Up to 25000 could be affected by laptop stolen from New West employee – The Missoulian

A laptop computer stolen from an employee of New West Health Services contains current and former customers’ names and addresses, some of their Social Security and driver’s license numbers, and may contain their medical, credit card and banking information.

There is no indication the data has been accessed or used improperly, CEO Angela Huschka said Monday, when New West announced the theft “out of an abundance of caution.”

New West declined to say how many of its customers may be affected by the theft, but Montana Insurance Commissioner Monica Lindeen said her office was told by New West it could involve 25,000 people.

The stolen laptop “contained electronic files with personal information from past and present New West customers,” according to New West’s news release. “The computer was password protected, and there is no evidence to suggest that the information stored on the laptop was the target of the theft or that any customer information has been accessed or misused.”

Ryan O’Connell, New West’s vice president of market strategy and external affairs, declined to say when and where the laptop was stolen.

“At this time, we do not have any additional information to share,” O’Connell said in an emailed response to the questions.

New West Health Services, which also does business as New West Medicare, is a not-for-profit, provider-sponsored health plan offering Medicare Advantage and Medicare Supplement plans.

It is headquartered in Helena, and has an operations center in Kalispell and a regional sales office in Billings. New West did say the laptop was stolen from “an off-site location.”

The company established a call center, open Monday through Friday from 7 a.m. to 7 p.m., to address questions or provide information to current and former customers. The number is 1-877-802-1399.

New West said it would also offer one year of complimentary credit monitoring and identity protection services to individuals whose Social Security numbers were involved.

***

Based on a forensic investigation, New West says it believes the laptop contained:

• Customers’ names, addresses and, in certain instances, driver’s license numbers and Social Security numbers or Medicare claim numbers.
• It “may have also contained” information relating to some customers’ payment of Medicare premiums. That information includes electronic funds transfer information (bank account number, account holder name, account type and bank routing number) or credit card information (card holder name, credit card account number, expiration date and the card’s CVV number).
• And, the laptop may have contained some customers’ health information, including date of birth, medical history and condition, and diagnosis and/or prescription information.

“Once we learned of the theft, New West took immediate action including initiating an internal investigation and notifying law enforcement,” Monday’s news release from Hurschka said. “We also retained Navigant, a leading national computer forensic firm, to assist us in our investigation.”

New West said it was installing additional security on all company laptops, “enhancing” education for employees, and “strengthening our data security policies and practices.”

***

Lindeen, who helped implement a Cybersecurity Consumer Protections document while serving as president of the National Association of Insurance Commissioners last year, encouraged current and former New West customers who receive letters from the company advising them they may have been affected, to take steps to protect themselves.

“When you purchase insurance, you have the right to know how your personal information is being collected, maintained and used,” Lindeen said. “This protection also extends to being notified if your information has been involved in a data breach.”

The Cybersecurity Consumer Protections document says people should:

• Know the types of personal information collected and stored by their insurance company, agent or any business it contracts with.
• Expect insurance companies to have a privacy policy posted on their websites and available in hard copy. It should explain what personal information insurance companies and agents collect, what choices customers have about their data, how customers can see and change or correct their data if needed, and how the data is stored and protected.
• Receive a notice from their insurance company, agent or any business they contract with if an unauthorized person has seen, stolen or used their personal information.
• Get at least one year of identity theft protection paid for by the company or agent involved in the data breach.
• Know their rights, and actions they should take, if someone steals their identity.

Those rights and actions are spelled out at the National Association of Insurance Commissioners website, naic.org.