Medicaid Breach Affects 280,000

Health Plans Report Missing Flash Drive
Medicaid Breach Affects 280,000
In one of the largest health information breach incidents in recent months, two affiliated insurance plans serving Medicaid patients in Pennsylvania have reported the loss of an unencrypted flash drive with information on 280,000 members.

The drive, which was discovered to be missing Sept. 20, included members' health plan ID numbers and certain health information, according to the insurers - Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. It also included the last four digits of 801 members' Social Security numbers plus complete Social Security numbers for seven others, the insurers said.

The health plans, which serve a total of 400,000 members, are notifying all affected individuals about the incident. They will offer free credit monitoring to those whose Social Security numbers, either in whole or in part, were on the drive. So far, the companies say they have no evidence that anyone has attempted to use the information stored on the drive.

"The information was put on an unencrypted portable flash drive so that the data could be available as part of testing a new hardware solution, and the drive was later lost in our corporate offices," according to a statement from the companies. "We have taken immediate steps to strengthen our operational protections to ensure this doesn't happen again," said Jay Feldstein, president of the plans.

Under the HITECH Act interim final breach notification rule, breaches affecting 500 or more individuals must be reported to the Department of Health and Human Services Office for Civil Rights and the individuals affected within 60 days. The Pennsylvania incident is not yet on the OCR list of major health information breaches, which includes 186 incidents affecting about 5 million individuals.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.