Hawai‘i Medical Service Association Privacy Breach Affects 10,800

Independent Blue Cross Blue Shield licensee Hawai‘i Medical Service Association (HMSA) has started sending breach notification letters to 10,800 members alerting them to a privacy breach that resulted in one member’s medical condition being disclosed to another HMSA member.

The privacy breach was caused by an error made with the mailing of care management letters to members, which resulted in letters being sent to incorrect individuals.

The incorrectly routed care management letters contained the name of an HMSA member along with information to help that individual manage a specific health condition, such as asthma, diabetes, or heart and lung disease.

According to a substitute breach notice placed on the HMSA website, no financial information, membership ID numbers, Social Security numbers, or other sensitive personal information were included in the letters. Individuals affected by the privacy breach therefore do not face a risk of identity theft as a result of the accidental disclosure of PHI.

As well as notifying affected individuals by mail, HMSA is contacting all recipients of the incorrectly mailed letters to ensure the correspondence is disposed of correctly, if the letters are still in recipients’ possession.

What is peculiar about this mailing error is how long it was allowed to continue before the error was identified. The investigation into the privacy breach revealed that the error first occurred in April 2015 and continued until November 2015. HMSA was not made aware of the mailing error until December 3, 2015.

Individuals who receive an incorrect letter from a healthcare association usually raise the alarm within a few days. A healthcare mailing error resulting in a few individuals receiving incorrect correspondence may not result in any complaints being made to the healthcare organization in question. However, according to the breach report submitted to the Office for Civil Rights, 10,800 individuals received incorrect letters. It is therefore peculiar that it took so long for HMSA to be made aware of the error.

Now that the error has been identified and patients notified, HMSA has taken steps to prevent similar mailing errors from occurring in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.