Companies are paying a lot of attention to securing their networks against malicious attackers and other threats, but some still lag in implementing similar measures for protecting data on desktops, laptops and portable storage devices.
The most recent examples are Horizon Blue Cross Blue Shield of New Jersey and Georgetown University, both of which faced data compromises this month.
Horizon today said it has notified about 300,000 of its members of the potential compromise of their personal information following the theft of a laptop containing the data on Jan 5.
A security feature on the stolen laptop automatically deleted all of the confidential information on Jan. 23, a company spokesman said. But it is not clear whether the thief who stole the computer accessed the data on the system before then, he said. The data on the laptop was unencrypted but password-protected.
"We think it is highly unlikely because the files were not readily identifiable as containing personal data," said Thomas Rubino, director of public affairs at Horizon Blue Cross Blue Shield, which services about 3.3 million people.
Rubino offered no explanation as to why the data deletion took place nearly three weeks after the computer was first reported stolen. "Obviously, if we had been able to do it before, we would have done it," he said. Blue Cross Blue Shield was in the midst of a data encryption project at the time of the theft. "Unfortunately, this computer did not have encryption on it," Rubino said. An alert posted on its Web site noted that the confidential information on the stolen laptop included names, addresses and Social Security numbers of its members. The laptop did not contain medical data on any members, the company noted.
The laptop was stolen from a health plan employee in Newark. The employee was authorized to have the information on his computer, Rubino said. But the individual appears not to have followed company policies for securing systems that are taken out of company facilities, Rubino said without offering any specifics.
Blue Cross Blue Shield is offering one year's worth of free credit-monitoring services to those affected by the breach.
Meanwhile, the theft of a computer disk from a locked room at Georgetown University in Washington has potentially exposed the Social Security numbers and other personally identifiable data of about 38,000 current and former students, faculty members and staffers between 1998 and 2006.
A university statement said the drive was stolen from an office within the university's Office of Student Affairs on Jan. 3. The unencrypted disk apparently was used to back up a computer that contained billing information for various student services, according to a story in the campus newspaper The Hoya.
A letter sent to alumni affected by the theft said that since the files "related to a range of cross-campus student financial transactions processed through the Office of Student Affairs, it pertained to students enrolled at the main, medical and law school campuses." No financial information was stored on the hard drive, the letter noted.
The university is also offering all affected individuals free credit monitoring for one year.
The two incidents are the latest in a slew of data compromises resulting from lost or stolen computer equipment that have been disclosed by companies. Over the past few days, Baltimore-based investment management firm T. Rowe Price Group Inc. had to notify about 35,000 customers of the potential exposure of their confidential data after the theft of a computer from the offices of a third-party service provider.
A similar laptop theft, also from the office of a third-party provider, may have compromised the names, birth dates and some health care data on 29,800 members of Fallon Community Health Plan, a Worcester, Mass.-based medical provider and insurer.