Molina Healthcare recently began notifying 54,203 current and former plan members that a former CVS employee took their protected health information (PHI) and sent it to his personal computer on or around March 26, 2015 (h/t SC Magazine).
The exposed data includes names, CVS IDs, CVS ExtraCare Health Card numbers, member IDs, Rx plan numbers, Rx plan states, start dates, and end dates.
“This may put you at risk for identity theft,” Molina Healthcare stated in a notification letter [PDF] to those affected.
CVS believes the former employee stole the data in order to fraudulently obtain OTC products from CVS. All those affected are being advised to place fraud alerts on their credit files, are being provided with replacement CVS ExtraCare Health Cards, and are being offered one free year of identity theft protection services.
“Although the former CVS employee was found to have placed fraudulent OTC orders with respect to 182 Molina Medicare members in Texas, CVS has not detected any fraud with respect to any of the other affected Molina Medicare members,” Molina Healthcare said in a statement provided to SC Magazine.
“Molina Healthcare joins a long list of healthcare organizations that have suffered breach incidents this year due to unintended email or the mishandling of sensitive data,” FinalCode COO Scott Gordon told eSecurity Planet by email. “Given HIPAA and HITECH privacy regulations concerning the protection of PII (personal identifiable information) and ePHI (electronic patient health information), care providers, insurers and retailers need to rethink how they are securing data while advancing the necessary and timely access to medical records.”
“Managing modern data leakage risks requires a layered approach, due to the variety of user types, devices and data collaboration mechanisms, to handle potential internal and external threats,” Gordon added. “Beyond re-examining current policies, processes and education practices, additional technical controls are also warranted. Examples of these would include gateway protection, such as email filtering and data loss prevention (DLP), and host-level controls such as anti-malware and end-point threat detection.”
Molina Healthcare of New Mexico had previously experienced a data breach in May 2014 when 5,261 former members’ Social Security numbers were mistakenly printed on postcards sent on Molina’s behalf by third-party vendor Creel Printing.
A recent survey of 223 healthcare executives found that 81 percent of healthcare organizations have been compromised by malware, botnets or cyber attacks at least once in the past two years.