The AmeriHealth Mercy insurance company has lost a portable flash drive containing personal information for 280,000 Medicaid recipients.
A portable flash drive missing from the offices of Keystone Mercy Health Plan and
AmeriHealth Mercy Health Plan, in Philadelphia,
has jeopardized the personal information of 280,000
An employee for the health plans had stored the personal information for the
Medicaid members on an unencrypted hard drive while testing a new hardware
product and misplaced the device at the office, Keith Eckert, a spokesperson
for The AmeriHealth Mercy Family of Companies, wrote in an e-mail to
The AmeriHealth Mercy Family of Companies is the largest Medicaid plan organization
in the United States,
the company reports.
an exhaustive search, we have been unable to find the missing drive,"
Eckert said. "Keystone Mercy and AmeriHealth Mercy are now actively and
responsibly executing a multifaceted plan to inform those affected, while also
evaluating and enhancing our security measures to ensure this does not happen
again. There have been no reports of anyone attempting to use the
information stored on the drive."
Mercy will send letters to those members affected, Eckert said.
In addition, the company will contact community and advocacy groups, legislators,
and health care providers to inform people about the situation.
the flash drive were names, addresses, plan ID numbers and some personal health
information, AmeriHealth Mercy reports.
The device also held the Social Security numbers of seven members and the last four
Social Security digits of 801 others. The same portable device was also used at
health fairs, according to The
newspaper reportedly learned of the breach before AmeriHealth Mercy publicly
disclosed it, the Philadelphia Inquirer reports.
AmeriHealth Mercy has instituted changes to its systems since the incident but
didn't get into details on what changes have been made.
The health plan will also launch an employee training program to encourage the
protection of members' personal health data.
In addition, the company has 60 days to report the incident to the Department of
Health and Human Services Office for Civil Rights, which enforces the HIPAA
defines a breach as "an impermissible use or disclosure under the Privacy
Rule that compromises the security or privacy of the protected health
information such that the use or disclosure poses a significant risk of
financial, reputational or other harm to the affected individual."
Keystone Mercy Health Plan serves 300,000 Medicaid members in Southeastern
Pennsylvania, which includes Bucks, Chester,
and Philadelphia counties, while
AmeriHealth provides health coverage to 100,000 people in 15 counties in Northeastern
Pennsylvania and the Lehigh/Capital area.
In another major breach, South Shore Hospital, in South Weymouth, Mass.,
reported on July 19 that 800,000 personal records were lost instead of
destroyed by a data management firm.
On Sept. 8 the hospital announced that it had completed its investigation and
that the breach resulted in little to no risk of exposure. Files on a lost
backup tape could not be accessed, according to the hospital.