AvMed Breach Affects 1.2 Million Florida Residents
Monday, June 07, 2010
A data breach in December 2009 at AvMed Health Plans included the theft of the Social Security numbers, names, addresses, birth dates, and health records of both current and former AvMed subscribers. Two laptop computers containing the records were stolen from the company's Gainesville office in December.
360,000 breach victims were notified in February and on June 3 the company announced that it is notifying an additional 860,000 breach victims. AvMed is offering breach victims two years of free credit monitoring service with the Debix Identity Protection Network. Breach victims requiring more information can visit the AvMed website or contact Debix at 1-877-441-3004 (TTY: 877-442-8633). Breach victims who want the Debix coverage must register.
Breach victims should visit the Florida Attorney General's website for more information about identity theft and the steps to take if their medical or personal information is used fraudulently by criminals. The Florida AG advises victims of fraud to:
- Report the incident to the fraud department of the three major credit bureaus
- Contact the fraud department of each of your creditors
- Contact your bank or financial institution
- Report the incident to law enforcement
Breach victims can get a free copy of their credit reports from the three credit bureaus at AnnualCreditReport.com. Since this breach involves medical information, breach victims should obtain a copy of their medical records from their AvMed physician and review it for fraudulent entries.
In 2009, after a data breach in which 1.5 million records were stolen, Health Net selected Debix as the complimentary credit monitoring service for its breach victims.
Is the health care industry doing a good job at protecting patients' medical information? I think not. Data breaches at health care companies are more common than many consumers and patients realize.
According to the Privacy Rights Clearinghouse, recent health care breaches include:
- June 2010: Safe Harbor Med (Santa Cruz, California)
- May 2010: Aetna (South Windsor, Connecticut)
- May 2010: Loma Linda University Medical Center (Loma Linda, California)
- May 2010: New Mexico Medicaid (Santa Fe, New Mexico)
- May 2010: Millennium Medical Management Resources (Westmont, Illinois)
- April 2010: St. Jude Heritage Medical Group (Orange, California)
- April 2010: The Medical Center (Bowling Green, Kentucky)
- April 2010: Hutcheson Medical Center and one other medical facility (Chattanooga, Tennessee)
- April 2010: DRC Physical Therapy Plus (Monticello, New York)
- April 2010: Affinity Health Plan (Bronx, New York)
- April 2010: Massachusetts Eye and Ear Infirmary (Boston, Massachusetts)
- April 2010: Brooke Army Medical Center (San Antonio, Texas)
- April 2010: St. Peter's Hospital (Albany, New York)
- April 2010: Virginia Beach Dept. of Social Services (Virginia Beach, Virginia)
- April 2010: ManorCare Health Services (Wheaton, Maryland)
- April 2010: St. Francis Hospital (Tulsa, Oklahoma)
- April 2010: Providence Hospital (Southfield, Michigan)
- April 2010: John Muir Physician Network (Walnut Creek, California)
- March 2010: Northwestern Medical Faculty Foundation (Chicago, Illinois)
- March 2010: University of Calgary Sunridge Medical Clinic (Calgary, California)
- March 2010: Atlanta Veterans Affairs Medical Center (Atlanta, Georgia)
- March 2010: UT Southwestern Medical Center (Dallas, Texas)
- March 2010: The Open Door Clinic of Greater Elgin (Elgin, Illinois)
Whenever I read about a large breach involving laptop computers, I wonder why firms and their employees insist on storing so many records on a single computer. It raises the question of whether AvMed properly trained its employees in effective data security practices.
I read AvMed's February and June press releases. Neither press release mentioned whether or not the stolen information was encrypted. Breach victims have to assume the worst: nothing was encrypted. This makes one wonder why the company didn't encrypt sensitive information.
And while the company claims that the risk of identity fraud is low, the fact is that using the types of information stolen, criminals can assume breach victims' identities, apply for credit in breach victims' names, and apply for health care fraudulently using breach victims' medical information.
Great article highlighting the need for everyone to have a much higher computer/data security awareness. Check a (free) blog, "The Business-Technology Weave" (can Google to it) - it reflects what this article is saying. The majority of breaches are due to human error, therefore awareness and common sense are key, in supporting all necessary best practices. The blog author also has a book we use at work, "I.T. WARS" (you can Google that too). It has a great Security chapter, and others that treat security. Highly recommended. Great stuff.
Posted by: Janice Taylor-Gaines | Monday, June 07, 2010 at 11:59 AM
"...I wonder why firms and their employees insist on storing so many records on a single computer."
The simple answer is: Because they can.
It never ceases to amaze how incredibly uninformed the medical community is about information security. I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant.
Posted by: Mister Reiner | Sunday, June 13, 2010 at 03:59 AM
This is just crazy!! I haven't been insured with AvMed for over 12 years, yet my data was stored on one of those laptops... How can this be??? I work in the cc industry and sensitive data more than 3 years old is moved to tape drives and held at an offsite storage facility... How the heck are they allowed to keep data over 10 years old locally on laptops in the office??? This is mind boggling!!
Posted by: kaffyx228 | Thursday, June 17, 2010 at 03:04 PM
I share your frustration. Companies retain our sensitive personal data for long periods of time.
When I.B.M. Corporation had its data breach in 2007, it exposed my sensitive personal data even though I never worked for I.B.M. Corporation. I.B.M. Corporation acquired my sensitive personal data when it acquired Lotus Development Corporation in 1995. I'd left Lotus in 1991.
The companies, or more accurately their lawyers, will tell you that they retain our data due to the myriad of federal and state laws. Some of this is valid because you may have a retirement account with a former employer.
At a minimum, this data should be encrypted. And you are correct, so many files should never be downloaded and stored on a single computer or laptop. Doing that is a poor data security habit.
This is one reason why I firmly advocate for long periods of free credit monitoring after a breach. Companies are storing our data for long periods and the risk of ID-theft and fraud doesn't magically end after 1 or 2 years of free credit monitoring.
Posted by: George | Friday, June 18, 2010 at 12:43 PM
Is the health care industry doing a good job at protecting patients' medical information? Is it? I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant. Right?
Posted by: Account Deleted | Thursday, June 24, 2010 at 08:48 AM
Good article because it fulfills needs.
Posted by: Neil Asher Scam | Friday, August 06, 2010 at 06:24 AM
I dropped AvMED three years ago and just got a billing invoice in the mail for coverage from July 1, 2010 to July 31, 2010. Probably a phishing trip to get me to call them, or am I wrong to assume that?
Posted by: db | Sunday, August 08, 2010 at 09:45 AM
My advice: look into your situation. Get a copy of your medical records. Review all EOBs (Explanation of Benefits) that you receive via snail mail. Look for fraud. Then get an attorney/resolution service to help you. Maybe also check the Identity Theft Resource Center for tips. Read this blog post for additional suggestions to protect yourself:
7 Tips To Protect Your Medical Records
Let us know what happens.
Posted by: George | Friday, August 13, 2010 at 02:04 PM
I believe the root of the problem is that information technology in medical environments isn't being regulated or certified to be HIPAA compliant.
Posted by: Credit Repair Services | Monday, August 23, 2010 at 07:42 AM