Californian Health Plan Administrator Announces 35K-Record Data Breach

Californian health plan administrator, Keenan & Associates, has announced a breach of Protected Health Information that has impacted 35,000 health plan subscribers.

A vendor made an error when configuring a web portal. The server security settings were misconfigured, resulting in a number of confidential documents being inadvertently indexed by search engines. A search of the Internet would have resulted in the documents being displayed in the search results. Clicking on the links would have opened the documents, and a number of data fields would have been viewable.

The data contained in the documents was mostly limited to personal information. Subscriber names, addresses, dates of birth, contact telephone numbers, health plan identifiers, and medical plan names were stored in the documents. Some Social Security numbers were also exposed, although Keenan & Assoc. reports that no financial information was detailed in the documents, nor any clinical or medical information.

An investigation into the data breach has not uncovered any evidence to suggest the files were actually viewed during the time they were accessible. However, this cannot be confirmed, so there is a risk that data were viewed by a third party. For the documents to have appeared in a search, the search term entered would have needed to be quite specific.

The server settings have now been changed and the documents are no longer accessible via the Internet, and are no longer appearing in searches.

The breach notice issued by Keenan & Assoc. indicates the error was discovered on October 9, 2015; however, no information has been disclosed about the length of time the data were accessible.

All affected individuals have been provided with a range of services to monitor credit files and protect against identity theft and fraud for a period of two years. The breach victims are being covered by a $1 million identity theft protection policy, and in the event that health plan subscribers do suffer identity theft or fraud, services will be provided to restore credit and identities.

Since a wide range of personal information was exposed along with health plan identifiers, there is a possibility that an individual would be able to commit insurance fraud. As such, all breach victims have been advised to keep a close check on their Explanation of Benefits (EoB) statements to monitor for signs of fraudulent activity.

This is the second Californian data breach to be announced in the space of a week that has involved the exposure of PHI as a result of a server misconfiguration. Cottage Health System announced earlier this week that a misconfiguration resulted in the exposure of 11,000 patient records.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.