US health insurer Centene says it has lost six hard drives containing highly sensitive personal and medical information on 950,000 patients.
The firm posted an official mea culpa on Monday, claiming it was involved in an “ongoing comprehensive internal search” for the half dozed drives, which are currently unaccounted for.
"Centene takes the privacy and security of our members' information seriously," said Centene president and CEO, Michael Neidorff, in a statement.
"While we don't believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives. The drives were a part of a data project using laboratory results to improve the health outcomes of our members."
The information said to have been stored on the hard drives includes name, address, date of birth, social security number, member ID number and – presumably pretty sensitive – medical data.
There’s apparently no financial information on the missing hard drives.
However, what is on there is certainly enough for scammers to use in convincing looking phishing campaigns. There’s even the risk with medical information that hackers could use it to blackmail victims.
Centene is offering the obligatory free post-incident credit and healthcare monitoring, and says it is currently “reinforcing and reviewing” its processes for managing IT assets.
There was no word on whether the data on the drives was encrypted or not, although it would be a strange detail to leave out if such security precautions had been taken.
The incident represents something of a departure for many high profile US-related data breaches, which usually involve the virtual lifting of information via remote hackers.
The biggest such incident in the UK, of course, came in 2007 when two password-protected CDs were lost in the post, affecting over 25 million individuals – more than two-fifths of the population at that point.
The incident prompted a government review and helped privacy watchdog the ICO successfully accrue new powers to fine organizations for breaches of the Data Protection Act.