By Martin H. Bosworth
January 25, 2007
Personal records of more than 28,000 Nationwide Mutual Insurance customers were stolen from the offices of a contracting vendor, the company said.
In addition to the Nationwide data tapes, the thieves made off with backup data tapes containing information on the medical claims of 130,000 Aetna customers.
The break-in took place at the Weymouth, Mass., offices of Concentra Preferred Systems, which audits hospital stay claims for Nationwide to ensure the company does not overpay.
The theft occurred on Oct. 26th, but Nationwide delayed notifying customers while it investigated the likelihood of identity theft.
Concentra made the theft public on Dec. 1st, 2006, and claimed that law enforcement investigations determined that the theft was for "cash or pawnable items of value, and not the act of sophisticated criminals targeting specific data."
Concentra said it had enlisted a forensic team from global accounting firm Grant Thornton to investigate the possibility that the tapes would be used for identity theft.
The Grant Thornton team claimed, "Restoring data from a back-up tape like the one we tested for Concentra is generally considered to be a time-consuming process requiring specialized knowledge ... Typically, this level of technical sophistication exceeds the capabilities of the average computer user."
Nationwide was in the process of offering free credit monitoring and identity theft insurance to affected customers, though the company did not specify from which vendor.
The outsourcing of medical functions to third-party vendors may cut costs, but it also opens any company up to the threat of data breaches, whether from thefts of equipment or attacks by enterprising hackers.
Georgia-based Emory Healthcare suffered the loss of data on 38,000 patients when a laptop was stolen from the offices of a contracting company in Dec. 2006.
An employee of Perot Systems lost several CDs containing personal and medical information on 260,000 patients of the Midwest-based Sisters of St. Francis hospital chain in October 2006. The CDs were later recovered, and the hospital claimed the data had not been accessed.
Aetna itself had a data breach last year when a laptop containing information on another 38,000 customers mysteriously disappeared in May 2006.