Health insurer Centene Corp said on Monday it is missing six hard drives containing the personal and health information of about 950,000 people.
The hard drives do not include any financial or payment details of customers, the company said.
It said it was conducting an internal search for the hard drives and believed the information had not been used inappropriately.
The missing data from the hard drives included the names, addresses, dates of birth, Social Security numbers, member identification numbers and health information of patients who received laboratory services between 2009 and 2015.
Centene said it has started to notify clients and would offer free credit and healthcare monitoring to those affected.
You now need to ask the question: why is this important to me? From the information provided by Centene, it appears that they believe the drives may have been misplaced and may still be in their possession; they just do not know where. The problem is exactly that: they do not know. It also appears that the drives were not encrypted; had they been, Centene would have included that information when they made their announcement. If the drives were properly encrypted, Centene would not have been obligated to make the announcement, they would not have been required to begin notification of any individuals, and they would not be obligated to offer free credit and healthcare monitoring services.
The moral of this story is that ALL drives must be encrypted. This includes removable hard drives, thumb drives and all devices that may contain patient data. Simply losing track of one of these devices when it is not encrypted can result in your practice having to go through many of the steps related to breach notification. In this case 950,000 patients are potentially impacted, but the threshold for the required breach notification process is 1 patient, and if 500 or more are impacted you are required to report this to a news outlet.