Major health insurer Centene Corp. announced that six computer hard disk drives with the health records of almost one million individuals are missing. In a press release, the company confirmed that an ongoing comprehensive internal search has not yet recovered the disks, which contain sensitive personal and health data. The company has not indicated how long the disks have been missing, whether they were encrypted, or where they had been stored – onsite or at a third-party vendor.
Centene’s website indicates that the company has over 4.8 million members across 23 states. It covers government-sponsored healthcare programs, focusing on under-insured and uninsured individuals via Medicaid and the State Children’s Health Insurance Program (CHIP), as well as Aged, Blind or Disabled (ABD), Foster Care and Long Term Care (LTC) programs, including pharmacy, vision and in-home services.
“While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives,” Michael Neidorff, Centene chairman, president and CEO, said in a news release. The company has determined the lost drives contained information for certain individuals who received laboratory services from 2009-2015 including individuals’ names, dates of birth, Social Security numbers, member ID numbers, and health information. The drives did not have any financial or payment histories.
The information on the disks falls into two categories: personally identifiable information (PII) and personal health information (PHI). PHI includes health records, member identity numbers, pharmacy records and any providers seen, including their specialties. It is considered “rich information” because it can be used not only for identity theft but also to obtain medical services. Since few providers keep photos of patients, anyone can use medical ID numbers and names to get medical services, including prescriptions, leading to medical fraud and large bills later sent to the person whose information was used.
Jay Foley of ID Theft Info Source talked of one woman he counseled about identity theft issues who had to prove she had not given birth within the last three days. Another of Foley’s clients received a reminder call about a plastic surgery appointment that she never scheduled. With the help of the provider, that thief was arrested when she showed up for her breast enhancement surgery. One family received a bill for medical services provided six months after the death of their terminally ill child.
“The healthcare industry is a prime target for cyber criminals because of the data healthcare entities collect, create, manage and store,” said Emily Mossburg, a principal with Deloitte & Touche LLP’s cyber risk services practice. “PHI, personal health information, is a rich target and given the breadth of ways this data can be illegally and maliciously used and exploited, there are a broad set of attackers targeting PHI.