Wednesday, 13 May 2015

ISMA Data Breach Reportedly from IT Head’s Stolen Devices

The Indiana State Medical Association (ISMA) information technology administrator reportedly is the employee who had a laptop computer and two external hard drives stolen in February, potentially exposing the information of 39,000 patients and leading to an ISMA data breach.

The administrator left his car in an Indianapolis parking lot for two and a half hours, according to The Star Press. The laptop and hard drives held personal information, including Social Security numbers and medical histories, of 39,090 people in ISMA’s group health and life insurance databases.


Previously, ISMA stated that the incident was “promptly reported” to the authorities, and that this took place on the same day that the theft occurred. However, The Star Press stated that the administrator notified police 24 hours later, and met him at an Arby’s restaurant. A “delayed larceny report” was filed on Feb. 14, according to the news source, and police said that the administrator believed he had locked his car but found no damage or marks on it when he discovered the theft.

“We are continuing to work with the IMPD, which is actively investigating the case, and have discovered at least one surveillance video capturing the theft,” ISMA’s earlier statement read. “The ISMA has already engaged outside experts who are evaluating our internal processes to prevent future incidents.”

ISMA spokeswoman Marilyn Carter told The Star Press that many of the individuals involved in the February data breach were already involved in the much-larger Anthem breach, as ISMA’s insurance plans are through Anthem.

“We are unaware of any ID theft situation resulting from information illegally obtained from us. And … we think that is highly unlikely,” Carter said.

ISMA explained in its original statement on the data breach that four potential scenarios were possible from the incident:

- The patient’s Social Security number was not exposed, nor was his or her personal medical information.
- The patient’s medical information, such as health plan number and medical history information, was potentially exposed. However, his or her Social Security number was not involved.
- The patient’s potentially exposed information included his or her Social Security number, but none of his or her personal medical information was involved.
- The patient’s Social Security number and his or her medical history information included on their enrollment application for health insurance coverage were potentially exposed.

The Indiana Attorney General explains on its website that information on a data breach must be disclosed “without unreasonable delay,” and that individuals must be given enough detail to be able to protect themselves against potential identity fraud.

“Delayed notification may lead to further instances of fraud, higher monetary damage amounts, and even the passing of important deadlines that affect your legal rights to recover your money or restore your identity,” according to the Attorney General website.

Last month, Indiana-based Ball State University announced that Anthem representatives had cancelled public forums. University employees were potentially victims of identity theft, but Anthem said that it would instead speak with Ball State employees individually if they had questions concerning the cyber attack.

“Anthem has been, and will continue to be, in frequent communication with university officials to respond to their questions,” Anthem said in a statement. “We continue to provide the latest information for consumers at anthemfacts.com. Unfortunately, at this time, we have been advised against making additional public comments so as not to jeopardize the ongoing investigation.”

View the original content and more from this author here: http://ift.tt/1REtkGY
