Paul Stephens of the Privacy Rights Clearinghouse said any breach that involves Social Security numbers poses a high risk of identity theft.
Consumers cannot guard themselves against security breaches such as The Dental Network's, he said. The notification time varies when they do occur.
"In some situations, companies are very responsible about getting the word out quickly," Stephens said, though the news media or mass mailings.
The privacy group's Web site has a chronology of identity theft incidents, including an incident last month in which the personal information of more than 100,000 doctors from 11 states was posted on the Web site of California-based Health Net Federal Services. Also last month, a computer file with information about former and current Texas A&M University employees was posted online for about three weeks.
The CareFirst security breach is the most recent example of confidential patient or employee records being exposed in Maryland.
Last summer, a desktop computer containing the personal information of about 5,800 Johns Hopkins patients was stolen, and the hospital waited five weeks to inform them.
Hopkins officials reported in February 2007 that a courier mistakenly left a box of computer tapes containing the personal records of 135,000 employees and patients at the wrong stop. Officials believed that the tapes were likely thrown away or incinerated.
In 2006, a laptop computer containing the Social Security numbers of more than 26 million veterans and their spouses was stolen from the Montgomery County home of a Department of Veterans Affairs employee, and later recovered.
In January, a state law took effect that requires credit bureaus to allow residents to put a "security freeze" on their credit reports.
liz.kay@baltsun.com
