When a Maryland dental HMO acknowledged this week that it had accidentally posted the names, addresses and Social Security numbers of 75,000 members on its Web site, the revelation made news.
But the security breach at The Dental Network is just one of more than three dozen filed so far this year with the Maryland attorney general's office, The Sun has learned.
And though most of the security breaches are much smaller, they underscore how hard it is to completely protect computerized information.
Consumer groups acknowledge that just about anyone is at risk.
"There's little you can do to protect yourself unless you go into seclusion," said Paul Stephens of the Privacy Rights Clearinghouse, a San Diego nonprofit.
Thirty-nine businesses or groups have reported losses of sensitive information involving about 87,500 Maryland residents in the three months since a state law took effect requiring that people be informed of such incidents, records show.
Jeannine Kenney, a senior policy analyst with Consumers Union, said the new Maryland law ensures that people will learn when their personal information has been compromised without having to rely on the good will of businesses.
"Now that Maryland has a law, consumers should be more confident that when there is a breach they will be notified," Kenney said.
Consumers can use the information to comparison shop. Notice requirements such as these "give businesses incentive to more carefully safeguard personal data," Kenney said.
Forms of inadvertent disclosure vary from case to case, but most commonly they result from theft of a computer or electronic equipment.
More than 4,600 Maryland residents were notified this week that BNY Mellon Shareowner Services had lost a box of computer backup tapes last month, according to state records.
"When I see things like this I get a little frightened," said retired schoolteacher Thomas Fox of Baltimore County, who received a letter this week from Pittsburgh-based BNY Mellon that his Social Security number and even bank account information might have been on the computer tapes.
Also in February, a hacker broke into MLSgear.com, Major League Soccer's online store, and stole the personal information -- including credit and debit card numbers -- of more than 1,600 state residents. This week, The Dental Network, a CareFirst BlueCross BlueShield dental HMO, revealed that it didn't notify about 75,000 members of a security breach until about three weeks later.
Sometimes human error is a factor. When Genworth Financial sent tax forms to its clients, including 69 Maryland residents, their Social Security numbers were visible through the envelope window, said Hugh Williams, who directs the identity theft program for the attorney general's office.
Maryland lawmakers passed the notification law last year, several months after Johns Hopkins reported the loss of data tapes containing personal information on more than 135,000 current and former employees. The legislature also approved a measure that would allow consumers to place a "security freeze" on credit reports.
Williams said he was surprised by the number of security breaches when he started in November.
He said he reviews the notifications before they are sent out to ensure that they include necessary -- and correct -- information for consumers. Thefts and other crimes are investigated by local police authorities.
Linda Foley, founder of the San Diego-based Identity Theft Resource Center, cautioned that "just because you've received a breach notification, it does not mean you're an identity theft victim."
Foley said such residents are at risk, and that they should take steps to reduce the possibility of fraud involving their information.
Experts say a security breach involving, say, a Social Security number is more worrisome than one involving a credit card -- which can be easily canceled.
"I'm less worried about my credit card number being stolen," Kenney said, because she'll notice any unusual charges on her next bill. However, for Social Security numbers, "there's a global market for this data," she said.
Although the person who initially stole a laptop computer might not be sophisticated enough to mine information from it, she said, "the buyer will check the hard drive to see if there's data on it that's marketable."
That's why Kenney recommends people consider a security freeze if their Social Security number has been disclosed.
Security freezes prevent businesses from accessing an individual's credit report, a step that's generally taken when a new line of credit is offered or considered. Under a Maryland law also passed last year, it costs only $5 to place or remove a freeze per credit bureau -- $15 for all three.
In many of the incidents reported in Maryland, businesses offered to pay for people to receive free credit monitoring for a year, state records show. But Kenney said businesses should offer consumers the choice of free credit monitoring or a security freeze.
"Credit monitoring only tells you you've been defrauded after it's happened," she said. "The key is protection beforehand so you don't have to clean up the mess."
liz.kay@baltsun.com
Sun reporter Tanika White contributed to this article.
Security breaches 2008
Maryland has received nearly 40 reports of security breaches since the state on Jan. 1 began requiring notification of affected state residents. Here are reported cases involving the personal data of 100 or more Marylanders:
CareFirst Blue Cross Blue Shield/The Dental Network: 75,000
BNY Mellon Shareowner Services: 4,690
Sava Senior Care/Mariner Health Care: 2,199
MLSGear.com: 1,613
T. Rowe Price Retirement Plan Services: 1,470
Invitrogen Corp.: 1,004
[Source: Office of the Maryland Attorney General]