A health insurer based in St. Louis, called Centene, has “misplaced” six hard drives. Normally that would not be a big deal, but these particular hard drives happened to contain the personal health information (PHI) of around a million patients. The missing data includes patient names, addresses, birthdays, and social security numbers. The information is in plain text, as the drives were not encrypted.
So many of the headlines we’ve seen about exposed customer information come on the heels of a high-profile, successful hacking attack that resulted in a serious data breach. In this case, however, it was nothing so dramatic. This was more along the lines of a company not following HIPAA requirements. To date, nobody at the company has a firm idea of what happened to the hard drives, or even when they went missing. What they do know is that the drives were being used as part of a Big Data project designed to use laboratory results to improve health care outcomes of the people they insure. It is unclear at precisely what point the drives disappeared, but the scope of the impact includes people they insure who received laboratory services between 2009 and 2015.
This story rather painfully underscores the importance of all aspects of data security, including physical security. Even if you have a rock-solid system in place to provide world-class digital security, something as simple as an unlocked door or a small cluster of hard drives left in the wrong place can lead to staggering data loss.
Compared with some of the other high-profile cases of data loss we’ve seen in recent months, this one is rather small. Sadly, it also appears to have been self-inflicted. Physical security is well understood and, for the most part, well implemented, but clearly there was a spectacular failure on that front here. The company’s investigation is ongoing. Expect HIPAA/OCR fines, and possibly even a lawsuit, to follow.