HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HealthFirst Notifies 5,300 Patients of 2-Year Data Breach

New York-based health insurer HealthFirst will start sending breach notification letters to 5,300 health plan members today, informing them of a breach of their protected health information (PHI) that potentially started on April 11, 2012 and lasted until March 26, 2014.

The breach is serious. The data was taken for the express purpose of committing fraud, and plan members are being advised to take no chances: they have been urged to sign up for the credit monitoring and protection services that HealthFirst is offering. The insurer itself has already been defrauded as a result of the breach, although at this stage it is unclear whether any plan members have also suffered losses.

In 2013, HealthFirst discovered it had become a victim of fraud. The insurer notified the Department of Justice (DOJ) and following an investigation, the individual responsible was identified, arrested and charged with fraud. As the investigation continued, the DOJ determined that the individual in question had possibly obtained information on plan members from HealthFirst.

The DOJ alerted the insurer to the potential breach of member information on May 27, 2015, and an investigation was launched. HealthFirst enlisted a computer forensics company to determine which plan members had been affected and exactly which data had been viewed and copied. The investigation was completed on June 10, 2015.

HealthFirst determined that the breach, which spanned almost two years, affected approximately 5,300 individuals, with member information obtained through the insurer’s online portal.

The data exposed in the breach did not include Social Security numbers or financial information, although health insurance plan information, HealthFirst member ID numbers, patient ID numbers, claim numbers, diagnosis codes, and Medicare and Medicaid ID numbers appear to have been accessed, along with names, addresses, and dates of birth: more than enough for the perpetrator to file false insurance claims and commit Medicare fraud. It is also worth noting that, at the time of the breach, a beneficiary’s Medicare ID (the Health Insurance Claim Number) was in most cases the Social Security number with a suffix appended, so the absence of SSNs from the list of exposed data offers less reassurance than it might appear.

A breach notice was posted on HealthFirst’s website yesterday and the Department of Health and Human Services’ Office for Civil Rights has been informed. Health plan members have been advised to exercise extreme caution because of the high risk of loss or harm, and have been told to obtain credit reports and Explanation of Benefits statements and check them for any suspicious activity, such as claims for services they did not receive. Plan members have also been instructed to place fraud alerts on their credit files with each of the three credit bureaus (Experian, Equifax and TransUnion).

Once the DOJ raised the alarm, the insurer’s breach response was fast, and the efforts made to mitigate risk are consistent with the requirements of the Health Insurance Portability and Accountability Act; however, some questions remain unanswered, chiefly why it took until May 2015 for the DOJ and HealthFirst to connect the fraud uncovered in 2013 to unauthorized access to member data that had continued until March 2014.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.