Sidebar: Car Trouble Results in Breaches

Even as the FTC was fining ChoicePoint, two more companies reported large data-security breaches last week -- both involving the apparent theft of IT equipment from employees' cars.

Providence Home Services, a division of Providence Health System in Seattle, said it's notifying 365,000 hospice and home health care patients in Oregon and Washington about the theft late last month of backup disks and tapes that included personal information and confidential medical records.

A Providence employee told company officials on Dec. 31 that the disks and tapes had been stolen from his car while it was parked at his home. The employee took the devices home as part of a backup protocol that sent disks and tapes off-site to protect them against possible loss from fires or other disasters, a Providence spokesman said. That practice has since been stopped, he added.

The spokesman said some of the information on the tapes was password-protected at the application level, while the rest was stored in proprietary file formats. The data on the disks also wasn't encrypted but was stored in a proprietary file format "in a way that would make it difficult, if not impossible, for someone to access it [and] then make any sense out of it," he said.

Rick Cagen, CEO of Providence's Portland service area, said the home health care unit is implementing new data-backup procedures using more-traditional means, including secure sites in remote locations. "We do have alternate practices now," Cagen said.

In the other incident that came to light last week, Ameriprise Financial Inc. in Minneapolis said it's notifying 158,000 customers and 68,000 financial advisers that a laptop PC containing personal information about them was stolen late last month.

The laptop was taken from an employee's locked car in a public parking lot, Ameriprise said. The financial services firm didn't identify the city where the incident took place, saying that police are still investigating the theft.

Windows and Novell Inc.'s networking applications were password-protected on the laptop, but the data files weren't encrypted as required under company policies, according to an Ameriprise spokesman. He said the employee involved in the incident was fired because of the lack of encryption.

The spokesman added, though, that even having a customer's name and account number wouldn't let an identity thief access an account. At least three other pieces of personal information are needed to do so, he said.

Related:

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon