by Martin H.
August 16, 2007
In its second disclosure of a data breach in as many months, pharmaceutical giant Pfizer revealed that laptops containing personal data on 950 Pfizer contractors were stolen from the car of employees of outside contracting firm Axia.
The theft took place on May 31, but Axia did not inform Pfizer until June 14.
The missing laptops contained names, complete home and business addresses, land and cellular telephone numbers, and Social Security numbers.
Attorney Bernard Nash, representing Pfizer, revealed the breach in communications with Connecticut Attorney General Richard Blumenthal, copies of which were posted publicly by New London, Connecticut newspaper The Day.
The package also included copies of the breach disclosure letter Pfizer sent to affected individuals.
Pfizer did not offer an explanation in the letter as to why the Axia employees had the information, though Nash said the laptop data was backed up to Axia's main computer system.
Predictably, Pfizer said that the stolen laptops were password-protected, and that there was no indication that the stolen data had been used for fraud or identity theft.
Pfizer and Axia are also providing a year of free identity protection services to affected customers through Identity Safeguards, an identity protection and recovery company based in Oregon.
"Pfizer and Axia are committed to maintaining the confidentiality and security of data," Nash wrote. "Pfizer is working with Axia to improve data security protections, and will apply the lessons learned from this incident to its work with other contractors, and its own employees as well."
The Axia data breach follows Pfizer's disclosure that an employee had accidentally shared data on 17,000 current and former Pfizer workers over a peer-to-peer file sharing network. Attorney General Blumenthal had criticized Pfizer for not disclosing the breach to consumers until June 1, even though the breach itself took place on April 18.
In follow-up correspondence on the earlier breach, Blumenthal reiterated his concern that the slow pace of notification would increase consumers' risk of exposure to identity theft.
"The sooner consumers are notified that their personally identifying information is at risk, the sooner they can respond to prevent further harm," Blumenthal wrote.
Pfizer claimed that the breach investigation was "complex and multifaceted," and that differing "work streams" of the investigation prevented it from providing a specific timeline of the investigation or explaining why it took so long to notify consumers.