Several missing CDs containing unencrypted personal data on 68,000 members of the US CalOptima managed care plan have been traced to a secure postal facility in Atlanta. The discs went missing two weeks ago.
They appear untouched and will be collected by a CalOptima employee later today, a spokesman for the Orange, California-based health plan said.
The discs had been put in a box and sent by certified mail to CalOptima by one of its claims-scanning vendors earlier this month. CalOptima, however, received only the external packaging material — minus the box of discs. The unencrypted data on the CDs included member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member ID numbers, along with an unspecified number of Social Security numbers.
It's still unclear how the discs wound up in a US Postal Service facility in Atlanta, the spokesman said. But the facility appears to have been a secure one designed to store misrouted or lost postal material of a sensitive nature, he said.
Following the discovery of the discs, CalOptima scrapped its plans to send out breach notification letters to the 68,000 affected individuals. The discs were discovered as the health plan was negotiating with a credit bureau to offer credit monitoring services for people whose data was missing, the spokesman said.
Until recently, organisations such as CalOptima would not have been required to disclose a data breach involving the loss or compromise of protected health information. But a law that went into effect last month now requires all health care entities covered by HIPAA to disclose any breaches involving protected health data.