Medicaid Breach Affects 280,000Health Plans Report Missing Flash Drive
The drive, which was discovered to be missing Sept. 20, included members' health plan ID numbers and certain health information, according to the insurers - Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. It also included the last four digits of 801 members' Social Security numbers plus complete Social Security numbers for seven others, the insurers said.
The health plans, which serve a total of 400,000 members, are notifying all affected individuals about the incident. They will offer free credit monitoring to those whose Social Security numbers, either in whole or in part, were on the drive. So far, the companies say they have no evidence that anyone has attempted to use the information stored on the drive.
"The information was put on an unencrypted portable flash drive so that the data could be available as part of testing a new hardware solution, and the drive was later lost in our corporate offices," according to a statement from the companies. "We have taken immediate steps to strengthen our operational protections to ensure this doesn't happen again," said Jay Feldstein, president of the plans.
Under the HITECH Act interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services Office for Civil Rights and the individuals affected within 60 days. The Pennsylvania incident is not yet on the OCR list of major health information breaches, which includes 186 incidents affecting about 5 million individuals.