US healthcare provider Centene has admitted to losing six hard drives containing the healthcare records of over 950,000 customers. The company insists that no payment information was lost but does admit that the drives held personal information including health information, social security number, date of birth and other identifying data.
The drives were discovered to be missing when the company carried out an inventory of its IT assets. As more information is disclosed it will be interesting to see how long the disks have been missing and how they were stored and managed. So far Centene has not disclosed if the data on the drives was encrypted or protected in any way at all.
In the brief press release admitting the loss Michael F. Neidorff, Chairman, President and CEO of Centene said: “Centene takes the privacy and security of our members’ information seriously. While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives. The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”
At present Centene claims there is no evidence that any of the data has been used yet. However it has said that it will offer free credit and healthcare monitoring to all those customers affected but hasn’t said how long it will take to inform everyone. The company has also said that it is now: “reinforcing and reviewing its procedures related to managing its IT assets.”
Why did Centene store data on spare disk drives?
Many will wonder why so much data was just stored on hard drives without any evidence of encryption or being in a secure environment. It is not unusual for companies to archive or just copy unwanted data onto a hard drive. Unlike tape which takes time to restore, hard drives are a quick and easy approach for writing and restore data. They are especially useful where there is a need for occasional access to the data but the company doesn’t want to keep data online.
The problem with this approach is that you need to adopt strong safeguards to stop someone from stealing the drives. This includes the use of secure cabinets, controlled access and a sign in/out mechanism akin to an evidence control room. We don’t know yet if these processes are in place, were circumvented or whether the drives were just sitting in a cupboard or desk drawer.
Without knowing how long the drives have been missing it is difficult to establish the risk of the data surfacing. In addition to be stolen for their data, there are other ways that the drive may have gone missing. One possibility is that the drives may have been reused elsewhere inside the company and this is something that the audit should show up. Another possibility is that the drives were simply stolen because somebody wanted additional storage capability at home.
Centene will be hoping that this blows over quickly. Like many other publicly listed healthcare providers it will be acutely aware of the potential damage to its reputation from this incident. There will also be concerns over the level of fines it could face from the US regulator, especially if it transpires data was not encrypted and the drives were not held securely.
At the moment, the biggest concern for customers will be what do they do next. While no payment information was taken, hackers are investing large sums into building data sets that rival those of intelligence agencies. Healthcare data is a key part of that set especially if there is something that an individual would not want disclosed such as a transmissible disease.
It will be interesting to see how long it takes Centene to carry out their investigation and whether they go public with the results. With 950,000 patient records lost there will be a lot of attention paid to the how and why as well as what Centene is going to do to prevent a repeat.