On Tuesday, when the companies announced the security breach, a statement said the records were on a "flash drive for use at community health fairs."
On Friday, Burtanger said: "That flash drive was never intended to leave the building."
The two firms, which serve 400,000 eastern Pennsylvania members on medical assistance, share headquarters in Southwest Philadelphia.
The insurers, she said, had been working to improve a method for allowing encrypted patient information to be available to company representatives at local health events. The drive was being used at headquarters to test the new system, she said.
The information on the missing portable drive was not encrypted.
Also, the two companies had embarked on an initiative to encrypt all company data, especially data on devices such as laptops or flash drives that would be used outside the building. But that initiative was not completed when the Sept. 20 incident occurred.
Texas psychiatrist Deborah Peel, who heads Patient Privacy Rights, an advocacy group, said it was "grossly irresponsible" for an insurer to take private members' health information to a community fair.
Burtanger said reaching members in their communities was a key company mission. That's why, she said, "we believe this information is so vital that we need to have access to it in the field."
Burtanger gave an example: Keystone Mercy Health Plan representatives might set up a table at Praise for the Cure, an event held earlier this month by 100 churches to raise awareness about breast cancer, particularly among African Americans.
If a Keystone member were to stop by the table, the representative would be able to tell how long it had been since the member's last mammogram and schedule one.
Burtanger said officials at the companies were fairly confident the missing portable drive was lost, not stolen. But, since the drive has not been recovered, it is also possible that it was thrown away.
So far, she said, there is no indication that the information is being misused. To detect fraud, claims from those numbers will receive extra scrutiny to make certain they follow previous patterns.
The majority of the 285,691 missing records contain health-plan identification numbers and results of recent screenings, but no names, Burtanger said.
A total of 2,203 records contain names with varying combinations of addresses, member identification numbers, and telephone numbers. Names and all or part of Social Security numbers are included on 808 records.
The insurers said they would provide free credit monitoring to those whose Social Security numbers were involved.
Burtanger said that letters to members would begin going out Saturday and that a toll-free number would be operational starting at 8 a.m. Monday.
If the drive was stolen, the thief may try to use the data to extract more information, including Social Security numbers, identity-theft experts said.
Burtanger cautioned members to remember that her companies' representatives would never call members on the phone to request Social Security numbers. If that happens, members should not provide the information and should contact the 800-number on their member cards.
Keystone Mercy Health Plan insures 300,000 Medicaid members in Philadelphia, Bucks, Montgomery, Delaware, and Chester Counties. AmeriHealth serves 100,000 members in a 15-county arc running from Harrisburg to Northeastern Pennsylvania.
Von Bergen examines
in medical identity theft. In Business.
Contact staff writer Jane M. Von Bergen at 215-854-2769 or firstname.lastname@example.org.