HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Indiana State Medical Association Suffers Major HIPAA Breach

The Indiana State Medical Association has reported a HIPAA breach as a result of the theft of two backup hard drives containing healthcare and insurance information of almost 39,000 individuals.

The hard drives contained group health and life insurance databases, with the data including Social Security numbers, medical histories, health plan numbers, email addresses, dates of birth and names and addresses that were supplied on health insurance applications. The backup drives were being transported to an off-site storage facility as part of the group’s disaster recovery plan when they were stolen in what the ISMA called a “random criminal act.”

According to the breach notice placed on the ISMA website, 39,090 individuals were potentially affected, although the exact data compromised varies from individual to individual. Social Security numbers were present in the databases, but not for all individuals.

As a result, the decision was made to send individual breach notification letters explaining the exact information that was compromised. Affected individuals are being offered credit monitoring services without charge in an effort to mitigate any damage caused. Should any information be accessed and used by criminals to commit fraud, the ISMA will work closely with the affected individuals to help them repair their credit.

The theft has been reported to the Indianapolis Metropolitan Police Department, which is investigating the incident, although at this stage the devices have not been recovered. According to Associationsnow.com, the individual responsible for the theft has been captured on a surveillance camera, which increases the likelihood of justice being served.

The data stored on the hard drives is not straightforward to access and requires a degree of technical expertise. The data does not appear to have been password protected or encrypted, but “specialized equipment” would be required to view the data.

To ensure that future breaches are prevented, ISMA is in the process of assessing and revising its policies and procedures and the group has enlisted the services of external security experts to assist in this regard.

The Indiana State Medical Association offers health insurance through Anthem, which suffered a huge data breach affecting 78.8 million health plan members at approximately the same time. To avoid any confusion, ISMA has pointed out that the two incidents are entirely separate, although it is likely that there will be a “significant overlap between the two groups” according to the breach notice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.