Lost Flash Drive Affects 280,000
Two affiliated Medicaid managed care plans in Pennsylvania have acknowledged that an unencrypted flash drive containing protected health information on 280,000 members went missing on Sept. 20.
AmeriHealth Mercy Health Plan and Keystone Mercy Health Plan did not disclose the lost drive until a Philadelphia Inquirer reporter learned of the incident and called in recent days, according to the newspaper. The plans will be notifying affected members, according to a statement.
Information on the flash drive included patient names, addresses, plan ID numbers and personal medical information. Only 7 members had their Social Security number on the drive and 801 had the last four digits of their number, according to the Inquirer. The plans will offer free credit monitoring services to patients whose Social Security information was on the drive.
The newspaper said the drive was taken to and used at community health fairs. The health plans in a statement said patient information was put on the drive “so the data could be available as part of testing a new hardware solution and the drive was later lost in our Philadelphia office.”
According to the statement, the company has put in place unspecified technical safeguards to prevent similar occurrences. A company spokesperson was not immediately available for additional comment.
Company officials would not comment to the Inquirer about how the incident happened, how they know the drive was lost and not stolen, the risk of taking it to health fairs, and whether the incident has been reported to the HHS Office for Civil Rights.
The incident is not yet posted on OCR's Web site of breaches affecting 500 or more individuals. Organizations have 60 days from the date when they learn of a breach to report it. There is no announcement of the breach on either health plan's Web site, or the site of corporate parent AmeriHealth Mercy Family of Companies. The parent operates eight Medicaid health plans covering 6.5 million members.