Shostack + Friends Blog Archive


Medco (prescription drug service)/ 4600 people, birth dates, SSNs, drug info/lost laptop

Executive summary:
Prescription drug benefits provider Medco employee loses laptop with Ohio government employee (and dependents) info. Waits six weeks to let Ohio know. Ohio complains vociferously. Interestingly, the names of the affected individuals were not on the laptop.
Money quote from a Medco spokesperson:

You’re as efficient as the lessons learned in the last scenario.

Network World
Medco says that the delay in notice was because local police in New Jersey were investigating and that

a complete log of the stolen data had to be created so it could be reported

Ohio is one of the many states that has a disclosure law (which went into effect two weeks ago). It defines “personal information” in an interesting way:

“Personal information” means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.

Now, to this layman that means that if the info says that a person with social security number 123-45-6789 has a prescription for birth control pills, you have to disclose.
Update 4/25: WRONG. They override this definition in the notification section of the law!
Ohio’s law also says:

[disclosure may be delayed] if a law enforcement agency determines that the disclosure or notification will impede a criminal investigation or jeopardize homeland or national security, in which case, the state agency or agency of a political subdivision shall make the disclosure or notification after the law enforcement agency determines that disclosure or notification will not compromise the investigation or jeopardize homeland or national security.

The emphasis is mine. If I were a reporter, I’d be asking for documentation that a law enforcement agency made such a determination, and when they made it. To me (IANAL), a “determination” is an affirmative thing — you need to actually do something — it isn’t passive. So, Medco, let’s see some proof. What police department in New Jersey told you that speaking up to your customer would impede their investigation of this theft of a single laptop?
[Note: I cleaned this up a bit and added the part about what constitutes personal info a few minutes after originally posting it]