The Philadelphia Inquirer last week reported that the names, addresses, and personal health information of some 280,000 Medicaid recipients have gone missing. The information was on a flash drive owned by two affiliated Philadelphia insurance companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan. The two companies are jointly owned by Independence Blue Cross and the Mercy Health System.
The Inquirer says that, "Keystone Mercy Health Plan provides insurance to 300,000 Medicaid members in Philadelphia, Bucks, Montgomery, Delaware, and Chester Counties. AmeriHealth serves 100,000 in a 15-county arc running from Harrisburg to northeastern Pennsylvania."
The flash drive went missing on September 20, but the situation only came to light after the Philadelphia Inquirer sought information about it. How the paper heard about the lost drive wasn't mentioned.
According to the Inquirer, the flash drive was routinely taken to community health fairs, although the companies didn't think that the flash drive was lost at one of them, but at its corporate offices in Southwest Philadelphia.
The Inquirer noted that the insurance companies refused to explain why a flash drive containing tens of thousands of sensitive records was routinely taken to health fairs in the first place.
The press release by Keystone Mercy only cryptically says that, "The drive had personal health information about some of our members and others who attended some of our community events." This implies that the information on the drive was accessed by the companies' representatives at these health fairs - for what reason is not stated. Offering members more insurance, perhaps?
The Inquirer further noted that the insurance companies refused to say whether the data on the flash drive was encrypted, or why they thought the flash drive was lost rather than stolen.
In fact, the Inquirer said, "the companies refused to offer any explanation of how the incident happened."
Additionally, the Inquirer has been trying to determine whether the companies broke any data disclosure laws by not notifying its members about the missing information for nearly a month. The companies have refused to say whether or not they notified the federal government about losing track of the flash drive at the time.
Per usual, the president of two companies, Jay Feldstein, said, "We deeply regret this unfortunate incident."
And an accompanying press statement by the companies also said that plan members are their "number one priority."
You can judge that for yourself.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.