When McKesson Pharmacy Systems mailed Massachusetts-based Walsh Pharmacy a DVD containing information on Walsh Pharmacy patients, the envelope arrived but the DVD was missing. Through its attorney, Walsh Pharmacy notified the New Hampshire Attorney General’s Office of the incident involving its business associate systems vendor.
Information on the DVD included pharmacy patients’ names, and in some cases, Social Security or health insurance numbers, driver’s license numbers, and prescription information. No credit card or financial information was on the missing DVD. Walsh reports that the envelope appeared intact, and that the files on it had been created using a UNIX system which would make the contents more difficult to extract in a comprehensible format.
As a result of this incident, Walsh has changed its procedures and going forward, business associates will no longer return media with sensitive information, but will destroy it instead.