A tale of two breaches

By dissent, May 2, 2008 3:30 pm

I had one of those *blink* experiences the other night while I was going through all of the new breach notifications on the Maryland Attorney General’s site. It all started when two breach reports were clearly identical in all respects except for the substitution of names.

SavaSeniorCare Administrative Services, LLC and Mariner Health Care, Inc. both reported that their respective employees’ 401(k) data were on a computer stolen from Windham Brannon, P.C., a firm that provides audit services for the benefits plan.

That two customers of a vendor should both report a breach is certainly nothing new. But for two firms to claim that they each had exactly 2,199 Maryland residents affected by the breach sounded a bit odd. And the oddity only grows as you read more about the incident and post-recovery “findings.”

According to their reports, the computer stolen on December 31, 2007 was password-protected but the data were unencrypted. It was recovered on January 7 and returned to Windham the next day. SavaSeniorCare and Mariner both say they then hired Navigant Consulting to inspect the computer to determine if the files containing personal data had been accessed.

If you believe their reports, after a two-day analysis of the computer, the consultants

found that the computer was reformatted within a few hours of the theft and that, as a result, most of the files containing personal information about [name of company] employees and former employees had been destroyed. Consequently, the examiners were not able to determine with certainty whether these files were accessed before they were destroyed. However, the examiners were able to find three of our files that had not been over-written and determined that these files had not been accessed after the theft. The examiners also inspected the data files of other clients that survived the reformatting process and determined that none of these files were accessed at any time after the theft.

So each company filed a report with a state attorney general that claimed that three files of theirs were not overwritten by reformatting and that each company had personal information on 2,199 residents of Maryland in their files.

Does anybody think about what they’re submitting or how plausible it is?

I wrote to both SavaSeniorCare and Mariner Health Care yesterday to ask them about these remarkable coincidences. Neither has replied.

Could these reports be an honest mistake? Sure. But then they should correct their reports promptly. Do I think that the data were misused? Probably not, but that’s not the point. If a company is required under state law to notify the state of a breach, then the report should be accurate — or at least make sense.

SavaSeniorCare’s report.
Mariner Health Care’s report.
