Protecting private data

Our view: Companies should pay a price for breaches

The accidental exposure of personal information about patients in a Maryland dental plan should be another sharp reminder to institutions to better protect consumers' privacy. Absent tighter controls, states should consider imposing tough penalties for these breaches.

A technical error has been blamed for the posting of the names, addresses, dates of birth and Social Security numbers of 75,000 members on the public Web site of the Dental Network, an HMO owned by CareFirst BlueCross BlueShield. Members were informed in a March 10 letter, after data had been online for two weeks.

CareFirst insists that it acted as quickly as possible - in accordance with a state law passed last year - and doesn't think any information was misused. It has offered to provide 12 months of credit monitoring for aggrieved members. Helping consumers ensure the integrity of their credit is one way of making up for letting the horse out of the barn.

But with more than 223 million sensitive records estimated to have been involved in security breaches since January 2005, institutions need to be more aggressive about protecting personal information. That should mean fewer databases and fewer links among them, better internal controls on access and less reliance on Social Security numbers as identifiers. Most states require adequate protection for personal information. Stiff penalties would likely motivate companies to act sooner rather than later.