Unencrypted data at HHS exposes 50,000 Medicaid providers

On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data on 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities. However, the drive was lost, along with the data it contained, which included names, Social Security numbers, dates of birth and addresses of the 50,000 providers.

In last week’s article, “data breach threats of 2013,” I cited breaches by third parties as one of the top three highest-rated threats in the Deloitte survey of technology, media and telecommunications companies, and here is a perfect example of a third-party data breach. As mentioned last week, organizations can conduct vendor risk management to reduce this threat. The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to, and conducting periodic audits to ensure that they maintain the same security standing.

Unfortunately, the North Carolina HHS assumed that its contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions. HHS Secretary Aldona Wos said, “We expect my vendors to maintain the security of information.” However, N.C. HHS is only now requesting validation of these assumptions. Wos stated, “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”
