Centene loses hard drives containing health information of 950,000 individuals

Health insurance company Centene Corporation (Centene) is looking for six misplaced computer hard drives that contain the personal health information of an estimated 950,000 individuals. While the lost hard drives do not include any financial or payment information, the company says that names, addresses, birthdates, social security numbers, and health information of individuals who received laboratory services from 2009 to 2015 are contained within the drives.

Internal search

Centene Chairman, President and CEO, Michael F. Neidorff, says that the company does not believe that the information was used inappropriately, but adds that it is disclosing its ongoing search for the drives, “out of abundance of caution and in transparency.” The drives were part of a data project that intended to use laboratory results to improve health outcomes.

The company is reviewing and “reinforcing” its information technology (IT) asset managing procedures and is offering free credit and health care monitoring for the individuals who are affected by the loss.

Reporting

The HHS Office for Civil Rights (OCR) website does not currently reflect that Centene has reported the missing drives to that agency. The Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) Omnibus Final Rule (78 FR 5566) requires HIPAA covered entities and business associates to notify patients of breaches unless they actually demonstrate a low probability that protected health information was compromised (45 C.F.R. sec. 164.404). For breaches involving 500 individuals or more, CEs must notify HHS at the same time that they make individual notifications; in addition, they must notify the media (45 C.F.R. sec. 164.408).

Recent breaches

In 2015, there were six breaches that affected more than a million individuals that were reported on the HHS OCR’s website. These included breaches at Anthem, which compromised the data of 78.8 million individuals, and Premera Blue Cross, which reportedly involved 11 million records. Both breaches were tied to Chinese espionage (See 5 hot topics in cybersecurity, Health Law Daily, January 7, 2016).

Health programs

Centene provides programs and services to government-sponsored health care programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).