The loss of thousands of paper records for those with coverage from a Philadelphia-based health insurer sends a strong reminder that all employees within organizations need to be trained on data security best practices.
Independence Blue Cross is notifying 12,500 members that four boxes containing reports with sensitive information are missing.
In October, the boxes were moved from one floor of the Blue Cross plan's office to another, the insurer says in a statement provided to Information Security Media Group. The boxes, however, never arrived at their intended destination.
"We initially believed that these boxes had been sent to our offsite storage facility," the insurer says. "On Nov. 14, we determined that the boxes had not been placed in storage, but were discarded by the maintenance team in error. We also determined that the method used to discard these boxes did not meet the company's standards for disposing of member information."
The incident highlights the importance training all personnel within an organization on information security practices, says privacy and security consultant Rebecca Herold. "Had these maintenance workers had training on how to protect sensitive information?" she asks. "Were procedures followed for making a request to move paper documents as opposed to disposing [them]? All these basic, low-tech types of activities can have significant impacts to privacy and security, as this incident shows."
In addition, occasional reminders and awareness communications need to be sent frequently to staff as part of a good risk management plan, Herold says. "It [also] points to the need to have documented procedures for moving any form of protected health information," she says.Information at Risk
Information that may have been exposed includes member name, address, home phone number, physician name, healthcare plan and group number. Approximately 8,800 of the impacted members also had their member identification number (Social Security number with a two-digit suffix) included in the reports, the insurer says.
Those whose member identification numbers were potentially exposed are being offered free credit monitoring for one year. Independence Blue Cross says it has not received any reports of misuse of member information thus far.
"To reduce the risk of another incident, we no longer allow our maintenance team to dispose of full boxes in the trash," the insurer says. "We are also reminding all associates of our existing policies and the appropriate safety precautions to take when discarding reports that contain member information or other sensitive and proprietary information."