The 950,000 individual health records in its care may only be mislaid, but this health care company didn't wait to launch its breach program.
Centene, a Fortune 500 company that "provides programs and services to government sponsored health care programs, focusing on under-insured and uninsured individuals," according to its website, announced Jan. 25 it had lost track of six hard drives containing personal health information (PHI) from 950,000 people.
The drives "were a part of a data project using laboratory results to improve the health outcomes of our members," said Centene CEO Michael F. Neidorff. The lab results are from "certain individuals who received laboratory services from 2009-2015, including name, address, date of birth, social security number, member ID number and health information," Centene added.
Centene said it was still conducting an "internal search" for the hard drives. Nonetheless, consistent with best practices for breach management under HIPAA, Centene said it was notifying the affected individuals and "all appropriate regulatory agencies," presumably including the HHS Office for Civil Rights.
Although Centene is confident that "the hard drives do not include any financial or payment information," it also says "notification to affected individuals will include an offer of free credit and health care monitoring."
The credit monitoring is not required by HIPAA but is something experts frequently recommend that covered entities offer in the event of a breach. Also, some states require such services be offered after a breach. Tip for readers: Check state law -- federal HIPAA regs may not comprise all your legal duties in the event of a breach.
(What Centene means by "health care monitoring" is not clear; Centene did not respond to a request for clarification.) UPDATE: Centene informs us that the health care monitoring will include "CyberScan Monitoring (Monitors criminal websites, chat rooms, and bulletin boards for illegal selling or trading of their personal information); Healthcare Identity Protection Toolkit™ (Complete checklist that provides tips and resources for avoiding and detecting medical identity theft); [and] Access to the ID Experts Team (Access to an online resource center for up-to-date information on new identity theft scams, tips for protection, legislative updates and other topics associated with maintaining the health of the member’s identity)."
"Although they don’t yet know exactly what happened to the records, there is a presumption of a breach under HIPAA in a situation like this," says a health care lawyer familiar with the case who did not wish to be identified. "Therefore, they are required to take steps to mitigate immediately."
Centene also says it's "in the process of reinforcing and reviewing its procedures related to managing its IT assets," another typical post-breach HIPAA activity, usually performed as part of a corrective action plan.