The CD was lost in transit but located Wednesday afternoon, according to a statement form Empire.
Health Data Management Solutions (HDMS), a third-party vendor to Magellan, had sent the CD via UPS, according to Empire’s news release. Magellan is an Empire program administrator.
Empire sent a letter to affected members last week notifying them of the possible breach.
Social Security numbers, health plan ID numbers and descriptions of medical services rendered since 2003 were on the CD, according to a report by the New York Times on Wednesday.
In a strongly worded statement released today by the New York-based health care provider, Empire officials were said to be "relieved the CD has been found."
"The information was not transferred in accordance to our contractual terms with Magellan, who did not require HDMS to encrypt or password protect the data.
"We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer was unacceptable," Empire said in a statement.
"As a result, Magellan will now only transmit personal health information electronically through a secure network, eliminating CDs and the use of a delivery source."
Empire spokeswoman Lisa Greiner referred queries to Empire’s statement.
Erin Somers, Magellan spokeswoman, told SCMagazine.com that both her company and HDMS "had errors of judgment during the transition."
"It’s important to remember that we have a business associate agreement with HDMS that requires appropriate measures to be taken to safeguard data," she said. "We have put into place a process through which we transfer data through an electronic network."
Empire set up a toll-free number for affected parties to call, 1-800-293-3443.
James Hurley, executive director of research for the IT Policy Compliance Research Group, told SCMagazine.com that one of every two data breaches are the product of human error.
Hurley said that health care organiSations have a "more consistent set of rules" than firms in other verticals, especially international firms. Recent research showed that firms that often monitor their networks for breaches are less likely to see a data security incident, he said.
"There is a consistent, direct correlation between the number of firms monitoring and the [breach] results," he said. "I think [education] is a very important [factor for preventing data loss], but more than education is being able to develop serious company policies and being able to develop both encouragement and penalties for those policies."
Update: CD with personal data of 75,000 medical services members found
By Frank Washkuch on Mar 16, 2007 8:24AM