A computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing – one of the largest recent security breaches of personal health data in the nation. “We deeply regret this unfortunate incident,” said Jay Feldstein, the president of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The breach, which involves the records of Medicaid recipients, is the first such Medicaid data breach in Pennsylvania since at least 1997, according to the state’s Department of Welfare, which has oversight. “We take compliance [with federal privacy laws] very seriously,” department spokeswoman Elisabeth Myers said Wednesday.
The security failure, one of the several largest in nearly two years, involves nearly two-thirds of the insurers’ subscribers. It became known only after The Inquirer requested information Tuesday evening. The insurers said the drive was missing from the corporate offices on Stevens Drive in Southwest Philadelphia. It noted that the same flash drive was used at community health fairs.
“That seems grossly irresponsible,” said Dr. Deborah Peel, a Texas psychiatrist who heads Patient Privacy Rights, an advocacy group.
The news of the breach comes at a time when there is more emphasis – and billions of dollars in federal funding – to develop protocols for electronic medical records, with information being shared among providers, insurers, and consumers.
Paul Stephens, director of policy for the Privacy Rights Clearinghouse, said that data breaches in the finance and retail sectors tended to involve more people, but that health data are very sensitive and may also contain payment information.
Until The Inquirer asked for information, the company had not disclosed the data breach to affected members, most of whom live in Philadelphia and nearby counties
The federal website explaining the law says that breaches must be reported “without unreasonable delay and in no case later than 60 days.”
They would not say how they know the computer drive was lost, not stolen. They would not comment on the riskiness of taking the drive to health fairs, nor would they say whether the data on the drive was encrypted.