We can all breathe easier. WellPoint, the country's largest managed care firm, has found its missing disk -- the unencrypted one that contains the personal information (including Social Security numbers and medical records) of 75,000 people. It had been lost in transit by UPS. But they found it. Don't you feel better?The idea that these companies still think it's OK to stick a CD with highly confidential information into an envelope and drop it off at their nearest UPS office (or hand it to the UPS guy), even after all the other examples of lost and stolen data that we've had over the past couple of years, has got to make you wonder: What were they thinking? I've got nothing against UPS, but how many packages get lost/torn/misrouted every year by package services?
And the icing on this particular cake is that the disk wasn't even encrypted. Thousands of Social Security numbers, and not even the most basic security protocols were followed. Heck, I have better security on my trusty USB flash drive (which contains my secondary e-mail app and a few personal documents). If I know the value of encryption, shouldn't the experts entrusted with our medical data have some kind of clue?
Actually, I should be fair to WellPoint's personnel. They didn't actually send the disk out via UPS. It was a third-party vendor, Health Data Management Solutions (which, according to its Web site, "prides itself on setting the standard for data management and analytic services"), that sent the disk out via UPS. It makes you wonder just what today's standard for data management is these days.
WellPoint has stated that Magellan Behavioral Health Services, the intended recipient of the disk, will now only transmit data through a secure network. That's certainly nice to know. These companies sound so up-to-date technologically that one can't help wondering if they will have to upgrade their systems first -- to Windows XP.