AvMed Breach Now Affects 1.2 Million

Largest incident reported so far under HITECH rule
AvMed Breach Now Affects 1.2 Million
AvMed Health Plans, which earlier reported a breach stemming from the theft of two laptops, now says one of the devices may have included information on more than 1.2 million of its current and former members.

That makes the breach the largest reported so far to federal authorities under the HITECH Act's Breach Notification Rule. A BlueCross and BlueShield of Tennessee breach caused by the theft of hard drives affected nearly 1 million.

In February, when it initially revealed the Dec. 11, 2009, incident, the Florida insurer said 208,000 current and former members had been affected. Later, it upped that total to 360,000 and notified them all.

Results of investigation
"As this investigation progressed with the involvement of leading data security experts, AvMed has concluded that there is reason to believe that similar information of approximately 860,000 additional current and former members may have been included," the insurer said in a June 3 statement. The company hired a forensics team from Price Waterhouse Coopers to help pinpoint the data involved, an AvMed spokesman says.

The two laptops were stolen from an AvMed facility in Gainesville, Fla., and one, which contained encrypted patient information, was recovered with the help of a tracking mechanism, the spokesman says. The other device, not yet recovered, included unencrypted information, including names, addresses, dates of birth, Social Security numbers and healthcare details. "There has been no evidence that any personal information has been misused as a result of this incident," the company said.

Notification efforts
Beginning the week of June 7, the 860,000 additional individuals affected will receive letters of notification offering two years of free identity protection from the Debix Identity Protection Network.

In addition, Florida Attorney General Bill McCollum, who is conducting an investigation, encouraged AvMed members to monitor their credit statements for possible fraud.

"We are strengthening our data security capabilities and procedures to help ensure this type of incident does not occur again," said Ed Hannum, the insurer's president and COO. AvMed is in the process of encrypting all its laptops, the spokesman acknowledges.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network