Shades of 2003: Have contractors started holding individuals’ PII hostage again?

It’s been a long time since I’ve seen any report that a contractor or their employees were holding an organization’s client or patient data hostage as part of a dispute.  To my surprise, however, there have been two such reports like that recently.  One case is in the healthcare sector and I’ll be blogging about that later today on PHIprivacy.net.   The other in the business sector and involves Irvine Scientific.

Although it has managed to fly under the media radar,  on December 18, Irvine notified the New Hampshire Attorney General’s Office that on October 31, an unnamed former contractor contacted them, claiming to be in possession of customers’ credit card information.  The contractor reportedly refused to return the information or even disclose what he information he allegedly possesses. On or about December 18, the  firm notified all customers whose data might have been acquired by the contractor. They also notified the U.S. Secret Service and the Santa Ana Police Department.

According to a spokesperson, Irvine Scientific does not know whether their former contractor is really in possession of customers’ credit card information, but he did have access to the data in the course of his duties as a web developer for the firm. The firm’s notification letter did not indicate what the contractor’s motivation might be, but it seems a reasonable hypothesis that some payment dispute might be at the root of it.

So what happens now? And could this happen to any entity? Probably.  And what would your firm or entity do if it happened to you?

Credit card numbers can be cancelled, although there’s no indication that the contractor has been misusing the information in any way.  And Irvine Scientific may take a reputation hit with their customers who may be unhappy over the inconvenience and the firm’s failure to offer any free credit monitoring service  But if the contractor hoped to have any leverage by threatening the firm about customers’ data, that threat is gone now that they’ve disclosed the breach. The only remaining threat may be to the contractor’s freedom if he’s charged criminally over this or to his pocket if the firm decides to sue him.

About the author: Dissent

Comments are closed.