HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018.

31,300 Plan Members Notified of Phishing-Related PHI Breach

A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018.

A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses, dates of birth, dates of service, insurance ID numbers, and a description of medical conditions.

Email security has now been enhanced and employees have received further training on cyber risks.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Managed Health Services was informed of the breach on October 29 and issued notifications to affected plan members on December 21, 2018. Affected individuals have been offered complimentary credit monitoring services with CyberScan for 12 months.

LCP Transportation notified the HHS about the breach on March 15, 2019. The breach portal indicates that in total, 54,528 individuals were impacted by the breach.

Mailing Error Caused Letters to be Sent to Incorrect Recipients

On December 20, 2018, Managed Health Services issued notifications to 576 plan members informing them that a limited amount of their PHI had been impermissibly disclosed to other plan members as a result of a mailing error.

On October 16, 2018, notification letters were sent to plan members regarding an upcoming pharmacy change; however, an error saw some of the letters sent to incorrect recipients. The mis-mailed letters resulted in the name, insurance identification number, and medication information of one plan member disclosed to another plan member. A call campaign was conducted to contact all individuals who received a letter to request they return the mis-mailed letters.

Managed Health Services has not received any information to suggest that plan members’ PHI has been misused; however, out of an abundance of caution, affected individuals have been offered 12 months of complimentary credit monitoring services through CyberScan.

Managed Health Services has taken steps to prevent mailing errors in the future including reinforcing mailing policies and procedures and reviewing practices in relation to the submission of mailing addresses to its national mailing center.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.