On March 8, 2013, a contractor working for North Carolina’s Department of Health and Human Services (HHS) billing department stored unencrypted data of 50,000 Medicaid providers on a thumb drive that was to be transferred between facilities.  However, the drive was lost along with the data it contained which includes names, social security numbers, dates of birth and addresses of the 50,000 providers.

In last week’s article titled, data breach threats of 2013, we cited breaches by third parties as one of the top three highest rated threats in the Deloitte survey of technology, media and telecommunications companies and here is a perfect example of a third party data breach.  As mentioned last week, organizations can conduct vendor risk management to reduce this threat.  The vendor risk management process begins by evaluating the security of third parties that work with sensitive data, controlling what data they have access to and conducting periodic audits to ensure that they maintain the same security standing.

Unfortunately, the North Carolina HHS assumed that their contractor, Computer Sciences Corporation (CSC), was taking adequate security precautions.  HHS Secretary Aldona Wos said, “We expect our vendors to maintain the security of information.”  However, N.C HHS is only now requesting validation of these assumptions.  Wos stated “I have instructed CSC that North Carolina expects an independent third-party assessment to assure CSC’s adherence to required security standards.”