Six hard drives containing the medical records of nearly a million people have gone missing through a national health insurer, the group admitted this week.
St. Louis-based Centene Corporation confirmed that 950,000 client records – including customers’ names, addresses and dates of birth as well as social security numbers and membership details from 2009 to 2015 – were contained on the drives.
No financial or payment details of customers were included, however.
“While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives,” Centene Chief Executive Michael Neidorff said.
“The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”
Industry lawyers have told reporters that the sensitivity of the information involved is likely to require a report from Centene to US regulatory authorities. The carrier may also have to pay a fine for the data loss.
And depending on the eventual fate of the hard drives, the issues facing Centene could be much worse.
Paul Farringdon of the security company Veracode told the BBC the threat of fraudsters gaining access to the information is great.
“If this data was found and accessed, it could lead to fraudsters piecing together a bigger picture of information on individuals that could be used to trick users into giving away money, power and information to people who would do harm,” Farringdon said. “Information already available from other breaches on the dark web can be used to provide an enriched view on patients.”
The news comes after similar breaches occurred at Anthem and Blue Cross saw the loss of 80 millio and 11 million records, respectively.
Health insurer CareFirst also lost the data of 1.1 million of its customers in June 2015 through a hack, and Sutherland Healthcare suffered a breach that affected 340,000.
