Experian Health Accidentally Sends PHI to Incorrect Individuals

Experian Health has discovered the protected health information of some patients has been accidentally disclosed to incorrect individuals due to a technical error that occurred during a server migration.

The disclosed data including names, addresses, genders, dates of birth, Medicare ID/HIC numbers, member ID numbers, insurance/payer company names, group numbers/group policy numbers and Medicaid case numbers. The data were shared with incorrect HIPAA covered entities. No information was sent to or otherwise shared with members of the public.

Experian Health took immediate action to address what it refers to as ‘an isolated error’ and reports that the mistake has been corrected. The error affected two platforms used by Experian Health, with data disclosed between February 13 and March 13, 2017.

The information disclosed could only have been accessed or saved by HIPAA-covered entities, who are bound by HIPAA Rules. Therefore, the risk of protected health information being misused is likely to be low.

Experian Health notified affected healthcare institutions of the error on April 28, 2017. One of those entities was Southern Illinois Healthcare (SIH), which was told that 600 of its patients were impacted. Experian Health is a business associate of SIH and performs insurance eligibility verification during patient registration. Experian Health also works with other healthcare organizations.

At present, it is unclear exactly how many patients have been impacted in total since the incident has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. It is possible that breach notices will be submitted separately by all of the covered entities impacted by the incident.

SIH has made the decision to offer credit monitoring and credit repair services to all affected individuals as a precautionary measure. Those services, which are being provided through AllClear ID, are available for 24 months without charge.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.