An unencrypted CD containing personal information of 75,000 customers of Empire Blue Cross and Blue Shield has been recovered.
The CD was apparently lost in transit earlier this year when Health Data Management Services—a subcontractor to Magellan Behavioral Solutions of Avon, Conn.—sent it to Magellan via UPS. The disc contained medical and personal information, including social security numbers, names and health plan information dating back to 2003.
Empire Blue Cross and Blue Shield is a subsidiary of WellPoint, which began notifying customers whose information was on the CD last week.
"Although there was no indication that the CD had been stolen, last week Empire sent a letter to inform affected groups and members who may have been impacted," company officials said in a statement.
"We are relieved the CD has been found. The information was not transferred in accordance to our contractual terms with Magellan, who did not require HDMS to encrypt or password protect the data. We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer were unacceptable."
Erin Sommers, vice president of public relations at Magellan, said her company and HDMS already have an agreement mandating appropriate measures be taken to protect data.
Calling the incident a lapse in judgement, she said Magellan and HDMS will now only exchange data through a secure electronic process. She added the CD was mistakenly delivered to a private residence in the Philadelphia area.
"We're confident there's been no inappropriate access to the data," Sommers said.
The flap over the missing CD was the second publicized potential data leak affecting WellPoint in recent weeks. In February, WellPoint officials reported information on 196,000 of their customers that was stored on electronic backup tapes was stolen from a subcontractor in Massachusetts late in 2006.