Data on 39,090 people insured through the Indiana State Medical Association was on two archive backup hard drives that were stolen Feb. 13, the group said.
The Indianapolis-based association said Monday in a statement that although its insurance plans are through Anthem Inc., this situation is separate from the cyber attack on the insurer that was announced in February.
“However, there is likely to be significant overlap between the two groups,” the ISMA said in the statement.
The association said the theft was a “random criminal act” that occurred when an association employee was transporting the hard drives to an off-site storage location as part of the group's disaster recovery plan. It said the theft was reported to the Indianapolis Metropolitan Police Department, which is actively investigating the incident.
The association said the information on the stolen hard drives, which it said cannot be retrieved “without special equipment and technical expertise,” included names, addresses, dates of birth, email addresses, health plan numbers, Social Security numbers and personal medical history information.
The association, which said it has engaged outside experts to review its internal processes to prevent future incidents, is offering one-year credit monitoring and repair services to anyone affected.
The association issued a statement that said in part, “We are deeply sorry this incident occurred and apologize to our insured physicians, their families and staff, as well as our employees for the inconvenience this may cause.” It said the association “takes the security of all information entrusted to us very seriously.”
In the first substantive ruling in last year's theft of four laptop computers at Advocate Medical Group in which 4 million patients' data was stolen, an Illinois court has ruled that plaintiffs cannot claim injuries based merely on potential losses.