FLORIDA COMPUTER STOLEN http://www.news-press.com/article/20121111/COLUMNISTS40/311110039/1005/NEWS0103

Tell Mel: Data taken? remain calm

Richard Downing was skeptical about the letter he received from Alere Home Monitoring, Inc. telling him his personal information had been stolen. The company was giving him the opportunity to sign up for a credit monitoring service free of charge – a good way to get his Social Security number if it were a ruse.

“I have never dealt with them, nor have I ever heard of them,” Downing wrote to me in an email attaching Alere’s letter. “Do you think it would be safe to do as they say? It sure sounds like a scam.”

I doubted the letter was a scam and a call to Alere, a multinational company with more than 15,000 employees, confirmed my suspicion this was bad news.

Downing and about 100,000 others were at risk for identity theft.

An Alere employee had their data on his laptop computer. It was not encrypted – put into a code that would need to be broken to read the data – but the laptop was password protected.

So it’s possible the computer was stolen by someone who had no interest in the valuable personal information it contained. And what was that data? The name, address, Social Security number, date of birth and diagnosis of people like Downing who take the drugs warfarin or Coumadin to prevent blood clots.

“We don’t think (the thief) was going after data, the data wasn’t supposed to be there,” said Doug Guarino, director of corporate relations for Alere Inc., of Waltham, Mass. “We’ve taken steps to ensure everyone that this mistake won’t happen again.”

Maybe not at Alere, but it will surely happen again, said security expert David Aitel.

“You can’t be a modern adult without having your data stolen once or twice a year,” said Aitel, CEO of Immunity Inc., described as an “ethical hacking company,” based in Florida.

Employees’ laptops with sensitive information on them are stolen all the time, Aitel said. But it doesn’t mean a person’s identity will be sold to the highest bidder and their life will turn into a Sandra Bullock movie. (If you didn’t get that reference, rent “The Net.”)

The real danger comes from data breaches in which hackers get into a company’s network. That can really do damage to the company and its customers, Aitel said, because the hackers are specifically after this type of information. “These (stolen) laptops just end up on eBay, they’re not as likely to be getting exploited,” Aitel said.

Aitel wasn’t particularly impressed by the 100-grand number of this security mishap either, saying hackers that crack computer systems can easily get 10 times that many accounts and Social Security numbers.

“Tell people, don’t panic,” Aitel said.

Breaches involving medical information of more than 500 people must to be reported to the U.S. Department of Health and Human Services, which in turn posts the information on the Office of Civil Rights website. The company has up to 60 days to make the report.

The reporting began in 2009, and there have been 500 breach notifications involving more than 21 million individuals, according to Rachel Seeger, spokeswoman for HHS’ Office of Civil Rights.

About 60 breaches have been reported this year. The biggest on the HHS website happened in March when hackers broke into a Utah state government server and took records for 780,000 individuals, which included 280,000 Social Security numbers.

If you receive one of these letters from Alere, I’d suggest you take them up on the 12-month identity theft protection offer. These services usually cost $10-$16 a month. And it comes with a $1 million insurance policy that can cover costs such as a private investigator, time loss from work or illegal funds transfers.

Hopefully this is just a precaution and Downing and others will never need to use the service to help them recover from identity theft. And things are looking good on that front. The break-in occurred on Sept. 23 and so far, the company stated in its letter to Downing and others, “(T)here has been no evidence that your information has been disclosed or misused as a result of this incident.”