Mailing Error Resulted in Impermissible Disclosure of 19,570 Missouri Care Members’ PHI

An error in a mailing to Missouri Care members reminding them to book well-child visits has resulted in the accidental disclosure of the personal information of almost 20,000 children to other Missouri Care members.

The personal information detailed in the letters was limited to children’s names, ages, and the names of their provider’s. Health information and other sensitive data was not exposed, so the potential for the information to be misused is low. However, out of an abundance of caution, parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach.

WellCare Health Plans Inc., discovered the error on July 25, 2018 and launched an investigation to determine how the error occurred and the individuals that were impacted. The mailing had been sent to 19,570 individuals, although it is unclear how many of those letters were incorrectly addressed.

The personal information that was exposed is classed as protected health information under HIPAA, and as such, the exposure of the information requires notifications to be mailed to all affected individuals. Since the incident involved more than 500 individuals, a media notice about the breach was also warranted and was sent to the Kansas City Star.

In the letter, WellCare Health Plans VP and chief security and privacy officer said, “Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”

WellCare Health Plans Inc., said policies and procedures for mailings have been reviewed and updated to prevent similar incidents from occurring in the future.

This is the second mis-mailing incident to affect Missouri Care members in the past year. A similar mis-mailing error occurred in August 2017, which resulted in the accidental disclosure of the PHI of 1,223 plan members. In that case, the error was made by a subcontractor used for the mailing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.