injectable drugs used to treat patients with cancer and other serious illnesses, they have had a particularly serious impact on hospitals... During drug shortages, hospitals are sometimes unable to buy drugs from their normal trading partners, usually one of the three large national “primary” distributors... some short-supply injectable drugs do not reach health care providers through the manufacturer-wholesaler distributor-dispenser chain that policymakers and industry stakeholders present as the typical model for drug distribution. Instead, these drugs “leak” into longer gray market distribution networks, in which a number of different companies – some doing business as pharmacies and some as distributors – buy and resell the drugs to each other before one of them finally sells the drugs to a hospital or other health care facility. In more than two-thirds (69%) of the 300 drug distribution chains reviewed in this investigation, prescription drugs leaked into the gray market through pharmacies. Instead of dispensing the drugs in accordance with their professional duties, state laws, and the expectations of their trading partners, these pharmacies re-sold the drugs to gray market wholesalers..."

The investigation also found:

"... a number of businesses holding pharmacy licenses that do not dispense drugs, but instead appear to operate for the sole purpose of acquiring short-supply drugs that can be sold into the gray market.... Some gray market wholesalers gain access to shortage drugs by recruiting pharmacies to act as their purchasing agents..."

The impact is far higher drug prices than otherwise for health care facilities, hospitals, and consumers.

The NABP operates several online pharmacy accreditation programs, including the Verified Internet Pharmacy Practice Sites (VIPPS), the Veterinary-Verified Internet Pharmacy Practices Sites (Vet-VIPPS), and the e-Advertiser Approval Program. The NABP has appllied to the Internet Corporation For Assigned Names and Numbers (ICANN) for a specific domain-name to help consumers recognize accredited online pharmacies.

To protect yourself online, experts advise consumers to:

1. Buy drugs online from reputable stores you already know
2. Look for NABP VIPPS and Vet-VIPPS symbols when shopping
3. Visit AwareRX.org, which maintains lists of both NABP-recommended and not-recommended online pharmacy websites
4. Visit SafeMedicines.org operated by the Center for Safe Internet Pharmacies (CSIP), which contains a tool for patients to check if doctors in their state purchased counterfeit cancer medications
5. Watch this public service announcement produced by the CISP:

Download the full NABP report: "Internet Drug Outlet Identification Program Progress Report for State and Federal Regulators: April 2012" (Adobe PDF).

Update: Massachusetts 2011 Breach Notification Report

Back in April, this blog discussed the release of the 2011 Data Breach Notification Report (Adobe PDF) by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). Since then, I further analyzed some of the results from the report. New charts are below.

You may remember that the report covered data breach activity since October 31, 2007, when the state's breach law went into effect. The 2007 law requires businesses that store consumers sensitive personal information to notify the OCABR if they experience or suspect a data breach. In 2009, the state enacted tougher data security rules. In March 2010, the law was amended to require applicable businesses to develop a comprehensive, written information security program and to encrypt certain data.

Some highlights from the report:

• 1,833 data breaches and 3,166,031 Massachusetts residents affected since November 1, 2007
• Notable data breaches during 2011: Sony Playstation, Michael's craft stores, Departments of Unemployment Assistance and Career Services
• Industries with the most data breaches include financial service, health care, education, and state government
• While the number of breaches are evenly split between malicious and non-malicious categories, on average malicious data breaches affect a larger number of residents with each breach compared to non-malicious breaches
• On average, breaches where information is stored in electronic formats are substantially larger than breaches where information is stored in paper format

Breach history (number of data breaches):

Year	Malicious Breaches		Non-Malicious Breaches		Total Breaches
	#	% of Total		% Of Total
2007	11	44%	14	56%	25
2008	257	55%	214	45%	471
2008	261	61%	170	39%	431
2010	161	36%	291	64%	452
2011	241	53%	213	47%	454
Total	931	51%	902	49%	1,833
The non-malicious category includes breaches where, "... either negligence or mistakes by employees or third-party contracgtors resulted in exposing personal information..."

The malicious category includes breaches:

"... made by disgruntled former employees of businesses which held personal information who either retained access to data, or used the access codes of a former coworker to gain access."

The average number of residents affected per data breach:

Year	Malicious Breaches	Non-Malicious Breaches	Total Average Residents/Breach
2007	372	356	363
2008	1,009	2,139	1,522
2008	1,337	209	892
2010	5,757	374	2,291
2011	3,811	421	2,221
Total	2,640	773	1,721

Breach activity based on the storage format of the information:

Year	Electronic		Paper
	# Breaches	Residents / Breach	# Breaches	Residents / Breach
2007	20	432	7	16
2008	331	2,112	81	21
2008	324	1,074	106	54
2010	326	2,912	143	437
2011	364	2,954	106	140
Total	1,365	2,256	443	192

The number of breaches by industry:

Industry	Breaches: 2011	Breaches: 2007 - 2011
Commercial	19	43
Education	24	101
Entertainment	10	30
Federal Government	--	1
Financial Services	257	955
Food & Beverage	5	35
Health Care	63	214
Local Government	2	7
Manufacturing	4	29
Not-For-Profit	4	30
Other	36	164
Pharmaceutical	1	16
Retail	2	21
State Government	18	87
Technology	12	79
Telecommunications	2	17
Trade Union	--	4
Total	459	1,833

Data Breach At Beth Israel Deaconess Medical Center Affects 3,900 Patients

About 3,900 patients of Beth Israel Deaconess Medical Center (BIDMC) are being notified of a data breach exposing their sensitive personal information. According to the Boston Globe newspaper, the patient records were stored on a physician's laptop which was stolen from an office on May 22. The hospital has already notified local law enforcement and began a breach investigation to determine the data exposed/stolen.

This is a second major breach at the hospital. In July 2011, a breach exposed the protected health information (PHI) of about 2,021 patients after a vendor failed to restore security controls on an Internet-connected computer during routine maintenance. That 2011 breach exposed patients' names, BIDMC medical record numbers, gender, date of birth and the date and name of radiology procedures. According to the 2011 breach announcement, the breached computer, infected with a computer virus, had transmitted stolen data to an unknown location.

A check of the hospital's website did not find an announcement yet about its 2012 breach. Hopefully, the data was encrypted on the laptop. Earlier this month, BIDMC was again rated by U.S. News & World Report as a leading hospital in the USA.

After its 2011 breach, BIDMC provided affected patients with one year of free identity protection services, and a list of state and federal resources.

[Update, Tuesday May 23, 1:30 pm: BIDMC released a press release later on Monday, explaining that it was in hte process of contacting affected patients. Local law enforcement had arrested a suspect, but the stolen laptop had not been recovered.]

South Shore Hospital To Pay $750,000 In 2010 Breach Settlement

Yesterday, South Shore Hospital and the Massachusetts Attorney General's Office both announced a settlement agreement regarding the hospital's 2010 data breach. the breach exposed the sensitive personal and medical information of 800,000 current and former patients, plus patients at Harbor Medical Associates and South Shore Physician Hospital Organization.

In February 2010, South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes to an off-site vendor, Archive Data Solutions, for erasure. The boxes contained the records of 800,000 patients. According to AAG Coakley's office, the hospital failed to inform Archive Data that boxes contained sensitive personal protected health information. Nor did the hospital determine whether Archive Data had sufficient data security methods to protect this sensitive information.

In June 2010, the hospital learned that only one of the boxes, shipped via several companies, arrived at its destination in Texas. The missing boxes have not been recovered. In a statement, AG Coakley emphasized:

“Hospitals and other entities that handle personal and protected health information have an obligation to properly protect this sensitive data, whether it is in paper or electronic form... It is their responsibility to understand and comply with the laws of our Commonwealth and to take the necessary actions to ensure that all affected consumers are aware of a data breach.”

According to terms of the settlement approved in Suffolk Superior Court, the hospital will pay a $750,000 fine which includes a $250,000 penalty and $225,000 for a data security education fund. The Massachusetts Attorney General's office will use the education fund to:

"... promote education concerning the protection of personal information and protected health information."

The payment is also reduced by $275,000 for expenses the hospital has already made for data security improvements. The HIPAA Privacy Rule specifies which health care organizations must comply with certain data security standards. the rule also defines what "protected health information" is: personally identifiable health care information in any format (e.g., print, electronic).

BCBS Of Tennessee To Pay $1.5 Million To HHS To Settle 2009 Breach

Blue Cross Blue Shield of Tennessee (BCBST) announced a settlement agreement with the U.S. Department of Health and Humans Services (HHS) about its 2009 data breach which exposed the medical records of about 500,000 patients in 32 states. Terms of the settlement agreement require BCBST to pay a $1.5 million penalty and submit to a 450-corrective action plan.

HHS had alleged in a lawsuit that BCBST had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rules. The HIPAA Security Rules require covered health care organizations to notify affected individuals of any breach involving their health information, and to notify HHS and the news media about any breaches affecting more than 500 consumers.

HHS disclosed in a news release:

"... BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule."

The 450-day corrective action plan requires BCBST to:

• Review, revise, and maintain its Privacy and Security policies and procedures,
• Conduct regular and robust trainings for all BCBST employees covering employee responsibilities under HIPAA, and
• Perform monitor reviews to ensure BCBST compliance with the corrective action plan.

Utah Medicaid Breach Larger Than First Estimated

A data breach at the Utah Department of Technology Services (DTS), which operates computer servers that store Medicaid claims data for the Utah Department of Health (UDH), appears to have affected more consumers than first estimated. Late last week, the DTS reported that about 181,000 Medicaid and Children's Health Insurance Plan (CHIP) recipients were affected. About 25,096 people of the 181k total had their Social Security numbers exposed/stolen.

Yesterday, the UDH disclosed a greater number of breach victims: an additional 255,000 additional victims had that Social Security numbers stolen, and an additional 350,000 had lesser personal information exposed/stolen. So, the total count is now 780,000 breach victims:

Medicaid claims typically include patients' names, addresses, birth dates, Social Security numbers, physician’s names, national provider identifiers, addresses, tax identification numbers, and billing codes for medical procedures. The initial breach estimate was 24,000 records exposed/stolen. The breach investigation is still ongoing. UDH disclosed in a press release:

"DTS servers have multi-layered security systems that include many controls, including: perimeter security, network security, identity management, application security, and data security. In this particular incident, a configuration error occurred at the authentication level, allowing the hacker to circumvent the security system. DTS has processes in place to ensure the state's data is secured, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again..."

The UDH is notifying all breach victims via a breach letter, but with a priority of first notifying the consumers whose Social Security numbers were exposed. These breach letters offer one year of free credit monitoring services. Other breach victims will receive a slightly different notice with information about how to further protect themselves. People with online access via the My Case web portal, were given breach notices both online at the web site and via e-mail.

When Worlds Collide

The Bright Side of Identity Theft And Fraud For Consumers

In a New York Times article titled, "The Bright Side Of Being Hacked," reporter Somini Sengupta described several benefits for corporations of a data breach via hacking. The article concluded:

"Rather, what Anonymous has done, experts said at the big RSA computer security conference here last week, is raise the alarm about the unguarded state of corporate computer systems."

Yes, raised awareness is a good thing, as was recently discussed about unsecured corporate video conferencing systems. Sengupta's articles reminded me of a blog post I wrote in 2010 which listed six benefits for consumers of being an identity theft victim:

"1. Awareness: After an identity thief has stolen your personal data, account credentials, and/or money consumers seem to have a new awareness of of the value of their sensitive personal data.
2. Acceptance and curiosity: after having their identity information and/or money stolen, there is an acceptance that identity theft is a problem. There is a curiosity to learn about other ways identity thieves and criminals might harm them, so they can avoid this painful experience in the future.
3. Willingness to change behaviors: Not knowing how to protect yourself is terrifying to most people. The pain from this terror seems to be sufficient incentive for consumers to change their habits (e.g., practice safe online shopping habits, check their credit reports for accuracy, use strong passwords at online sites, maintain anti-virus software on their home computer, etc.). Of the people I have talked with, after being an identity-theft victim, none want to return to their old ways.
4. Stronger consumer interest: along with this awareness about identity theft is an interest in products, services, processes, and/or laws that address and protect the needs and assets of consumers. Getting good customer service seems to become more important, too.
5. Gratitude and appreciation: before becoming a victim of identity theft and fraud, many consumers perceive warnings by consumer and privacy advocates to be unnecessary and overly cautious. Some have called me paranoid. After experiencing the pain of the theft and fraud, a different attitude emerges which includes a sincere appreciation for identity theft protection advice to help them fix their fraud problem, and a context for listening to future warnings.
6. Participation in our democracy: when the perception is that local or federal laws haven't kept up with business practices, some been motivated to write to their Congressional reps to demand action."

While, identity theft and fraud are painful experiences for consumers, these events can be a huge wake-up call for consumers to change their habits and practice better data security habits at home, at work, at ATM machines, at their doctor's office, at social networking websites, and with their mobile devices.

PHI Project Releases Report About Health Care Data Security

On Monday, the PHI Project released a report about the state of data security within health care organizations titled, "The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security." Key findings:

• Weak Data Security: health care organizations are entrusted with safeguarding patient privacy, but their security efforts are not keeping pace with the growing risks of lost/stolen protected health information (PHI),
• Data Breach Activity: the number and size of data breaches including PHI are increasing. The negative impacts are financial, legal, clinical, and reputational for the organizations experiencing data breaches,
• The PHI Project recommends that health care organizations implement a five-step method – PHI Value Estimator (PHIve) -- to evaluate the risks of a breach of PHI data, and implement preventative measures.

According to Rick Kam, president and co-founder of ID Experts and chair of the PHI Project:

“No organization can afford to ignore the potential consequences of a data breach... We assembled this working group to drive a meaningful dialogue on appropriate levels of investment to better protect healthcare organizations and PHI.”

The PHI Project is a partnership including the American National Standards Institute (ANSI) via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA) -- with assistance from ID Experts.

How To Evaluate A Health Care Debit Card Plan From Your Employer

A blog post on Tuesday described Caren's experience with her United Healthcare Consumer Accounts Card, a specialized debit card her employer provided for Flexible Spending Account (FSA) expenses. That blog post highlighted what can go wrong with a health care debit card.

I wanted to take a closer look at the card agreement, and see what broader issues might apply in general. Today's blog post includes my findings about several items employees should be aware of when considering a health care debit card plan. I am not an attorney, so this is not legal advice -- just my observations and opinions as a consumer -- like you tyring to navigate a complex world. If you need legal advice, hire an attorney.

First, healthcare debit cards are similar to traditional debit cards, but with several important differences. Employees must understand how they work and when fees apply, just as you would with a traditional debit card with your bank checking account. So, it is important to closely read all appliable agreements, terms, or policies y to know your rights and responsibilities -- especially when bad things happen.

The introduction to the United Healthcare Consumer Accounts Card agreement (Adobe PDF; which is also available here) lists some important warnings:

"At the register or cashier: This is not a credit card, but you will need to choose “credit” when making purchases... At the pharmacy, supermarket or other retail store: Pay for eligible over-the-counter (OTC) supplies and materials. Please note: The card will be rejected if purchasing OTC medicines, even when prescribed..."

Select "credit" at the point-of-sale even though the card says "Debit" on its face? Prescribed OTC medicine will still be rejected? These exceptions sound like a recipe for employee confusion and rejected purchases. While the agreement states that it is a MasterCard Debit, I wonder if the bank tweaked a traditional credit-card payment solution for health care purchases and rushed it to market without removing all the bugs first.

What comes to mind is that old saying: never buy the first year of a new car production (and wait until the manufacturer gets all of the bugs out). Seems to apply to payment solutions, too.

Section #2 of the same agreement states:

"When you use the Card, you represent and warrant that you will not submit, and have not previously submitted, a claim for reimbursement for the same expenses under any other plan or program. You agree to save all invoices or receipts that are provided to you by merchants and service providers when you use the Card. You agree to provide a copy of any such receipt to us or United Healthcare, promptly on request. If you fail to submit a receipt when it is requested, under IRS rules, the amount in question may not be excluded from your gross income for federal tax purposes or may otherwise result in financial penalties to you. Your use of the Card is subject to the terms and conditions of the Plan, as well as the terms and conditions of this Agreement..."

So, employees must still save all purchase receipts. The health care debit card doesn't eliminate all paperwork. The last sentence in the above clause is important because it highlights the fact that several policies apply. It would be helpful if this agreement listed all applicable policies. My estimate is that at least five different policies apply:

1. Consumer Accounts Card Agreement,
2. United Healthcare HIPAA Privacy Policy,
3. Any additional policies at myUHC.com,
4. Employee handbook or manual,
5. Optum Bank policy

Employees should not have to guess which policies apply. It would be best for employees if a single, consolidated policy applied, but unfortunately American business does not operate that way today.

Let's return to the Consumer Accounts Card agreement, which also states:

"You agree that you will only use the Card to pay for eligible expenses under the Plan... if you use the Card for anything other than an eligible expense, you will be liable for any taxes, penalties and other expenses payable under applicable law and any expenses we, United Healthcare or your employer may incur as a result of such impermissible use. Upon demand, you agree to reimburse us, United Healthcare or your employer, as the case may be, for any such use for non-eligible expenses..."

While employees may think that ineligible FSA expenses are automatically blocked at the point-of-sale, the agreement governs what really happens. The Consumer Accounts Card payment process may indeed block some ineligible purchases, but United Healthcare and the bank seem to have left themselves a convenient loophole where employees are still liable. It would be helpful if the agreement stated what those amounts of taxes, penalties, and other expenses could be. It seems risky to use a debit card when you don't know the exact amount of fees that might apply.

Second, employees should be aware of their responsibilities to avoid liability. The "Consumer Liability" portion of the agreement states:

"Tell us AT ONCE if you believe your Card has been lost or stolen. Telephoning is the best way of keeping your possible losses down. If you tell us within 4 business days, you can lose no more than $0 if someone used your Card without your permission. (If you believe your Card has been lost or stolen, and you tell us within 4 business days after you learn of the loss or theft, you can lose no more than $0 if someone used your Card without your permission.)"

This four-day time period seems unreasonably short. My bank allows 60 days from my statement to dispute a charge on that statement. Does United Healthcare expect employees to check their online FSA account every four days? The next portion of the agreement states what happens when employees provide notice after the four-day window:

"If you do NOT tell us within 4 business days after you learn of the loss or theft of your Card, and we can prove we could have stopped someone from using your Card without your permission if you had told us, you could lose as much as $50."

Now, the liability sounds more like the liability with a traditional credit card: $50. What I find troubling about this clause is that it assumes traditional theft or loss. This blog has documented numerous examples of identity thieves plant skimming devices inside point-of-sale terminals at gas stations, supermarkets, and other retail stores to steal consumers' data to clone debit cards. Since employees are forced to use health care debit cards at retail stores, a more relevant agreement would provide tips about what to do if they believe their card has been cloned. Perhaps the myUHC.com site explains this, but I don't have a myUHC.com account.

The agreement also states (emphasis added by me):

"... if the statement you receive from the Plan administrator shows transfers that you did not make, tell us at once. If you do not tell us within 90 days after the statement was mailed to you, you could lose as much as $50 if we can prove that we could have stopped someone from taking the money if you had told us in time."

Again, that sounds like traditional credit card liability (e.g., $50), but at least the window for notice is longer at 90 days. Why lead with the four day clause? It seems unnecessary. In Caren's case, it seems that United Healthcare is enforcing the 90-day clause. What I find troublesome about the above clause is that it assumes paper statements sent via postal mail. In reality, employees' statements are available online. Nothing is sent via postal mail. So, why write the agreement assuming this? It sounds like the card agreement was rushed to market without all the bugs removed.

Another portion of the agreement states:

"ALL QUESTIONS ABOUT TRANSACTIONS MADE WITH YOUR CARD MUST BE DIRECTED TO THE BANK, AND NOT TO YOUR EMPLOYER OR PLAN ADMINISTRATOR. The Bank is responsible for issuing the Card and for resolving any errors in transactions made with your Card. The transactions will appear only on the statements provided to you by the Plan administrator."

It would be helpful if the agreement listed the bank's phone and postal address information. I couldn't find it in the agreement. The agreement lists United Healthcare's phone and postal address information. In my experience, well-written agreements provide both phone and postal address information with any instructions where consumers should give notice. Perhaps, the other policies provide this information, but I don't have a myUHC.com account.

SO, let's see if I got this correct. The agreement directs employees to contact United Healthcare for transfers the employee didn't make, but contact the bank about statement "errors."What's the difference? How are employees to tell? This sounds confusing.

It troubles me that the above clause mentions "errors" and doesn't mention "fraud." I would expect any bank to aggressively investigate suspected fraud. The fact that Optum Bank's flow of funds page still presents a 2008 copyright does not give me much confidence in the bank:

If something this simple still says 2008, what else has this bank missed? Or, should consumers conclude that the Optum web site hasn't been updated in four years? Or is this flow-of-funds information that is four-years old and/or obsolete? I would expect more timely and current information from any bank -- especially one processing my extremely sensitive health care information.

The "Fees" section of the agreement states:

"OptumHealth Bank does not charge usage fees for this card."

No fees are good, because banks can apply a wide variety of fees to debit-card accounts.However, it means that employees should monitor any changes in the card agreement. Things might change with new fees introduced. So, employees should read any updates to the card agreements or policies with their health care debit cards.

Now, let's return to Caren's story. The fact that Caren never used the Medco online pharmacy should be a huge "red flag" to Optum Bank, Large HR Firm, and United Healthcare. It suggests that Caren's payment information was stolen. The payment data on Caren's Consumer Accounts Card could have been stolen via a skimming device, which identity thieves plant inside point-of-sale terminals at retail stores and gas stations -- not just at bank ATM machines.

If Caren's Consumer Accounts Card was not cloned via skimming device theft, then a couple other options are possible. The pharmacy may have re-submitted the purchases it originally rejected -- and if so, it should have notified Caren, and reimbursed her for the purchases she paid out-of-pocket. Caren could test this by using a different pharmacy. If the duplicate charges don't happen at the second pharmacy, then it is reasonable to assume a problem at the first pharmacy. If the duplicate charges continue, then it seems safe to assume that her debit payment data was stolen.

Insider identity theft is always a possibility. It's harder for employees to spot, but it does happen.

What should employees do if your employer offers a specialized debit card for healthcare expenses? I suggest the following steps:

• Read all applicable policies to know your rights and responsibilities -- especially before registering for a FSA with your employer. Your employer may have negotiated a really good deal for its employees, or not. Don't blindly assume so; read the fine print in the agreement first. Part of evaluating if it's a good deal is looking for certain clauses in the agreement -- like the ones listed above. If you have difficulty reading contracts, get help from a trusted friend, family member, or attorney if you can afford one.
• Use the Internet to find reviews written by employees about their health care debit card plan. Places I like to look include Consumer Reports, The Consumerist, and Epinions.
• File a police report with local law enforcement. (In Caren's case, somebody spent money from her FSA account without her authorization. That is theft.) Insist on law enforcement accepting the report. Make several copies. Attached the police report to any complaints filed with your employer, the FSA healthcare administrator, and the bank,
• Use a different pharmacy. If the duplicate charge problem stops, it is reasonable to assume a problem at the first pharmacy, and file a police report accordingly,
• If you feel that you aren't getting the services promised by the bank which processes your health care debit card transactions, learn about how to file a complaint against your bank.
• File a fraud complaint with the U.S. Federal Trade Commission (FTC) including any relevant documents (and non-action by employer, HR Firm, health care firm, and bank). This will help the FTC track any emerging theft trends with health care debit cards.
• If there is no action by the employer, HR Firm, healthcare firm, and/or bank), write a letter to your federal or state elected officials asking for help. It's part of their jobs -- to help their constituents.

Is the United Healthcare Consumer Accounts Card a good deal? Only you can decide for yourself, as everyone's needs are different. Hopefully, I have highlighted the things consumers should look for in any health care card agreement, so you can make an informed decision.

If you use a specialized debit card for health care expenses, what has been your experience?

A Debit Card Cautionary Tale

[Editor's Note: today's post is by guest author R. Michelle Green, the Principal for her company, Client Solutions. She is a combination geek girl, personal organizer, and career coach. Michelle helps others improve their use of technology in their personal or professional life. Today, she tackles what I believe will become a huge identity-theft problem. As employers lower their administrative costs by outsourcing payment systems that include debit-card transactions, the result is a more complicated, patchwork mix of companies where it is not easily clear who is responsible when bad things happen.]

By R. Michelle Green

At a business conference I attended, the topic turned to health care insurance administration. Some of the attendees now have new debit cards they didn’t ask for. Their employers gave them debit cards for their health care expenses (to access their Flexible Spending Accounts). Instead of having to submit receipts, employees offer the card at the point of sale. If s/he tries to charge more than allowed, or tries to charge things that are not acceptable, the card is rejected. Easily fits into the distributor’s payment systems (cash credit debit), no paperwork for the employee, less evaluative work for the FSA provider. Everyone wins, right?

Not everyone.

Meet Caren (not her real name, of course). She offered her new debit card -- her's is called a United Healthcare Consumer Accounts Card -- for prescription meds in January last year. However, the purchase was rejected by the pharmacy. She assumed it was a glitch, and paid for it herself. While this eventually happened every time, she doesn’t have medical charges every day, so it took a while to recognize that the card never worked. For reasons not relevant here, she did not pursue this with the provider until the fall, only to discover that all her money had been used up on health care charges she didn’t make.

She spoke with United Healthcare using the phone number on her Consumer Accounts Card. She submitted all her information in writing as they requested. They produced a sheet showing that her charges mostly matched (about 70%) identical charges paid 1-2 business days after hers. Though they did not accuse her of fraud, they did say the case was closed and did not merit an appeal. When she approached her human resources provider, he said, well at least she got the tax break. (!) She didn’t get a tax break, she got a salary reduction! She was deprived of access to her own money, set aside from her salary. The debit card agreement online says that she should call the bank operating the card, but that hasn’t proven productive either.

Had a second card been issued to someone else, we wondered? Not to her (or to the bank’s) knowledge. Did the drugstore have signatures on the other charges ostensibly hers? The other charges were mail order charges through Medco, so no receipts or signatures. She has no account with Medco. The pharmacy is not interested in pursuing this, they’ve been paid (perhaps twice!). Medco won’t address it, as she is not a client. The debit card provider only knows the money is spent. The FSA account holder is satisfied that it was spent for the right things. Only Caren is out of pocket and disadvantaged. Doubly so – this was so traumatic that she did not enroll in FSA this year. That makes her ineligible for the associated tax benefit in 2012.

Turns out our blog host is interested in the way financial systems are evolving, and found this issue particularly interesting. There are a lot more parties in the mix than you might at first think. Caren has an employer small enough that it purchases human resources expertise from a national firm. So there’s Caren, Small Firm, and Big HR Firm. Big HR Firm takes the money from her account and sends it somewhere based on their agreement with United Healthcare. Her debit card is managed by United Healthcare, and Optum Health Bank administers that card for them. Optum Health Bank has a subsidiary, Optum Financial, that handles the flow of money from the holding account to the point of sale. And what about the pharmacy: could their processes have been compromised as well?

I read a lot about fraud and scams, and wondered if this could be the tip of a software theft operation, selecting certain customers, and duplicating certain customers’ receipts, at just low enough rates that they are not perceived. (Good movie, eh? But Occam’s Razor says: not likely.) But who is the person with enough clout to investigate this, particularly if no one person or entity loses big bucks?

Today she tweeted that she had heard from Big HR Firm – there’s nothing they can do. So who’s responsible? Several corporations are in play; doesn’t each have a responsibility to Caren? Who can help her?

Data Breach Via Insider Identity Theft at North Carolina Hospital

The Data breach cause that scares me most is insider identity theft because it involves employees that should be trustworthy, and aren't. It also emphasizes that the company, hospital, or government agency have an aggressive "red flags" program in place to monitor who accesses sensitive consumer information (e.g., customers, patients, clients, employees, contractors), and compliance with data security policies.

Yesterday, the News-Record reported a data breach involving protected patient information at High Point Regional Health System. An employee took home 47 patients' files, and later returned them. Officials believe the data breach occurred between September 14 and October 6. Hospital representatives learned of the breach last month by an employee at Premier Imaging LLC, a hospital subsidiary. The employee has since been fired.

The breached records included patients' names, residential addresses, dates of birth, Social Security numbers, driver's license numbers and insurance information -- all of the critical data elements for thieves to assume another person's identity and do significant damage with health or financial accounts. An investigation by the health system could not determine whether the former employee has any patient information in her possession or has used it in any way.The hospital has notified affected patients, and arranged an identity protection service for the affected consumers.

Specific data security rules exist for hospitals and health care organizations. According to the Health & Human Services website, the information that must be protected includes:

"Information your doctors, nurses, and other health care providers put in your medical record; conversations your doctor has about your care or treatment with nurses and others; Information about you in your health insurer’s computer system; billing information about you at your clinic; and most other health information about you held by those who must follow these laws."

The companies that must follow this law are called "covered entities," and include doctors, pharmacies, nursing homes, HMO's, health plans, health insurance companies, and vendors hired under certain conditions.

Data Breach Affects 4.9 Million Active And Retired Military Personnel And Their Families

TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:

"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."

In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.

While TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.

If there is one thing I have learned while writing this blog is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.

SAIC describes itself as:

"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."

Refusing to help breach victims by avoiding to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.

Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).

If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at:

• SAIC: Facebook, Twitter
• TRICARE Management Activity: Facebook, Twitter

Doctor Paid $40K For Illegal Disposal Of Patients' Files

Last week, North Carolina Attorney General Roy Cooper announced that Dr. Ervin Batchelor, owner and operator of the Carolina Center for Development and Rehabilitation (CCDR), has paid $40,000 for the alleged illegal disposal of patients medical records.

In June of 2010, the CCDR dumped 1,000 patient files at the West Mecklenburg Recycling Center. The files contained names, addresses, dates of birth, Social Security numbers, drivers’ license numbers, insurance account numbers, and health information for 1,600 people. Mecklenburg County officials contacted the Attorney General’s Office, which then launched an investigation into the illegal dumping.

Besides the fine, Dr. Batchelor has agreed to comply with both state and federal data security laws to protect patients' personal financial and medical information. The CCDR has already notified patients of the data breach. North Carolina law requires businesses and local government agencies to notify consumers affected by a data breach.

In North Carolina, organizations must also report data breaches to the Consumer Protection Division. A total of 889 breaches involving information about more than 3.3 million North Carolina consumers have been reported since state laws on security breaches took effect in 2005 and 2006. AG Cooper said:

“Any business you entrust with your information has a duty to keep it safe. Sensitive financial and health information should never be carelessly dumped, putting customers and patients at risk of identity theft.”

I agree. This is a good example of why it is important for all organizations that archive consumers' personal medical and financial information should have data security procedures in place to prevent data breaches. Unfortunately, several special interest groups have lobbied the U.S. Congress for exemptions to Red Flag Rules, notably physicians and accountants. Special interest groups often claim that the Red Flag Rules are an unnecessary and cumbersome burden.

Well, post data breach responses are a huge burden on organizations. The above fine is one of many costs. And, the improper disposal or theft of consumers' sensitive personal financial and medical information is a huge burden on consumers. Instead of wasting time and resources looking for ways to avoid protecting consumers' information, these groups should be doing the opposite. Protecting consumers' data is in both their and consumers' best interests.

Attorneys General Increase Enforcement Of State Data Breach Laws; WellPoint To Settle Class Action Lawsuit

One way to understand what organizations and executives should know about data security and data breach laws is to read about the advice their law firms provide. The law firm of Dickstein Shapiro advises its corporate clients on several topics including dispute resolution, corporate finance, energy, government law, government contracts, public policy, and intellectual property.

In an alert to its clients, the firm discussed the recent settlement agreement between WellPoint and the State of Indiana Attorney General Office:

"... the AG settled with WellPoint for violations of the State's data breach notification law (although, notably, not for violations of federal health care data protection rules under HIPAA)... Wellpoint notified affected customers three months after it had corrected the problem. Additionally, WellPoint did not notify the AG of the breach. Under the settlement, WellPoint was required to: (1) pay a $100,000 fine to a state fund providing restitution to defrauded consumers; (2) provide up to two years of credit monitoring and identity theft protection to each person exposed; and (3) provide up to $50,000 to address further losses each person exposed might experience."

About the proposed Federal data breach legislation, the alert said:

"Until there is a comprehensive data protection and notice law at the federal level applicable to businesses generally, AGs will continue to be aggressive in enforcing their States' data breach notification and data privacy laws. At present, 46 States have data loss notification laws, and the majority of States also have laws requiring that businesses protect customer and employee data. AGs have used these laws to obtain substantial settlements, protect consumers, and change business practices."

About medical records data security, the alert said:

"State AGs also have the authority to enforce federal data breach notification laws governing protected health information. The HITECH Act, Title XIII of the 2009 stimulus bill (the American Recovery and Reinvestment Act) imposes notice obligations on entities covered by HIPAA when they experience a breach affecting protected heath information and allows for enforcement of the Act by State AGs using their parens patriae authority. AGs may bring a civil action in federal court for injunctive relief or monetary penalties... AGs also may seek to recover costs and reasonable attorneys fees incurred in prosecuting a successful action."

According to American Medical News, WellPoint has agreed to settle the class-action lawsuit filed in California. The terms of the reported settlement agreement seem similar to the terms of the agreement with the Indiana AG. The class-action settlement includes:

• Two years of credit monitoring service for all breach victims
• Reimbursement to class-action participants for identity theft losses of up to $50,000 per incident,
• Extended time to file identity theft claims until May 31, 2016,
• Class-action participants filing claims are eligible for an additional five years of credit monitoring, and
• WellPoint will donate $250,000 total to two nonprofit organizations involved with consumers online privacy

Comparison Of The Current Data Breach Bills In Congress

There is a good article by the Center For Democracy And Technology (CDT) which compares the current data breach bills in the U.S. Congress. I discussed this proposed legislation in this prior blog post. The CDT reported:

"... there are a number of pending data breach bills, including Representative Rush’s DATA, Representative Bono Mack’s recently marked up SAFE Data Act, and Senators Pryor and Rockefeller’s (acronym-free) Data Security and Breach Notification Act. Other pending legislation, including Senator Leahy’s Personal Data Privacy and Security Act as well as the White House’s Cybersecurity Proposal, also addresses data breaches."

This proposed legislation is important because:

"Current federal law requires notification of consumers in the event of a breach only in limited circumstances, while nearly every state has its own version of a data breach law. Congress is now looking to simplify data breach laws with a national standard, but the question is whether such a standard would be a step forward for consumers. It’s an issue, that CDT has been following since at least 2005."

Whenever politicians want to "simplify" something, it's usually time to start worrying. What may be simpler for corporations and organizations could place consumers' sensitive personal information at risk. And, the usually players will argue about the cost burdens on companies. Let's remember the burdens on consumers, too, who typically have fewer resources.

When I read proposed legislation, I consider it effective data breach legislation when it addresses all of the following components:

1. Definition of personal information. This can be tricky. Just as there are various data elements available about consumers today (e.g., GPS location data attached to photos, images, tweets, social media posts, etc.) that didn't exist 5 or 10 years ago, future technologies will contain new data elements that don't exist today.
2. Define organizations covered by this law. It should cover all organizations in both the private and government sectors. in prior "Red Flag" legislation, attorneys gained an exclusion
3. Dictate how data should be protected (e.g., if electronic records, then encryption) both during transmission and during storage. The legislation has to assume that a variety of identity-theft criminals and hactivists will continually attempt to hack or breach websites containing sensitive consumer information. Prior legislation seemed to assume the traditional data storage within a company's premises. Futurre legislation must assume traditional and cloud-computing storage. Ideally, certain types of sensitive personal information shouldn't be "stored in the cloud."
4. Define the types of events (e.g., a minimum number of records exposed, doemstic locations, international lcoations) that trigger notification
5. Define the parameters of notification (e.g., personal letter via snail mail, ads in news media)
6. Define the assistance provided to breach victims (e.g., consumers, employees, customers). There is no standard definition of "credit monitoring" which may or may not include credit monitoring, quarterly or real-time updates, real-time notices, credit resolution, insurance, and credit scores. Typically, companies offered one or two years of free credit monitoring services. This length is insufficient given the high value and long life of various data elements (e.g., Social Security Numbers).
7. Effect on state law. According to the National Council of States Legislatures (NCSL), at October 2010 about 46 states in the USA plus Puerto Rico and the U.S. Virgin Islands have breach notification laws. The four states lacking breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota. Weak federal legislation that supercede state law would be a step backwards for residents in states with strong breach notification and data security laws.
8. Fit with existing law. There are existing laws for medical and financial informaton. New breach legislation should not weaken these existing laws.
9. Contain sufficient penalties for violators. This can't be a simple "slap on the hand," and must contain sufficiently high fines and/or jail time for repeat offenders.

WellPoint To Pay $100K Settlement To State of Indiana For Data Breach

On Tuesday, the State of Indiana Attorney General Office announced an agreement with WellPoint regarding the health care insurer's data breach in 2010. WellPoint will pay the State $100,000 for the breach with exposed the sensitive personal information of 32,051 Indiana residents. The settlement resolved a lawsuit that Indiana Attorney General Greg Zoeller's office filed under a new data-breach notification law passed in 2009.

A faulty website security update exposed the personal, financial, and medical information of about 470,000 consumers nationwide, including about 5,600 in Connecticut and 230,000 in California. The breach victims included patients who used the company's website to apply for individual health insurance through WellPoint subsidiaries (Anthem Blue Cross or Anthem Blue Cross and Blue Shield) in 10 states.

The data breach exposed consumer information from October 23, 2009, to March 8, 2010. A consumer alerted WellP:oint on February 22, 2010, and again on March 8, 2010, that records containing personal information were potentially accessible. Upon notification, Affected consumers were notified about the breach starting June 18, 2010. Indiana Attorney General Greg Zoller said:

"This case should be a teaching moment for all companies that handle consumers' personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the Attorney General's Office and consumers promptly. Early warning helps minimize the risk that consumers will fall victim to identity theft."

I agree. Breach detection, early notification of consumers, and prompt action are essential. I only wish the settlement amount was larger.