Yesterday, the North Carolina Department of Health & Human Services (DHHS) disclosed that a flash drive with information on over 50,000 medical providers who are excluded from participating in federal healthcare programs had been misplaced or lost by its contractor, Computer Sciences Corporation (CSC). The provider information included names, addresses, dates of birth, and Social Security numbers. A report today in News & Observer incorrectly describes the data has having been encrypted.
CSC spokesperon Michelle Sicola Herd provided DataBreaches.net with the following statement:
CSC, a contractor for the state of North Carolina, discovered a loss of data involving medical provider information. The data loss involved approximately 50,405 medical providers throughout the country, including approximately 1,182 in North Carolina. The only providers involved are those prohibited by the federal government from participating in the Medicare, Medicaid and all other federal healthcare programs.
Following a CSC-couriered interoffice delivery between CSC facilities in North Carolina, a USB thumb drive of medical provider information is unaccounted for. The provider data included provider names, social security numbers, addresses and date of birth and was stored unencrypted on the thumb drive. The data does not include any patient-related information.
We have informed the North Carolina State Department of Health & Human Services of this loss of data and are working with the department on a full investigation, at the department’s request. Affected providers will be notified next week by CSC. In the meantime, providers who believe their information may have been compromised should monitor their credit and seek a free fraud alert for 90 days using a Federal Trade Commission website (http://www.consumer.ftc.gov/articles/0275-place-fraud-alert). A 1-800 number has been set up to field additional questions (1-800-957-7154).
At the department’s request, CSC will work with an independent third-party to assess security and compliance related to this incident. CSC is also reviewing thoroughly our privacy and security policies and procedures.
We sincerely regret the inconvenience and concern this loss of data causes the state’s Department of Health & Human Service and the affected providers. CSC understands the serious nature of this issue and we remain committed to responsible stewardship of data for which we are responsible.
Periodic updates will be shared as more details are known.