Slashdot Mirror


Six Missing HDDs Contain Health Information of Nearly a Million Patients (corporate-ir.net)

Lucas123 writes: Health insurer Centene Corp. revealed that it is looking for six HDDs with information on 950,000 customers that went missing during a data project that was using laboratory results to improve the health outcomes of patients. The drives not only contain sensitive personal identification information, such as addresses, dates of birth and social security numbers, but they also contain health information. "While we don't believe this information has been used inappropriately," said Michael Neidorff, CEO of Centene.

1 of 87 comments

  1. Re: Researchers! by tlambert · Score: 5, Interesting

    Researchers don't need an SSN for a patient. Just assign each patient a number and refer to them that way.

    The CS professional should have sanitized the data before releasing it.

    In this case, the intent was to use the lab results to ensure improved patient outcomes. This means that the data had to be trackable back to the patients that provided it, and then the lab results were to be fed back into the treatment of said patients.

    So this was technically not "human trials research", it was a bioinformatics business process to manage outcomes. As such, it's HIPAA protected, certainly -- but also, 100% personally identifiable.

    For the people I know who have bought private insurance, or participated in one of the exchanges, but not yet provided their social security number, there tends to be a lot of letters sent (on the order of one a month) from the insurer, asking for the social, nominally to inform the IRS of your insurance, with the implied threat that if you don't provide the social, the IRS is going to eat your babies.

    In other words: health care providers really, really like your social. Typically, according to people in the billing industry whom I also happen to know, it's so that when they screw up on their billing -- which they inevitably do -- they can send the bills to a collections agency easier, in order to damage your credit over their screwup, until you pay them for their inability to code a procedure "correctly" so the health insurance accepts the coding.

    So they had the socials, probably for not very good reasons, and they used them as an identifier for notionally very good reasons of unique correlation, and then they lost the data because they were idiots who don't routinely protect HIPAA data to the level required to allow them use of it in the first place.
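The comment above argues that an outcomes project needs records that can be traced back to the patient, but does not need the SSN itself travelling with the lab data. The following is an added example (not code from the Slashdot post, from tlambert, or from Centene) of how that split is typically done: each SSN is replaced by a keyed pseudonym so the same patient always gets the same token, the direct identifiers are stripped before release, and a separate linkage table plus key stay in the source system so results can still be fed back into treatment. All records and the key are constructed sample values; field names like `patient_token` are this example's own choices.

```python
"""Pseudonymize patient records before handing them to an analytics project.

Added example: it illustrates the suggestion in the comment above (refer to
patients by an assigned identifier, sanitize before release) while keeping the
dataset linkable back to the patient through a separately held key and table.
All records below are constructed sample data, not real people.
"""
import hmac
import hashlib
import secrets

# Fields that identify a person directly and must not leave the source system.
DIRECT_IDENTIFIERS = {"ssn", "name", "address", "dob"}

# Constructed sample records (no real people).
SAMPLE_RECORDS = [
    {"ssn": "123-45-6789", "name": "A. Example", "address": "1 Main St",
     "dob": "1970-01-01", "lab": "HbA1c", "value": 6.8},
    {"ssn": "987-65-4321", "name": "B. Example", "address": "2 Side Rd",
     "dob": "1982-05-09", "lab": "HbA1c", "value": 5.4},
    {"ssn": "123-45-6789", "name": "A. Example", "address": "1 Main St",
     "dob": "1970-01-01", "lab": "LDL", "value": 142},
]


def pseudonym(ssn: str, key: bytes) -> str:
    """Keyed, deterministic token for an SSN.

    Same patient -> same token, so lab results still correlate per patient.
    The key matters: SSNs have only about a billion possible values, so an
    unkeyed hash could be reversed by hashing every candidate.
    """
    digest = hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def pseudonymize(records, key):
    """Return (research_dataset, linkage_table).

    research_dataset: lab data with direct identifiers removed and a token added.
    linkage_table: token -> ssn, stored apart from the dataset (with the key).
    """
    dataset = []
    linkage = {}
    for rec in records:
        token = pseudonym(rec["ssn"], key)
        linkage[token] = rec["ssn"]
        cleaned = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        cleaned["patient_token"] = token
        dataset.append(cleaned)
    return dataset, linkage


def leaked_identifiers(dataset):
    """Release check: which direct-identifier fields are still present?"""
    return sorted({k for rec in dataset for k in rec if k in DIRECT_IDENTIFIERS})


def relink(dataset_row, linkage):
    """Feed a result back into treatment: resolve a token to the patient.

    Only a holder of the linkage table can do this; the dataset alone cannot.
    """
    return linkage[dataset_row["patient_token"]]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives with the linkage table, never with the dataset
    dataset, linkage = pseudonymize(SAMPLE_RECORDS, key)
    assert leaked_identifiers(dataset) == []
    for row in dataset:
        print(row)
    print("distinct patients:", len(linkage))
```

The point of the keyed token rather than a plain hash is that losing the pseudonymized dataset on its own (the scenario in the story) exposes lab values tied to opaque tokens, not SSNs, as long as the key and linkage table were never copied onto the same drives.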