Triple-S Management, a managed care services provider in Puerto Rico, suffered a security breach that could have exposed the personal health care information of more than 400,000 customers.According to a post filed at DataBreaches.net, the Puerto Rico Department of Health reported a security breach to Health and Human Services (HHS) that involved managed care firm Triple-S Management and an independent licensee of the Blue Cross and Blue Shield Association in Puerto Rico. The breach affected the protected health information, such as name, address, diagnosis, procedures, and other information on 400,000 patients.

Triple-S Management's 10-Q filing [.pdf] explains how the breach occurred:

Our investigation has revealed that the security breaches were the result of unauthorized use of one or more active user IDs and passwords specific to the TCI IPA database, and not the result of breaches of TSS's or the Corporation's system security features. We cannot at this time determine the purpose of these breaches and do not know the extent of any fraudulent use of the information or its impact on the potentially affected individuals and IPAs. We believe, however, that the most likely target was financial information related to IPAs rather than the individuals' information. During the course of our investigation we learned that there may have been improper uses of the IPA passwords by one or more consultants working for the IPAs. We have taken measures to strengthen the TCI server security and credentials management procedures, and are conducting an assessment of our system-wide data and facility security to prevent the occurrence of a similar incident in the future.

Yet another classic lesson on how important good identity and access management hygiene is. It's an old problem, and the remedy has been repeated many times: maintain tight control over user access rights, and when users change jobs or responsibilities make certain their electronic credentials change with the times.

While that will solve many problems that relate to similar breaches as these, the practice won't solve all of them, such as when insiders who have appropriate rights for their jobs - and then abuse those rights. That could had of been the case here, but it's not possible to tell form the information available. However, had security event and access information been correlated, it's makes it much lot easier to be able to spot abuses by insiders. If access information is correlated with a security event monitoring, for example, security managers can then spot troubling trends. They could include users accessing more information than usual, or perhaps from systems other than work. Such data doesn't tell one what the intent of the user may be, but it does suggest further investigation is advisable. And that just may be enough to stop such incidents from happening as often as they do.