USPS Breach Exposed Health Data
485,000 Employees' Injury Data 'Potentially Compromised'
As the U.S. Postal Service's investigation into its data breach continues to unfold, it's now reporting that certain health information for approximately 485,000 current and former employees was potentially compromised.
The news follows confirmation from the USPS on Nov. 10, 2014, of a breach of some of its information systems that impacted more than 800,000 employees and 2.9 million customers (see: U.S. Postal Service Breach: A Timeline).
The investigation has now determined that the intruders may have compromised a file containing workers' compensation injury claim data, according to a letter detailing the incident that the USPS provided to Information Security Media Group. The file, created in August 2012, contains information associated with current and former workers' compensation claims. Information included in the file dates from November 1980 to Aug. 30, 2012, according to the USPS.
Although the type of information varies greatly based on individual cases, workers' compensation-related data that may have been exposed includes names, addresses, dates of birth, Social Security numbers, medical information and "other" information.
The total number of employees whose health data may have been exposed reflects some of those originally listed as being impacted by the breach, "but others are receiving letters for the first time," says David Partenheimer, a spokesperson at the U.S. Postal Service. Those who did not receive an earlier letter from the USPS about free credit monitoring for one year have now been informed how to obtain the service.
The USPS has no evidence that any compromised employee information has been used to engage in any malicious activity, the letter says.
Although the latest breach details involve health information, the USPS is not subject to the HIPAA Privacy Rule that governs healthcare data because it is not a covered entity (a healthcare provider), Partenheimer says.
Notification Delay Explained
At a U.S. House hearing in November, Randy Miskanic, a USPS official, defended the agency's delay in notifying USPS workers of the breach, contending authorities didn't initially know what data was pilfered (see: USPS Defends Breach Notification Delay). The USPS first learned of the breach on Sept. 11, 2014, but didn't notify employees until Nov. 10, 2014.
Miskanic also said the government didn't want to tip off hackers that it was aware of the breach.
In its original report on the breach, USPS said employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contacts may have been exposed. For customers, names, addresses, phone numbers and e-mail addresses may have been compromised.
As a result of the breach, the USPS said in a Nov. 28 filing with postal regulators that it was forced to delay the filing of its annual financial report. The reason for the delay was to give the USPS time to confirm that the breach didn't compromise financial information that could affect its report.