S.C. Medicaid Breach Shines Light on Employee Data Theft
This time it wasn't Anonymous or some other hacking group trying to make a name for itself. The South Carolina Department of Health and Human Services can blame one of its own for the security black eye it just took.
The agency last week discovered that a Medicaid employee inappropriately transferred personal information for 228,435 Medicaid beneficiaries to his personal e-mail account. Not only was it a blatant violation of agency policy, it also put the personal identities of nearly a quarter million Americans at risk.
Christopher Lykes Jr., 36, was arrested Thursday for allegedly committing the crime. Lykes, a project manager for the agency, was immediately terminated while law enforcement officials conducted their investigation. It is not yet clear what he planned to do with the information.
Blame the Browser
We asked Bill Morrow, executive chairman and CEO of Quarri Technologies, for his thoughts on the breach and what other organizations can learn from the internal theft. His first thought: Blame it on the browser.
"The risk of this type of transfer of confidential information by an employee is all too common at many organizations because they are increasingly using browsers as the primary platform for the delivery of information and making them the primary point of theft or data leakage," Morrow said.
As he has said before, standard Web browsers contain critical security gaps that create significant risks to organizations' confidential data, and online resources like Web mail and social networking sites can be open windows for data leakage. That sets the stage for a careless or malicious employee to easily steal company trade secrets or intellectual property, or leak sensitive customer information.
"The end user is often the weakest link on any corporate network, since one malicious or unintentional click can lead to identity theft for hundreds of thousands of customers and patients," Morrow said. "It's critical for organizations dealing with sensitive data to enforce the use of a secure, hardened browser session for employees and customers that prevents unauthorized use and replication of confidential information by controlling malicious and careless end user behavior."
Personal Information at Risk
Customer, student, employee and patient information is most at risk for cyber attacks today, and defending that data is a top concern for IT professionals this year, according to the CDW national Data Loss Straw Poll.
Data loss comes at a cost. A Ponemon Institute study published in March reveals that organizations suffering a data loss in 2011 paid an average of $5.5 million per breach, which translates into an average of $194 per record lost.
"The damage resulting from data loss -- to the bottom line and to an organization's reputation -- is very real," said Christine Holloway, vice president of converged infrastructure solutions at CDW. "Perhaps it should come as no surprise that IT professionals view data loss as the greatest business risk to organizations this year. As tele-work and access to mobile computing grows, preventing data loss is increasingly important -- and increasingly complex."
According to the survey, the number of people accessing business networks increased by an average of 41 percent during the last two years. Inadequate security policies contribute to security challenges. While most organizations allow employees to access their networks with personal mobile devices, security policies for employee-owned devices are often less strict than for employer-owned devices. Twenty-seven percent of IT professionals said they do not have security policies for employee-owned mobile devices.
"No organization appears to be immune from data loss -- blue-chip companies, small business, schools and governments have been affected," said Rick Hanson, senior director of sales at Symantec. "Prevention is essential. Organizations that layer security solutions to address network endpoints, data at rest and data in motion are more aware of potential security threats, less susceptible to breaches and better able to respond when a breach occurs."