Ill. Insurer Discovers PHI Disclosure Caused by Software Glitch

An Illinois-based health insurer, the Trustmark Mutual Holding Company, has discovered a data security issue that compromised the privacy of a number of its members.

The data breach was caused by an error in the company's automated e-billing system. The system generates emails that are sent to the company's insurance carrier clients. Each email should contain a single file attachment holding only the information specific to that carrier's clients. The emails and the attachments are encrypted, which protects the data from interception in transit; it does nothing, however, to protect against a message being addressed to the wrong recipient, since that recipient is an intended party and can decrypt it.

However, on May 13, 2015, a software glitch resulted in emails being generated and sent that contained attachments meant for other insurance carriers. The attached spreadsheets contained information protected under HIPAA Rules, including Social Security numbers along with patient names and details of payroll deduction amounts.
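The failure described above is a binding failure: every attachment reached a recipient entitled to decrypt it, but not the recipient the data belonged to. The following is an added illustration, not Trustmark's code, and the actual cause of the glitch has not been disclosed; it assumes one common pattern (an attachment buffer that is not cleared between recipients) as a hypothetical defect, and shows the kind of pre-send gate that would have stopped the batch regardless of the cause: refuse to dispatch any email whose attachments are not all tagged with the recipient carrier's own identifier. All carrier identifiers, filenames and contents are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    carrier_id: str   # the carrier whose members' data this file contains
    filename: str
    content: bytes


@dataclass
class OutboundEmail:
    to_carrier: str
    attachments: list


class AttachmentBindingError(Exception):
    """Raised when an email would carry data belonging to another carrier."""


# Constructed sample input: one billing spreadsheet per carrier (hypothetical IDs).
SAMPLE_FILES = {
    "CARRIER-A": [Attachment("CARRIER-A", "a_billing.csv", b"ssn,name,deduction\n...")],
    "CARRIER-B": [Attachment("CARRIER-B", "b_billing.csv", b"ssn,name,deduction\n...")],
    "CARRIER-C": [Attachment("CARRIER-C", "c_billing.csv", b"ssn,name,deduction\n...")],
}


def build_batch_buggy(carrier_files):
    """Hypothetical defect: a single 'pending' list is reused for every
    recipient, so each email object ends up referencing the whole
    accumulated set of attachments rather than only its own."""
    pending = []
    batch = []
    for carrier, files in carrier_files.items():
        pending.extend(files)
        batch.append(OutboundEmail(carrier, pending))  # same list object each time
    return batch


def build_batch_fixed(carrier_files):
    """Corrected builder: each email gets its own list of attachments."""
    return [OutboundEmail(carrier, list(files)) for carrier, files in carrier_files.items()]


def check_batch(batch):
    """Pre-send gate, run on plaintext before the message is encrypted to the
    recipient: exactly one attachment, and it must be tagged with the
    recipient carrier's own identifier. Returns True or raises."""
    for email in batch:
        if len(email.attachments) != 1:
            raise AttachmentBindingError(
                f"{email.to_carrier}: expected 1 attachment, found {len(email.attachments)}"
            )
        for att in email.attachments:
            if att.carrier_id != email.to_carrier:
                raise AttachmentBindingError(
                    f"{email.to_carrier}: attachment {att.filename} belongs to {att.carrier_id}"
                )
    return True


def dispatch(batch, send):
    """Validate the whole batch first, then hand each email to the transport.
    'send' is a caller-supplied function (e.g. encrypt-and-submit)."""
    check_batch(batch)
    return [send(email) for email in batch]


if __name__ == "__main__":
    try:
        dispatch(build_batch_buggy(SAMPLE_FILES), lambda e: e.to_carrier)
    except AttachmentBindingError as exc:
        print("batch blocked:", exc)
    print("sent:", dispatch(build_batch_fixed(SAMPLE_FILES), lambda e: e.to_carrier))
```

The check deliberately keys on an identifier carried inside the attachment object rather than on the filename, so that a file renamed or reordered upstream is still caught; whatever the real defect was, a gate of this shape sits between generation and transport and fails the entire batch rather than letting any mismatched message out.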

The total number of breach victims has not been announced, although a breach notice issued to the New Hampshire attorney general states that 21 New Hampshire residents have been affected. Letters have already been sent to those individuals alerting them to the accidental disclosure of their Protected Health Information. Other state attorneys general are also being sent notifications.

In this case the breach involved data being sent to individuals authorized to view PHI; just the wrong ones. Trustmark did point out that the recipients of the misdirected data are professional companies operating under Business Associate Agreements (BAAs), and are therefore aware of the importance of confidentiality and the rules covering the disclosure of PHI.

However, any disclosure of PHI carries a risk that the data may be used for malicious purposes. Even though the risk of identity fraud is perceived to be low, Trustmark is taking no chances and has decided to offer all affected individuals two years of credit monitoring and identity theft protection services. Trustmark also took steps to recall the emails; since a recall cannot be relied upon once a message has been delivered, in cases where messages could not be recalled it is working with the carriers concerned to confirm the emails have been securely deleted.

The company has reported the breach to all appropriate state and national regulatory bodies and has notified patients. It has announced the reason for the breach and what is being done to prevent future breaches, and the data breach notice letters were sent by June 22, just over a month after the breach occurred (to New Hampshire residents at least).

Once PHI is disclosed, it can never be undisclosed, but a well-orchestrated breach response and two years of protection services will certainly help to reassure patients that their privacy is taken seriously.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.