Share this article on:
A potential privacy breach has been discovered to have affected CarePlus Health Plans. This is one of a number of patient privacy breaches to have been reported in recent weeks that have involved errors made when printing and mailing information to patients.
On September 18, 2015, CarePlus prepared a mailing of CarePlus Late Enrollment Penalty Premium Statements to patients. A machine was used to insert two premium statements into each envelope, but instead of inserting one statement, two were placed into each envelope by accident. The error resulted in 1,400 patients being sent statements intended for other patients.
The information potentially disclosed did not include highly sensitive information such as Social Security numbers, but patients have their names, addresses and CarePlus ID numbers accidentally disclosed to other health plan subscribers.
All affected members will undoubtedly already be aware of the error if they opened their statements, although they have now also been sent a HIPAA breach notification letter explaining the exposure of their information and how the incident occurred. They have also been issued with an apology for the error.
Given the limited amount of data disclosed it is unlikely that any patient will suffer damage or losses as a result of the privacy breach. CarePlus confirmed in a statement that it has not received any information to suggest that patient data have used inappropriately, although the company will continue to monitor all claims for any sign of fraudulent activity.
In order to prevent future breaches of this nature from occurring CarePlus is in the process of introducing new quality assurance procedures in its mailroom.
Spate of Mailing Errors Reported to the Office for Civil Rights
In August, Blue Cross and Blue Shield of North Carolina reported two privacy breaches resulting from printing and mailing errors that resulted in the PHI of members being accidentally disclosed to other individuals. One incident involved members’ information being printed on the reverse side of a document that was sent to other plan members, while a separate spreadsheet error similarly resulted in a mailing exposing patient data. In total, 2,300 members were affected by the two incidents.
Affinity Health Plan also suffered a similar incident in which double sided documents had different members’ information printed on each side.
The four incidents show how easy it is for privacy breaches to occur when printing and mailing letters to patients. HIPAA-covered entities should take note, and ensure that procedures are put in place in their mailrooms to double check for errors prior to letters being mailed. Vendors’ procedures should also be checked to make sure policies are in place to limit potential for patient and plan members’ privacy to be violated.