On July 6, the California Department of Health Care Services (DHCS) issued the following press release:
The California Department of Health Care Services (DHCS) has reported to federal authorities that a missing compact disc (CD) delivered to the department may not have been encrypted by the sender, Care 1st Health Plan. The CD contains personal information, including names and addresses, for 29,808 Care 1st members.
Without proper encryption, which is required by DHCS of all its trading partners who share protected and personal information, the CD could possibly be accessed by unauthorized users. Care 1st cannot confirm that the CD was encrypted. Though DHCS believes the CD is still on its premises and there is no indication of inappropriate access, DHCS reported the incident to the U.S. Department of Health and Human Services as required by law.
DHCS and Care 1st consider the protection of confidential personal information a top priority. When the CD could not be located, DHCS immediately launched an investigation and conducted numerous exhaustive searches of the premises. DHCS then reiterated and reinforced its longstanding direction to Care 1st and all trading partners that all personal information must be transmitted or delivered to DHCS in an approved, secure format. Care 1st now submits the information using secure electronic transfer rather than CDs.
DHCS has taken extensive steps to eliminate the use of CDs to transmit personal information and to implement electronic transfers for such information. Nearly all transactions are now carried out via secure electronic transfers or, in limited cases, via encrypted CDs.
Care 1st delivered the CD to DHCS for the purpose of identifying Care 1st members who are also Medi-Cal beneficiaries. The members whose information is contained on the misplaced CD are mostly Medicare recipients. On April 29, when the information on the CD that was delivered on April 7 was scheduled to be processed, it was determined to be missing.
On June 18, Care 1st began sending individual notification letters to the members whose information was on the CD. The letters gave the members information on steps they may take to protect themselves from any possibility of identity theft. Care 1st also arranged for free credit monitoring services to be provided to the members for one year at no cost.
DHCS has been implementing numerous steps to protect information for more than two years. During this period, it has successfully converted all mainframe computer tapes and paper reports containing confidential data to a secured electronic transfer. This includes approximately 600 annual exchanges and more than 400 paper reports (approximately 1.7 million pages printed annually) containing thousands and, in some cases, millions of records of beneficiary data.
Since they are offering free credit monitoring services, there may be more than just medical info on the missing CD, but the press release doesn’t actually detail what kinds of information are involved other than names and addresses. If anyone received a notification letter, can you please upload it or describe the contents in terms of types of information involved.