Once again, news has circulated of a missing laptop that may expose the personally identifiable information of several thousand students in Massachusetts and Vermont. Unlike the recent Sterne Agee breach, in which an employee’s laptop was simply lost, this incident involves the intentional theft of a laptop from an employee’s vehicle.

In this particular case, the billing company, New Hampshire-based Multi-State Billing Services, allowed a laptop computer containing the complete identities of almost 3,500 public school students to be taken from its facility. The laptop was later stolen, and although a password was required to turn on the computer, the information it contained was not encrypted.

This information includes the names, addresses, birthdates, Social Security numbers, and Medicaid numbers of nearly three thousand students in kindergarten through twelfth grade in nineteen different Massachusetts school districts, and of more than four hundred students in Vermont schools. The information, presumably gathered to process reimbursements to schools whose special education students receive services that are covered under Medicaid, is not believed to have been the target of the theft; the target is believed to have been the physical laptop itself.

And that’s what presents the problem. In cases of cyber crime or data breach, companies have long followed the protocol of informing the possible victims so they can take steps to protect themselves. Companies have even started purchasing insurance policies to cover the cost of cleaning up after a data breach and securing their clients’ information. Once hackers steal private information, the credit reporting agencies will freeze those customers’ accounts for free. But in the case of a stolen laptop that just happened to contain identifying information, the credit reporting agencies do not necessarily waive their fees to put a hold, freeze, or alert on someone’s account, especially a child’s.

One of the chief issues is that access to the information was given in the first place. It was the job of MBS to secure the laptop and the information, and certainly to encrypt the data, not just password-protect the computer itself. It would be interesting to know why the laptop ever left the office and why it was left in someone’s car.

But parents also have to protect themselves and their children by remembering who is entitled to the information. While the school was billing Medicaid for legitimate services and using a widely known billing contractor to handle the paperwork, there is no clear connection between the Medicaid services and the Social Security numbers. The Medicaid numbers had to be provided, and it is possible that the Social Security number had to be given to the Medicaid office when the child was first signed up, but there is no clear reason for the school or the service provider to need the SSN.

Often, requesting a Social Security number is simply a holdover from the days when it was commonly used as an identification number. Now that the dangers of doing so have become clear, many organizations are turning away from the practice, especially considering it’s actually a violation of the Social Security system. The SSN is not to be used for identification or proof of citizenship, as those are not its intended purposes. Any organization that requests your number or your child’s number for a purpose other than employment or taxation is not necessarily entitled to it.

Once a breach occurs, though, it’s important to follow through with the help that is offered. In this case, MBS is paying for up to three years of fees on the children’s credit reports, should the three different reporting agencies not waive the fees associated with freezing and unfreezing the reports.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues. This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue. The ITRC Data Breach Report is available weekly and all information is free to the public.