Another HIPAA Breach Courtesy of a Printing Error

Over the course of the last three months, HIPAA covered entities have reported 54 data breaches to the Office for Civil Rights. The majority of those data breaches can be attributed to human error.

15% of the breaches have resulted from errors made when printing and mailing letters to patients and health plan members. While these privacy breaches do not affect anywhere near as many patients/plan members as hacking incidents (which have resulted in 10,134,208 records being stolen since September 9, 2015), they still require a breach response and result in considerable costs to the covered entity. The breach victims can be adversely affected, and the incidents tarnish the organizations’ reputations. They are also some of the easiest data breaches to prevent.

On Friday last week, another covered entity, BlueCross Blue Shield of Nebraska, reported that a printing error had been made during a patient mailing. Each month, in its report to Congress, the Department of Veterans Affairs lists numerous examples of errors made when sending letters/prescription information to veterans.

Efforts must be made to make it harder for hackers to gain access to healthcare networks and for employees to steal patients’ data, but extra care should also be taken when printing and preparing mailings.

HIPAA Breaches Caused by Printing Errors

Covered Entity | Patients/Subscribers Affected | Date Reported to OCR
BlueCross BlueShield of Nebraska | 1,827 | 12/03/15
Centegra Health System | 2,929 | 12/01/15
Rush University Medical Center | 1,529 | 11/06/15
EnvisionRx | 540 | 10/23/15
BeHealthy Florida | 835 | 10/19/15
Affinity Health Plan | 721 | 09/14/15
Blue Cross and Blue Shield of North Carolina | 807 | 09/11/15
Blue Cross and Blue Shield of North Carolina | 1,530 | 09/11/15


BlueCross Blue Shield of Nebraska HIPAA Breach

The error resulted in Explanation of Benefits (EoB) statements being sent to the wrong customers, and divulged patients’ names, ID numbers, and dental claim information, including the services that had been covered by members’ health insurance policies. The unauthorized disclosure affected 1,872 BCBS members.

Centegra Health System HIPAA Breach

An error made by a Business Associate of Centegra Health System resulted in two billing statements being placed in an envelope instead of one. This resulted in 2,929 patients receiving a billing statement intended for another patient. Patient names, addresses, account numbers, service dates, service summaries, account balances, third-party payment information, and charges were disclosed.

Rush University Medical Center HIPAA Breach

A minor data disclosure affected a limited number of patients of Paul Jones, MD. Letters were sent to the patients announcing the retirement of their physician. The letters were sent to the right addresses, although they included the name of an incorrect patient.

EnvisionRx HIPAA Breach

An error occurred when exporting data from a PDF file for a prescription mailing, resulting in 540 patients (out of a mailing of 11,000 letters) being sent data relating to other patients. The PHI exposed in this HIPAA breach included patient names, drug/dosage information, dates of service, prescription costs, and copay/plan payment amounts.

BeHealthy Florida HIPAA Breach

Health insurance claim numbers were disclosed as a result of a printing error that saw data printed on the outside of envelopes. The claim numbers were made up from the Social Security numbers of subscribers, potentially making this data breach one of the more serious printing errors reported in recent months. 835 subscribers were affected by the data breach.

Affinity Health Plan HIPAA Breach

Affinity Health Plan suffered a breach of patient data as a result of appointment reminders being printed on both sides of a mailing. A letter intended for another patient was printed on the reverse of each letter, which exposed children’s health plan numbers, names, and addresses.

Blue Cross and Blue Shield of North Carolina HIPAA Breaches

Blue Cross and Blue Shield of North Carolina suffered two printing errors in quick succession, exposing the data of 2,337 individuals. Patient names, payment ID numbers, payment amounts, health insurance marketplace ID numbers, health plan information, and effective dates were disclosed. BCBSNC account numbers were also disclosed in one of the data breaches.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.