Shostack + Friends Blog Archive

Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut.

Connecticut’s attorney general said Monday that he’s investigating insurer Blue Cross Blue Shield’s loss of confidential information about health care providers, which was on an employee’s stolen laptop computer.
Richard Blumenthal said Monday that the company and its affiliates may have broken state law by losing the information and taking too long to notify doctors.

And if that wasn’t enough, Health Net lost Information for 450,000 Connecticut residents.

Blumenthal said he’s “outraged” that the company never told customers or police and only told the AG on Wednesday.
Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.

I wonder how many other State AGs are investigating Health Net at this point. There were a total of 1.5 million records lost at least count.
At bare minimum Arizona’s AG is also investigating.

Health Net officials said they were not able to determine which information was on the disk, so they investigated and learned the information was saved in an image format that cannot be read without special software.

So anyone have any clue what this supposed image format is? And what makes them think that someone who was smart enough to grab that drive wasn’t smart enough to grab a copy of the software? Assuming of course that wasn’t just all in pdf…

Originally published by Richard on 23 Nov 2009
Last modified on 23 Nov 2009
Categories:   breach analysis   Uncategorized