More than 280,000 Medicaid patients in Pennsylvania this week are learning that two of the state's largest managed care providers somehow managed to misplace a portable flash drive containing the kind of personally identifiable information (PII) that identity thieves often work months and years to attain.
Officials at AmeriHealth Mercy and Keystone Mercy Health Plan said they first noticed the drive was missing from the companies' shared corporate offices on Sept. 20.
Along with patients' names, addresses and other health data, the files also contained the full or partial Social Security numbers of a small percentage of patients impacted by the data breach.
Company officials would not disclose whether or not the storage device was encrypted, but did say that it had been taken out of the office and used at community health fairs in the months leading up to its disappearance.
Once the device was deemed lost or missing, the companies reported the security breach to the Pennsylvania Department of Public Welfare and initiated what they called a "multifaceted" plan to inform the 280,000-plus people affected of the mishap.
"We deeply regret this unfortunate incident," Jay Feldstein, president of the managed care plans for both insurers, said in a statement. "At Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, our number one priority is our members."
Keystone Mercy Health Plan provides insurance to 300,000 mostly elderly and low-income subscribers in Philadelphia and several surrounding counties, while AmeriHealth serves more than 100,000 subscribers in several other counties in the state.
Almost exactly one year ago, California insurer Health Net reported a similar breach that exposed the PII of more than 1.5 million patients when an external hard drive disappeared.
In that breach, officials said the lost drive contained sensitive information, including Social Security numbers, dating as far back as 2002 for customers in Arizona, Connecticut, New Jersey and New York. While the data was compressed and saved as image files that require a specific and unspecified software application for viewing, the records were not encrypted.
Medical offices and health insurance companies were among the 10 riskiest places for consumers to use or lose their Social Security numbers and other personal information this year, according to security software maker Symantec.