Lost AmeriHealth Mercy Flash Drive Exposes Data of 280,000 Medicaid Members

A portable flash drive missing from the offices of Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, in Philadelphia, has jeopardized the personal information of 280,000 Medicaid members.

An employee for the health plans had stored the personal information for the Medicaid members on an unencrypted hard drive while testing a new hardware product and misplaced the device at the office, Keith Eckert, a spokesperson for The AmeriHealth Mercy Family of Companies, wrote in an e-mail to eWEEK.

The AmeriHealth Mercy Family of Companies is the largest Medicaid plan organization in the United States, the company reports.

“Despite an exhaustive search, we have been unable to find the missing drive,” Eckert said. “Keystone Mercy and AmeriHealth Mercy are now actively and responsibly executing a multifaceted plan to inform those affected, while also evaluating and enhancing our security measures to ensure this does not happen again. There have been no reports of anyone attempting to use the information stored on the drive.”

AmeriHealth Mercy will send letters to those members affected, Eckert said.

In addition, the company will contact community and advocacy groups, legislators, and health care providers to inform people about the situation.

On the flash drive were names, addresses, plan ID numbers and some personal health information, AmeriHealth Mercy reports.

The device also held the Social Security numbers of seven members and the last four Social Security digits of 801 others. The same portable device was also used at health fairs, according to The Philadelphia Inquirer.

The newspaper reportedly learned of the breach before AmeriHealth Mercy publicly disclosed it, the Philadelphia Inquirer reports.

Meanwhile, AmeriHealth Mercy has instituted changes to its systems since the incident but didn’t get into details on what changes have been made.

The health plan will also launch an employee training program to encourage the protection of members’ personal health data.

In addition, the company has 60 days to report the incident to the Department of Health and Human Services Office for Civil Rights, which enforces the HIPAA privacy regulations.

HHS defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual.”

Keystone Mercy Health Plan serves 300,000 Medicaid members in Southeastern Pennsylvania, which includes Bucks, Chester, Delaware, Montgomery and Philadelphia counties, while AmeriHealth provides health coverage to 100,000 people in 15 counties in Northeastern Pennsylvania and the Lehigh/Capital area.

In another major breach, South Shore Hospital, in South Weymouth, Mass., reported on July 19 that 800,000 personal records were lost instead of destroyed by a data management firm. On Sept. 8 the hospital announced that it had completed its investigation and that the breach resulted in little to no risk of exposure. Files on a lost backup tape could not be accessed, according to the hospital.