Insurance Company Loses 540,000 N.Y. Employee Records
Government officials in New York are warning 540,000 injured state workers that an outside contractor has lost a computer containing their personal data, including the employees names, addresses and social security numbers.
State officials have sent letters warning the individuals affected by the data loss to be on the lookout for potential identity fraud, based on the mistake made by insurance and disability claims management vendor CS Stars, of Amarillo, Texas. Representatives from both New York and CS Stars have confirmed that the company cannot locate a computer in its Chicago offices on which the injured worker records resided.
According to the state, the majority of the people listed in the system were involved with claims from two of New Yorks workers compensation funds. The funds involved workers who had sustained at least two injuries on the job, and people with lingering effects from earlier medical problems, respectively, officials said.
The letter mailed to people involved in the incident reported that the missing personal computer was the property of the state of New York but had been turned over to CS Stars, which offered no further explanation of the data loss. Company officials said that the FBI is already involved in an investigation into the incident.
In the meantime, CS Stars is offering identity theft insurance, 12 months of free credit reports and access to fraud protection services to those individuals whose data was stored on the missing PC. Officials said that there have been no crimes related to the data breach reported to either the state or CS Stars thus far.
The New York incident is only the latest in a long string of high-profile data losses reported by government agencies, businesses and other institutions in the United States. Most recently, the U.S. Department of Veterans Affairs was involved in a situation where a laptop containing the personal information of roughly 26.5 million individuals was stolen from a workers home. That machine was later recovered.
As a result of the VA incident, the U.S. government is pushing for stricter laws that will explicitly require companies to inform any people whose data they may have somehow lost.
Members of the U.S. House of Representatives are expected to vote on one such bill before the end of July. The Financial Data Protection Act of 2005 would supersede legislation passed by individual states in requiring communication with individuals affected by information losses. The bill also includes specifications detailing the level of encryption companies would need to have in place in order to defer from reporting a data breach publicly.
The landslide of attention currently being given to the handling of consumer information was touched off by a California law passed in 2003, dubbed SB 1386, which requires companies to inform people affected by a breach. At least 28 states have imposed similar laws as public awareness of the issue has grown over the last several years.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.