Centene Corporation has begun the process of notifying 950,000 members who may have been affected by a possible data breach.
On Monday, the multi-line healthcare enterprise announced that it was launching a search for six hard drives that are currently unaccounted for among its information technology assets:
“Centene takes the privacy and security of our members’ information seriously,” Michael F. Neidorff, Chairman, President and CEO of the company, said in a press release. “While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives. The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”
The missing hard drives are thought to contain the personal health information of approximately 950,000 individuals who received laboratory services from Centene between 2009 and 2015, including members’ names, addresses, dates of birth, social security numbers, member ID numbers, and other health information.
While there is no evidence that the hard drives contained individuals’ financial or payment data, stolen personal health information nonetheless enables computer criminals to conduct phishing attacks whereby they might seek to gain access to members’ accounts, notes Phil Muncaster of Infosecurity Magazine. Additionally, malicious actors could leverage the stolen information to blackmail affected members.
At this time, there is no evidence that the data was encrypted.
“Consistent with our policies around communication and transparency, we are beginning the process of notifying all affected individuals and all appropriate regulatory agencies as we continue to search and investigate,” Neidorff went on to comment.
Centene will also offer customers free credit and healthcare monitoring while it works to revamp its IT asset management strategy.
The nature of this incident differs significantly from previous breaches. For example, Anthem suffered a breach last year when external attackers exploited a vulnerability in order to gain access to a company database, thereby compromising the information of 80 million customers.
Even so, Centene is not the only company to have misplaced IT assets. Back in 2007, two password-protected CDs owned by Her Majesty’s Revenue and Customs (HMRC) were lost in the mail. This incident compromised the information of 25 million UK children and parents.