Georgia health officials reported today that a vendor working with the Georgia Department of Community Health is missing a disk containing the names, birth dates and Social Security numbers of 2.9 million Georgia health services recipients.
The breach was initially reported by the vendor, Affiliated Computer Services, which is contracted to maintain health care claims for the state. The company said that the CD was lost in transit between Georgia and Maryland.
A number of breaches have been suffered by Affiliated Computer Services over the past year. In August 2006, the vendor exposed more than 32,000 student loan recipients' records held by the U.S. Department of Education when it botched a routine software upgrade for the agency, causing these names to be made publicly available on the department’s website.
And in November 2006, more than 1.4 million health care recipients in the state of Colorado were left exposed to ID theft when a company laptop was stolen from an employee of the state's Department of Human Services.
According to Paul Stephens, policy analyst for the Privacy Rights Clearinghouse, the loss of the Georgia CD emphasizes the need for encryption technology to protect data when it does go missing.
"Things do get lost," said Stephens. "I think the key here is that the data on the CD, presumably, was not encrypted. That is the real issue."
While many corporations have a financial motivation to protect data through encryption, government organizations may need more regulatory oversight to protect valuable information handled by agencies and their vendors.
"I think with respect to government data, I think you are going to find that at some level there may be a requirement for encryption of data that is contained on storage media that can be lost," Stephens said.
Click here to email West Coast Bureau Chief Ericka Chickowski.
Looking for a new job? SCMagazine.com has the latest IT security employment opportunites. Click here for our jobs page.