Share this article on:
Florida-based BeHealthy Health Plan has inadvertently exposed the health insurance claim numbers of 835 subscribers after a mailing error resulted in the data being printed on the outside of envelopes.
The mailing of benefit information packets took place on September 23, 2015, with the first complaints alerting the health plan to error being received 5 days later. The privacy breach affects members of the BeHealthy Medicare Advantage Plan who live in Manatee and Sarasota counties.
The exposure of a single data element such as the insurance claim number would not typically be a major cause for concern; however, in this case the health insurance claim numbers included the Social Security numbers of plan members. Since the letters also contained the names and addresses of subscribers to the health plan, it is conceivable that this information could be used inappropriatel; should any of the letters have been intercepted.
Any exposure of Social Security numbers is a serious matter, and BeHealthy has responded accordingly. All affected individuals have been offered a year of identity theft protection services without charge. The Experian® ProtectMyID® Elite service offers fast resolution of incidences of identity theft, and ensures victims are rapidly alerted to inappropriate use of their data.
The service is not automatically activated. Members must follow the instructions provided in their breach notification letters, or should contact BeHealthy for further information.
At this stage it is unclear how the error was made. BeHealthy is conducting an internal investigation to determine how such an error could have occurred. The results of that investigation will dictate what additional privacy and security controls are required to prevent similar mailing errors from occurring in the future.
The Department of Health and Human Services’ Office for Civil Rights was notified of the data breach within 3 weeks of its discovery. Under HIPAA Rules, covered entities have up to 60 days to report breaches of PHI that affect more than 500 individuals, although covered entities are advised in the legislation to issue breach notices to patients without unnecessary delay. When Social Security numbers and/or other particularly sensitive information is exposed, patients should be notified as soon as possible to allow them to take action to mitigate risk.
Mailing Letters to Patients Can All Too Easily Result in PHI Exposure
The last few months have seen a number of printing and mailing errors reported to the Office for Civil Rights. In October, three separate privacy breaches were reported, two of which affected Blue Cross and Blue Shield of North Carolina. 2,300 individuals had a limited amount of PHI exposed to other plan members after their billing information was accidentally printed on the reverse of letters sent to other patients. The second breach was attributed to a spreadsheet error.
The third mailing error was reported by Affinity Health plan. The privacy breach resulted in children’s names, addresses and plan ID numbers being printed on the reverse of Health Plan renewal reminder letters.
In August, the Colorado Department of Health Care Policy and Financing accidentally mailed letters to 1,622 households containing other members’ Medicaid numbers, Advanced Tax Credit amounts, employer names, income, state ID numbers, family member names, and in some cases, also dates of birth of patients.
In July, an Integral Quality Care (IQC) mailing error resulted in patients being incorrectly mailed the Florida Medicaid ID numbers, diagnosis codes, payment information, and dates of birth of other patients.
Each month the Department of Veteran Affairs issues an information security report to congress in which numerous instances of mailing errors are reported. Each month sees tens of these errors made, typically involving one patient being sent the PHI of another individual.
Mailing errors are perhaps some of the easiest HIPAA breaches to prevent; yet the mailing of letters, renewal notices, appointment and prescription reminders often result in the accidental disclosure of PHI and PII to other patients.
Now may be a good time to review policies covering patient mailings and remind staff members of the importance of double checking letters prior to them being mailed.