The unencrypted drives held names, addresses, birthdates, Social Security numbers, member ID numbers and health information.
The healthcare provider Centene Corporation recently announced that it’s searching for six unencrypted hard drives that were unaccounted for in an inventory of IT assets.
The drives held the names, addresses, birthdates, Social Security numbers, member ID numbers and health information of approximately 950,000 people who received laboratory services between 2009 and 2015.
“While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives,” Centene chairman, president and CEO Michael F. Neidorff said in a statement. “The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”
All those affected are being offered free access to credit and healthcare monitoring services. “Centene is in the process of reinforcing and reviewing its procedures related to managing its IT assets,” the company said in a statement.
Hormazd Romer, head of product marketing at Accellion, noted by email that healthcare breaches keep occurring, despite the industry’s stringent compliance regulations. “Though the incident at Centene may not be linked to cybercrime, it still highlights the need for stronger security controls within highly regulated industries,” he said. “Unless the compromised data was encrypted, the individuals in possession of the hard drives now have access to very sensitive healthcare data, which is considerably more valuable on the black market than other forms of personally identifiable information.”
IDT911 chairman and founder Adam Levin said a breach like this can put patients’ lives in jeopardy. “When thieves or their customers exploit drug prescriptions, seek treatment or obtain medical procedures using stolen identities, they drain insurance coverage — leaving victims stranded when they are most vulnerable and in the greatest need,” he said. “In addition, health records can be contaminated and falsified: blood types can change and allergies can appear or disappear. This could mean the difference between life and death in emergency situations.”
The U.S. Department of Health and Human Services’ fines for potential HIPAA violations like these can be significant — in 2014, New York Presbyterian Hospital and Columbia University Medical Center were fined $4.8 million for failing to secure 6,800 patients’ PHI; in 2013, WellPoint agreed to pay $1.7 million for leaving 612,402 people’s PHI exposed online; and in 2012, Alaska’s Department of Health and Social Services agreed to pay a $1.7 million fine in connection with the theft of a hard drive containing 501 people’s PHI.
Bitglass this week released its 2016 Healthcare Breach Report, which found that one in three Americans were victims of healthcare data breaches in 2015, a massive increase over the previous year.
Ninety-eight percent of record leaks, the report found, were due to large-scale breaches such as the Premera Blue Cross and Anthem hacks. In total, more than 111 million Americans’ data was lost due to hacking or IT incidents in 2015, a massive increase from 12.5 million in 2014.