Loss of sensitive information prompts new data transfer agreement

After recovering an unprotected compact disc containing sensitive data on 75,000 mental health patients, WellPoint Inc. negotiated a new data transfer agreement with the mental health claims administrator involved in shipping the CD.

The CD, containing data on patients of WellPoint subsidiary Empire Blue Cross Blue Shield, was ground-shipped from Chicago to Philadelphia even though--in violation of WellPoint's data management protocols--the data was not encrypted and the CD was not password-protected.

Under the new agreement, the claims provider Magellan Health Services Inc. in Philadelphia and data management vendor Health Data Management Solutions in Chicago will only electronically transfer data, said Shamla Naidoo, chief information security officer for WellPoint in North Haven, Conn.

Ms. Naidoo joined WellPoint in January in the newly created position.

WellPoint does not stipulate with other vendors how data must be transferred because not all vendors have the same data-transfer capabilities, Ms. Naidoo said. "We allow any method that's secure," she said.

But Magellan has agreed not to arrange ground shipments of CDs containing health data if there is no need to do so, Ms. Naidoo said.

Vendors, however, must adhere to certain safeguards to secure all protected health information, she said. Those safeguards include encrypting data and requiring passwords to access it.

WellPoint reviews the security procedures of vendors before signing contracts with them and is reviewing criteria used to select vendors, Ms. Naidoo said. After those security reviews, there is a "significant amount of trust we place in people we contract with."

But Wellpoint conducts onsite inspection of some of its vendors and is reviewing its risk-based model to determine which vendor relationships deserve greater supervision, she said.

Its contracts do not contain vendor liability provisions, but WellPoint does reserve the right to terminate contracts, Ms. Naidoo said.