Update: CD with personal information of 75,000 Empire Blue Cross members found

Magellan Behavioral Health Services has located a CD containing the personal and medical information of about 75,000 customers of Empire Blue Cross and Blue Shield.

The CD was lost in transit but located Wednesday afternoon, according to a statement from Empire.

Health Data Management Solutions (HDMS), a third-party vendor to Magellan, had sent the CD via UPS, according to Empire’s news release. Magellan is an Empire program administrator.

Empire sent a letter to affected members last week notifying them of the possible breach.

Social Security numbers, health plan ID numbers and descriptions of medical services rendered since 2003 were on the CD, according to a report by the New York Times on Wednesday.

In a strongly worded statement released today by the New York-based health care provider, Empire officials were said to be "relieved the CD has been found."

"The information was not transferred in accordance to our contractual terms with Magellan, who did not require HDMS to encrypt or password protect the data. We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer was unacceptable," Empire said in a statement. "As a result, Magellan will now only transmit personal health information electronically through a secure network, eliminating CDs and the use of a delivery source."

Empire spokeswoman Lisa Greiner referred queries to Empire’s statement.

Erin Somers, Magellan spokeswoman, told SCMagazine.com today that both her company and HDMS "had errors of judgment during the transition."

"It’s important to remember that we have a business associate agreement with HDMS that requires appropriate measures to be taken to safeguard data," she said. "We have put into place a process through which we transfer data through an electronic network."

Empire set up a toll-free number for affected parties to call, 1-800-293-3443.

James Hurley, executive director of research for the IT Policy Compliance Research Group, told SCMagazine.com today that one of every two data breaches is the product of human error.

Hurley said that health care organizations have a "more consistent set of rules" than firms in other verticals, especially international firms. Recent research showed that firms that often monitor their networks for breaches are less likely to see a data security incident, he said.

"There is a consistent, direct correlation between the number of firms monitoring and the (breach) results," he said. "I think (education) is a very important (factor for preventing data loss), but more than education is being able to develop serious company policies and being able to develop both encouragement and penalties for those policies."

Click here to email Online Editor Frank Washkuch Jr.
