On Tuesday, when the companies announced the security breach, a statement said the records were on a "flash drive for use at community health fairs."
On Friday, Burtanger said: "That flash drive was never intended to leave the building."
The two firms, which serve 400,000 eastern Pennsylvania members on medical assistance, share headquarters in Southwest Philadelphia.
The insurers, she said, had been working to improve a method for allowing encrypted patient information to be available to company representatives at local health events. The drive was being used at headquarters to test the new system, she said.
The information on the missing portable drive was not encrypted.
Also, the two companies had embarked on an initiative to encrypt all company data, especially data on devices such as laptops or flash drives that would be used outside the building. But that initiative was not completed when the Sept. 20 incident occurred.
Texas psychiatrist Deborah Peel, who heads Patient Privacy Rights, an advocacy group, said it was "grossly irresponsible" for an insurer to take members' private health information to a community fair.
Burtanger said reaching members in their communities was a key company mission. That's why, she said, "we believe this information is so vital that we need to have access to it in the field."
Burtanger gave an example: Keystone Mercy Health Plan representatives might set up a table at Praise for the Cure, an event held earlier this month by 100 churches to raise awareness about breast cancer, particularly among African Americans.
If a Keystone member were to stop by the table, the representative would be able to tell how long it had been since the member's last mammogram and schedule one.
Burtanger said officials at the companies were fairly confident the missing portable drive was lost, not stolen. But, since the drive has not been recovered, it is also possible that it was thrown away.