Some 3,700 Highmark Inc. customers are being notified that documents bearing their personal information - including names and Social Security numbers - were lost and have yet to be recovered.
Highmark, in a statement issued Wednesday, said it didn't believe the data was stolen.
In January, Highmark sent a large billing statement to a Boscov's department store in eastern Pennsylvania. According to Highmark, "the envelope arrived damaged and torn, and there were pages missing. The pages were lost and have not yet been recovered."
In all, 171 pages of the document were missing. The 3,700 customers are spread throughout Boscov's employee base, including retirees who no longer live in Pennsylvania or New Jersey (the two states that were notified of the breach).
Lisa Martinelli, Highmark's chief privacy officer, said the lost data included the Social Security numbers, but not in an obvious way, because the Social Security number is mixed in with other account identification data.
"This is a series of numbers," she said. "It's not a neon light that says, hey, this is [a Social Security number]."
The billing statement was sent via the U.S. Postal Service, and Highmark said "this incident occurred during the mail process." Highmark is offering one year of free credit monitoring to the affected policyholders.
Highmark, and any business trafficking in personal health data, must now make certain disclosures and take additional security precautions in order to comply with the Health Information Technology for Economic and Clinical Health Act of 2009.
Part of those new disclosure rules requires Highmark, and any other company subject to the HITECH Act, to inform the media if a data breach affects more than 500 people in one state.
Ms. Martinelli said Highmark was reviewing its mailing and data transfer procedures, but acknowledged that little could have been done on Highmark's end to prevent the loss.
"Maybe stronger envelopes," she said.
Last autumn, Highmark - and 38 other Blue Cross-Blue Shield insurance providers - were affected when a laptop computer containing sensitive personal data was stolen from a Blue Cross-Blue Shield Association employee. That time, the data breach didn't involve policyholders, but instead medical providers, including tens of thousands of doctors in the Highmark network.
Bill Toland: email@example.com or 412-263-2625.