Thursday, December 14, 2006

Contractor working for the state of Vermont accidentally posted Social Security numbers of hundreds of health care providers

Vermont officials blast contractor for security lapse
Jaikumar Vijayan

December 12, 2006 (Computerworld) A contractor working for the state of Vermont is drawing fire from the commissioner of human resources for accidentally posting the Social Security numbers of hundreds of health care providers on the state's Web site earlier this year.

The incident happened in May and involved The Segal Group Inc., a New York-based firm hired by the state to assist in the bidding process for new health care contracts, according to Commissioner Linda McIntire. As part of its contract, Segal was expected to draft, prepare and issue formal requests for proposals for the state employee health care administrator and mental health care administrator contracts, she said.

In carrying out that task, the company obtained a list of health care providers from Cigna, the state's current health care administrator. The lists, which contained taxpayer identification numbers and in some cases SSNs, were included as attachments for the RFPs and were subsequently posted on the state Web site -- where the information remained for about a month before being removed, McIntire said.

The numbers were not labeled as Social Security numbers but rather as taxpayer identification numbers, which a majority of providers use when submitting claims to Cigna, she said. In some cases, providers used SSNs as identifiers. It was those numbers that were inadvertently exposed, McIntire said.

More than 13,000 names were on the list provided by Cigna,

but only a few hundred of those used SSNs as identifiers, she said.

According to McIntire, the state learned of the potential compromise only last week and began sending out letters to the affected health care providers. Another letter will go out this week informing them of the state's decision to pay for one year's worth of credit-monitoring services for the affected individuals, she said today.

McIntire blasted Segal for the security lapse in a letter sent to the company last week. In the letter, she expressed her "deep dissatisfaction that an expert consultant could overlook the inclusion of Social Security numbers in a document that was to be publicly posted and disseminated to potential bidders." "I assume there is no need to point out to you the sensitivity of Social Security numbers or the harm that may flow from unauthorized access to those numbers," McIntire said in the letter. "We did not expect to encounter this kind of problem as a result of your work."

She went on to ask for Segal's full cooperation in helping the state correct the problem.

In an e-mailed statement, Segal said that the mistake resulted from the difficulty involved in distinguishing SSNs from employer identification numbers (EIN), since both are nine digits.

"The Social Security numbers that were released had been used as provider identifiers in the Cigna database," Segal said in the statement, noting that in most cases, providers used their EINs as identifiers. "This is an unfortunate circumstance. Segal has reached out to the state to help rectify the situation and alleviate any provider concerns."