Hard Drives Lost, Affecting Nearly 1 MillionIncident Raises Issues About Encryption, Inventory Tracking
Health insurer Centene Corp. reports that six unencrypted hard drives containing protected health information for 950,000 individuals are missing.
The incident raises questions about the steps needed to protect storage media. Some security experts contend that the routine encryption of storage media may not be essential if, for example, the devices are locked up in a data center. But federal authorities in 2012 fined another health insurer after a breach involving stolen unencrypted hard drives. And the Centene incident also spotlights the challenges of tracking all IT inventory.
In a statement, the St. Louis company, which provides health plans for government-sponsored programs, including Medicaid, says that although it has no evidence that the information on the missing hard drives has been inappropriately used, it's notifying government regulators and affected individuals.
"While we don't believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives," said Michael Neidorff, chairman, president and CEO of Centene in the company's Jan. 25 statement.
In a subsequent Jan. 26 financial statement about Centene's preliminary 2015 financial results, the company said the hard drive incident "resulted from an employee not following established procedures on storing IT hardware." Centene also noted that it has approximately 26,000 IT devices in its inventory. "While we cannot estimate the impact with certainty at this time, the company does not expect the impact of the incident to have a material effect on its future growth opportunities, financial position, cash flow or results of operations," the statement said.
Centene, a Fortune 500 company that is in the process of buying Health Net, is one of many health insurers that have reported data breaches. In 2015, a number of major hacker attacks affecting a total of more than 100 million individuals were reported by insurers, including Anthem Inc., Premera Blue Cross, CareFirst Blue Cross Blue Shield and Excellus BlueCross BlueShield.
The Centene incident, if details are confirmed by the Department of Health and Human Services, would be among the largest breaches involving lost or stolen computing or storage devices listed on HHS' Office for Civil Rights "wall of shame" website of breaches affecting 500 or more individuals.
The largest of those incidents, which affected about 4.9 million individuals, involved the 2011 theft of unencrypted backup computer tapes from the car of an employee of Science Applications International Corp., a business associate of TRICARE, the military health program.
Other big incidents are the 2013 theft of desktop computers from Advocate Medical Group in Chicago, which affected more than 4 million individuals; and the 2009 theft of two unencrypted laptop computers from health insurer AvMed Health, affecting 1.2 million individuals.
Centene CEO Neidorff said the missing drives "were a part of a data project using laboratory results to improve the health outcomes of our members." The hard drives contained the PHI of certain individuals who received laboratory services from 2009 to 2015, including name, address, date of birth, Social Security number, member ID number and health information.
Under the HIPAA Security Rule, encryption of PHI is "addressable," which means it's not required if organizations thoroughly document alternative satisfactory security measures.
But an OCR spokesperson tells Information Security Media Group: "OCR's 2012 settlement with Blue Cross Blue Shield of Tennessee for $1.5 million illustrates the importance of encrypting hard drives." That case stemmed from a 2009 theft of 57 unencrypted hard drives from a leased call-center facility that had recently closed, compromising the data of 1 million individuals.
Some privacy and security experts, however, contend that the need to always encrypt hard drives is not as clear cut as the need to encrypt, for example, data on laptops.
"Many organizations do not encrypt hard drives, depending on what types of [computing] devices they're in and where the drives are physically located," says Kate Borten, founder of security and privacy consulting firm The Marblehead Group.
"Encryption is an addressable specification, allowing for alternative equivalent controls in some situations. Organizations may determine that their physical controls over certain hard drives that never leave the data center or other secure areas are sufficient protection," she notes. "Also, for drives that never leave the premises, there is a cost to encryption that must be weighed against the benefit. This isn't always a black-and-white decision. However, data storage on end-user portable and mobile devices and media, such as USB flash drives, carries very high risk and should routinely be encrypted."
The intended use of hard drives and other storage media can also influence policies about encryption, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"While many healthcare organizations have encrypted all of their laptops, encrypting all media, especially in settings such as research, can bring a different set of challenges," he says. "Sometimes there are less systems in place surrounding the issuance and tracking of electronic media, such as portable hard drives. Organizations can consider technical solutions, such as technical safeguards that do not allow transferring information to non-enterprise, unencrypted devices. But implementation of such technical solutions is expensive and time-consuming and will invariably cause widespread mutiny if not delicately managed."
The Centene incident shines a spotlight on the difficulties related to tracking IT inventory, says Tom Walsh, founder of security consulting firm tw-Security.
"While the HIPAA Security Rule has an implementation specification of 'accountability' under the standard of 'device and media controls,' maintaining an accurate inventory and tracking everywhere PHI is stored is easier said than done," he says.
"An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn't scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information. "
To improve the oversight of IT equipment and the appropriate level of security controls needed, "an inventory should identify high-risk devices where large amounts of PHI are stored or where the threat of theft and loss are greater than other devices," Walsh notes. "For example, a laptop used to collect and store patient information during a medical procedure is at a higher risk than a virtualized workstation - functioning like a dumb terminal - that cannot store any information to the internal hard drive."
A risk analysis along with an accurate inventory will help organizations to "channel limited security resources where they are needed most," Walsh adds.
Dan Berger, CEO of security consulting firm Redspin, notes: "PHI, by its very nature, finds its way onto many devices, is stored in many places and is accessed by many individuals. As a result, healthcare organizations must be disciplined about tracking PHI throughout the organization and ensuring the appropriate safeguards are in place everywhere. Encryption adds cost and complexity, but a PHI breach can be far more costly."
Centene did not immediately respond to ISMG's request for comment.