Potential Centene Corp Data Breach Reported: Up to 950,000 Members Affected

Another health insurer has potentially suffered a massive data breach that may have exposed the protected health information of up to 950,000 individuals. If confirmed, the Centene Corp data breach will be the largest healthcare data breach of January 2016.

Plan Members Alerted to Potential Centene Corp Data Breach

The protected health information of members was used for a study that was being conducted to improve health outcomes of plan members. The data were stored on six hard drives which were recently discovered to be missing. A search for the missing hard drives has been conducted, but so far they have not been located and a more comprehensive search has begun.

Under HIPAA rules, breach notification letters need to be sent to individuals if equipment containing PHI is lost or stolen, unless the data on the storage devices has been encrypted to a nationally acceptable standard, such as that recommended by NIST. The issuing of breach notification letters to members suggests that the data stored on the drives had not been encrypted and therefore is at risk of exposure.

The stored information included the names and addresses of plan members, along with their dates of birth, Social Security numbers, and insurance ID numbers: information that is highly sought after by identity thieves. The drives also contained some health information such as medical test results. Members affected by the breach had received laboratory services between 2005 and 2015.

Should it be confirmed that the drives are no longer located in the company’s facilities, the Centene Corp data breach will be the largest so far reported in 2016. No other data breach has been reported that has affected more than 30,000 individuals.

Other privacy and security incidents reported so far this month include one suffered by Indiana University Health Arnett, which reported the theft of an unencrypted storage device containing data on 29,324 patients. A similarly sized data breach was suffered by St. Luke’s Cornwall Hospital, again involving the theft of an unencrypted portable storage device. A thumb drive was taken from a restricted area of the hospital and contained the PHI of 29,156 patients.

New West Health Services, doing business as New West Medicare, also suffered a data breach after a laptop computer was lost, exposing the data of 28,209 individuals, while Blue Shield of California suffered a network security incident that resulted in the records of 20,764 individuals being viewed by an unauthorized individual.

The potential Centene Corp data breach and those suffered by St. Luke’s Cornwall Hospital, Indiana University Health Arnett, and New West Medicare show how important it is to protect data stored on portable devices with encryption. The decision not to encrypt the data can prove expensive, costing far more than using encryption would have.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news