October 30, 2009
As many as 68,000 members of CalOptima, the Medicaid plan for Orange County, California, may be at risk of identity theft and fraud after several CDs containing their personal information disappeared while in transit, the agency reported.

"CalOptima's claims scanning vendor sent the electronic media devices to CalOptima through the U.S. Postal service by certified mail," the agency said. "On Tuesday, October 13, 2009, CalOptima discovered the apparent loss of the devices when the external packaging materials were delivered by the U.S. Postal Service without the box containing the devices."

The missing discs include patient information such as names, addresses, Social Security numbers, diagnoses, and billing codes. CalOptima said it notified state and federal agencies of the breach on October 14, and posted an alert on its Web site on October 15.

CalOptima is currently negotiating with one of the three major credit reporting agencies -- Equifax, Experian, and Trans Union -- to provide credit monitoring services for the affected members. The agency is also investigating why the data was not encrypted prior to its delivery.

The CalOptima incident comes at a sensitive time for rules governing data breaches or compromises. The economic stimulus package had initially contained rules that mandated disclosing breaches of personally-identifying health information held by organizations covered under the Health Insurance Portability and Accountability Act (HIPAA).

But the Department of Health and Human Services (HHS)'s interpretation of the law allows for a "harm standard," where the business affected does not have to disclose any information about the breach unless there is a risk of significant financial harm to itself or an affected individual. Critics say HHS' interpretation of the law effectively guts its usefulness as a data breach warning tool.

The CalOptima breach required mandatory reporting, even without the new laws, as some of the breached information included Social Security numbers.