Notices about stolen SC insurance data sent 2 months after theft

ashain@thestate.comDecember 30, 2013 

Computer-Internet Security

CHAD MCDERMOTT/ISTOCKPHOTO.COM

More than 3,400 customers who get health insurance through a South Carolina state-mandated program did not learn that a laptop containing their names and Social Security numbers was stolen until two months after the theft.

The laptop was stolen Oct. 16 from the car of a private auditor hired to review S.C. Health Insurance Pool claims and payments, said Cynthia Hutto, a Charleston attorney hired to assist with the incident. The pool, run by insurers through the S.C. Department of Insurance, offers coverage to people who cannot get policies elsewhere.

The auditor informed the pool about the theft five days later. But the 3,432 customers whose information was on the stolen password-protected laptop did not receive notification letters until Dec. 18, Hutto said.

The pool needed time to get mailing information for the customers and set up a free year of credit monitoring, she said. Attorneys also had to follow regulations about informing potential identity-theft victims.

“We were running as fast as we can,” Hutto said. “We can’t just say, ‘Here’s a heads up.’ ”

The stolen computer has not been recovered. Authorities have received no reports of the information being used, Hutto said. Data on the computer included customers who were part of the pool in 2011 and 2012.

The auditor is paying the costs from the theft — including sending notification letters and a year of credit-report monitoring with Experian. Costs were not available Monday.

The credit monitoring is similar to what the state offered when foreign hackers stole financial information belonging to 6.4 million taxpayers, their children and businesses from servers at the S.C. Department of Revenue in 2012.

That breach, considered the largest ever at a state agency, led to increased security measures at South Carolina departments and millions spent on new equipment. News of the revenue breach was not revealed to the public for more than two weeks after state officials first learned of the hacking. Authorities said they needed time to investigate the breach.

The insurance pool does not receive state money or use state employees, said Ann Roberson, a spokeswoman for the S.C. Department of Insurance. Insurers pay fees into the pool, which is administered by Blue Cross Blue Shield of South Carolina.

About 1,500 customers used the pool in November, Hutto said.

To audit claims, the pool hired DeLoach & Williamson, a Columbia accounting firm.

The stolen laptop belonged to a DeLoach auditor, Hutto said. The computer was stolen from the auditor’s car at a Columbia residence, she said.

Kevin Dolan and Chris DiIenno, attorneys representing DeLoach, said the auditor likely violated company policy about keeping the laptop in a locked car. The auditor was “re-educated” on company security policies, but the attorneys did not know if the employee was disciplined.

“This occurrence will never happen again,” DiIenno said.

Roberson said the pool has its own security protocols. The insurance department does not allow employees to take identifying information about consumers outside agency offices, she said.

Bill Hancock, a managing partner with the auditing firm, said he was concerned about news on what was on the laptop becoming public. “The less this is discussed, the better,” he said.

The State is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service