CareFirst Dental HMO Exposes SSNs, Says You Should "Take It Seriously"

Last month, The Dental Network—a dental HMO owned by CareFirst BlueCross Blue Shield—discovered it had accidentally revealed personal data and Social Security numbers online for about 75,000 of its customers. It told the members about the screw-up three weeks later. “The company says that to its knowledge, no one has misused the information. But it says ‘the risk … should be taken seriously,'” and it’s offering affected members one year of credit monitoring. After that, as you know, the thread of identity theft plummets. Wait, what?

Companies, is it really that expensive to offer 5 years, or 10 years, of credit monitoring to victims of your data security incompetence? Seriously, own up to your responsibility in exposing people to the risk of financial and credit problems and give them the tools they need to protect themselves. After all, it’s your fault.

The Baltimore Sun, which first reported the breach, pushed The Dental Network for a reason why it took them three weeks to notify their members:

The company also created a Web site and phone line for members to learn more about the breach, which details the credit protections.

On the Web site, the company posted a list of frequently asked questions, including one about the delayed notification.

“Action was taken immediately and your personal data was secured within minutes of our learning of this accidental exposure,” the response states. “With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, make the appropriate decisions and line up the assistance services that are being offered.”

Here’s another idea, as long as we’re giving them out for free: why don’t companies create contingency plans for accidents like this? You know, a formalized process that outlines step-by-step what should happen, so that action can be taken within, oh, 72 hours instead of 480 hours.

We searched their amateurish website (it explains a lot about the breach and the slow response) and can’t find any mention of this special website or press release. If anyone has more information on either one, please send us a link or post it in the comments below.

Update: Here’s the website for victims of the security breach: lds.thedentalnet.org (Thanks to the author of the original article, Liz F. Kay!)

“Patient data exposed online” [Baltimore Sun] (Thanks to Nick!)

Comments

Edit Your Comment

  1. mduser says:

    How long until we find out they also exposed information for non-dental HMO customers?

  2. wgrune says:

    My guess is yes, it is pretty expensive to offer 5 or 10 years of credit monitoring. 75,000 people at $10 per month (estimated) equates to $9 million per year. I am not saying that they shouldn’t pay for their mistake, just that 10 years of credit monitoring for these people approaches $100 million.

  3. B says:

    Is a class action lawsuit serious enough for them? Cause that’s how seriously I take it.

  4. courtarro says:

    I think their visitors who use Netscape Gold 4.7 should have known that they needed to be using Netscape 6.2 in order to prevent ID theft.

  5. Wow…that’s a really bad website. I love the five people huddled around the laptop. They look like their plotting to steal your identity.
    Blonde woman on the left: I’ll take that one!

  6. johnva says:

    @courtarro: Sure does look like they cut their website and/or IT staff to the bare minimum and didn’t update the site for years, doesn’t it?

  7. scoosdad says:

    1. Steal info from The Dental Network.

    2. Read media stories about The Dental Network offering only one year of credit monitoring.

    3. Set Outlook calendar reminder notification for one year from now.

    4. Profit!

  8. azntg says:

    “Due to a technical issue involving the internal restructuring of The Dental Network (TDN), sales of TDN Dental HMO (DHMO) stand-alone products in Maryland (both group and individual) have been temporarily discontinued.”

    Think recent events have anything to do with this? Love the gobbledygook language there. As if they can cover up the third rate website they have running.

  9. Grrrrrrr, now with two buns made of bacon. says:

    Geez, when the local hospital left my information (including my SS #) unprotected for 4 months in an online accessible database, all I got was an “Ooops…you should probably get a credit report and freeze your credit. Good luck.” I didn’t even get a year of free credit monitoring.

  10. uricmu says:

    I used to work for a major IT company, one of their vendors lost a tape with all our employee data (SSNs and all), and they only offered on year, if I remember correctly.

  11. You know, these stories are becoming more and more frequent, the possibility of stolen identity. No matter how much us as the consumer protect ourselves by shredding mail offers, alerting companies, all that entails… what really is starting to piss me off, is that no matter how diligent WE are, if THEY frig up, there isn’t much consequence. If I accidentally leave my SS#, name, address, phone, mother’s maiden name, all that out for someone to steal, fine. I pay the price, having to pay for credit report monitoring for years to come. But if some of these COMPANIES do it, they say “sorry, our bad, yo.” and most don’t even OFFER credit monitoring!

    Message to our companies: either straighten up your systems, have a contigency plan set aside for these types of f*ck ups, or GET OUR INFO OFF THE FREAKIN INTERNET AND GO BACK TO THE WRITTEN WORD.

  12. scoosdad says:

    @uricmu: Ditto in my case with the lost ABN AMRO data tape about two years ago.