Medical information theft is in the news again: this time, it's nearly 40,000 patient medical records, which were compromised when thieves made off with two hard drives belonging to the Indiana State Medical Association (ISMA).
In February, two archive backup hard drives that stored the ISMA group health and life insurance databases for 39,090 insureds were stolen. The association called it a “random criminal act” that occurred while an ISMA employee was transporting the hard drives to an offsite storage location as part of the association’s disaster recovery plan.
The information at risk includes identifying information such as name, address, date of birth, email address, health plan number, Social Security number and personal medical history information—all that’s needed to commit insurance fraud or identity theft. Also, there are likely to be follow-up phishing campaigns.
The loss or theft of data at rest contained on hard drives is not an uncommon situation, and seems to occur in medical settings more often than in other verticals, thanks to data storage requirements for patient records. It’s unclear whether the data on the drives was encrypted; ISMA said only that the information “cannot be retrieved without special equipment and technical expertise.”
The theft was reported to the Indianapolis Metropolitan Police Department (IMPD), which is actively investigating, and the ISMA sent notification letters to the tens of thousands of individuals affected, who are current and former consumers of the ISMA insurance plans. Each individual notification letter explains the specific types of information involved, since not all records included social security numbers or medical history information.
The ISMA’s insurance plans are run through Anthem, but the company was quick to note that the situation is separate from the recent cyber-attack on the insurance giant. However, there is likely to be significant overlap between the two affected groups of victims.