25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

OptumHealth New Mexico Announces 2000-Record Data Breach

Posted By on Dec 2, 2016

OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination.

Upon discovery of the loss, the U.S. Postal Service was notified but attempts to locate the device have so far failed, although according to the substitute breach notice issued by OptumHealth, the matter is still being investigated.

It is unclear why, with many secure methods of sending sensitive data, the vendor chose to post the flash drive nor why the contents of the drive were not encrypted.

OptumHealth was notified of the potential privacy breach on September 26, 2016 and breach notification letters were mailed to all affected individuals on November 17. A substitute breach notice was recently uploaded to the OptumHealth website as it was not possible to contact all affected individuals by mail.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Patients have been informed that the data stored on the drive includes names, telephone numbers, addresses, full or partial dates of birth, health identification numbers, providers’ names, medical diagnoses, and other health information. Some patients’ full or partial Social Security numbers were also present on the device. OptumHealth was informed that only “a limited number” of Social Security numbers were saved to the flash drive.

It is not possible to tell whether the device was lost or stolen, nor whether any of the information stored on the device has been accessed. Since there is a possibility of the data on the device being viewed by unauthorized individuals, all affected patients have been offered one year of identity theft protection services through LifeLock.

Affected patients have been encouraged to check healthcare documents, tax returns, and bank and credit card statements and to be vigilant for any signs of fraudulent activity.

OptumHealth has responded to the incident by updating its processes relating to vendors to prevent similar privacy breaches from occurring in the future.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist