Humana Reports Mailing Errors Affecting More than 10,000 Members
Three mailing error incidents have resulted in the impermissible disclosure of the PHI of more than 10,000 Humana members. Data breaches have also recently occurred at KMJ Health Solutions, Jewish Home Lifecare, and Lake of the Woods County Social Services.
Insurance ACE/Humana Inc.
The Kentucky-based health insurance provider Humana Inc. has recently disclosed three separate mailing error incidents that have resulted in the impermissible disclosure of the protected health information of 10,688 of its members. On December 8, 2023, a programming error resulted in Explanation of Payment documents intended for providers being sent to an incorrect address. The documents included first and last names, Humana ID numbers, provider names, dates of service, and claim payment information.
On December 14, 2023, large print/braille health plan communications were mailed to incorrect recipients. An error was made when fixing an unrelated coding issue that added a date/time stamp to the naming convention, which was not a unique identifier. As a result, the system began overwriting files as duplicates, which resulted in members receiving another member’s letter. The information impermissibly disclosed included first and last names, addresses, Humana ID numbers, provider names, dates of service, claim payment information, prescription medication information, and copay and premium information.
On January 12, 2024, Humana’s printing vendor in Louisiana, Broadridge Output Solutions, Inc., experienced a printing error that caused explanation of benefits information of Humana members to be printed on the reverse of other members’ statements. The information impermissibly disclosed included names, claim information, provider name, gender, copay information, deductible and coinsurance information. Humana said all of the errors have been rectified and it is unaware of any misuse of members’ information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
KMJ Health Solutions
KMJ Health Solutions, a Michigan-based provider of online signout and charge capture systems, has reported a breach of the protected health information of 2,191 individuals. On November 19, 2023, KMJ Health Solutions identified unauthorized access to the server that hosts its eDocList system. The attacker used ransomware to encrypt files and may have obtained the data of some of its clients. The threat actor first gained access to the server on July 1, 2023. KMJ Health Solutions notified the affected clients on or around January 11, 2024.
One of the affected clients was Saint Joseph’s Medical Center in New York. The information potentially compromised included names, dates of birth, medical record numbers, diagnoses, laboratory results, dates of service, provider names, medications, and/or treatment information. Saint Joseph’s sent notifications to the affected individuals on March 4, 2024, and has confirmed that it no longer uses KMJ Health Solutions.
Regional One Health has also confirmed that some OB/GYN residents and patients have been affected. The affected individuals were sent to Regional One Health by the University of Tennessee Health Science Center and the information exposed included First and last names, medical record numbers, ages, dates of admission, allergies, service provided, diagnoses, prenatal provider, laboratory results, medications, fetal or delivery details, contraception, and information regarding follow up care. It is currently unclear how many Regional One Health patients were affected.
When business associates experience data breaches, notifications may be issued by the business associate, their covered entity clients, or a combination of the two. It is therefore unclear at this stage how many individuals in total have been affected by the ransomware attack on KMH HEalth Solutions.
Jewish Home Lifecare
Jewish Home Lifecare, Inc., a New York senior health care system, identified unusual activity in its computer systems on January 7, 2023, and assisted by computer forensics experts, determined that there had been unauthorized access to its systems and the hackers potentially viewed or obtained patient data. The information exposed included names, addresses, dates of birth, Social Security numbers, payment card information, financial account information, passport numbers, medical record information, and medical treatment information. Jewish Home Lifecare has reported the incident to the HHS Office for Civil Rights as affecting 501 individuals. 501 is a placeholder often used to meet breach reporting requirements when the total number of affected individuals has yet to be confirmed.
Lake of the Woods County Social Services
Lake of the Woods County Social Services in Minnesota has reported a data breach that has affected individuals served by the County Social Services Department and their household members. On November 14, 2023, the County’s cybersecurity solutions detected and blocked a ransomware attack. While file encryption was prevented, the forensic investigation confirmed there was unauthorized access to its systems between November 14 and November 15, 2023, and data was stolen in the attack.
A ransom demand was received, but the County refused to pay to have the stolen data deleted, consistent with the advice of the FBI. Some of the stolen data was subsequently posted on the dark web. The information compromised in the attack included the following: Name, in combination with some or all of the following: address, date of birth, Social Security number, driver’s license number, financial account information, payment card information, information related to medical condition, treatment or diagnosis, medications, names of healthcare providers, information related to services individuals received from the County Social Services Department, such as locations of service, dates of service, client identification number or unique identifiers related to services provided to you, insurance identification number, and/or insurance information. For a limited number of individuals, the data included mental health reports and/or username(s) and password(s) used to access online accounts. The breach has been reported to the HHS’ Office for Civil Rights as affecting 537 individuals.
