Do you get the feeling someone’s not telling us the whole story here? How do you lose a hard drive? Do you mean someone physically removed them from the machines? Were they stored somewhere and then disappeared? Did someone simply misplace them? Here’s what the company CEO, Michael Neidorff, says. “While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives.”
Ok, let’s get a few things straight. First of all, the company is not doing us all a favor by releasing this information. By law (the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414), the firm must release this information. This law states that “entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media.” And, since the media was, in fact, notified, what are those “certain circumstances”? The media must be notified any time more than 500 records are compromised in one state or jurisdiction. Interestingly, a company suspecting that a breach has occurred has up to 60 days to report it. In other words, we can assume that the company has been looking for these hard drives for quite a while and has come up empty.
In its press release, the company stated that “the hard drives do not include any financial or payment information.” But before any clients out there breathe a sigh of relief, here’s the rest of the story. “The records on the missing drives include individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified ‘health information.’” So your credit card is not compromised directly, but, if this information has fallen into the wrong hands, the information on these hard drives can be used for a variety of identity theft exploits. Those who possess this information can make their own credit cards using the client data, for example. In short, this could turn out to be a major breach. However, to make those compromised clients feel better, “notification to affected individuals will include an offer of free credit and healthcare monitoring.” It almost makes it seem like getting your personal information stolen is a good thing, right? Well, it’s not. If Centene wanted to include compensation for any future financial losses caused by their mismanagement, that would go a long way towards making their clients feel a little more comfortable. As it turns out, if clients eventually do find they are victims of a financial hack, they will have to deal with this through lawsuits.
Now, maybe these hard drives will just happen to turn up, you know, like that sock you thought you lost. Maybe someone accidentally threw these hard drives in the trash, put them in the laundry, or used them for doorstops. Maybe they are being held for ransom by some disgruntled insider. However, even if they miraculously return, you’d still have to wonder if the data on them hasn’t already been compromised. We’ll all find out if/when this data appears for sale on certain dark market sites. The company will then have the option to buy it back before it does any more damage. However, we may never even hear about such a transaction. For the moment, Centene has taken a drastic step. “Centene is in the process of reinforcing and reviewing its procedures related to managing its IT assets.” Who would’ve thought?