2,800 Members Affected by Geisinger Health Plan Mailing Error

Danville, Pennsylvania-based Geisinger Health Plan has alerted 2,814 members from 220 employer health plans that some of their protected health information has been exposed to unauthorized individuals as a result of a processing error that occurred when mailing monthly invoices.

Invoice statements were prepared on July 30; however, a number were accidentally mailed to private citizens. The error was discovered on August 4, a few days after the invoices were mailed.

The invoices did not contain Social Security numbers, financial information, or other data that is typically used by criminals to commit fraud. The exposed data were limited to plan members’ names, health insurance premium amounts, member ID numbers, dates of birth, and smoking status. The breach was limited to members of the Geisinger Health Plan. Geisinger Gold, GHP Family and GHP Kids members were unaffected.

All individuals who were sent the invoices have been contacted and requested to send the invoices back to Geisinger Health Plan to ensure they are securely destroyed, in accordance with Geisinger Health System policies and procedures. Geisinger Health Plan has also implemented additional controls to prevent future errors of this nature from occurring.

All individuals and businesses affected by the incident have been sent breach notification letters to advise them of the privacy breach. The incident has also been reported to the Department of Health and Human Services’ Office for Civil Rights.

St. Elizabeth Physicians Notifies 674 Individuals of Email Incident

St. Elizabeth Physicians has informed 674 individuals that their email addresses have been disclosed to other patients.

On July 12, 2016, an email invitation was sent to patients by its Weight Management Center. The emails invited patients to take part in an open forum meeting and vitamin presentation. However, an employee mistakenly entered patients’ email addresses in the To field instead of the BCC field. Consequently, the email addresses of all 674 patients were visible to all email recipients. Only patients’ email addresses were exposed. No other data was included in the emails.
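The To/BCC mix-up above is easy to prevent with a pre-send control. The Python below is an added illustration written for this article; it is not St. Elizabeth Physicians' code, and the sender address and patient addresses are constructed placeholders. It builds the mistaken message (everyone in To) beside the guarded form (sender in To, patients in Bcc) and runs a check that refuses to send when more than one address is visible.

```python
"""Bulk patient e-mail: the To-instead-of-Bcc mistake beside a guarded sender."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (hypothetical addresses, not from the incident).
SENDER = "weight-management@example.org"
PATIENTS = [
    "patient.one@example.net",
    "patient.two@example.net",
    "patient.three@example.net",
]


def build_mistaken_invitation(sender, recipients, subject, body):
    """The failure mode described in the notice: every patient address lands
    in To, so each recipient can read the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_invitation(sender, recipients, subject, body):
    """Guarded form: recipients go in Bcc; only the sender's address is visible."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read (To and Cc). Bcc is not
    shown because smtplib.SMTP.send_message strips the Bcc header before
    handing the message to the server."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses([str(h) for h in headers])]


def check_bulk_message(msg, max_visible=1):
    """Pre-send control: return a list of problems; an empty list means the
    message passes. max_visible=1 allows only the sender/list address in To."""
    problems = []
    visible = visible_recipients(msg)
    if len(visible) > max_visible:
        problems.append(
            f"{len(visible)} addresses exposed in To/Cc; bulk mail must use Bcc"
        )
    if not msg.get_all("Bcc"):
        problems.append("no Bcc recipients: nobody would receive the message")
    return problems


def send_if_safe(msg, transport):
    """transport is any callable that accepts an EmailMessage, for example a
    bound smtplib.SMTP.send_message. The message is only handed over when the
    control passes; otherwise the problems are returned for the operator."""
    problems = check_bulk_message(msg)
    if problems:
        return False, problems
    transport(msg)
    return True, []


if __name__ == "__main__":
    body = "You are invited to the open forum meeting and vitamin presentation."
    bad = build_mistaken_invitation(SENDER, PATIENTS, "Open forum", body)
    good = build_bulk_invitation(SENDER, PATIENTS, "Open forum", body)
    print("mistaken:", check_bulk_message(bad))
    print("guarded :", check_bulk_message(good))
```

In production the `transport` argument would be a connected `smtplib.SMTP` object's `send_message`; wiring the check in front of it means a single mis-filled header is caught before the message leaves the organisation rather than discovered from a patient's reply.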

Procedures have been reviewed and appropriate action taken to reduce the risk of similar incidents occurring in the future. Patients have also been advised to be wary of any unsolicited emails that are received offering products or services, in case the disclosed email addresses are used by any of the email recipients.

Even though no sensitive PHI was exposed, St. Elizabeth took the decision to offer all affected patients a year of credit monitoring services without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.