Medco notified officials of data breach after six weeks

01.03.2006
The Ohio state attorney general's office is investigating the terms of a contract between the state Department of Administrative Services and a New Jersey-based prescription drug benefits provider after a laptop computer containing the unencrypted Social Security numbers and birth dates of about 4,300 state workers and 300 of their dependents was stolen in late December.

The theft wasn't reported to the state until last month.

Ben Piscitelli, a spokesman for the Ohio Department of Administrative Services (DAS), said the laptop was stolen Dec. 28 from the home of an employee of Medco Health Solutions Inc., which handles prescription drug benefits for state employees. Medco officials waited until Feb. 8 to inform the state about the theft.

"We told them that delay was unacceptable," Piscitelli said. Officials of the Franklin Lakes, N.J.-based company met with state DAS officials on Feb. 16 and agreed to provide free credit- and fraud-monitoring services to the affected workers for one year to help them watch their credit records for potential illegal activity, he said. The DAS announced the incident and its aftermath in a statement last week .

The DAS has also asked Attorney General Jim Petro to review the two-year, US$4 million drug benefits management contract DAS has with Medco through July 2007.

Kim Norris, a spokeswoman for the attorney general's office, said the contract is being reviewed for any violations that may have occurred in terms of data security. "If they promised to protect the information in a certain manner, those are the kinds of issues we'll look at," she said. "We're working on that right now."