PHI Exposed Due to Retirement Systems of Alabama Website Error
An error on the website of the Retirement Systems of Alabama (RSA) has resulted in the exposure of hundreds of retirees’ protected health information. The PHI of members of the Public Education Employees’ Health Insurance Plan (PEEHIP) was accessible via the member portal of the RSA website for a number of days.
Social Security numbers, dates of birth, plan members’ names and those of their dependents, ID numbers, and retirement dates were temporarily accessible to other members who accessed the PEEHIP member portal.
The privacy breach was discovered by a woman from Mobile who was accessing the patient portal on behalf of her parents. After gaining access to the portal, she was able to view the PHI of hundreds of other retirees. The incident occurred late on Friday. Realizing the error, the woman contacted PEEHIP but was unable to speak to anyone. On Monday she alerted the FBI and was able to get a message to the RSA IT department, according to an Alabama Media Group report.
RSA is aware of the issue. The patient portal was undergoing maintenance, and the issue was resolved on or before Monday, July 11. It is unclear at this time exactly what went wrong and how patient data became accessible. RSA is currently conducting an investigation to determine the cause of the problem and which individuals were affected. Action will be taken to protect all plan members who were affected by the privacy breach and to prevent similar incidents from occurring in the future.