Last week, health plan provider Centene disclosed that they had lost track of six hard drives containing the private information of roughly 950,000 individuals. These records contained details such as names, addresses, dates of birth, member ID numbers, private health information (PHI), and Social Security Numbers. Luckily (if you can call it that), at least they did not contain any financial or payment details.
According to the disclosure from Centene, the missing hard drives contained about six years worth of research data (2009-2015) and “were a part of a data project using laboratory results to improve the health outcomes of [their] members.”
In a press release, the company announced that they had launched an “ongoing comprehensive internal search” for the hard drives.
The company also disclosed a statement on how the hard drives were lost, claiming “The incident resulted from an employee not following established procedures on storing IT hardware. While we cannot estimate the impact with certainty at this time, the company does not expect the impact of the incident to have a material effect on its future growth opportunities, financial position, cash flow, or results of operations.”
To be blunt, the second half of the above statement was likely an attempt to make sure that this incident did not jeopardize Centene’s upcoming $6.8 billion merger with Health Net (which, by the way, was expected to close on February 1, but was halted due to unrelated issues).
I’m sure the fact that this incident is not expected to “have a material effect” on the company is going to make the nearly one million people who have been affected by it feel tons better about the careless handling of their PHI. (Yes… that was sarcasm).
In their defense, Centene at least had an established procedure in place for securely handling hardware. Looks like they learned from the mistakes of others and chose to put the proper protocols in place. So they weren't just being willfully negligent, unlike with some similar breaches in the past. For example, some of you may remember that whole TRICARE debacle back in 2011, when a bunch of outdated (but completely unsecured and unencrypted) data backup tapes went missing and compromised an estimated 4.9 million records from customers as far back as 1992. The recent Centene breach is fairly small by comparison.
In all honesty, the employee should have followed the company’s hardware protocols and this recent breach at Centene should never have happened. Sometimes, however, the group must pay the price for the actions of an individual.
Not to sound like a broken record (some people still play music on vinyl, right?), but...
Sadly, Centene is yet another prime example of something I’ve stated previously in this blog (so many times that I have lost track)—
IRRESPONSIBLE AND/OR CARELESS HUMAN BEHAVIOR IS THE SINGLE MOST COMMON AND DANGEROUS THREAT TO AN ORGANIZATION’S DATA SECURITY.
While there is more than enough anecdotal evidence to back this up, as you’ve already seen, there are also hard numbers that support my claim.
According to a survey/study from the Ponemon Institute, the actions of “internal insiders” (meaning employees or contractors) are responsible for 43 percent of all enterprise data loss. When asked what they consider the biggest threats to endpoint security in their organizations, 78 percent of respondents pointed to “Negligent or careless employees who do not follow security policies” as one of the most serious security issues they faced.
Not only are security threats from employee actions causing more problems, but they are also occurring with increasing frequency. In fact, 90 percent of organizations experience at least one data security threat from insider actions every single month. In 2013 alone, U.S. businesses suffered losses totaling $40 billion as a result of employees engaging in unauthorized use of company computers.
About half the time, employees are accidentally causing these problems, often by doing any of the following:
- Shadow IT Applications: employees installing unsanctioned software on computers/devices (sometimes in order to help them do their jobs)
- Sync & Share Technology: according to a study from Sky High Networks, 28 percent of employees have uploaded a file containing sensitive information (such as PHI) to a public cloud
- Social Engineering: this is usually when employees fall for a phishing scam, such as spear-phishing emails or fraudulent phone calls (i.e. a person claiming to be from HR asking for login credentials). This method of hacking is also becoming increasingly popular among cyber criminals
- Weak Password Security: employees who fail to use unique passwords, engage in password sharing, and/or fail to change their passwords regularly
The other half of the time… the problems are being caused by dishonest or disgruntled employees who act to intentionally steal or damage data in any number of nasty ways:
- Cyber Sabotage: a disgruntled employee, perhaps after being passed over for promotion or denied a raise, takes malicious actions such as deleting important files, locking out accounts (again, this is what happens when employees share passwords), etc.
- Malware or Logic Bombs: this is often done by employees who are leaving the company or have been terminated. Before departing, they may infect the network with a virus or malware. Or worse, they may leave behind a “ logic bomb” that will not be triggered until well after they are gone
- Data Mining/Selling: data selling can sometimes be too lucrative for a dishonest techie to pass up. This may cause employees to copy and steal data such as sales lists, employee directories, and even intellectual property that they can then turn around and sell on the dark web
Feeling paranoid yet?
Have no fear, dear reader. In our next blog article, we will discuss some things that can be done to reduce (or perhaps even eliminate) many of the human threats posed by careless (or just plain evil) employees.
Until then… try not to stress yourself out about it.