OptumHealth New Mexico has notified 2,006 patients of a privacy breach that was caused by one of its vendors. The vendor had downloaded some electronic protected health information to a flash drive, which was then sent to an undisclosed recipient by mail using the U.S. Postal Service. The flash drive did not arrive at its destination.
Upon discovery of the loss, the U.S. Postal Service was notified, but attempts to locate the device have so far failed. According to the substitute breach notice issued by OptumHealth, the matter is still being investigated.
It is unclear why, with many secure methods of sending sensitive data available, the vendor chose to post the flash drive, or why the contents of the drive were not encrypted.
OptumHealth was notified of the potential privacy breach on September 26, 2016, and breach notification letters were mailed to all affected individuals on November 17. A substitute breach notice was recently uploaded to the OptumHealth website, as it was not possible to contact all affected individuals by mail.
Patients have been informed that the data stored on the drive includes names, telephone numbers, addresses, full or partial dates of birth, health identification numbers, providers’ names, medical diagnoses, and other health information. Some patients’ full or partial Social Security numbers were also present on the device. OptumHealth was informed that only “a limited number” of Social Security numbers were saved to the flash drive.
It is not possible to tell whether the device was lost or stolen, nor whether any of the information stored on the device has been accessed. Since there is a possibility of the data on the device being viewed by unauthorized individuals, all affected patients have been offered one year of identity theft protection services through LifeLock.
Affected patients have been encouraged to check healthcare documents, tax returns, and bank and credit card statements and to be vigilant for any signs of fraudulent activity.
OptumHealth has responded to the incident by updating its processes relating to vendors to prevent similar privacy breaches from occurring in the future.