Two hard drives containing medical data on more than 39,000 insured individuals were stolen last month in what the association calls “a random criminal act.” Here’s how the group is responding.
The Indiana State Medical Association was trying to protect its member data, but now it finds itself having to respond to a potentially damaging case of physical theft.
Earlier this month, ISMA announced that two backup hard drives containing sensitive data on 39,090 people insured under the association’s group health and life insurance plans were stolen while one of its employees was transporting the drives to a storage location as part of a disaster-recovery plan. The association called the situation “a random criminal act” in a news release [PDF].
While the data is difficult to retrieve from the drives, requiring the use of specialized equipment, ISMA acknowledged the sensitivity of the stolen information, including Social Security numbers and medical histories.
“We are deeply sorry this incident occurred and apologize to our insured physicians, their families, and staff, as well as our employees, for the inconvenience this may cause,” the association said in a note on its website.
ISMA is taking several actions to respond to the theft:
Working with authorities. Since the incident, ISMA has worked closely with the Indianapolis Metropolitan Police Department, which is involved in an active investigation. The association has discovered at least one surveillance video that captured the theft.
Analyzing internal processes. ISMA says it’s working with outside experts to analyze what it can do to prevent this type of crime from recurring.
Offering credit assistance. To all current and former members who were affected by the breach—only some of whom had their Social Security information compromised, for example—ISMA is offering a year of free credit-monitoring and repair services.
While the theft is significant, the association has noted that it’s different from a data breach involving the health insurance company Anthem. That breach, which was disclosed at roughly the same time, involved a cyberattack, rather than the physical theft of computer equipment.
“However, the ISMA’s insurance is through Anthem, so there is likely overlap between the groups of people affected,” the association noted.