WellPoint Finds Missing CD With Data On 75,000 People

Less than a week after beginning to notify customers that their personal and health information had been lost, WellPoint found the missing and unencrypted disc.

Sharon Gaudin, Contributor

March 15, 2007


After the country's largest managed care firm began informing customers that an unencrypted disc with the personal and health information of about 75,000 people had been lost, the company found it Wednesday afternoon.

WellPoint did not release any information on where the disc was found. A press advisory said that Health Data Management Solutions, a third-party vendor, had shipped the CD via UPS to Magellan Behavioral Health Services, and it had been lost in transit. Magellan monitors and coordinates substance abuse and mental health treatments for insurance companies.

The disc contained personal information on 75,000 members of WellPoint's Empire Blue Cross and Blue Shield unit in New York.

"Although there was no indication that the CD had been stolen, last week Empire sent a letter to inform affected groups and members who may have been impacted," the advisory stated. "While we understood it was possible the CD would be found, to be cautious, Empire accelerated member notification as our members' security and trust are our highest priority. We are relieved the CD has been found."

The New York Times first reported Wednesday that the data had been lost, noting that the company began notifying affected members by mail last Saturday. The Times also reported that the records on the disc included names, Social Security numbers, health plan identification numbers, and descriptions of medical services dating back to 2003.

According to the Times, the lost disc was first reported to WellPoint's Empire unit on Feb. 9.

The company points out in the advisory that the CD was not transferred in accordance with WellPoint's contractual terms with Magellan, which did not require HDMS to encrypt or password protect the data.

"We are addressing these issues and we have made it clear to both HDMS and Magellan that their security practices with respect to the data transfer were unacceptable," the advisory states. "As a result, Magellan will now only transmit personal health information electronically through a secure network, eliminating CDs and the use of a delivery service."

WellPoint adds that it will continue to investigate and use any additional findings to improve its security practices. The company set up a toll-free number for members who have questions or concerns about the data loss.

WellPoint was formed when WellPoint Health Networks Inc. and Anthem Inc. merged in 2004. Through its subsidiaries, WellPoint provides health care benefits to about 34.2 million people. It's the largest publicly traded commercial health benefits company in the United States and an independent licensee of the Blue Cross and Blue Shield Association.
