A portable flash drive missing from the offices of Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan, in Philadelphia, has jeopardized the personal information of 280,000 Medicaid recipients
An employee for the health plans had stored the personal info for the Medicaid recipients on an unencrypted hard drive while testing a new hardware product and misplaced the device at the office, Keith Eckert, a spokesperson for The AmeriHealth Mercy Family of Companies, wrote in an e-mail to CIO Insight sister publication eWeek.
Keystone Mercy Health Plan serves 300,000 Medicaid members in Southeastern Pennsylvania, which includes including Bucks, Chester, Delaware, Montgomery and Philadelphia counties, while AmeriHealth provides health coverage to 100,000 people in 15 counties in Northeastern Pennsylvania and the Lehigh/Capital area.
AmeriHealth Mercy will send letters to those recipients affected, Eckert said. In addition, the company will contact community and advocacy groups, legislators and health care providers to inform people about the situation. The health plan will also launch an employee training program to encourage the protection of members’ personal health data.
The company has 60 days to report the incident to the Department of Health and Human Services Office for Civil Rights, which enforces the HIPAA privacy regulations. HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational or other harm to the affected individual."
For more, read the eWeek article Lost AmeriHealth Mercy Flash Drive Exposes Data of 280,000 Medicaid Members.