Mailing Error Exposes PHI of Integral Health Plan Members

On July 6, 2015, Integral Quality Care (IQC) sent breach notification letters to some of its Integral Health Plan (IHP) members advising them of a data breach that exposed a limited amount of Protected Health Information (PHI).

Patients’ names, dates of birth, Florida Medicaid ID numbers, diagnosis codes and payment information were exposed, although no addresses, Social Security numbers, credit card numbers or financial information were compromised in the incident.

PHI Emailed to Incorrect Recipients


In the breach notice, IQC informed patients that their data was accidentally emailed to the wrong doctors by a Business Associate, Independent Living Systems, LLC. The notice does not state how many individuals were affected by the data breach, although patients were told that fewer than 10% of health plan members had their data compromised.

The error has been attributed to a “processing mistake” that resulted in patient data being emailed to the wrong recipients: individuals who were authorized to view PHI, but not the patient data they were sent.

The data breach occurred on May 11, 2015, although it was not discovered until four days later when physicians started contacting IQC about the emailing error. According to a breach report published on the Department of Health and Human Services’ website, 7,549 IHP members were affected.

Credit Protection Services Offered to Affected Health Plan Members


Credit protection services have been offered to breach victims as a precaution, even though the risk of data being used inappropriately is relatively low. Patients have been told they can take advantage of the services at any point in the next 12 months. The clock starts from the date of the breach notification letter, not the date that the services are activated.

Should patient data fall into the hands of criminals, it could be used to make fraudulent claims for medical services, and identity fraud is also possible. Plan members should therefore carefully check their Explanation of Benefits (EoB) statements and report any irregularities, and should activate the AllClear services as soon as they receive their notification letter. All affected plan members will also be covered by a $1,000,000.00 identity theft insurance policy, and assistance will be provided to restore identities.

Children face a higher risk of suffering fraud as a result of a data breach, so IQC elected to provide minors with AllClear ID ChildScan as an additional precaution against identity theft and fraud. The service “identifies acts of credit, criminal, medical or employment fraud against children by searching thousands of public databases for use of your child’s information.”


Data Breach Attributed to Human Error


Integral Quality Care’s compliance officer, Lori Dillard, told plan members, “Please know, this incident did not occur because the wrong persons were able to access our computer systems. It was also not the result of a software problem.” Dillard went on to say, “We have asked the doctors who received the wrong information to destroy the information or return it to us.”

IQC will also be updating its policies and procedures to prevent data breaches of a similar nature from occurring in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.