31,876 Managed Health Services of Indiana Health Plan Members Notified of Impermissible Disclosure of PHI

Share this article on:

Managed Health Services, the Indianapolis, IN-based managed care entity that runs the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, has discovered the protected health information (PHI) of 31,876 plan members has potentially been disclosed in two separate breaches that were announced in December 2018.

31,300 Plan Members Notified of Phishing-Related PHI Breach

A phishing attack on a business associate of Managed Health Services has potentially resulted in the disclosure of some plan members PHI. On or around July 30, 2018, employees of LCP Transportation responded to phishing emails and provided the attacker with credentials that allowed their email accounts to be remotely accessed. LCP Transportation disabled the affected email accounts on September 7, 2018.

A third-party computer forensics firm was hired to assist with the investigation. While no evidence of PHI misuse has been detected, it is possible that emails in the accounts were accessed by the attacker. Some of the emails in the compromised accounts contained plan members’ PHI including names, addresses, dates of birth, dates of service, insurance ID numbers, and a description of medical conditions.

Email security has now been enhanced and employees have received further training on cyber risks.

Managed Health Services was informed of the breach on October 29 and issued notifications to affected plan members on December 21, 2018. Affected individuals have been offered complimentary credit monitoring services with CyberScan for 12 months.

LCP Transportation notified the HHS about the breach on March 15, 2019. The breach portal indicates that in total, 54,528 individuals were impacted by the breach.

Mailing Error Caused Letters to be Sent to Incorrect Recipients

On December 20, 2018, Managed Health Services issued notifications to 576 plan members informing them that a limited amount of their PHI had been impermissibly disclosed to other plan members as a result of a mailing error.

On October 16, 2018, notification letters were sent to plan members regarding an upcoming pharmacy change; however, an error saw some of the letters sent to incorrect recipients. The mis-mailed letters resulted in the name, insurance identification number, and medication information of one plan member disclosed to another plan member. A call campaign was conducted to contact all individuals who received a letter to request they return the mis-mailed letters.

Managed Health Services has not received any information to suggest that plan members’ PHI has been misused; however, out of an abundance of caution, affected individuals have been offered 12 months of complimentary credit monitoring services through CyberScan.

Managed Health Services has taken steps to prevent mailing errors in the future including reinforcing mailing policies and procedures and reviewing practices in relation to the submission of mailing addresses to its national mailing center.

Author: HIPAA Journal

Share This Post On