Highmark Subsidiary Visionworks Hit by 75K HIPAA Breach

The Pennsylvania-based health insurance company Highmark Inc. has announced today that one of its subsidiaries, Visionworks, has lost a computer server containing the medical records of approximately 75,000 patients.

The medical data stored on the server included details of patients’ visits to Visionworks optometrists, their lens prescriptions, and their names and addresses. The HIPAA breach is understood to have potentially exposed the data of patients who had previously visited its Jennifer Square, Annapolis, MD store. No patients of its other 650 nationwide vision care centers are believed to have been affected.

All affected individuals are in the process of being notified of the data breach by post in accordance with the breach notification rules laid down in the Health Insurance Portability and Accountability Act and are being offered a year of free credit monitoring services through Equifax.

The breach letter informs patients that the incident exposing patient data was actually part of the company’s efforts to improve privacy and security. A server was scheduled to be replaced as part of the company’s data encryption program; however, after the old server was decommissioned it was temporarily stored at the company’s facilities in Jennifer Square. When the server was eventually recalled to Visionworks’ home office in San Antonio, staff at the Jennifer Square clinic could not locate it.

An investigation was immediately conducted to determine the whereabouts of the missing server and Visionworks has now concluded that it was accidentally discarded and placed in a dumpster. The Visionworks store where the server was located was in the process of being remodeled at the time, and there was a considerable amount of construction debris and building supplies at the store. It has been presumed that the server was accidentally discarded with the debris and is now in a landfill site, although the possibility remains that the server was stolen while the construction work was taking place.

Credit card data stored on the server was limited to just three days of records – approximately 100 records from May 31, 2014 to June 2, 2014 – and this data was fully encrypted and therefore unreadable. A limited number of Social Security numbers may have been exposed in the breach, although these were not identified as such in the database.

Personal and Protected Health Information stored on the server included names, addresses, contact telephone numbers, health insurance providers, group name and number, member ID and vision care expiration dates. The patient’s occupation, sex, referral source, examination comments and lens prescription/production information were also present.

According to the notice placed on the company’s website, “At this time, there is no reason to believe that any of the information residing on the server has been accessed or used inappropriately.” Efforts to locate the server are ongoing.

The breach is reportable to the Department of Health and Human Services’ Office for Civil Rights, which may conduct an investigation to determine whether HIPAA rules and regulations have been followed. If violations are discovered, Visionworks could face a substantial financial penalty.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.