CareFirst Dental HMO Exposes SSNs, Says You Should "Take It Seriously"
Last month, The Dental Network—a dental HMO owned by CareFirst BlueCross Blue Shield—discovered it had accidentally revealed personal data and Social Security numbers online for about 75,000 of its customers. It told the members about the screw-up three weeks later. “The company says that to its knowledge, no one has misused the information. But it says ‘the risk … should be taken seriously,'” and it’s offering affected members one year of credit monitoring. After that, as you know, the thread of identity theft plummets. Wait, what?
Companies, is it really that expensive to offer 5 years, or 10 years, of credit monitoring to victims of your data security incompetence? Seriously, own up to your responsibility in exposing people to the risk of financial and credit problems and give them the tools they need to protect themselves. After all, it’s your fault.
The Baltimore Sun, which first reported the breach, pushed The Dental Network for a reason why it took them three weeks to notify their members:
The company also created a Web site and phone line for members to learn more about the breach, which details the credit protections.
On the Web site, the company posted a list of frequently asked questions, including one about the delayed notification.
“Action was taken immediately and your personal data was secured within minutes of our learning of this accidental exposure,” the response states. “With any such event, it takes time to gather the relevant information, identify the affected individuals, hold the necessary internal discussions, make the appropriate decisions and line up the assistance services that are being offered.”
Here’s another idea, as long as we’re giving them out for free: why don’t companies create contingency plans for accidents like this? You know, a formalized process that outlines step-by-step what should happen, so that action can be taken within, oh, 72 hours instead of 480 hours.
We searched their amateurish website (it explains a lot about the breach and the slow response) and can’t find any mention of this special website or press release. If anyone has more information on either one, please send us a link or post it in the comments below.
Update: Here’s the website for victims of the security breach: lds.thedentalnet.org (Thanks to the author of the original article, Liz F. Kay!)
“Patient data exposed online” [Baltimore Sun] (Thanks to Nick!)