The medical records of nearly a million people have gone missing, a US health insurance company has admitted.
Centene Corporation said it was conducting an internal search for six hard drives containing the information.
Customers’ names, addresses and dates of birth were included, as well as their social security numbers, membership details and health information, Centene said.
But no financial or payment details of customers were on the drives, it said.
“While we don’t believe this information has been used inappropriately, out of abundance of caution and in transparency, we are disclosing an ongoing search for the hard drives,” said Centene’s chief executive, Michael Neidorff.
“The drives were a part of a data project using laboratory results to improve the health outcomes of our members.”
Centene said the hard drives contained the personal health information of about 950,000 people who had received laboratory services between 2009 and 2015.
It said it would notify those affected and offer them free healthcare monitoring.
The company also said it would reinforce and review its procedures.
The BBC asked whether the information on the hard drives was encrypted and how they had been lost, but Centene did not respond.
“The stakes are high because Centene handles sensitive health information relating to its members. It is, therefore, highly likely that they will have to make a report to US regulatory authorities and will be fined for any data loss,” Alison Rea, a lawyer at Kemp Little, told the BBC.
She said that, while Centene’s “upfront” approach to the issue was commendable, it meant that some people may launch damages claims before the full extent of the data loss was known.
“If the data has been lost within the organisation, the potential damage suffered by Centene’s members will be minimal. However, if the data has been taken offsite and is now in the public domain, the damages claims Centene faces could be much higher,” she said.
“As Centene provides health insurance solutions for the under-insured and uninsured public in the USA, the release of details of who their members are and their medical information could be highly damaging.
“Not only will it cause personal distress to the individuals involved if their friends and families find out about their medical history, but also because it could make it harder for those people to secure medical health insurance with other providers in the future.”
Paul Farringdon, of the security company Veracode, said: “If this data was found and accessed, it could lead to fraudsters piecing together a bigger picture of information on individuals that could be used to trick users into giving away money, power and information to people who would do harm.
“Information already available from other breaches on the dark web can be used to provide an enriched view on patients.”
One of the largest similar breaches took place in 2014 at Sutherland Healthcare Solutions, which handles medical billing and collections.
According to reports, nearly 340,000 people were affected when eight computers were stolen during a break-in.
In 2015, the US health insurer CareFirst admitted the information belonging to 1.1 million of its customers had been exposed in a hack in June the previous year.
Similar attacks on Anthem and Blue Cross in 2015 saw 80 million and 11 million records lost, respectively.