Medicaid data breach 'like an onion'

Ed Goodman, chief privacy officer at Identity Theft 911

One of the largest recent security breaches of personal health information (PHI), involving 280,000 individuals, is on the surface a "pretty low-risk scenario," says one privacy expert. But, he acknowledges, "these things are like an onion: the more layers you peel back, the stinkier it gets."

Affiliated insurers Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan reported the data breach, which involves the records of Medicaid recipients. According to their websites on Sept. 20, Keystone Mercy misplaced a portable computer drive (USB flash drive). The drive had personal health information about some of its members and others who attended some of its community events.

According to the Pennsylvania Department of Welfare, this is the first such Medicaid data breach in the state since at least 1997.

Keystone is Pennsylvania's largest Medical Assistance (Medicaid) managed care health plan serving more than 300,000 Medical Assistance recipients in Southeastern Pennsylvania including Bucks, Chester, Delaware, Montgomery and Philadelphia counties. AmeriHealth is a Medical Assistance (Medicaid) managed care health plan serving more than 100,000 Medical Assistance recipients in 15 counties. The two companies are jointly owned by Independence Blue Cross and the Mercy Health System and share headquarters in Southwest Philadelphia, where the drive was said to have gone missing.  

Ed Goodman, chief privacy officer at Identity Theft 911, a Scottsdale, Ariz., provider of data breach solutions, says the news has been so "sensational" due to the high number of individuals involved, "but the reality is that full Social Security numbers were not present."

Goodman says that, according to reports, the records of approximately 808 of the individuals included full or partial Social Security numbers. Although those members may want to take proactive measures against fraud, such as checking their credit files, he says this is not a large identity theft risk.

"Even though this is a low risk scenario, it cries out for recognition because it happened on one thumb drive," Goodman said.

Which brings him to the main takeaway: encryption. He says he assumes the data was not encrypted, because if it had been encrypted in line with HHS guidance (NIST-approved encryption, with the key kept off the lost drive) the data would count as "secured" PHI and the HIPAA breach notification rule would not have required the companies to report the loss at all.

Goodman calls encryption the "one out" to avoid having to report breaches. "You can put systems in place, but there are always going to be breakdowns in processes," he said.


Encryption is an uncomplicated, fairly cheap way to protect health information even for small organizations, he adds.
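What "encrypt it before it touches the drive" looks like in practice, as an added example that is not code from the insurers, Identity Theft 911, or the original article. It uses only Go's standard library: a 256-bit key that stays on the corporate system (a key vault or at least an encrypted store, never the thumb drive), AES-256-GCM so that a wrong key or a flipped bit fails closed instead of returning garbage, and a small file header so a spot check of a drive can tell an encrypted export from a plaintext CSV. The `PHIEXP1` header, the function names, and the sample member record are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Header marking a file as an encrypted export; constructed for this example so
// a spot check of the drive can distinguish ciphertext from a plaintext CSV.
var magic = []byte("PHIEXP1\x00")

var ErrNotEncrypted = errors.New("file is not an encrypted export")

// NewKey returns a fresh 256-bit key. The key is held on the corporate system
// (key vault, HSM, or an encrypted store), never written to the removable drive.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptExport seals a plaintext export under AES-256-GCM and returns
// magic || nonce || ciphertext+tag: the only bytes that reach the drive.
func EncryptExport(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, nonce...)
	// The header is bound as additional authenticated data so it cannot be swapped.
	return gcm.Seal(out, nonce, plaintext, magic), nil
}

// DecryptExport reverses EncryptExport. A wrong key, a tampered byte, a
// truncated file, or a file without the header all return an error.
func DecryptExport(key, blob []byte) ([]byte, error) {
	if !IsEncryptedExport(blob) {
		return nil, ErrNotEncrypted
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < len(magic)+ns+gcm.Overhead() {
		return nil, errors.New("truncated export")
	}
	nonce := blob[len(magic) : len(magic)+ns]
	ct := blob[len(magic)+ns:]
	return gcm.Open(nil, nonce, ct, magic)
}

// IsEncryptedExport is the cheap audit check for files found on a drive:
// a plaintext CSV will never carry the header.
func IsEncryptedExport(blob []byte) bool {
	return len(blob) >= len(magic) && bytes.Equal(blob[:len(magic)], magic)
}

func main() {
	// Constructed sample record; not real member data.
	record := []byte("member_id,name,dob,plan\n000123,Jane Doe,1970-01-01,Keystone Mercy\n")
	key, _ := NewKey()
	blob, _ := EncryptExport(key, record)
	fmt.Printf("header on drive: %q, name visible in file: %v\n",
		blob[:len(magic)], bytes.Contains(blob, []byte("Jane Doe")))
	if _, err := DecryptExport(make([]byte, 32), blob); err != nil {
		fmt.Println("whoever finds the drive without the key gets:", err)
	}
	pt, _ := DecryptExport(key, blob)
	fmt.Print(string(pt))
}
```

The design choice that matters for the safe harbor is where the key lives: a key stored on the same drive, or a password written on it, leaves the finder with everything needed to read the data, and HHS guidance treats such data as unsecured regardless of the algorithm. The header check is not a substitute for a policy that blocks writes to unencrypted removable media; it is the audit step that catches a plaintext file someone copied anyway.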

For the moment, the insurers seem to be in accordance with HIPAA.


Comments (5)

hobie18 says: Medicaid Breach - Are we really surprised

Given the high degree of billing fraud that goes undetected within Medicaid, can we really be surprised that data security is not well managed?

Tom Sowa says: mandatory encryption

Goodman calls encryption the "one out" to avoid having to report breaches. "You can put systems in place, but there are always going to be breakdowns in processes," he said.
-----------
How easy is it to force or require mandatory encryption of all data on external or thumb drives? If that's the case, the issue is fairly straightforward.

CPRTrev says: Encryption?

I am amazed that they ASSUME that the data was not encrypted. One would think there would be measures in place to assure that all transferable data is encrypted and locked. This could have been prevented, or at least better damage control.

Jeff Brand says: Lock down USB ports

I cannot believe Health Systems allow USB drives. You can buy USB locks for $12. This is where most breaches occur, at the USB. It makes all of HIT look bad.

Jeff Brandt
www.comsi.com

Dennis S says: Minimal security

We are told by many security experts how to manage against breaches in security. So, why would such valuable information be kept on a thumb drive? It doesn't make sense.